[webkit-qt] Release assert in JIT on ARM

Konstantin Tokarev annulen at yandex.ru
Fri Aug 19 10:43:02 PDT 2016



19.08.2016, 18:34, "Andrew Webster" <awebster at arcx.com>:
> This may be a question for webkit-dev, but I thought I'd check here first since I'm using qtwebkit-tp3.
>
> On an arm 32-bit platform in SpeculativeJIT::speculate, I occasionally hit the default handler which contains a release assert when using the WebInspector:
>
> switch (edge.useKind()) {
>
> ...
>
> default:
>     RELEASE_ASSERT_NOT_REACHED();
>     break;
> }
>
> The value of edge.useKind() causing this is MachineIntUse. The case handler for this value has been ifdef'd out on my platform:
>
> #if USE(JSVALUE64)
>     case MachineIntUse:
>         speculateMachineInt(edge);
>         break;
>     case DoubleRepMachineIntUse:
>         speculateDoubleRepMachineInt(edge);
>         break;
> #endif
>
> It appears that MachineIntUse is being set in JSC::DFG::FixupPhase::fixupNode when op is ProfileType:
>
> if (typeSet->doesTypeConformTo(TypeMachineInt)) {
>     if (node->child1()->shouldSpeculateInt32())
>         fixEdge<Int32Use>(node->child1());
>     else
>         fixEdge<MachineIntUse>(node->child1());
>     node->remove();
> }
>
> I am not at all familiar with this code, but from other usage of MachineIntUse, I would guess that this should not be used except on a 64-bit platform. Given that, I am not sure if
>
> 1. The typeSet should not conform to TypeMachineInt on 32-bit,
>
> 2. shouldSpeculateInt32 should always be true on 32-bit,
>
> 3. Int32Use should always be used on 32-bit, or
>
> 4. Something else.
>
> I am currently going with 3:
>
> if (typeSet->doesTypeConformTo(TypeMachineInt)) {
> #if USE(JSVALUE64)
>     if (node->child1()->shouldSpeculateInt32())
> #endif
>         fixEdge<Int32Use>(node->child1());
> #if USE(JSVALUE64)
>     else
>         fixEdge<MachineIntUse>(node->child1());
> #endif
> }
>
> This has solved my immediate problem, but due to my lack of understanding, this solution could be quite flawed.
>
> Any help is much appreciated.


Hello, thanks for the interest!

I'm by no means a JSC expert; however, from a quick analysis, it seems to me that the correct code would be


#if USE(JSVALUE64)
            if (typeSet->doesTypeConformTo(TypeMachineInt)) {
                if (node->child1()->shouldSpeculateInt32())
                    fixEdge<Int32Use>(node->child1());
                else
                    fixEdge<MachineIntUse>(node->child1());
                node->remove();
            }
#else
            if (typeSet->doesTypeConformTo(TypeMachineInt) && node->child1()->shouldSpeculateInt32()) {
                fixEdge<Int32Use>(node->child1());
                node->remove();
            }
#endif


Anyway, I highly recommend that you:

1. Ask real JSC experts on webkit-dev or jsc-dev
2. Run the JSC test suite on the target (ideally a debug build as well, as it has many more ASSERTs) before and after such changes



>
> Thanks,
>
> Andrew
>


-- 
Regards,
Konstantin
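As an added illustration, not code from the thread or from WebKit, here is a small C++ model of the choice the fixup makes; the Int52 range test and the int32 test are assumptions about what JSC's isMachineInt and shouldSpeculateInt32 check. It shows the kind of type profile that reaches the 32-bit release assert: values that are all integers but not all int32.

```cpp
#include <cmath>
#include <cstdint>
#include <vector>

// Model (not WebKit code) of the use kinds the fixup chooses between.
// None means "leave the ProfileType node alone and do not speculate".
enum class UseKind { None, Int32Use, MachineIntUse };

// Assumed JSC "machine int" (Int52) test: an integral, finite value in
// [-2^51, 2^51), excluding NaN and negative zero.
bool isMachineInt(double v) {
    if (!std::isfinite(v) || v != std::floor(v)) return false;
    if (v == 0.0 && std::signbit(v)) return false;
    const double limit = 2251799813685248.0;  // 2^51
    return v >= -limit && v < limit;
}

// Model of shouldSpeculateInt32: the value fits a boxed int32.
bool isInt32(double v) {
    return isMachineInt(v) && v >= INT32_MIN && v <= INT32_MAX;
}

// Original fixup logic from the thread: picks MachineIntUse whenever the
// profile conforms to TypeMachineInt but not every value is an int32.
UseKind chooseUseOriginal(const std::vector<double>& observed) {
    bool conforms = true, allInt32 = true;
    for (double v : observed) {
        conforms = conforms && isMachineInt(v);
        allInt32 = allInt32 && isInt32(v);
    }
    if (!conforms) return UseKind::None;
    return allInt32 ? UseKind::Int32Use : UseKind::MachineIntUse;
}

// Fixed logic: on a 32-bit (JSVALUE32_64) build MachineIntUse has no
// speculate() handler, so the node is left in place instead.
UseKind chooseUseFixed(const std::vector<double>& observed, bool is64Bit) {
    UseKind kind = chooseUseOriginal(observed);
    if (kind == UseKind::MachineIntUse && !is64Bit) return UseKind::None;
    return kind;
}

// Model of the 32-bit speculate() switch: true for edges the 32-bit backend
// handles, false where the real code reaches RELEASE_ASSERT_NOT_REACHED().
bool speculate32BitHandles(UseKind kind) {
    return kind == UseKind::None || kind == UseKind::Int32Use;
}
```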

