[webkit-qt] Release assert in JIT on ARM

Yusuke SUZUKI utatane.tea at gmail.com
Fri Aug 19 22:34:14 PDT 2016


Nice catch!

I've just filed it in https://bugs.webkit.org/show_bug.cgi?id=161029.
AnyInt includes int52 representation, that is only allowed in 64bit DFG.
(See enableInt52())

On Sat, Aug 20, 2016 at 2:49 AM, Konstantin Tokarev <annulen at yandex.ru>
wrote:

>
>
> 19.08.2016, 20:43, "Konstantin Tokarev" <annulen at yandex.ru>:
> > 19.08.2016, 18:34, "Andrew Webster" <awebster at arcx.com>:
> >>  This may be a question for webkit-dev, but I thought I'd check here
> first since I'm using qtwebkit-tp3.
> >>
> >>  On an arm 32-bit platform in SpeculativeJIT::speculate, I occasionally
> hit the default handler which contains a release assert when using the
> WebInspector:
> >>
> >>  switch (edge.useKind()) {
> >>
> >>  ...
> >>
> >>  default:
> >>      RELEASE_ASSERT_NOT_REACHED();
> >>      break;
> >>  }
> >>
> >>  The value of edge.useKind() causing this is MachineIntUse. The case
> handler for this value has been ifdef'd out on my platform:
> >>
> >>  #if USE(JSVALUE64)
> >>      case MachineIntUse:
> >>          speculateMachineInt(edge);
> >>          break;
> >>      case DoubleRepMachineIntUse:
> >>          speculateDoubleRepMachineInt(edge);
> >>          break;
> >>  #endif
> >>
> >>  It appears that MachineIntUse is being set in JSC::DFG::FixupPhase::fixupNode
> when op is ProfileType:
> >>
> >>  if (typeSet->doesTypeConformTo(TypeMachineInt)) {
> >>      if (node->child1()->shouldSpeculateInt32())
> >>          fixEdge<Int32Use>(node->child1());
> >>      else
> >>          fixEdge<MachineIntUse>(node->child1());
> >>      node->remove();
> >>  }
> >>
> >>  I am not at all familiar with this code, but from other usage of
> MachineIntUse, I would guess that this should not be used except on a
> 64-bit platform. Given that, I am not sure if
> >>
> >>  1. The typeSet should not conform to TypeMachineInt on 32-bit,
> >>
> >>  2. shouldSpeculateInt32 should always be true on 32-bit,
> >>
> >>  3. Int32Use should always be used on 32-bit, or
> >>
> >>  4. Something else.
> >>
> >>  I currently am going with 3:
> >>
> >>  if (typeSet->doesTypeConformTo(TypeMachineInt)) {
> >>  #if USE(JSVALUE64)
> >>      if (node->child1()->shouldSpeculateInt32())
> >>  #endif
> >>          fixEdge<Int32Use>(node->child1());
> >>  #if USE(JSVALUE64)
> >>      else
> >>          fixEdge<MachineIntUse>(node->child1());
> >>  #endif
> >>
> >>  }
> >>
> >>  This has solved my immediate problem, but due to my lack of
> understanding, this solution could be quite flawed.
> >>
> >>  Any help is much appreciated.
> >
> > Hello, thanks for the interest!
> >
> > I'm by no means a JSC expert, however from quick analysis it seems to me
> that the correct code would be
> >
> > #if USE(JSVALUE64)
> >             if (typeSet->doesTypeConformTo(TypeMachineInt)) {
> >                 if (node->child1()->shouldSpeculateInt32())
> >                     fixEdge<Int32Use>(node->child1());
> >                 else
> >                     fixEdge<MachineIntUse>(node->child1());
> >                 node->remove();
> >             }
> > #else
> >             if (typeSet->doesTypeConformTo(TypeMachineInt) &&
> node->child1()->shouldSpeculateInt32()) {
> >                 fixEdge<Int32Use>(node->child1());
> >                 node->remove();
> >             }
> > #endif
> >
> > Anyway, I highly recommend you to:
> >
> > 1. Ask real JSC experts on webkit-dev or jsc-dev
> > 2. Run JSC test suite on target (better debug build as well, as it has
> much more ASSERTs) before and after such changes
>
> Sorry, I forgot to add an explanation: AFAIU, MachineInt is Int32 | Int52
> and on 32-bit platforms we don't speculate about Int52 because it won't fit
> in the register anyway, so MachineInt can be only Int32. If we have a
> MachineInt which is not inferred to be Int32, we cannot do anything fast
> with it and we follow to the next branch TypeNumber | TypeMachineInt.
>
> --
> Regards,
> Konstantin
> _______________________________________________
> webkit-qt mailing list
> webkit-qt at lists.webkit.org
> https://lists.webkit.org/mailman/listinfo/webkit-qt
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-qt/attachments/20160820/248b93fa/attachment.html>


More information about the webkit-qt mailing list