[Webkit-unassigned] [Bug 91074] New: ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes

bugzilla-daemon at webkit.org
Thu Jul 12 04:47:22 PDT 2012


https://bugs.webkit.org/show_bug.cgi?id=91074

           Summary: ASSERTION FAILED: at(m_compileIndex).canExit() ||
                    m_isCheckingArgumentTypes
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://uglyhack.appspot.com/boingy/
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tomeu at tomeuvizoso.net


[tomeu at cizrna (master) build]$ ./Programs/GtkLauncher --enable-webgl=1 --enable-accelerated-compositing=1 http://uglyhack.appspot.com/boingy/
** Message: console message: http://uglyhack.appspot.com/boingy/ @99: THREE.WebGLRenderer

ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes
../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h(2128) : void JSC::DFG::SpeculativeJIT::speculationCheck(JSC::DFG::ExitKind, JSC::DFG::JSValueSource, JSC::DFG::NodeIndex, JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump)

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff23e71f1 in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x7fffffff96b0, 
    kind=JSC::DFG::BadType, jsValueSource=..., nodeIndex=169, jumpToFail=...)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2129
2129            ASSERT(at(m_compileIndex).canExit() || m_isCheckingArgumentTypes);
(gdb) bt
#0  0x00007ffff23e71f1 in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x7fffffff96b0, 
    kind=JSC::DFG::BadType, jsValueSource=..., nodeIndex=169, jumpToFail=...)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2129
#1  0x00007ffff23ccef0 in JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality (this=0x7fffffff96b0, leftChild=..., rightChild=..., branchNodeIndex=172, classInfo=
    0x7ffff29d91e0, speculatedTypeChecker=
    0x7ffff230405a <JSC::isFinalObjectSpeculation(unsigned int)>)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1665
#2  0x00007ffff23fd21a in JSC::DFG::SpeculativeJIT::compilePeepHoleBranch (this=
    0x7fffffff96b0, node=..., condition=JSC::MacroAssemblerX86Common::Equal, 
    doubleCondition=JSC::MacroAssemblerX86Common::DoubleEqual, operation=
    0x7ffff23a96ea <JSC::DFG::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue)>) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:891
#3  0x00007ffff2406e90 in JSC::DFG::SpeculativeJIT::compare (this=0x7fffffff96b0, node=..., 
    condition=JSC::MacroAssemblerX86Common::Equal, 
    doubleCondition=JSC::MacroAssemblerX86Common::DoubleEqual, operation=
    0x7ffff23a96ea <JSC::DFG::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue)>) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2656
#4  0x00007ffff23d1117 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff96b0, node=...)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2358
#5  0x00007ffff23fe1da in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff96b0, block=...)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1106
#6  0x00007ffff23ff7ef in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff96b0)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1328
#7  0x00007ffff239f82c in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffa670, 
    speculative=...) at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:91
#8  0x00007ffff23a07ad in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffa670, 
    entry=..., entryWithArityCheck=...)
    at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:268
#9  0x00007ffff239628a in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=
    0x7fff7fc00370, codeBlock=0x23ab6d0, jitCode=..., jitCodeWithArityCheck=0x7fffa02fc878)
    at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:123
#10 0x00007ffff2395a6d in JSC::DFG::tryCompileFunction (exec=0x7fff7fc00370, codeBlock=
    0x23ab6d0, jitCode=..., jitCodeWithArityCheck=...)
    at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:141
#11 0x00007ffff252648f in JSC::jitCompileFunctionIfAppropriate (exec=0x7fff7fc00370, 
    codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable=
    @0x7fffa02fc8e8: 0x2340e90, jitType=JSC::JITCode::DFGJIT, 
    effort=JSC::JITCompilationCanFail) at ../Source/JavaScriptCore/jit/JITDriver.h:95
#12 0x00007ffff2526744 in JSC::prepareFunctionForExecution (exec=0x7fff7fc00370, 
    codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable=
    @0x7fffa02fc8e8: 0x2340e90, jitType=JSC::JITCode::DFGJIT, kind=JSC::CodeForCall)
    at ../Source/JavaScriptCore/runtime/ExecutionHarness.h:64
#13 0x00007ffff252458e in JSC::FunctionExecutable::compileForCallInternal (this=
    0x7fffa02fc820, exec=0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0, 
    jitType=JSC::JITCode::DFGJIT) at ../Source/JavaScriptCore/runtime/Executable.cpp:529
#14 0x00007ffff25239df in JSC::FunctionExecutable::compileOptimizedForCall (this=
    0x7fffa02fc820, exec=0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0)
    at ../Source/JavaScriptCore/runtime/Executable.cpp:440
#15 0x00007ffff22d977b in JSC::FunctionExecutable::compileOptimizedFor (this=0x7fffa02fc820, 
    exec=0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0, kind=JSC::CodeForCall)
    at ../Source/JavaScriptCore/runtime/Executable.h:611
#16 0x00007ffff22d5ea1 in JSC::FunctionCodeBlock::compileOptimized (this=0x2354b00, exec=
    0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0)
    at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2690
#17 0x00007ffff247bdff in JSC::cti_optimize (args=0x7fffffffca90)
    at ../Source/JavaScriptCore/jit/JITStubs.cpp:1990
#18 0x00007ffff2478387 in JSC::JITThunks::tryCacheGetByID (callFrame=0xffffc9a0, codeBlock=
Python Exception <class 'gdb.error'> There is no member or method named m_hashAndFlags.: 
    0x7ffff22d977b, returnAddress=..., baseValue=..., propertyName=, slot=..., stubInfo=
    0x7fff00000000) at ../Source/JavaScriptCore/jit/JITStubs.cpp:975
#19 0x00007fffffffcac0 in ?? ()
#20 0x00007fff00000000 in ?? ()
#21 0x00007fffa801c180 in ?? ()
#22 0x0000000000000002 in ?? ()
#23 0x00007fff00000004 in ?? ()
#24 0x00007fff7c177de0 in ?? ()
#25 0x00007fffffffcaf0 in ?? ()
#26 0x00007ffff229fa43 in JSC::JSValue::decode (ptr=0x45e7e8c78948104d)
    at ../Source/JavaScriptCore/runtime/JSValueInlineMethods.h:336
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
