[Webkit-unassigned] [Bug 87994] ASSERTION FAILED: m_refCount in DFG::Node::deref with patch from 87158
bugzilla-daemon at webkit.org
Tue Jun 5 07:39:42 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=87994
--- Comment #2 from Andy Wingo <wingo at igalia.com> 2012-06-05 07:39:42 PST ---
Backtrace with arguments. Note that the SIGSEGV below is the debug-build ASSERT(m_refCount) at DFGNode.h:728 firing (a DFG::Node being deref'd while its refcount is already 0, i.e. a refcount underflow during CFG simplification), not evidence of an independent wild memory access; the interesting frame is the removePotentiallyDeadPhiReference call in fixPhis:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff205e9b5 in JSC::DFG::Node::deref (this=0x11c1550) at ../../Source/JavaScriptCore/dfg/DFGNode.h:728
728 ASSERT(m_refCount);
(gdb) bt
#0 0x00007ffff205e9b5 in JSC::DFG::Node::deref (this=0x11c1550) at ../../Source/JavaScriptCore/dfg/DFGNode.h:728
#1 0x00007ffff205eb12 in JSC::DFG::Graph::deref (this=0x7fffffffb5e0, nodeIndex=864) at ../../Source/JavaScriptCore/dfg/DFGGraph.h:114
#2 0x00007ffff205eb55 in JSC::DFG::Graph::deref (this=0x7fffffffb5e0, nodeUse=...) at ../../Source/JavaScriptCore/dfg/DFGGraph.h:119
#3 0x00007ffff209eb2b in JSC::DFG::Graph::derefChildren (this=0x7fffffffb5e0, op=864) at ../../Source/JavaScriptCore/dfg/DFGGraph.cpp:375
#4 0x00007ffff205eb27 in JSC::DFG::Graph::deref (this=0x7fffffffb5e0, nodeIndex=864) at ../../Source/JavaScriptCore/dfg/DFGGraph.h:115
#5 0x00007ffff208891d in JSC::DFG::CFGSimplificationPhase::removePotentiallyDeadPhiReference (this=0x7fffffffb560, myNodeIndex=864, phiNode=..., edgeIndex=0)
at ../../Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp:425
#6 0x00007ffff2088799 in JSC::DFG::CFGSimplificationPhase::fixPhis (this=0x7fffffffb560, sourceBlockIndex=10, destinationBlockIndex=10) at ../../Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp:392
#7 0x00007ffff20880a9 in JSC::DFG::CFGSimplificationPhase::killUnreachable (this=0x7fffffffb560, blockIndex=10) at ../../Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp:259
#8 0x00007ffff2087f40 in JSC::DFG::CFGSimplificationPhase::run (this=0x7fffffffb560) at ../../Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp:239
#9 0x00007ffff2089ffa in JSC::DFG::runPhase<JSC::DFG::CFGSimplificationPhase> (graph=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:82
#10 0x00007ffff20870ab in JSC::DFG::performCFGSimplification (graph=...) at ../../Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp:723
#11 0x00007ffff20980c6 in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fff9b1f9140, codeBlock=0x1173b20, jitCode=..., jitCodeWithArityCheck=0x7fff9b010b68)
at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:84
#12 0x00007ffff2097744 in JSC::DFG::tryCompileFunction (exec=0x7fff9b1f9140, codeBlock=0x1173b20, jitCode=..., jitCodeWithArityCheck=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:128
#13 0x00007ffff2216909 in JSC::jitCompileFunctionIfAppropriate (exec=0x7fff9b1f9140, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable=@0x7fff9b010bd8: 0x10c2ad0, jitType=JSC::JITCode::DFGJIT,
effort=JSC::JITCompilationCanFail) at ../../Source/JavaScriptCore/jit/JITDriver.h:95
#14 0x00007ffff2216bbe in JSC::prepareFunctionForExecution (exec=0x7fff9b1f9140, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable=@0x7fff9b010bd8: 0x10c2ad0, jitType=JSC::JITCode::DFGJIT,
kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/runtime/ExecutionHarness.h:64
#15 0x00007ffff2214a42 in JSC::FunctionExecutable::compileForCallInternal (this=0x7fff9b010b20, exec=0x7fff9b1f9140, scopeChainNode=0x7fff9ad8cfc0, jitType=JSC::JITCode::DFGJIT)
at ../../Source/JavaScriptCore/runtime/Executable.cpp:554
#16 0x00007ffff2213e93 in JSC::FunctionExecutable::compileOptimizedForCall (this=0x7fff9b010b20, exec=0x7fff9b1f9140, scopeChainNode=0x7fff9ad8cfc0) at ../../Source/JavaScriptCore/runtime/Executable.cpp:465
#17 0x00007ffff1fe3317 in JSC::FunctionExecutable::compileOptimizedFor (this=0x7fff9b010b20, exec=0x7fff9b1f9140, scopeChainNode=0x7fff9ad8cfc0, kind=JSC::CodeForCall)
at ../../Source/JavaScriptCore/runtime/Executable.h:586
#18 0x00007ffff1fdfe0b in JSC::FunctionCodeBlock::compileOptimized (this=0x10c4060, exec=0x7fff9b1f9140, scopeChainNode=0x7fff9ad8cfc0) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2473
#19 0x00007ffff216d865 in JSC::cti_optimize_from_ret (args=0x7fffffffd9c0) at ../../Source/JavaScriptCore/jit/JITStubs.cpp:2070
#20 0x00007ffff2169bbc in JSC::JITThunks::tryCacheGetByID (callFrame=0x7fffffffd8d0, codeBlock=0x7fff9b010b20, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7fff98a8e880)
at ../../Source/JavaScriptCore/jit/JITStubs.cpp:970
The function being optimized (frame #12, the codeBlock handed to DFG::compile) is fairly large; its bytecode dump follows:
#12 0x00007ffff2097744 in JSC::DFG::tryCompileFunction (exec=0x7fff9b1f9140, codeBlock=0x1173b20, jitCode=..., jitCodeWithArityCheck=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:128
128 return compile(CompileFunction, exec, codeBlock, jitCode, &jitCodeWithArityCheck);
(gdb) call codeBlock->dump(exec)
1261 m_instructions; 10088 bytes at 0x1173b20 (FunctionCode); 1 parameter(s); 31 callee register(s); 16 variable(s)
[ 0] enter
[ 1] convert_this r-7
[ 4] get_by_id r0, r-7, _segments(@id0) llint()
[ 13] get_by_id r1, r0, length(@id1) llint()
[ 22] mov r2, r1
[ 25] jnlesseq r1, Int32: 2(@k0), 6(->31)
[ 29] ret Undefined(@k1)
[ 31] get_by_id r16, r-7, _closed(@id2) llint()
[ 40] jfalse r16, 79(->119)
[ 43] get_global_var r19, 0
[ 47] method_check
[ 47] get_by_id r16, r19, min(@id3) llint()
[ 57] mov r18, r1
[ 60] mov r17, Int32: 4(@k2)
[ 63] call r16, 3, 26 llint(not set)
[ 69] op_call_put_result r3
[ 72] mov r16, r2
[ 75] get_global_var r20, 0
[ 79] method_check
[ 79] get_by_id r17, r20, min(@id3) llint()
[ 89] mov r19, r1
[ 92] mov r18, r3
[ 95] call r17, 3, 27 llint(not set)
[ 101] op_call_put_result r17
[ 104] mul r17, r17, Int32: 2(@k0)
[ 109] add r16, r16, r17
[ 114] mov r2, r16
[ 117] jmp 5(->122)
[ 119] mov r3, Int32: 0(@k3)
[ 122] new_array r4, r0, 0
[ 126] mov r5, Int32: 0(@k3)
[ 129] jnless r5, r1, 37(->166)
[ 133] loop_hint
[ 134] mov r16, r4
[ 137] add r17, r5, r3
[ 142] get_by_val r18, r0, r5
[ 147] get_by_id r18, r18, _point(@id4) llint(struct = 0x7fff98aac660 (offset = 0))
[ 156] put_by_val r16, r17, r18
[ 160] pre_inc r5
[ 162] loop_if_less r5, r1, -29(->133)
[ 166] get_by_id r16, r-7, _closed(@id2) llint()
[ 175] jfalse r16, 84(->259)
[ 178] mov r5, Int32: 0(@k3)
[ 181] jnless r5, r3, 76(->257)
[ 185] loop_hint
[ 186] mov r16, r4
[ 189] mov r17, r5
[ 192] add r18, r5, r1
[ 197] sub r18, r18, r3
[ 202] get_by_val r18, r0, r18
[ 207] get_by_id r18, r18, _point(@id4) llint()
[ 216] put_by_val r16, r17, r18
[ 220] mov r16, r4
[ 223] add r18, r5, r1
[ 228] add r17, r18, r3
[ 233] get_by_val r18, r0, r5
[ 238] get_by_id r18, r18, _point(@id4) llint()
[ 247] put_by_val r16, r17, r18
[ 251] pre_inc r5
[ 253] loop_if_less r5, r3, -68(->185)
[ 257] jmp 4(->261)
[ 259] pre_dec r2
[ 261] new_array r6, r0, 0
[ 265] mov r5, Int32: 1(@k4)
[ 268] sub r16, r2, Int32: 1(@k4)
[ 273] jnless r5, r16, 74(->347)
[ 277] loop_hint
[ 278] mov r16, r6
[ 281] mov r17, r5
[ 284] get_by_val r18, r4, r5
[ 289] get_by_id r18, r18, _x(@id5) llint(struct = 0x7fff9ad5e320 (offset = 0))
[ 298] mul r18, Int32: 4(@k2), r18
[ 303] add r19, r5, Int32: 1(@k4)
[ 308] get_by_val r19, r4, r19
[ 313] get_by_id r19, r19, _x(@id5) llint(struct = 0x7fff9ad5e320 (offset = 0))
[ 322] mul r19, Int32: 2(@k0), r19
[ 327] add r18, r18, r19
[ 332] put_by_val r16, r17, r18
[ 336] pre_inc r5
[ 338] sub r16, r2, Int32: 1(@k4)
[ 343] loop_if_less r5, r16, -66(->277)
[ 347] mov r16, r6
[ 350] mov r17, Int32: 0(@k3)
[ 353] get_by_val r18, r4, Int32: 0(@k3)
[ 358] get_by_id r18, r18, _x(@id5) llint(struct = 0x7fff9ad5e320 (offset = 0))
[ 367] get_by_val r19, r4, Int32: 1(@k4)
[ 372] get_by_id r19, r19, _x(@id5) llint(struct = 0x7fff9ad5e320 (offset = 0))
[ 381] mul r19, Int32: 2(@k0), r19
[ 386] add r18, r18, r19
[ 391] put_by_val r16, r17, r18
[ 395] mov r16, r6
[ 398] sub r17, r2, Int32: 1(@k4)
[ 403] sub r18, r2, Int32: 1(@k4)
[ 408] get_by_val r18, r4, r18
[ 413] get_by_id r18, r18, _x(@id5) llint(struct = 0x7fff9ad5e320 (offset = 0))
[ 422] mul r18, Int32: 3(@k5), r18
[ 427] put_by_val r16, r17, r18
[ 431] get_scoped_var r16, 3, 0
[ 436] mov r18, Undefined(@k1)
[ 439] mov r17, r6
[ 442] call r16, 2, 25 llint(0x7fff9ada97e0, exec 0x7fff9b010ce0)
[ 448] op_call_put_result r7
[ 451] mov r5, Int32: 1(@k4)
[ 454] sub r16, r2, Int32: 1(@k4)
[ 459] jnless r5, r16, 74(->533)
[ 463] loop_hint
[ 464] mov r16, r6
[ 467] mov r17, r5
[ 470] get_by_val r18, r4, r5
[ 475] get_by_id r18, r18, _y(@id6) llint(struct = 0x7fff9ad5e320 (offset = 1))
[ 484] mul r18, Int32: 4(@k2), r18
[ 489] add r19, r5, Int32: 1(@k4)
[ 494] get_by_val r19, r4, r19
[ 499] get_by_id r19, r19, _y(@id6) llint(struct = 0x7fff9ad5e320 (offset = 1))
[ 508] mul r19, Int32: 2(@k0), r19
[ 513] add r18, r18, r19
[ 518] put_by_val r16, r17, r18
[ 522] pre_inc r5
[ 524] sub r16, r2, Int32: 1(@k4)
[ 529] loop_if_less r5, r16, -66(->463)
[ 533] mov r16, r6
[ 536] mov r17, Int32: 0(@k3)
[ 539] get_by_val r18, r4, Int32: 0(@k3)
[ 544] get_by_id r18, r18, _y(@id6) llint(struct = 0x7fff9ad5e320 (offset = 1))
[ 553] get_by_val r19, r4, Int32: 1(@k4)
[ 558] get_by_id r19, r19, _y(@id6) llint(struct = 0x7fff9ad5e320 (offset = 1))
[ 567] mul r19, Int32: 2(@k0), r19
[ 572] add r18, r18, r19
[ 577] put_by_val r16, r17, r18
[ 581] mov r16, r6
[ 584] sub r17, r2, Int32: 1(@k4)
[ 589] sub r18, r2, Int32: 1(@k4)
[ 594] get_by_val r18, r4, r18
[ 599] get_by_id r18, r18, _y(@id6) llint(struct = 0x7fff9ad5e320 (offset = 1))
[ 608] mul r18, Int32: 3(@k5), r18
[ 613] put_by_val r16, r17, r18
[ 617] get_scoped_var r16, 3, 0
[ 622] mov r18, Undefined(@k1)
[ 625] mov r17, r6
[ 628] call r16, 2, 25 llint(0x7fff9ada97e0, exec 0x7fff9b010ce0)
[ 634] op_call_put_result r8
[ 637] get_by_id r16, r-7, _closed(@id2) llint()
[ 646] jfalse r16, 184(->830)
[ 649] mov r5, Int32: 0(@k3)
[ 652] mov r9, r1
[ 655] jnless r5, r3, 173(->828)
[ 659] loop_hint
[ 660] div r10, r5, r3
[ 665] sub r11, Int32: 1(@k4), r10
[ 670] mov r16, r7
[ 673] mov r17, r9
[ 676] get_by_val r18, r7, r5
[ 681] mul r18, r18, r10
[ 686] get_by_val r19, r7, r9
[ 691] mul r19, r19, r11
[ 696] add r18, r18, r19
[ 701] put_by_val r16, r17, r18
[ 705] mov r16, r8
[ 708] mov r17, r9
[ 711] get_by_val r18, r8, r5
[ 716] mul r18, r18, r10
[ 721] get_by_val r19, r8, r9
[ 726] mul r19, r19, r11
[ 731] add r18, r18, r19
[ 736] put_by_val r16, r17, r18
[ 740] add r12, r5, r3
[ 745] add r13, r9, r3
[ 750] mov r16, r7
[ 753] mov r17, r13
[ 756] get_by_val r18, r7, r12
[ 761] mul r18, r18, r11
[ 766] get_by_val r19, r7, r13
[ 771] mul r19, r19, r10
[ 776] add r18, r18, r19
[ 781] put_by_val r16, r17, r18
[ 785] mov r16, r8
[ 788] mov r17, r13
[ 791] get_by_val r18, r8, r12
[ 796] mul r18, r18, r11
[ 801] get_by_val r19, r8, r13
[ 806] mul r19, r19, r10
[ 811] add r18, r18, r19
[ 816] put_by_val r16, r17, r18
[ 820] pre_inc r5
[ 822] pre_inc r9
[ 824] loop_if_less r5, r3, -165(->659)
[ 828] pre_dec r2
[ 830] mov r14, Null(@k6)
[ 833] mov r5, r3
[ 836] sub r16, r2, r3
[ 841] jnlesseq r5, r16, 339(->1180)
[ 845] loop_hint
[ 846] sub r16, r5, r3
[ 851] get_by_val r15, r0, r16
[ 856] jfalse r14, 53(->909)
[ 859] mov r18, r15
[ 862] method_check
[ 862] get_by_id r16, r18, setHandleIn(@id7) llint()
[ 872] mov r20, r14
[ 875] method_check
[ 875] get_by_id r17, r20, subtract(@id8) llint()
[ 885] get_by_id r19, r15, _point(@id4) llint(struct = 0x7fff98aac660 (offset = 0))
[ 894] call r17, 2, 27 llint(0x7fff9afd9120, exec 0x7fffa0084320)
[ 900] op_call_put_result r17
[ 903] call r16, 2, 25 llint(0x7fff9ae61b00, exec 0x7fff9b034400)
[ 909] jnless r5, r2, 260(->1169)
[ 913] mov r18, r15
[ 916] method_check
[ 916] get_by_id r16, r18, setHandleOut(@id9) llint()
[ 926] get_scoped_var r21, 6, 1
[ 931] get_by_val r23, r7, r5
[ 936] get_by_val r22, r8, r5
[ 941] construct r21, 3, 31 llint(0x7fff9afd7f20, exec 0x7fff9b013440)
[ 947] op_call_put_result r20
[ 950] method_check
[ 950] get_by_id r17, r20, subtract(@id8) llint()
[ 960] get_by_id r19, r15, _point(@id4) llint(struct = 0x7fff98aac660 (offset = 0))
[ 969] call r17, 2, 27 llint(0x7fff9afd9120, exec 0x7fffa0084320)
[ 975] op_call_put_result r17
[ 978] call r16, 2, 25 llint(0x7fff9ae61a40, exec 0x7fff9b034240)
[ 984] sub r16, r2, Int32: 1(@k4)
[ 989] jnless r5, r16, 98(->1087)
[ 993] get_scoped_var r16, 6, 1
[ 998] add r20, r5, Int32: 1(@k4)
[1003] get_by_val r20, r4, r20
[1008] get_by_id r20, r20, _x(@id5) llint(struct = 0x7fff9ad5e320 (offset = 0))
[1017] mul r20, Int32: 2(@k0), r20
[1022] add r21, r5, Int32: 1(@k4)
[1027] get_by_val r21, r7, r21
[1032] sub r18, r20, r21
[1037] add r20, r5, Int32: 1(@k4)
[1042] get_by_val r20, r4, r20
[1047] get_by_id r20, r20, _y(@id6) llint(struct = 0x7fff9ad5e320 (offset = 1))
[1056] mul r20, Int32: 2(@k0), r20
[1061] add r21, r5, Int32: 1(@k4)
[1066] get_by_val r21, r8, r21
[1071] sub r17, r20, r21
[1076] construct r16, 3, 26 llint(0x7fff9afd7f20, exec 0x7fff9b013440)
[1082] op_call_put_result r14
[1085] jmp 84(->1169)
[1087] get_scoped_var r16, 6, 1
[1092] get_by_val r20, r4, r2
[1097] get_by_id r20, r20, _x(@id5) llint(struct = 0x7fff9ad5e320 (offset = 0))
[1106] sub r21, r2, Int32: 1(@k4)
[1111] get_by_val r21, r7, r21
[1116] add r20, r20, r21
[1121] div r18, r20, Int32: 2(@k0)
[1126] get_by_val r20, r4, r2
[1131] get_by_id r20, r20, _y(@id6) llint(struct = 0x7fff9ad5e320 (offset = 1))
[1140] sub r21, r2, Int32: 1(@k4)
[1145] get_by_val r21, r8, r21
[1150] add r20, r20, r21
[1155] div r17, r20, Int32: 2(@k0)
[1160] construct r16, 3, 26 llint(0x7fff9afd7f20, exec 0x7fff9b013440)
[1166] op_call_put_result r14
[1169] pre_inc r5
[1171] sub r16, r2, r3
[1176] loop_if_lesseq r5, r16, -331(->845)
[1180] get_by_id r16, r-7, _closed(@id2) llint()
[1189] jfalse r16, 70(->1259)
[1192] jfalse r14, 67(->1259)
[1195] get_by_id r16, r-7, _segments(@id0) llint()
[1204] get_by_val r15, r16, Int32: 0(@k3)
[1209] mov r18, r15
[1212] method_check
[1212] get_by_id r16, r18, setHandleIn(@id7) llint()
[1222] mov r20, r14
[1225] method_check
[1225] get_by_id r17, r20, subtract(@id8) llint()
[1235] get_by_id r19, r15, _point(@id4) llint()
[1244] call r17, 2, 27 llint(not set)
[1250] op_call_put_result r17
[1253] call r16, 2, 25 llint(not set)
[1259] ret Undefined(@k1)
Identifiers:
id0 = _segments
id1 = length
id2 = _closed
id3 = min
id4 = _point
id5 = _x
id6 = _y
id7 = setHandleIn
id8 = subtract
id9 = setHandleOut
Constants:
k0 = Int32: 2
k1 = Undefined
k2 = Int32: 4
k3 = Int32: 0
k4 = Int32: 1
k5 = Int32: 3
k6 = Null
k7 = False
k8 = Double: 4010000000000000, 4.000000
k9 = Double: 4000000000000000, 2.000000
k10 = Double: 4008000000000000, 3.000000