[Webkit-unassigned] [Bug 87994] ASSERTION FAILED: m_refCount in DFG::Node:deref with patch from 87158

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 5 08:52:00 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=87994





--- Comment #6 from Andy Wingo <wingo at igalia.com>  2012-06-05 08:51:59 PST ---
If my analysis is right, I'm not sure what the right fix is.  One can easily have arbitrarily long cycles that could exhibit similar behaviour.

This patch fixes the immediate symptom:

diff --git a/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp
index 0f0a225..84286d3 100644
--- a/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp
@@ -365,6 +365,10 @@ private:

     void fixPhis(BlockIndex sourceBlockIndex, BlockIndex destinationBlockIndex)
     {
+        if (sourceBlockIndex == destinationBlockIndex) {
+            // No need to kill off phis referenced from our own block.
+            return;
+        }
         BasicBlock* sourceBlock = m_graph.m_blocks[sourceBlockIndex].get();
         BasicBlock* destinationBlock = m_graph.m_blocks[destinationBlockIndex].get();
         if (!destinationBlock) {

However I get other problems on paperjs.org, including a segfault in meta balls:


Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1facd86 in JSC::JSCell::classInfo (this=0x0) at ../../Source/JavaScriptCore/runtime/JSCell.h:195
195            return m_classInfo;
(gdb) bt
#0  0x00007ffff1facd86 in JSC::JSCell::classInfo (this=0x0) at ../../Source/JavaScriptCore/runtime/JSCell.h:195
#1  0x00007ffff1faed96 in JSC::JSCell::methodTable (this=0x0) at ../../Source/JavaScriptCore/runtime/JSObject.h:536
#2  0x00007ffff20ad801 in JSC::JSValue::get (this=0x7fffffffcde0, exec=0x7fff96f963b0, propertyName=0, slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.h:843
#3  0x00007ffff20ad755 in JSC::JSValue::get (this=0x7fffffffcde0, exec=0x7fff96f963b0, propertyName=0) at ../../Source/JavaScriptCore/runtime/JSObject.h:830
#4  0x00007ffff20aae9b in JSC::DFG::operationGetArgumentByVal (exec=0x7fff96f963b0, argumentsRegister=1, index=0) at ../../Source/JavaScriptCore/dfg/DFGOperations.cpp:1108
#5  0x00007fffa3a3107f in ?? ()

And voronoi prints out this on the console, many times:

** Message: console message: http://jonathanpuckey.com/static/rhill-voronoi-core.js @284: TypeError: 'null' is not an object

Michael, can you reproduce any of these?  Filip, do you have any thoughts here?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list