[Webkit-unassigned] [Bug 119582] New: Crash due to DFG in jslinux

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 8 11:14:52 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=119582

           Summary: Crash due to DFG in jslinux
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
               URL: http://bellard.org/jslinux/
        OS/Version: Unspecified
            Status: NEW
          Keywords: NeedsRadar
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: oliver at apple.com
                CC: fpizlo at apple.com


jslinux crashes, occasionally during boot, but consistently when running gcc

1. JSC_enableConcurrentJIT=0 JSC_maximumInliningDepth=1 JSC_bytecodeRangeToDFGCompile=435:445  run-minibrowser 
2. Go to http://bellard.org/jslinux/
3. Wait for linux to boot
4. type gcc hello.c

This results in a crash in release build, and the following assertion failure:
ASSERTION FAILED: to.isSet()
/Volumes/Data/git/WebKit/OpenSource/Source/JavaScriptCore/assembler/X86Assembler.h(1862) : void JSC::X86Assembler::linkJump(JSC::AssemblerLabel, JSC::AssemblerLabel)
1   0x1047b76a0 WTFCrash
2   0x10436cefc JSC::X86Assembler::linkJump(JSC::AssemblerLabel, JSC::AssemblerLabel)
3   0x1044223a9 JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::linkTo(JSC::AbstractMacroAssembler<JSC::X86Assembler>::Label, JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const
4   0x10447111c JSC::DFG::SpeculativeJIT::linkBranches()
5   0x10447105f JSC::DFG::SpeculativeJIT::compile()
6   0x10441d214 JSC::DFG::JITCompiler::compileBody()
7   0x10441f3b4 JSC::DFG::JITCompiler::compileFunction()
8   0x10445534b JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
9   0x104454d26 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&)
10  0x1043f7b4d JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr*, unsigned int)
11  0x1043f7bcc JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, unsigned int)
12  0x10450dfa5 JSC::jitCompileFunctionIfAppropriateImpl(JSC::ExecState*, JSC::FunctionCodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
13  0x10450debe JSC::prepareFunctionForExecutionImpl(JSC::ExecState*, JSC::FunctionCodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
14  0x1045098b9 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::RefPtr<JSC::FunctionCodeBlock>&, JSC::FunctionCodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, int&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
15  0x104506afc JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, JSC::CompilationResult*, unsigned int)
16  0x10450689c JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, JSC::CompilationResult&, unsigned int)
17  0x1042ff4e4 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, JSC::CompilationResult&, unsigned int, JSC::CodeSpecializationKind)
18  0x1042f5353 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, JSC::CompilationResult&, unsigned int)
19  0x1045706e4 cti_optimize
20  0x1045767c0 jscGeneratedNativeCode
21  0x104552207 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*)
22  0x104535bd2 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
23  0x1042e2ede JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
24  0x10459da39 JSC::boundFunctionCall(JSC::ExecState*)
25  0x104535c08 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
26  0x1042e2ede JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
27  0x105f6796b WebCore::JSMainThreadExecState::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&)
28  0x106a28d41 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*)
29  0x106a28932 WebCore::ScheduledAction::execute(WebCore::Document*)
30  0x106a28794 WebCore::ScheduledAction::execute(WebCore::ScriptExecutionContext*)
31  0x10597531e WebCore::DOMTimer::fired()

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list