[Webkit-unassigned] [Bug 119794] New: [DFG] isDouble(edge.useKind()) assertion fail

bugzilla-daemon at webkit.org
Wed Aug 14 04:55:44 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119794

           Summary: [DFG] isDouble(edge.useKind()) assertion fail
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jbrianceau at nds.com


On 32-bit sh4 and mips debug builds, many SunSpider 1.0 JSC tests fail:

ASSERTION FAILED: mode == ManualOperandSpeculation || isDouble(edge.useKind())
/local/jbriance/webkit-mips/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h(2694) : JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge, JSC::DFG::OperandSpeculationMode)
FATAL ERROR: CRASH() called.


The backtrace always looks the same. For instance, on my sh4 board:

(gdb) bt
#0  0x00000000 in ?? ()
#1  0x00a77d8a in WTFCrash () at /local/jbriance/webkit-dfg-sh4Source/WTF/wtf/Assertions.cpp:347
#2  0x00761eba in SpeculateDoubleOperand (this=0x7bec23d8, jit=0xedcb18, edge=..., mode=JSC::DFG::AutomaticOperandSpeculation)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2703
#3  0x0073f08a in JSC::DFG::SpeculativeJIT::compileDoubleAsInt32 (this=0xedcb18, node=0x2bc31814)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2456
#4  0x0078d9e2 in JSC::DFG::SpeculativeJIT::compile (this=0xedcb18, node=0x2bc31814)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2214
#5  0x0073ac68 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0xedcb18)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1804
#6  0x0073b538 in JSC::DFG::SpeculativeJIT::compile (this=0xedcb18)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1918
#7  0x006c7944 in JSC::DFG::JITCompiler::compileBody (this=0x7bec4778)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:117
#8  0x006c9ea0 in JSC::DFG::JITCompiler::compileFunction (this=0x7bec4778)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:382
#9  0x00716950 in JSC::DFG::Plan::compileInThreadImpl (this=0xee3e28, longLivedState=...)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGPlan.cpp:256
#10 0x007161ee in JSC::DFG::Plan::compileInThread (this=0xee3e28, longLivedState=...)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGPlan.cpp:113
#11 0x0069ba26 in compile (compileMode=JSC::DFG::CompileFunction, exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=0x2bbffacc, 
    osrEntryBytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGDriver.cpp:127
#12 0x0069bba4 in JSC::DFG::tryCompileFunction (exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=89)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGDriver.cpp:138
#13 0x0095b1c4 in JSC::jitCompileFunctionIfAppropriateImpl (exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., 
    jitType=JSC::JITCode::DFGJIT, bytecodeIndex=89, effort=JSC::JITCompilationCanFail)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/jit/JITDriver.h:98
#14 0x0095b620 in JSC::prepareFunctionForExecutionImpl (exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., 
    jitType=JSC::JITCode::DFGJIT, bytecodeIndex=89, kind=JSC::CodeForCall)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/ExecutionHarness.h:84
#15 0x0095b6c2 in JSC::prepareFunctionForExecution (exec=0x2b62b130, sink=..., codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., 
    numParameters=@0x2bbffab4, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=89, kind=JSC::CodeForCall)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/ExecutionHarness.h:138
#16 0x00958c0c in JSC::FunctionExecutable::compileForCallInternal (this=0x2bbffab0, exec=0x2b62b130, scope=0x2ba7fc38, jitType=JSC::JITCode::DFGJIT, 
    result=0x7bec5004, bytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/Executable.cpp:561
#17 0x009581ec in JSC::FunctionExecutable::compileOptimizedForCall (this=0x2bbffab0, exec=0x2b62b130, scope=0x2ba7fc38, result=@0x7bec5004, bytecodeIndex=89)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/Executable.cpp:480
#18 0x004c7716 in JSC::FunctionExecutable::compileOptimizedFor (this=0x2bbffab0, exec=0x2b62b130, scope=0x2ba7fc38, result=@0x7bec5004, bytecodeIndex=89, 
    kind=JSC::CodeForCall) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/Executable.h:691
#19 0x004be7ee in JSC::FunctionCodeBlock::compileOptimized (this=0xedeb30, exec=0x2b62b130, scope=0x2ba7fc38, result=@0x7bec5004, bytecodeIndex=89)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/bytecode/CodeBlock.cpp:2744
#20 0x00840b64 in JITStubThunked_optimize (args=0x7bec5060)
    at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/jit/JITStubs.cpp:1046
#21 0x008404bc in cti_optimize () at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/jit/JITStubs.cpp:888
