[Webkit-unassigned] [Bug 120167] New: ASSERT in dfg/DFGSpeculativeJIT.h SpeculateCellOperand ctor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Aug 22 12:26:41 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=120167

           Summary: ASSERT in dfg/DFGSpeculativeJIT.h SpeculateCellOperand
                    ctor
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: All
               URL: http://www.wenxuecity.com
        OS/Version: Unspecified
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ascian at rim.com


ASSERT_UNUSED(mode, mode == ManualOperandSpeculation ... fails when visiting the website circa Aug-22. The edge.useKind() values will also fail the ASSERT.

(gdb) p edge.useKind()
$3 = JSC::DFG::UntypedUse
(gdb) p mode
$4 = JSC::DFG::AutomaticOperandSpeculation

The mode argument is the default arg value for the ctor, moving up to the caller, it doesn't specify the argument so this path will never execute properly in ASSERT-mode.

dfg/DFGSpeculativeJIT32_64.cpp
     case GetById: { 
3865│         if (!node->prediction()) {
3866│             terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
3867│             break;
3868│         }
3869│
3870│         if (isCellSpeculation(node->child1()->prediction())) {
3871├>            SpeculateCellOperand base(this, node->child1()); <<<<<<<<


(gdb) bt 8
#0  0x02a3665c in JSC::DFG::SpeculateCellOperand::SpeculateCellOperand (this=0x77fbfc00, jit=0x77fc1128, edge=..., mode=JSC::DFG::AutomaticOperandSpeculation) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2930
#1  0x02a5850e in JSC::DFG::SpeculativeJIT::compile (this=0x77fc1128, node=0x771b5018) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:3871
#2  0x02a22152 in JSC::DFG::SpeculativeJIT::compile (this=0x77fc1128, block=...) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1762
#3  0x02a22742 in JSC::DFG::SpeculativeJIT::compile (this=0x77fc1128) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1880
#4  0x029f226c in JSC::DFG::JITCompiler::compileBody (this=0x77fc19f8, speculative=...) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108
#5  0x029f3152 in JSC::DFG::JITCompiler::compileFunction (this=0x77fc19f8, entry=..., entryWithArityCheck=...) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302
#6  0x029e302a in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x2af596c8, codeBlock=0x7ffed5d8, jitCode=..., jitCodeWithArityCheck=0x7fddf584, osrEntryBytecodeIndex=0) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:161
#7  0x029e2944 in JSC::DFG::tryCompileFunction (exec=0x2af596c8, codeBlock=0x7ffed5d8, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:179
(More stack frames follow...)

 Hopefully this is enough to reproduce and fix the problem.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list