[Webkit-unassigned] [Bug 109933] New: JSC asserting on division in debug mode ARM traditional
bugzilla-daemon at webkit.org
Fri Feb 15 06:22:38 PST 2013
https://bugs.webkit.org/show_bug.cgi?id=109933
Summary: JSC asserting on division in debug mode ARM traditional
Product: WebKit
Version: 528+ (Nightly build)
Platform: Unspecified
OS/Version: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: rgabor at webkit.org
JSC asserting on graph validation after the fixup phase because of a division operation.
When the fixupNode() function creates the newDivision node, it increases its m_refCount by the copied node's refcounts.
DFGFixupPhase:338
    Node* newDivision = m_insertionSet.insertNode(
        m_indexInBlock, DontRefChildren, RefNode, SpecDouble, *node);
    node->setOp(DoubleAsInt32);
    node->children.initialize(Edge(newDivision, DoubleUse), Edge(), Edge());
The problem is that the addNode() function copies the references of the node and then puts on two more.
DFGGraph.h:207
    Node* node = new (m_allocator) Node(valueArgs); \
    node->predict(type); \
    if (node->flags() & NodeMustGenerate) \
        node->ref(); \
    if (refNodeMode == RefNode) \
        node->ref(); \
After this fixup phase the validate() function asserts when it checks the nodes' refcounts.
DFGValidate.cpp:151
    V_EQUAL((node), myRefCounts.get(node), node->adjustedRefCount());
Is this the expected behavior of the addNode() function?
A possible workaround could be to decrease the refcounts of the newDivision with the original node refcounts after the node creation like this:
    newDivision->setRefCount(newDivision->refCount() - node->refCount());
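The following is an added toy model of the refcount mismatch described in this report; it is not WebKit code. Node, Graph, addNode() and validateMismatches() are simplified stand-ins for the DFG types (the real Node carries flags, predictions and an allocator), but they reproduce the mechanism: copy-constructing the new node from the template node carries the template's refCount along, the usual NodeMustGenerate and RefNode refs are then added on top, and a recount from the edges (as DFGValidate does) disagrees with the stored count. The proposed workaround of subtracting the original node's refCount is modelled by the applyWorkaround flag.

```cpp
// Added illustration (not WebKit code): a simplified model of the DFG
// refcount bookkeeping from bug 109933. All names are stand-ins.
#include <cstdio>
#include <map>
#include <vector>

enum RefNodeMode { DontRefNode, RefNode };

struct Node;

// An edge is just a pointer to a child node here.
struct Edge {
    Node* node;
};

struct Node {
    unsigned refCount = 0;
    bool mustGenerate = false;
    std::vector<Edge> children;

    void ref() { ++refCount; }
    void setRefCount(unsigned c) { refCount = c; }
};

struct Graph {
    std::vector<Node*> nodes;

    ~Graph() {
        for (Node* n : nodes)
            delete n;
    }

    // Copy-constructs the new node from `templateNode` (so refCount and
    // mustGenerate come along, as the report observes), then applies the
    // usual refs on top of the copied count.
    Node* addNode(RefNodeMode mode, const Node& templateNode) {
        Node* node = new Node(templateNode);   // copies refCount too
        if (node->mustGenerate)
            node->ref();
        if (mode == RefNode)
            node->ref();
        nodes.push_back(node);
        return node;
    }

    // Mirrors the validation idea: recount references from the edges (plus
    // one for must-generate nodes) and compare with each stored refCount.
    // Returns the number of nodes whose stored refCount disagrees.
    int validateMismatches() const {
        std::map<const Node*, unsigned> expected;
        for (const Node* n : nodes) {
            if (n->mustGenerate)
                expected[n] += 1;
            for (const Edge& e : n->children)
                if (e.node)
                    expected[e.node] += 1;
        }
        int mismatches = 0;
        for (const Node* n : nodes)
            if (expected[n] != n->refCount)
                ++mismatches;
        return mismatches;
    }
};

// Scenario: a must-generate division node with three consumers (refCount 4)
// is fixed up. A new double division is inserted by copying it, and the old
// node becomes a converter with a single edge to the new one.
// Returns the new division node's refCount.
unsigned simulateFixup(Graph& g, bool applyWorkaround) {
    Node* division = new Node;
    division->mustGenerate = true;
    division->refCount = 4;        // 3 consumer edges + 1 for must-generate
    g.nodes.push_back(division);
    for (int i = 0; i < 3; ++i) {  // three constructed consumers
        Node* user = new Node;
        user->children.push_back(Edge{division});
        g.nodes.push_back(user);
    }
    // Copies refCount 4, then +1 (mustGenerate) and +1 (RefNode) -> 6,
    // although only one edge (plus must-generate) will point at it.
    Node* newDivision = g.addNode(RefNode, *division);
    division->children.clear();
    division->children.push_back(Edge{newDivision});
    if (applyWorkaround)
        newDivision->setRefCount(newDivision->refCount - division->refCount);
    return newDivision->refCount;
}

int main() {
    Graph broken, fixed;
    std::printf("no workaround: refCount=%u mismatches=%d\n",
                simulateFixup(broken, false), broken.validateMismatches());
    std::printf("workaround:    refCount=%u mismatches=%d\n",
                simulateFixup(fixed, true), fixed.validateMismatches());
    return 0;
}
```

Without the workaround the new node reports refCount 6 while the recount expects 2, which is the disagreement the validator's V_EQUAL check catches; subtracting the template node's count brings the two into line.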