[Webkit-unassigned] [Bug 117144] New: JSC asserting without LLINT with DFG JIT

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 3 06:11:14 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=117144

           Summary: JSC asserting without LLINT with DFG JIT
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: rgabor at webkit.org
                CC: oliver at apple.com, zherczeg at webkit.org,
                    fpizlo at apple.com, mark.lam at apple.com
            Blocks: 108645


JSC asserting without LLINT on Linux (x86, ARM) and Mac (x86) as well.

The test is:
  var j,k;
  function b(){
      for (var i = 0; i < 1986; ++i) {
          j *= k;
      }
  }
  b();


The assert:
ASSERTION FAILED: isCell()
/Users/rgabor/gitWebKit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(491) : JSC::JSCell *JSC::JSValue::asCell() const
1   0x10ac82350 WTFCrash
2   0x10a7fdf95 JSC::JSValue::asCell() const
3   0x10ab07207 JSC::JSScope::resolvePut(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&, JSC::JSValue, JSC::PutToBaseOperation*)
4   0x10aa7e93b cti_op_put_to_base
5   0x10aa84620 jscGeneratedNativeCode
6   0x10aa45a44 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*)
7   0x10aa422a6 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
8   0x10a8c82df JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
9   0x10a779127 _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0ENS1_15CrashOnOverflowEEEb
10  0x10a77881c jscmain(int, char**)
11  0x10a77867e main
12  0x10a770ce4 start
13  0x2
Segmentation fault: 11


I've done some debugging on this and found that JSC::JSScope::resolveWithBase, called by LLINT, changes the instructions[30].u.putToBaseOperation->m_kind (in this test) from Uninitialised to GlobalVariablePut, and later the JIT will compile that; but without LLINT the JIT will compile the bytecode before this change, and that will cause the problem after OSRExitCompiler::compileExit().

#0  JSC::JSScope::resolveContainingScopeInternal<(JSC::JSScope::LookupMode)0, (JSC::JSScope::ReturnValues)3> (callFrame=0x7ffeb36f90a0, identifier=..., slot=..., 
    operations=0xf6b9e0, putToBaseOperation=0xf69300) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/JSScope.cpp:262
#1  0x00000000007af832 in JSC::JSScope::resolveContainingScope<(JSC::JSScope::ReturnValues)3> (callFrame=0x7ffeb36f90a0, identifier=..., slot=..., operations=0xf6b9e0, 
    putToBaseOperation=0xf69300, isStrict=false) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/JSScope.cpp:428
#2  0x00000000007ae19f in JSC::JSScope::resolveWithBase (callFrame=0x7ffeb36f90a0, identifier=..., base=0x7ffeb36f90b0, operations=0xf6b9e0, 
    putToBaseOperations=0xf69300) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/JSScope.cpp:499
#3  0x00000000006ad4e4 in JSC::LLInt::llint_slow_path_resolve_with_base (exec=0x7ffeb36f90a0, pc=0xf696a0)
    at /home/rgabor/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:865
#4  0x00000000006b8add in llint_op_resolve_with_base ()
#5  0x00007ffeb36f9058 in ?? ()
#6  0x0000000000f55160 in ?? ()
#7  0x00007fffffffcde0 in ?? ()
#8  0x0000000000661017 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/rgabor/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:213
#9  0x000000000065fd96 in JSC::JITCode::execute (this=0x7ffeb441fe90, stack=0xf55160, callFrame=0x7ffeb36f9058, vm=0xf467b0)
    at /home/rgabor/WebKit/Source/JavaScriptCore/jit/JITCode.h:135
#10 0x000000000065d0d0 in JSC::Interpreter::execute (this=0xf55150, program=0x7ffeb441fe70, callFrame=0x7ffeb434fb78, thisObj=0x7ffeb43cfeb0)
    at /home/rgabor/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:976
#11 0x00000000007471a4 in JSC::evaluate (exec=0x7ffeb434fb78, source=..., thisValue=..., returnedException=0x7fffffffe3e0)
    at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:83
#12 0x00000000004111ca in runWithScripts (globalObject=0x7ffeb434f970, scripts=..., dump=false) at /home/rgabor/WebKit/Source/JavaScriptCore/jsc.cpp:578
#13 0x0000000000411ed5 in jscmain (argc=2, argv=0x7fffffffe6a8) at /home/rgabor/WebKit/Source/JavaScriptCore/jsc.cpp:794
#14 0x0000000000410fa6 in main (argc=2, argv=0x7fffffffe6a8) at /home/rgabor/WebKit/Source/JavaScriptCore/jsc.cpp:541

I'm not sure how to fix this problem, so if you have any thoughts on this please share them with me :)
