[Webkit-unassigned] [Bug 117140] ASSERTION FAILED: m_isCheckingArgumentTypes || m_canExit in JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 3 14:24:40 PDT 2013 

https://bugs.webkit.org/show_bug.cgi?id=117140





--- Comment #7 from Filip Pizlo <fpizlo at apple.com>  2013-06-03 14:23:12 PST ---
(In reply to comment #5)
> Here the final dump prior to codegen:
> 
> Graph after optimization:
> DFG for f#ECftdW:[0x106809800->0x1017ffd70, DFGFunctionCall]:
>   Fixpoint state: FixpointConverged; Form: ThreadedCPS; Unification state: GloballyUnified; Ref count state: ExactRefCount
> Block #0 (bc#0):  (OSR target)
>   Predecessors:
>   Phi Nodes:
>   vars before: arg0:(Top, TOP, TOP, TOP) : r0:(None, 0:<empty>, [], []) r1:(None, 0:<empty>, [], [])
>   var links: arg0:@0 : r0:- r1:-
>    0:  skipped  < 0:->    SetArgument(arg0(a), bc#0)
>    1:           < 2:1>    JSConstant(JS|UseAsOther, $2 = Undefined, bc#0)
>    2:           < 1:->    SetLocal(@1<Other>, NodeExitsForward, r0(B~), bc#0)  predicting StringOther
>    3:           < 2:2>    JSConstant(JS|UseAsOther, $0 = String: 
> , bc#1)
>   19:           <!0:->    Phantom(String:@3<String>, MustGen, bc#1)
>   20:           <!1:1>    ToPrimitive(@1<Other>, JS|MustGen|Clobbers|PureInt, bc#1)
>   21:           <!1:1>    ToString(@20<Other>, JS|MustGen|MightClobber|PureInt, bc#1)
>    4:           < 1:1>    MakeRope(KnownString:@3<String>, KnownString:@21<String>, JS|PureInt, bc#1)
>    5:  skipped  < 0:->    MovHint(@4<String>, r1(C~<String>), bc#1)
>    6:           <!0:->    Branch(@4<String>, MustGen|CanExit, T:#1, F:#2, bc#6)
>   vars after: arg0:(Top, TOP, TOP, TOP) : r0:(Other, 0:<empty>, [], [], Undefined) r1:(String, 1:NonArray, [0x1011efde0(string)], [0x1011efde0(string)])
>   var links: arg0:@0 : r0:@2 r1:@5
> Block #1 (bc#10):  (OSR target)
>   Predecessors: #0 #1
>   Phi Nodes:
>   vars before: arg0:(Other, 0:<empty>, [], [], Undefined) : r0:(String, 1:NonArray, [0x1011efde0(string)], [0x1011efde0(string)], String: foo) r1:(None, 0:<empty>, [], [])
>   var links: arg0:- : r0:- r1:-
>    8:           < 4:1>    JSConstant(JS|UseAsOther, $1 = String: foo, bc#10)
>    9:           < 1:->    SetLocal(@8<String>, NodeExitsForward, r0(B~), bc#10)  predicting StringOther
>   10:           <!0:2>    ArithNegate(Check:Int32:@8<String>, Number|MustGen|PureInt|MayOverflow|CanExit, bc#13)
>   11:  skipped  < 0:->    MovHint(@10<Int32>, r1(E~<Int32>), bc#13)
>   12:           < 2:2>    JSConstant(JS|UseAsOther, $0 = String: 
> , bc#16)
>   22:           <!0:->    Phantom(String:@12<String>, MustGen, bc#16)
>   23:           <!0:->    Phantom(String:@8<String>, MustGen, bc#16)
>   13:           < 1:1>    MakeRope(KnownString:@12<String>, KnownString:@8<String>, JS|PureInt, bc#16)
>   14:  skipped  < 0:->    MovHint(@13<String>, r1(F~<String>), bc#16)
>   15:           <!0:->    Branch(@13<String>, MustGen|CanExit, T:#1, F:#2, bc#21)
>   vars after: arg0:(None, 0:<empty>, [], []) : r0:(None, 0:<empty>, [], []) r1:(String, 1:NonArray, [0x1011efde0(string)], [0x1011efde0(string)])
>   var links: arg0:- : r0:@9 r1:@14
> Block #2 (bc#24): 
>   Predecessors: #0 #1
>   Phi Nodes: @25<1>->(@9, @2)
>   vars before: arg0:(None, 0:<empty>, [], []) : r0:(Other, 0:<empty>, [], [], Undefined) r1:(None, 0:<empty>, [], [])
>   var links: arg0:- : r0:@24 r1:-
>   24:           <!0:->    PhantomLocal(@25, MustGen, r0(B~), bc#24)  predicting StringOther
>   16:           < 1:1>    JSConstant(JS|UseAsOther, $2 = Undefined, bc#24)
>   17:           <!0:->    Return(@16, MustGen, bc#24)
>   vars after: arg0:(None, 0:<empty>, [], []) : r0:(None, 0:<empty>, [], []) r1:(None, 0:<empty>, [], [])
>   var links: arg0:- : r0:@24 r1:-
> 
> 
> 
> The assertion fires trying to compile node 13 when loading op2, an edge pointing to node 8 (a string) but the edge claims its register format is JSInteger.  I don't understand how.why the makes sense - the assertion implies that it is unexpected.

This is a harmless debug-only assertion.  We should get rid of that assertion at some point.

The DFG backend didn't realize that it unconditionally exited at node @10.  That's not really a bug.  In a release build, the backend will generate some bad code after the unconditional exit.  We don't care what code we generate after unconditional exits.

This assertion does systematically fire in code generated after unconditional exits.

We can either get rid of the assertion, or try to modify the DFG to know when it unconditionally exited.  I don't like the latter since it would be a lot of work just to silence an assertion.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list