[Webkit-unassigned] [Bug 124371] New: ASSERT(divisor != 1) in JSC::DFG::SpeculativeJIT::compileArithMod

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 14 10:48:26 PST 2013 

https://bugs.webkit.org/show_bug.cgi?id=124371

           Summary: ASSERT(divisor != 1) in
                    JSC::DFG::SpeculativeJIT::compileArithMod
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: joepeck at webkit.org
                CC: oliver at apple.com, fpizlo at apple.com,
                    mhahnenberg at apple.com


At WebKit r159272.

Test: (assert.js)

    function foo(a, b)
    {
        var h = parseFloat(a);
        var l = parseFloat(b);
        h % 1
    }

    var result;
    for (var i = 0; i < 1000; ++i)
        result = foo(360, 100)

shell>  DYLD_FRAMEWORK_PATH=`pwd` ./jsc /Users/pecoraro/Desktop/assert.js 
ASSERTION FAILED: divisor != 1

shell> DYLD_FRAMEWORK_PATH=`pwd` ./jsc -p foo.txt /Users/pecoraro/Desktop/assert.js
ASSERTION FAILED: divisor != 1
/Volumes/Data/Code/safari/OpenSource/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(3543) : void JSC::DFG::SpeculativeJIT::compileArithMod(JSC::DFG::Node *)
1   0x1052d35d0 WTFCrash
2   0x104ed35f8 JSC::DFG::SpeculativeJIT::compileArithMod(JSC::DFG::Node*)
3   0x104f10f65 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
4   0x104ec929c JSC::DFG::SpeculativeJIT::compileCurrentBlock()
5   0x104ec9a96 JSC::DFG::SpeculativeJIT::compile()
6   0x104e5fe24 JSC::DFG::JITCompiler::compileBody()
7   0x104e61c4b JSC::DFG::JITCompiler::compileFunction()
8   0x104ebbe95 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
9   0x104ebb672 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&)
10  0x104f56274 JSC::DFG::Worklist::runThread()
11  0x104f55355 JSC::DFG::Worklist::threadFunction(void*)
12  0x105322738 WTF::threadEntryPoint(void*)
13  0x1053234e8 WTF::wtfThreadEntryPoint(void*)
14  0x7fff8fb94899 _pthread_body
15  0x7fff8fb9472a _pthread_struct_init
16  0x7fff8fb98fc9 thread_start
Segmentation fault: 11


Assert was added back with:
<http://trac.webkit.org/changeset/153186>
<https://webkit.org/b/116793> fourthTier: clean up ArithDiv/ArithMod in the DFG

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list