[Webkit-unassigned] [Bug 121710] REGRESSION(r153215): New iCloud site crashes

Fri Sep 20 15:00:31 PDT 2013

https://bugs.webkit.org/show_bug.cgi?id=121710

--- Comment #4 from Filip Pizlo <fpizlo at apple.com>  2013-09-20 14:59:36 PST ---
(In reply to comment #3)
> If we bring back the assertion here:
>     for (m_indexInBlock = 0; m_indexInBlock < block.size(); ++m_indexInBlock) {
>         m_currentNode = block[m_indexInBlock];
> 
>         // We may have his a contradiction that the CFA was aware of but that the JIT
>         // didn't cause directly.
>         if (!m_state.isValid()) {
>             RELEASE_ASSERT_NOT_REACHED(); <---
>             bail();
>             return;
>         }
> 
> We hit it, implying the CFA is deciding there's a contradiction:
> 
>   --> capitalize#AzCeyu:<0x117848e70, bc#39, Call, known callee: Cell: 0x117c18430 (0x10a93f270: Function, NonArray), numArgs+this = 3, stack >= r12>
>     34:           <!0:->    InlineStart(MustGen, bc#0)
>     35:  skipped  < 0:->    MovHint(@9<String>, r15(M~<String>), bc#1)
>     36:           <!0:->    CheckStructure(Cell:@9<String>, MustGen|CanExit, struct(0x10a93d2f0: NonArray), bc#4)

Can you post the whole IR?  I have no idea, from looking at a CheckStructure node in isolation from everything else, why there's a contradiction.

Also, to be clear, putting a RELEASE_ASSERT_NOT_REACHED() when we bail at the top of a basic block is not correct.  It's fine if you're using it for your testing but it's totally OK for the CFA to decide that a basic block is unreachable.  It happens a lot.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.