[Webkit-unassigned] [Bug 121710] REGRESSION(r153215): New iCloud site crashes

Fri Sep 20 15:03:16 PDT 2013

https://bugs.webkit.org/show_bug.cgi?id=121710


--- Comment #5 from Oliver Hunt <oliver at apple.com>  2013-09-20 15:02:21 PST ---
(In reply to comment #4)
> (In reply to comment #3)
> > If we bring back the assertion here:
> >     for (m_indexInBlock = 0; m_indexInBlock < block.size(); ++m_indexInBlock) {
> >         m_currentNode = block[m_indexInBlock];
> > 
> >         // We may have his a contradiction that the CFA was aware of but that the JIT
> >         // didn't cause directly.
> >         if (!m_state.isValid()) {
> >             RELEASE_ASSERT_NOT_REACHED(); <---
> >             bail();
> >             return;
> >         }
> > 
> > We hit it, implying the CFA is deciding there's a contradiction:
> > 
> >   --> capitalize#AzCeyu:<0x117848e70, bc#39, Call, known callee: Cell: 0x117c18430 (0x10a93f270: Function, NonArray), numArgs+this = 3, stack >= r12>
> >     34:           <!0:->    InlineStart(MustGen, bc#0)
> >     35:  skipped  < 0:->    MovHint(@9<String>, r15(M~<String>), bc#1)
> >     36:           <!0:->    CheckStructure(Cell:@9<String>, MustGen|CanExit, struct(0x10a93d2f0: NonArray), bc#4)
> 
> Can you post the whole IR?  I have no idea, from looking at a CheckStructure node in isolation from everything else, why there's a contradiction.
> 
> Also, to be clear, putting a RELEASE_ASSERT_NOT_REACHED() when we bail at the top of a basic block is not correct.  It's fine if you're using it for your testing but it's totally OK for the CFA to decide that a basic block is unreachable.  It happens a lot.

I was using it for testing (i'm currently on r153215)

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.