[Webkit-unassigned] [Bug 130106] DYEBench hits an assertion in JSC::DFG::DCEPhase::fixupBlock DFGDCEPhase.cpp(186)
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Mar 11 19:05:39 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=130106
--- Comment #3 from Filip Pizlo <fpizlo at apple.com> 2014-03-11 19:05:45 PST ---
(In reply to comment #2)
> It looks like m_graph.m_form is modified mid-way through the DCEPhase.
>
> I did
>
> + GraphForm originalForm = m_graph.m_form;
> if (m_graph.m_form == SSA) {
> // Need to process the graph in reverse DFS order, so that we get to the uses
> // of a node before we get to the node itself.
> Vector<BasicBlock*> depthFirst;
> m_graph.getBlocksInDepthFirstOrder(depthFirst);
> - for (unsigned i = depthFirst.size(); i--;)
> + for (unsigned i = depthFirst.size(); i--;) {
> fixupBlock(depthFirst[i]);
> + ASSERT(originalForm == m_graph.m_form);
> + }
> } else {
> RELEASE_ASSERT(m_graph.m_form == ThreadedCPS);
>
> - for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
> + for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
> fixupBlock(m_graph.block(blockIndex));
> + ASSERT(originalForm == m_graph.m_form);
> + }
>
> cleanVariables(m_graph.m_arguments);
>
> And I'm seeing this assertion being hit. Upon some investigation this is triggered by m_graph.dethread() added in the patch for the bug 130069.
Thanks for finding this. I will fix the other patch before landing and add a test. We don't need this bug since this bug doesn't apply to ToT.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list