[Webkit-unassigned] [Bug 130106] DYEBench hits an assertion in JSC::DFG::DCEPhase::fixupBlock DFGDCEPhase.cpp(186)
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Mar 11 19:03:35 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=130106
--- Comment #2 from Ryosuke Niwa <rniwa at webkit.org> 2014-03-11 19:03:41 PST ---
It looks like m_graph.m_form is modified mid-way through the DCEPhase.
I did
+ GraphForm originalForm = m_graph.m_form;
if (m_graph.m_form == SSA) {
// Need to process the graph in reverse DFS order, so that we get to the uses
// of a node before we get to the node itself.
Vector<BasicBlock*> depthFirst;
m_graph.getBlocksInDepthFirstOrder(depthFirst);
- for (unsigned i = depthFirst.size(); i--;)
+ for (unsigned i = depthFirst.size(); i--;) {
fixupBlock(depthFirst[i]);
+ ASSERT(originalForm == m_graph.m_form);
+ }
} else {
RELEASE_ASSERT(m_graph.m_form == ThreadedCPS);
- for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex)
+ for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
fixupBlock(m_graph.block(blockIndex));
+ ASSERT(originalForm == m_graph.m_form);
+ }
cleanVariables(m_graph.m_arguments);
And I'm seeing this assertion being hit. Upon some investigation this is triggered by m_graph.dethread() added in the patch for the bug 130069.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list