[Webkit-unassigned] [Bug 152258] Enable FTL on FreeBSD

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Feb 11 23:32:53 PST 2016 

https://bugs.webkit.org/show_bug.cgi?id=152258

--- Comment #11 from Ting-Wei Lan <lantw44 at gmail.com> ---
The same crash problem can also be reproduced on GNU/Linux. It crashes when Octane Benchmark runs the TypeScript test. I think the crash is not FreeBSD-specific and I will upload a new patch to make FTL JIT build on FreeBSD.

Fedora 23 x86_64, WebKit trunk r196364.

ASSERTION FAILED: value.isUndefinedOrNull()
../../Source/JavaScriptCore/bytecode/SpeculatedType.cpp(394) : JSC::SpeculatedType JSC::speculationFromValue(JSC::JSValue)
1   0x7f4e86fc614d <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7f4e86fc614d]
2   0x7f4e866939da <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC20speculationFromValueENS_7JSValueE+0x13e) [0x7f4e866939da]
3   0x7f4e8663f6ca <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC16ValueProfileBaseILj1EE24computeUpdatedPredictionERKNS_19ConcurrentJITLockerE+0x6c) [0x7f4e8663f6ca]
4   0x7f4e86635c02 <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock36updateAllPredictionsAndCountLivenessERjS1_+0xc0) [0x7f4e86635c02]
5   0x7f4e86635cc7 <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock32updateAllValueProfilePredictionsEv+0x23) [0x7f4e86635cc7]
6   0x7f4e86635dd8 <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC9CodeBlock20updateAllPredictionsEv+0x18) [0x7f4e86635dd8]
7   0x7f4e86b14c24 <webkit_trunk>/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(+0x1ae0c24) [0x7f4e86b14c24]
8   0x7f4e1d0cf2d1 [0x7f4e1d0cf2d1]

[Backtrace provided by GDB]
Core was generated by `WebKitWebProcess'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f4e86fc6152 in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:321
#1  0x00007f4e866939da in JSC::speculationFromValue (value=...) at ../../Source/JavaScriptCore/bytecode/SpeculatedType.cpp:394
#2  0x00007f4e8663f6ca in JSC::ValueProfileBase<1u>::computeUpdatedPrediction (this=0x7f4d91d62ef8) at ../../Source/JavaScriptCore/bytecode/ValueProfile.h:145
#3  0x00007f4e86635c02 in JSC::CodeBlock::updateAllPredictionsAndCountLiveness (this=0x7f4e0280a520, numberOfLiveNonArgumentValueProfiles=@0x7ffe910dcdbc: 0, 
    numberOfSamplesInProfiles=@0x7ffe910dcdb8: 5) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:3847
#4  0x00007f4e86635cc7 in JSC::CodeBlock::updateAllValueProfilePredictions (this=0x7f4e0280a520) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:3863
#5  0x00007f4e86635dd8 in JSC::CodeBlock::updateAllPredictions (this=0x7f4e0280a520) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:3884
#6  0x00007f4e86b14c24 in JSC::operationOptimize (exec=0x7ffe910dd110, bytecodeIndex=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:1136
#7  0x00007f4e1d0cf2d1 in ?? ()
#8  0x00007ffe910dd030 in ?? ()
#9  0x00007f4e72805600 in ?? ()
#10 0x00007ffe910dd040 in ?? ()
#11 0x00007f4e8cf3a8dd in std::__get_helper<0ul, JSC::StructureIDTable::StructureOrOffset*, std::default_delete<JSC::StructureIDTable::StructureOrOffset []> > (
    __t=...) at /usr/include/c++/5.3.1/tuple:827
#12 0x00007f4e1d9b7b3e in ?? ()
#13 0x00007f4e0280a520 in ?? ()
#14 0x00007f4e0342f850 in ?? ()
#15 0x0000000100000008 in ?? ()
#16 0x00007f4e1a2b7c60 in ?? ()
#17 0xffff00007fe0fd2b in ?? ()
#18 0x00007f4d72ec3a90 in ?? ()
#19 0x0000000000000007 in ?? ()
#20 0x00007f4d00000006 in ?? ()
#21 0xffff000000000000 in ?? ()
#22 0xffff0000000faea3 in ?? ()
#23 0xffff0000000faeab in ?? ()
#24 0x00007f4d6e2e7e30 in ?? ()
#25 0x00007ffe910dd1d0 in ?? ()
#26 0x00007f4e8d7f8792 in JSC::JSArray::createWithButterfly (vm=..., structure=0x7ffe910dd270, butterfly=0xfae8c) at ../../Source/JavaScriptCore/runtime/JSArray.h:279
#27 0x00007f4e1de18d99 in ?? ()
#28 0x00007f4d91070100 in ?? ()
#29 0x00007f4e0342f8e0 in ?? ()
#30 0x0000000000000005 in ?? ()
#31 0x00007f4e1a2b7c60 in ?? ()
#32 0xffff00007fe0fd2b in ?? ()
#33 0x0000000000000007 in ?? ()
#34 0xffff000000000000 in ?? ()
#35 0x0000000000000006 in ?? ()
#36 0x00000001910dd2f0 in ?? ()
#37 0x00007f4e728055e8 in ?? ()
#38 0x00007ffe910dd300 in ?? ()
#39 0x00007f4e8cf39483 in JSC::JSCell::structure (this=0xffff000000000002) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:102
#40 0x00007f4e1cd220ba in ?? ()
#41 0x00007f4d934620e0 in ?? ()
#42 0x00007f4e0342f880 in ?? ()
#43 0x0000001000000005 in ?? ()
#44 0x00007f4e1a2b7c60 in ?? ()
#45 0xffff00007fe0fd2b in ?? ()
#46 0xffff000000000001 in ?? ()
#47 0x0000000000000007 in ?? ()
#48 0xffff000000000000 in ?? ()
#49 0x0000000000000006 in ?? ()
#50 0x000000000000000a in ?? ()
#51 0x0000000000000007 in ?? ()
#52 0x00007f4e8d25b1c4 in JSC::JSValue::isDouble (this=0xffff000000000002) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:420
#53 0x00007f4e1d0cfe9b in ?? ()
#54 0x00007f4dab8cc100 in ?? ()
#55 0x00007f4e0342fbe0 in ?? ()
#56 0x0000000500000002 in ?? ()
#57 0x00007f4e1a2b7c60 in ?? ()
#58 0xffff00007fe0fd2a in ?? ()
#59 0x00007f4e0389d6c0 in ?? ()
#60 0x00007f4e1aaa3580 in ?? ()
#61 0x00007f4e028e3e20 in ?? ()
#62 0xffff00000000001c in ?? ()
#63 0x00007f4dd5416be0 in ?? ()
#64 0x00007f4e0342fbe0 in ?? ()
#65 0x00007f4e030828c0 in ?? ()
#66 0x00007f4e028e3e20 in ?? ()
#67 0x00007f4e0389d6c0 in ?? ()
#68 0x00007f4e1aaa3580 in ?? ()
#69 0xffff000000000037 in ?? ()
#70 0x00007f4dd00cb8c0 in ?? ()
#71 0x000000000000000a in ?? ()
#72 0x000000000000000a in ?? ()
#73 0x00007f4d72ec3ac0 in ?? ()
#74 0x000000000000000a in ?? ()
#75 0xffff000000000000 in ?? ()
#76 0xffff0000000fae91 in ?? ()
#77 0x00007f4e1aaa3580 in ?? ()
#78 0x00007f4e1aaa3580 in ?? ()
#79 0xffff000000000002 in ?? ()
#80 0xffff000000000000 in ?? ()
#81 0xffff0000000fae8c in ?? ()
#82 0x00007ffe910dd7e0 in ?? ()
#83 0x00007f4e1d9b7b3e in ?? ()
#84 0x00007f4e0280a520 in ?? ()
#85 0x00007f4e0342f850 in ?? ()
#86 0x000001a700000008 in ?? ()
#87 0x00007f4e1a2b7c60 in ?? ()
#88 0xffff00007fe0fd2a in ?? ()
#89 0x00007f4dd5416be0 in ?? ()
#90 0x0000000000000007 in ?? ()
#91 0x00007f4d00000006 in ?? ()
#92 0xffff000000000000 in ?? ()
#93 0xffff0000000fae8c in ?? ()
#94 0xffff0000000fae90 in ?? ()
#95 0x00007f4d6e2e7e60 in ?? ()
#96 0x00007ffe910dd740 in ?? ()
#97 0x00007f4e8d7f8792 in JSC::JSArray::createWithButterfly (vm=..., structure=0xffff0000000fae91, butterfly=0xffff000000000000)
    at ../../Source/JavaScriptCore/runtime/JSArray.h:279

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160212/d713f210/attachment.html>

More information about the webkit-unassigned mailing list