[Webkit-unassigned] [Bug 229543] New: [JSC] ASSERT failed in stress/for-in-tests.js (32bit)

bugzilla-daemon at webkit.org
Thu Aug 26 01:26:51 PDT 2021


https://bugs.webkit.org/show_bug.cgi?id=229543

            Bug ID: 229543
           Summary: [JSC] ASSERT failed in stress/for-in-tests.js (32bit)
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: xan.lopez at gmail.com

Very likely introduced by r280760, very likely making other tests fail. Stack trace:

ASSERTION FAILED: currentLowest != NUM_REGS && currentSpillOrder != SpillHintInvalid
../../Source/JavaScriptCore/dfg/DFGRegisterBank.h(137) : JSC::DFG::RegisterBank<BankInfo>::RegID JSC::DFG::RegisterBank<BankInfo>::allocate(JSC::VirtualRegister&) [with BankInfo = JSC::GPRInfo; JSC::DFG::RegisterBank<BankInfo>::RegID = JSC::ARMRegisters::RegisterID]

Thread 1 "jsc" received signal SIGABRT, Aborted.
__libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
47      ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: No such file or directory.
(gdb) bt
#0  __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1  0xf5eeeea0 in __libc_signal_restore_set (set=0xfffebcac) at ../sysdeps/unix/sysv/linux/internal-signals.h:86
#2  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3  0xf5edf7a2 in __GI_abort () at abort.c:79
#4  0xf629a090 in CRASH_WITH_INFO(...) () at WTF/Headers/wtf/Assertions.h:750
#5  0xf68d1e9e in JSC::DFG::RegisterBank<JSC::GPRInfo>::allocate (this=0xf23f6224, spillMe=...) at ../../Source/JavaScriptCore/dfg/DFGRegisterBank.h:137
#6  0xf68cc656 in JSC::DFG::SpeculativeJIT::allocate (this=0xf23f6000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:237
#7  0xf68788c2 in JSC::DFG::GPRTemporary::GPRTemporary (this=0xfffebfec, jit=0xf23f6000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1600
#8  0xf68789e0 in JSC::DFG::JSValueRegsTemporary::JSValueRegsTemporary (this=0xfffebfe4, jit=0xf23f6000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1635
#9  0xf68a6e80 in operator() (__closure=0xfffec73c) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13597
#10 0xf68c5010 in WTF::ScopedLambdaFunctor<std::tuple<JSC::JSValueRegs, JSC::DataFormat>(JSC::DataFormat), JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal(JSC::DFG::Node*)::<lambda(JSC::GPRReg)>::<lambda(JSC::DataFormat)> >::implFunction(void *, JSC::DataFormat) (argument=0xfffec734, arguments#0=JSC::DataFormatJS)
    at WTF/Headers/wtf/ScopedLambda.h:106
#11 0xf68d4ca0 in WTF::ScopedLambda<std::tuple<JSC::JSValueRegs, JSC::DataFormat> (JSC::DataFormat)>::operator()<JSC::DataFormat>(JSC::DataFormat&&) const (this=0xfffec734)
    at WTF/Headers/wtf/ScopedLambda.h:58
#12 0xf6a417be in JSC::DFG::SpeculativeJIT::compileGetByVal(JSC::DFG::Node*, WTF::ScopedLambda<std::tuple<JSC::JSValueRegs, JSC::DataFormat> (JSC::DataFormat)> const&) (
    this=0xf23f6000, node=0xf371aa20, prefix=...) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:1881
#13 0xf68a7592 in operator() (__closure=0xfffec7ec, baseCellGPR=JSC::ARMRegisters::r2) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13584
#14 0xf68a776c in JSC::DFG::SpeculativeJIT::compileEnumeratorGetByVal (this=0xf23f6000, node=0xf371aa20) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13674
#15 0xf6a4b548 in JSC::DFG::SpeculativeJIT::compile (this=0xf23f6000, node=0xf371aa20) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:4232
#16 0xf687b9e0 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0xf23f6000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2291
#17 0xf687c042 in JSC::DFG::SpeculativeJIT::compile (this=0xf23f6000) at ../../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2401
#18 0xf673885e in JSC::DFG::JITCompiler::compileBody (this=0xfffed940) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:135
#19 0xf673a250 in JSC::DFG::JITCompiler::compileFunction (this=0xfffed940) at ../../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:437
#20 0xf67b59cc in JSC::DFG::Plan::compileInThreadImpl (this=0xf3799bc0) at ../../Source/JavaScriptCore/dfg/DFGPlan.cpp:343
#21 0xf6cb6f64 in JSC::JITPlan::compileInThread (this=0xf3799bc0, thread=0x0) at ../../Source/JavaScriptCore/jit/JITPlan.cpp:165
#22 0xf6cfe4e0 in JSC::JITWorklist::enqueue (this=0xf37c7360, plan=...) at ../../Source/JavaScriptCore/jit/JITWorklist.cpp:83
#23 0xf66de744 in JSC::DFG::compileImpl (vm=..., codeBlock=0xf1fad180, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., 
    mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:90
#24 0xf66de7f0 in JSC::DFG::compile (vm=..., codeBlock=0xf1fad180, profiledDFGCodeBlock=0x0, mode=JSC::JITCompilationMode::DFG, osrEntryBytecodeIndex=..., 
    mustHandleValues=..., callback=...) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:106
#25 0xf6cafb26 in JSC::operationOptimize (vmPointer=0xf25f5000, bytecodeIndexBits=0) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:2088
#26 0xf270d6bc in ?? ()
