91074 – ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes

RESOLVED FIXED 91074

ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes

https://bugs.webkit.org/show_bug.cgi?id=91074

Summary ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes

Tomeu Vizoso

Reported 2012-07-12 04:47:22 PDT

[tomeu@cizrna (master) build]$ ./Programs/GtkLauncher --enable-webgl=1 --enable-accelerated-compositing=1 http://uglyhack.appspot.com/boingy/ ** Message: console message: http://uglyhack.appspot.com/boingy/ @99: THREE.WebGLRenderer ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h(2128) : void JSC::DFG::SpeculativeJIT::speculationCheck(JSC::DFG::ExitKind, JSC::DFG::JSValueSource, JSC::DFG::NodeIndex, JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump) Program received signal SIGSEGV, Segmentation fault. 0x00007ffff23e71f1 in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x7fffffff96b0, kind=JSC::DFG::BadType, jsValueSource=..., nodeIndex=169, jumpToFail=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2129 2129 ASSERT(at(m_compileIndex).canExit() || m_isCheckingArgumentTypes); (gdb) bt #0 0x00007ffff23e71f1 in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x7fffffff96b0, kind=JSC::DFG::BadType, jsValueSource=..., nodeIndex=169, jumpToFail=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2129 #1 0x00007ffff23ccef0 in JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality (this=0x7fffffff96b0, leftChild=..., rightChild=..., branchNodeIndex=172, classInfo= 0x7ffff29d91e0, speculatedTypeChecker= 0x7ffff230405a <JSC::isFinalObjectSpeculation(unsigned int)>) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1665 #2 0x00007ffff23fd21a in JSC::DFG::SpeculativeJIT::compilePeepHoleBranch (this= 0x7fffffff96b0, node=..., condition=JSC::MacroAssemblerX86Common::Equal, doubleCondition=JSC::MacroAssemblerX86Common::DoubleEqual, operation= 0x7ffff23a96ea <JSC::DFG::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue)>) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:891 #3 0x00007ffff2406e90 in JSC::DFG::SpeculativeJIT::compare (this=0x7fffffff96b0, node=..., condition=JSC::MacroAssemblerX86Common::Equal, doubleCondition=JSC::MacroAssemblerX86Common::DoubleEqual, operation= 0x7ffff23a96ea <JSC::DFG::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue)>) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2656 #4 0x00007ffff23d1117 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff96b0, node=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2358 #5 0x00007ffff23fe1da in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff96b0, block=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1106 #6 0x00007ffff23ff7ef in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff96b0) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1328 #7 0x00007ffff239f82c in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffa670, speculative=...) at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:91 #8 0x00007ffff23a07ad in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffa670, entry=..., entryWithArityCheck=...) at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:268 #9 0x00007ffff239628a in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec= 0x7fff7fc00370, codeBlock=0x23ab6d0, jitCode=..., jitCodeWithArityCheck=0x7fffa02fc878) at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:123 #10 0x00007ffff2395a6d in JSC::DFG::tryCompileFunction (exec=0x7fff7fc00370, codeBlock= 0x23ab6d0, jitCode=..., jitCodeWithArityCheck=...) at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:141 #11 0x00007ffff252648f in JSC::jitCompileFunctionIfAppropriate (exec=0x7fff7fc00370, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable= @0x7fffa02fc8e8: 0x2340e90, jitType=JSC::JITCode::DFGJIT, effort=JSC::JITCompilationCanFail) at ../Source/JavaScriptCore/jit/JITDriver.h:95 #12 0x00007ffff2526744 in JSC::prepareFunctionForExecution (exec=0x7fff7fc00370, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable= @0x7fffa02fc8e8: 0x2340e90, jitType=JSC::JITCode::DFGJIT, kind=JSC::CodeForCall) at ../Source/JavaScriptCore/runtime/ExecutionHarness.h:64 #13 0x00007ffff252458e in JSC::FunctionExecutable::compileForCallInternal (this= 0x7fffa02fc820, exec=0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0, jitType=JSC::JITCode::DFGJIT) at ../Source/JavaScriptCore/runtime/Executable.cpp:529 #14 0x00007ffff25239df in JSC::FunctionExecutable::compileOptimizedForCall (this= 0x7fffa02fc820, exec=0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0) ---Type <return> to continue, or q <return> to quit---q at ../Source/JavaScripQuit (gdb) set height 0 (gdb) bt #0 0x00007ffff23e71f1 in JSC::DFG::SpeculativeJIT::speculationCheck (this=0x7fffffff96b0, kind=JSC::DFG::BadType, jsValueSource=..., nodeIndex=169, jumpToFail=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2129 #1 0x00007ffff23ccef0 in JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality (this=0x7fffffff96b0, leftChild=..., rightChild=..., branchNodeIndex=172, classInfo= 0x7ffff29d91e0, speculatedTypeChecker= 0x7ffff230405a <JSC::isFinalObjectSpeculation(unsigned int)>) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1665 #2 0x00007ffff23fd21a in JSC::DFG::SpeculativeJIT::compilePeepHoleBranch (this= 0x7fffffff96b0, node=..., condition=JSC::MacroAssemblerX86Common::Equal, doubleCondition=JSC::MacroAssemblerX86Common::DoubleEqual, operation= 0x7ffff23a96ea <JSC::DFG::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue)>) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:891 #3 0x00007ffff2406e90 in JSC::DFG::SpeculativeJIT::compare (this=0x7fffffff96b0, node=..., condition=JSC::MacroAssemblerX86Common::Equal, doubleCondition=JSC::MacroAssemblerX86Common::DoubleEqual, operation= 0x7ffff23a96ea <JSC::DFG::operationCompareEq(JSC::ExecState*, JSC::EncodedJSValue, JSC::EncodedJSValue)>) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2656 #4 0x00007ffff23d1117 in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff96b0, node=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2358 #5 0x00007ffff23fe1da in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff96b0, block=...) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1106 #6 0x00007ffff23ff7ef in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff96b0) at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1328 #7 0x00007ffff239f82c in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffa670, speculative=...) at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:91 #8 0x00007ffff23a07ad in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffa670, entry=..., entryWithArityCheck=...) at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:268 #9 0x00007ffff239628a in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec= 0x7fff7fc00370, codeBlock=0x23ab6d0, jitCode=..., jitCodeWithArityCheck=0x7fffa02fc878) at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:123 #10 0x00007ffff2395a6d in JSC::DFG::tryCompileFunction (exec=0x7fff7fc00370, codeBlock= 0x23ab6d0, jitCode=..., jitCodeWithArityCheck=...) at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:141 #11 0x00007ffff252648f in JSC::jitCompileFunctionIfAppropriate (exec=0x7fff7fc00370, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable= @0x7fffa02fc8e8: 0x2340e90, jitType=JSC::JITCode::DFGJIT, effort=JSC::JITCompilationCanFail) at ../Source/JavaScriptCore/jit/JITDriver.h:95 #12 0x00007ffff2526744 in JSC::prepareFunctionForExecution (exec=0x7fff7fc00370, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable= @0x7fffa02fc8e8: 0x2340e90, jitType=JSC::JITCode::DFGJIT, kind=JSC::CodeForCall) at ../Source/JavaScriptCore/runtime/ExecutionHarness.h:64 #13 0x00007ffff252458e in JSC::FunctionExecutable::compileForCallInternal (this= 0x7fffa02fc820, exec=0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0, jitType=JSC::JITCode::DFGJIT) at ../Source/JavaScriptCore/runtime/Executable.cpp:529 #14 0x00007ffff25239df in JSC::FunctionExecutable::compileOptimizedForCall (this= 0x7fffa02fc820, exec=0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0) at ../Source/JavaScriptCore/runtime/Executable.cpp:440 #15 0x00007ffff22d977b in JSC::FunctionExecutable::compileOptimizedFor (this=0x7fffa02fc820, exec=0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0, kind=JSC::CodeForCall) at ../Source/JavaScriptCore/runtime/Executable.h:611 #16 0x00007ffff22d5ea1 in JSC::FunctionCodeBlock::compileOptimized (this=0x2354b00, exec= 0x7fff7fc00370, scopeChainNode=0x7fffa8102ec0) at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2690 #17 0x00007ffff247bdff in JSC::cti_optimize (args=0x7fffffffca90) at ../Source/JavaScriptCore/jit/JITStubs.cpp:1990 #18 0x00007ffff2478387 in JSC::JITThunks::tryCacheGetByID (callFrame=0xffffc9a0, codeBlock= Python Exception <class 'gdb.error'> There is no member or method named m_hashAndFlags.: 0x7ffff22d977b, returnAddress=..., baseValue=..., propertyName=, slot=..., stubInfo= 0x7fff00000000) at ../Source/JavaScriptCore/jit/JITStubs.cpp:975 #19 0x00007fffffffcac0 in ?? () #20 0x00007fff00000000 in ?? () #21 0x00007fffa801c180 in ?? () #22 0x0000000000000002 in ?? () #23 0x00007fff00000004 in ?? () #24 0x00007fff7c177de0 in ?? () #25 0x00007fffffffcaf0 in ?? () #26 0x00007ffff229fa43 in JSC::JSValue::decode (ptr=0x45e7e8c78948104d) at ../Source/JavaScriptCore/runtime/JSValueInlineMethods.h:336 Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Attachments
the patch (42.24 KB, patch) 2012-08-02 16:53 PDT, Filip Pizlo	mhahnenberg: review+ webkit.review.bot: commit-queue-	Details Formatted Diff Diff
Archive of layout-test-results from gce-cr-linux-03 (600.53 KB, application/zip) 2012-08-02 19:00 PDT, WebKit Review Bot	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Chang Shu

Comment 1 2012-07-30 11:28:39 PDT

I observed the same callstack with my local debug build on Mac.

Filip Pizlo

Comment 2 2012-07-30 11:55:41 PDT

(In reply to comment #1) > I observed the same callstack with my local debug build on Mac. Same website or different website?

Chang Shu

Comment 3 2012-07-30 12:42:57 PDT

(In reply to comment #2) > (In reply to comment #1) > > I observed the same callstack with my local debug build on Mac. > > Same website or different website? I was running a local javascript. I will see if I can simplify the code.

Chang Shu

Comment 4 2012-07-31 07:37:25 PDT

(In reply to comment #3) > (In reply to comment #2) > > (In reply to comment #1) > > > I observed the same callstack with my local debug build on Mac. > > > > Same website or different website? > > I was running a local javascript. I will see if I can simplify the code. I am not able to simplify the code yet. But what I know is this is a regression happened sometime after early April.

Filip Pizlo

Comment 5 2012-08-02 16:53:12 PDT

(In reply to comment #4) > (In reply to comment #3) > > (In reply to comment #2) > > > (In reply to comment #1) > > > > I observed the same callstack with my local debug build on Mac. > > > > > > Same website or different website? > > > > I was running a local javascript. I will see if I can simplify the code. > > I am not able to simplify the code yet. But what I know is this is a regression happened sometime after early April. I found the bug, and came up with a reduced case. Patch forthcoming, with tests. Thanks for reporting this, btw. After fixing the bug I found myself flinging the boingy dude around for probably a whole 10 minutes. Cool stuff.

Filip Pizlo

Comment 6 2012-08-02 16:53:35 PDT

Created attachment 156206 [details] the patch

Mark Hahnenberg

Comment 7 2012-08-02 17:03:11 PDT

Comment on attachment 156206 [details] the patch r=me

WebKit Review Bot

Comment 8 2012-08-02 19:00:25 PDT

Comment on attachment 156206 [details] the patch Attachment 156206 [details] did not pass chromium-ews (chromium-xvfb): Output: http://queues.webkit.org/results/13430215 New failing tests: fast/js/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object.html fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object.html fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html

WebKit Review Bot

Comment 9 2012-08-02 19:00:29 PDT

Created attachment 156237 [details] Archive of layout-test-results from gce-cr-linux-03 The attached test failures were seen while running run-webkit-tests on the chromium-ews. Bot: gce-cr-linux-03 Port: <class 'webkitpy.common.config.ports.ChromiumXVFBPort'> Platform: Linux-2.6.39-gcg-201203291735-x86_64-with-Ubuntu-10.04-lucid

Filip Pizlo

Comment 10 2012-08-03 09:46:32 PDT

Landed in http://trac.webkit.org/changeset/124555, http://trac.webkit.org/changeset/124557, and http://trac.webkit.org/changeset/124558

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Filip Pizlo

Reported

2012-07-12 04:47 PDT

Modified

2012-08-06 03:16 PDT History

CC List

5 users Show

URL

http://uglyhack.appspot.com/boingy/

Keywords

Depends on

93246

Blocks

Dependencies

tree graph