119794 2013-08-14 04:55:19 -0700 [DFG] isDouble(edge.useKind()) assertion fail 2013-08-16 02:37:28 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 jbriance webkit-unassigned commit-queue fpizlo ggaren kilvadyb mhahnenberg msaboff oliver oldest_to_newest 917084 0 jbriance 2013-08-14 04:55:19 -0700 On 32-bit sh4 and mips debug build, many SunSpider 1.0 JSC tests fail: ASSERTION FAILED: mode == ManualOperandSpeculation || isDouble(edge.useKind()) /local/jbriance/webkit-mips/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h(2694) : JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge, JSC::DFG::OperandSpeculationMode) FATAL ERROR: CRASH() called. Backtrace looks always the same. For instance, on my sh4 board: (gdb) bt #0 0x00000000 in ?? () #1 0x00a77d8a in WTFCrash () at /local/jbriance/webkit-dfg-sh4Source/WTF/wtf/Assertions.cpp:347 #2 0x00761eba in SpeculateDoubleOperand (this=0x7bec23d8, jit=0xedcb18, edge=..., mode=JSC::DFG::AutomaticOperandSpeculation) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2703 #3 0x0073f08a in JSC::DFG::SpeculativeJIT::compileDoubleAsInt32 (this=0xedcb18, node=0x2bc31814) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2456 #4 0x0078d9e2 in JSC::DFG::SpeculativeJIT::compile (this=0xedcb18, node=0x2bc31814) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2214 #5 0x0073ac68 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0xedcb18) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1804 #6 0x0073b538 in JSC::DFG::SpeculativeJIT::compile (this=0xedcb18) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1918 #7 0x006c7944 in JSC::DFG::JITCompiler::compileBody (this=0x7bec4778) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:117 #8 0x006c9ea0 in JSC::DFG::JITCompiler::compileFunction (this=0x7bec4778) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:382 #9 0x00716950 in JSC::DFG::Plan::compileInThreadImpl (this=0xee3e28, longLivedState=...) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGPlan.cpp:256 #10 0x007161ee in JSC::DFG::Plan::compileInThread (this=0xee3e28, longLivedState=...) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGPlan.cpp:113 #11 0x0069ba26 in compile (compileMode=JSC::DFG::CompileFunction, exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=0x2bbffacc, osrEntryBytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGDriver.cpp:127 #12 0x0069bba4 in JSC::DFG::tryCompileFunction (exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGDriver.cpp:138 #13 0x0095b1c4 in JSC::jitCompileFunctionIfAppropriateImpl (exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=89, effort=JSC::JITCompilationCanFail) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/jit/JITDriver.h:98 #14 0x0095b620 in JSC::prepareFunctionForExecutionImpl (exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=89, kind=JSC::CodeForCall) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/ExecutionHarness.h:84 #15 0x0095b6c2 in JSC::prepareFunctionForExecution (exec=0x2b62b130, sink=..., codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., numParameters=@0x2bbffab4, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=89, kind=JSC::CodeForCall) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/ExecutionHarness.h:138 #16 0x00958c0c in JSC::FunctionExecutable::compileForCallInternal (this=0x2bbffab0, exec=0x2b62b130, scope=0x2ba7fc38, jitType=JSC::JITCode::DFGJIT, result=0x7bec5004, bytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/Executable.cpp:561 #17 0x009581ec in JSC::FunctionExecutable::compileOptimizedForCall (this=0x2bbffab0, exec=0x2b62b130, scope=0x2ba7fc38, result=@0x7bec5004, bytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/Executable.cpp:480 #18 0x004c7716 in JSC::FunctionExecutable::compileOptimizedFor (this=0x2bbffab0, exec=0x2b62b130, scope=0x2ba7fc38, result=@0x7bec5004, bytecodeIndex=89, kind=JSC::CodeForCall) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/Executable.h:691 #19 0x004be7ee in JSC::FunctionCodeBlock::compileOptimized (this=0xedeb30, exec=0x2b62b130, scope=0x2ba7fc38, result=@0x7bec5004, bytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/bytecode/CodeBlock.cpp:2744 #20 0x00840b64 in JITStubThunked_optimize (args=0x7bec5060) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/jit/JITStubs.cpp:1046 #21 0x008404bc in cti_optimize () at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/jit/JITStubs.cpp:888 917085 1 jbriance 2013-08-14 04:58:22 -0700 I think the problem is not seen on X86 32-bit, X86 64-bit and Apple ARMv7S because of the following code in DFGFixupPhase.cpp: case ArithMod: { if (Node::shouldSpeculateIntegerForArithmetic(node->child1().node(), node->child2().node()) && node->canSpeculateInteger()) { if (isX86() || isARMv7s()) { setUseKindAndUnboxIfProfitable<Int32Use>(node->child1()); setUseKindAndUnboxIfProfitable<Int32Use>(node->child2()); break; } 917086 2 208715 jbriance 2013-08-14 05:15:44 -0700 Created attachment 208715 isDouble() and isNumerical() should return true with KnownNumberUse UseKind. This patch solves the issue for sh4 & mips, but as I'm clearly not an expert of this area in DFG, I'd like someone confirms this is the right way to fix this. 917711 3 208715 fpizlo 2013-08-15 14:38:26 -0700 Comment on attachment 208715 isDouble() and isNumerical() should return true with KnownNumberUse UseKind. Good, but please add tests. 917714 4 208715 fpizlo 2013-08-15 14:47:17 -0700 Comment on attachment 208715 isDouble() and isNumerical() should return true with KnownNumberUse UseKind. Let's land this puppy. But please add a layout test if at all possible. 917727 5 208715 commit-queue 2013-08-15 15:12:15 -0700 Comment on attachment 208715 isDouble() and isNumerical() should return true with KnownNumberUse UseKind. Clearing flags on attachment: 208715 Committed r154141: <http://trac.webkit.org/changeset/154141> 917728 6 commit-queue 2013-08-15 15:12:17 -0700 All reviewed patches have been landed. Closing bug. 917866 7 jbriance 2013-08-16 02:37:28 -0700 (In reply to comment #4) > (From update of attachment 208715 [details]) > Let's land this puppy. But please add a layout test if at all possible. Many layout tests are already covering this issue. For instance: - LayoutTests/fast/js/dfg-mod-by-neg1-and-then-or-zero-interesting-reg-alloc.js - LayoutTests/fast/js/dfg-mod-by-zero-and-then-or-zero-interesting-reg-alloc.js - LayoutTests/fast/js/dfg-mod-neg2tothe31-by-one-and-then-or-zero-with-interesting-reg-alloc.js Most of the SunSpider 1.0 tests too: - SunSpider/tests/sunspider-1.0/3d-raytrace.js - SunSpider/tests/sunspider-1.0/crypto-aes.js - SunSpider/tests/sunspider-1.0/crypto-md5.js - SunSpider/tests/sunspider-1.0/crypto-sha1.js - SunSpider/tests/sunspider-1.0/date-format-xparb.js - SunSpider/tests/sunspider-1.0/string-base64.js - SunSpider/tests/sunspider-1.0/string-fasta.js - SunSpider/tests/sunspider-1.0/string-unpack-code.js - SunSpider/tests/sunspider-1.0/string-validate-input.js - SunSpider/tests/sunspider-1.0/math-spectral-norm.js In fact, any test using modulo (ArithMod in DFGFixupPhase.cpp) on a debug build which is not X86 or ARMv7s will stimulate the issue. For instance, this dummy JavaScript test will stimulate it: result = 0; for (i=1; i<100000; i++) { result += i; result %= i; } Although the issue is already covered by many layout tests, do you think I should add another one ? 208715 2013-08-14 05:15:44 -0700 2013-08-15 15:12:15 -0700 isDouble() and isNumerical() should return true with KnownNumberUse UseKind. bug-119794.patch text/plain 1406 jbriance SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTU0MDQ1KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE2IEBA CisyMDEzLTA4LTE0ICBKdWxpZW4gQnJpYW5jZWF1ICA8amJyaWFuY2VhdUBuZHMuY29tPgorCisg ICAgICAgIFtERkddIGlzRG91YmxlKCkgYW5kIGlzTnVtZXJpY2FsKCkgc2hvdWxkIHJldHVybiB0 cnVlIHdpdGggS25vd25OdW1iZXJVc2UgVXNlS2luZC4KKyAgICAgICAgaHR0cHM6Ly9idWdzLndl YmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTExOTc5NAorCisgICAgICAgIFJldmlld2VkIGJ5IE5P Qk9EWSAoT09QUyEpLgorCisgICAgICAgIFRoaXMgcGF0Y2ggZml4ZXMgQVNTRVJUcyBmYWlsdXJl cyBpbiBkZWJ1ZyBidWlsZHMgZm9yIHNoNCBhbmQgbWlwcyBhcmNoaXRlY3R1cmUuCisKKyAgICAg ICAgKiBkZmcvREZHVXNlS2luZC5oOgorICAgICAgICAoSlNDOjpERkc6OmlzTnVtZXJpY2FsKToK KyAgICAgICAgKEpTQzo6REZHOjppc0RvdWJsZSk6CisKIDIwMTMtMDgtMTMgIEZpbGlwIFBpemxv ICA8ZnBpemxvQGFwcGxlLmNvbT4KIAogICAgICAgICBVbnJldmlld2VkLCBmaXggYnVpbGQuCklu ZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1VzZUtpbmQuaAo9PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0t LSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR1VzZUtpbmQuaAkocmV2aXNpb24gMTU0MDQz KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdVc2VLaW5kLmgJKHdvcmtpbmcgY29w eSkKQEAgLTEyNCw2ICsxMjQsNyBAQCBBTFdBWVNfSU5MSU5FIGJvb2wgaXNOdW1lcmljYWwoVXNl S2luZCBrCiAgICAgY2FzZSBLbm93bkludDMyVXNlOgogICAgIGNhc2UgUmVhbE51bWJlclVzZToK ICAgICBjYXNlIE51bWJlclVzZToKKyAgICBjYXNlIEtub3duTnVtYmVyVXNlOgogICAgICAgICBy ZXR1cm4gdHJ1ZTsKICAgICBkZWZhdWx0OgogICAgICAgICByZXR1cm4gZmFsc2U7CkBAIC0xMzYs NiArMTM3LDcgQEAgQUxXQVlTX0lOTElORSBib29sIGlzRG91YmxlKFVzZUtpbmQga2luZAogICAg IGNhc2UgS25vd25JbnQzMlVzZToKICAgICBjYXNlIFJlYWxOdW1iZXJVc2U6CiAgICAgY2FzZSBO dW1iZXJVc2U6CisgICAgY2FzZSBLbm93bk51bWJlclVzZToKICAgICAgICAgcmV0dXJuIHRydWU7 CiAgICAgZGVmYXVsdDoKICAgICAgICAgcmV0dXJuIGZhbHNlOwo=