126584 2014-01-07 10:51:03 -0800 ASSERT in compileArithNegate on pdfjs 2014-01-07 11:11:19 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 mhahnenberg fpizlo fpizlo mhahnenberg oldest_to_newest 965069 0 mhahnenberg 2014-01-07 10:51:03 -0800 Steps to repro: (1) Build a debug build (I used r161431). (2) Run pdfjs (3) ASSERT should fire 965070 1 fpizlo 2014-01-07 10:54:01 -0800 Backtrace? 965071 2 mhahnenberg 2014-01-07 10:54:21 -0800 ASSERTION FAILED: m_isCheckingArgumentTypes || m_canExit /Volumes/Data/WebKit-svn-clean/OpenSource/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(113) : void JSC::DFG::SpeculativeJIT::speculationCheck(JSC::ExitKind, JSC::JSValueSource, JSC::DFG::Node *, MacroAssembler::Jump) 1 0x100739c60 WTFCrash 2 0x1002a6f30 JSC::DFG::SpeculativeJIT::speculationCheck(JSC::ExitKind, JSC::JSValueSource, JSC::DFG::Node*, JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump) 3 0x1002b63fb JSC::DFG::SpeculativeJIT::compileArithNegate(JSC::DFG::Node*) 4 0x1002f6a67 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) 5 0x1002ada79 JSC::DFG::SpeculativeJIT::compileCurrentBlock() 6 0x1002ae276 JSC::DFG::SpeculativeJIT::compile() 7 0x100241034 JSC::DFG::JITCompiler::compileBody() 8 0x100242f60 JSC::DFG::JITCompiler::compileFunction() 9 0x1002a0e26 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) 10 0x1002a05c2 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) 11 0x10033e7f4 JSC::DFG::Worklist::runThread() 12 0x10033d8d5 JSC::DFG::Worklist::threadFunction(void*) 13 0x100788108 WTF::threadEntryPoint(void*) 14 0x100788eb8 WTF::wtfThreadEntryPoint(void*) 15 0x7fff898b8899 _pthread_body 16 0x7fff898b872a _pthread_struct_init 17 0x7fff898bcfc9 thread_start 965072 3 mhahnenberg 2014-01-07 10:55:01 -0800 More useful backtrace: frame #0: 0x0000000100739c6a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:341 frame #1: 0x00000001002a6f30 JavaScriptCore`JSC::DFG::SpeculativeJIT::speculationCheck(this=0x0000000106822200, kind=NegativeZero, jsValueSource=JSValueSource at 0x000000010a54acc8, node=0x0000000000000000, jumpToFail=Jump at 0x000000010a54acb8) + 128 at DFGSpeculativeJIT.cpp:113 frame #2: 0x00000001002b63fb JavaScriptCore`JSC::DFG::SpeculativeJIT::compileArithNegate(this=0x0000000106822200, node=0x000000010cfa9d80) + 1179 at DFGSpeculativeJIT.cpp:2906 frame #3: 0x00000001002f6a67 JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x0000000106822200, node=0x000000010cfa9d80) + 6663 at DFGSpeculativeJIT64.cpp:2419 frame #4: 0x00000001002ada79 JavaScriptCore`JSC::DFG::SpeculativeJIT::compileCurrentBlock(this=0x0000000106822200) + 1881 at DFGSpeculativeJIT.cpp:1431 frame #5: 0x00000001002ae276 JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x0000000106822200) + 182 at DFGSpeculativeJIT.cpp:1543 frame #6: 0x0000000100241034 JavaScriptCore`JSC::DFG::JITCompiler::compileBody(this=0x000000010a54fe80) + 36 at DFGJITCompiler.cpp:111 frame #7: 0x0000000100242f60 JavaScriptCore`JSC::DFG::JITCompiler::compileFunction(this=0x000000010a54fe80) + 416 at DFGJITCompiler.cpp:336 frame #8: 0x00000001002a0e26 JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x00000001062a8a50, longLivedState=0x000000010a550d00) + 1622 at DFGPlan.cpp:250 frame #9: 0x00000001002a05c2 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x00000001062a8a50, longLivedState=0x000000010a550d00) + 242 at DFGPlan.cpp:124 frame #10: 0x000000010033e7f4 JavaScriptCore`JSC::DFG::Worklist::runThread(this=0x000000010979e460) + 468 at DFGWorklist.cpp:240 frame #11: 0x000000010033d8d5 JavaScriptCore`JSC::DFG::Worklist::threadFunction(argument=0x000000010979e460) + 21 at DFGWorklist.cpp:261 frame #12: 0x0000000100788108 JavaScriptCore`WTF::threadEntryPoint(contextData=0x000000010979c7f0) + 152 at Threading.cpp:69 frame #13: 0x0000000100788eb8 JavaScriptCore`WTF::wtfThreadEntryPoint(param=0x000000010979ca00) + 296 at ThreadingPthreads.cpp:195 frame #14: 0x00007fff898b8899 libsystem_pthread.dylib`_pthread_body + 138 frame #15: 0x00007fff898b872a libsystem_pthread.dylib`_pthread_start + 137 frame #16: 0x00007fff898bcfc9 libsystem_pthread.dylib`thread_start + 13 965078 4 220534 fpizlo 2014-01-07 11:01:14 -0800 Created attachment 220534 the patch 965080 5 220534 mhahnenberg 2014-01-07 11:01:49 -0800 Comment on attachment 220534 the patch Whoops! r=me 965083 6 fpizlo 2014-01-07 11:11:19 -0800 Landed in http://trac.webkit.org/changeset/161438 220534 2014-01-07 11:01:14 -0800 2014-01-07 11:01:48 -0800 the patch blah.patch text/plain 1950 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTYxNDM2KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE1IEBA CisyMDE0LTAxLTA3ICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg QVNTRVJUIGluIGNvbXBpbGVBcml0aE5lZ2F0ZSBvbiBwZGZqcworICAgICAgICBodHRwczovL2J1 Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTI2NTg0CisKKyAgICAgICAgUmV2aWV3ZWQg YnkgTk9CT0RZIChPT1BTISkuCisgICAgICAgIAorICAgICAgICBDaGVjayBuZWdhdGl2ZSB6ZXJv IHdoZW4gd2Ugc2hvdWxkIGNoZWNrIGl0LCBub3Qgd2hlbiB3ZSBzaG91bGRuJ3QgY2hlY2sgaXQu IDotLworCisgICAgICAgICogZGZnL0RGR1NwZWN1bGF0aXZlSklULmNwcDoKKyAgICAgICAgKEpT Qzo6REZHOjpTcGVjdWxhdGl2ZUpJVDo6Y29tcGlsZUFyaXRoTmVnYXRlKToKKwogMjAxNC0wMS0w NiAgTWFyayBIYWhuZW5iZXJnICA8bWhhaG5lbmJlcmdAYXBwbGUuY29tPgogCiAgICAgICAgIEhl YXA6OmNvbGxlY3Qgc2hvdWxkbid0IGJlIHJlc3BvbnNpYmxlIGZvciBzd2VlcGluZwpJbmRleDog U291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJVC5jcHAKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdTcGVjdWxhdGl2ZUpJVC5jcHAJKHJl dmlzaW9uIDE2MTQzNikKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHU3BlY3VsYXRp dmVKSVQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC0yOTAwLDcgKzI5MDAsNyBAQCB2b2lkIFNwZWN1 bGF0aXZlSklUOjpjb21waWxlQXJpdGhOZWdhdGUoCiAgICAgICAgICAgICBHUFJSZWcgcmVzdWx0 R1BSID0gcmVzdWx0LmdwcigpOwogICAgICAgICAgICAgbV9qaXQubW92ZShvcDFHUFIsIHJlc3Vs dEdQUik7CiAgICAgICAgICAgICBtX2ppdC5uZWc2NChyZXN1bHRHUFIpOwotICAgICAgICAgICAg aWYgKCFzaG91bGRDaGVja05lZ2F0aXZlWmVybyhub2RlLT5hcml0aE1vZGUoKSkpIHsKKyAgICAg ICAgICAgIGlmIChzaG91bGRDaGVja05lZ2F0aXZlWmVybyhub2RlLT5hcml0aE1vZGUoKSkpIHsK ICAgICAgICAgICAgICAgICBzcGVjdWxhdGlvbkNoZWNrKAogICAgICAgICAgICAgICAgICAgICBO ZWdhdGl2ZVplcm8sIEpTVmFsdWVSZWdzKCksIDAsCiAgICAgICAgICAgICAgICAgICAgIG1faml0 LmJyYW5jaFRlc3Q2NChNYWNyb0Fzc2VtYmxlcjo6WmVybywgcmVzdWx0R1BSKSk7CkBAIC0yOTE3 LDcgKzI5MTcsNyBAQCB2b2lkIFNwZWN1bGF0aXZlSklUOjpjb21waWxlQXJpdGhOZWdhdGUoCiAg ICAgICAgIHNwZWN1bGF0aW9uQ2hlY2soCiAgICAgICAgICAgICBJbnQ1Mk92ZXJmbG93LCBKU1Zh bHVlUmVncygpLCAwLAogICAgICAgICAgICAgbV9qaXQuYnJhbmNoTmVnNjQoTWFjcm9Bc3NlbWJs ZXI6Ok92ZXJmbG93LCByZXN1bHRHUFIpKTsKLSAgICAgICAgaWYgKCFzaG91bGRDaGVja05lZ2F0 aXZlWmVybyhub2RlLT5hcml0aE1vZGUoKSkpIHsKKyAgICAgICAgaWYgKHNob3VsZENoZWNrTmVn YXRpdmVaZXJvKG5vZGUtPmFyaXRoTW9kZSgpKSkgewogICAgICAgICAgICAgc3BlY3VsYXRpb25D aGVjaygKICAgICAgICAgICAgICAgICBOZWdhdGl2ZVplcm8sIEpTVmFsdWVSZWdzKCksIDAsCiAg ICAgICAgICAgICAgICAgbV9qaXQuYnJhbmNoVGVzdDY0KE1hY3JvQXNzZW1ibGVyOjpaZXJvLCBy ZXN1bHRHUFIpKTsK