Bug 112106

Summary: REGRESSION(r144131): It made fast/js/regress/string-repeat-arith.html assert on 32 bit
Product: WebKit Reporter: Csaba Osztrogonác <ossy>
Component: JavaScriptCore    Assignee: Mark Hahnenberg <mhahnenberg>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, kadam, mhahnenberg, oliver, ossy, zarvai
Priority: P1 Keywords: Qt, QtTriaged
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 79668, 110433    
Attachments:
Patch (Flags: fpizlo: review-)

Description Csaba Osztrogonác 2013-03-11 23:27:56 PDT
r144131 made fast/js/regress/string-repeat-arith.html assert on 32 bit,
for example on the Qt 32 bit debug bot. Here is a GDB backtrace to help
fix the regression:

$ gdb WebKitBuild/Debug/bin/DumpRenderTree
GNU gdb (Ubuntu/Linaro 7.4-2012.02-0ubuntu2) 7.4-2012.02
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /home/oszi/WebKit/WebKitBuild/Debug/bin/DumpRenderTree...done.
(gdb) run LayoutTests/fast/js/regress/string-repeat-arith.html
Starting program: /home/oszi/WebKit/WebKitBuild/Debug/bin/DumpRenderTree LayoutTests/fast/js/regress/string-repeat-arith.html
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".
[New Thread 0xf00cab40 (LWP 16009)]
[New Thread 0xef6ffb40 (LWP 16011)]
[Thread 0xef6ffb40 (LWP 16011) exited]
[New Thread 0xef6ffb40 (LWP 16012)]
[New Thread 0xee860b40 (LWP 16013)]
ASSERTION FAILED: m_isCheckingArgumentTypes || m_canExit
/home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(308) : void JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution(JSC::ExitKind, JSC::DFG::JSValueRegs, JSC::DFG::Node*)
1   0xf608ce7e /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1b97e7e) [0xf608ce7e]
2   0xf6094354 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1b9f354) [0xf6094354]
3   0xf60945e1 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1b9f5e1) [0xf60945e1]
4   0xf60be070 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1bc9070) [0xf60be070]
5   0xf60925e2 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1b9d5e2) [0xf60925e2]
6   0xf6092ce6 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1b9dce6) [0xf6092ce6]
7   0xf605e757 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1b69757) [0xf605e757]
8   0xf605f641 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1b6a641) [0xf605f641]
9   0xf60508a3 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1b5b8a3) [0xf60508a3]
10  0xf605009e /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1b5b09e) [0xf605009e]
11  0xf61e4e48 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1cefe48) [0xf61e4e48]
12  0xf61e527b /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1cf027b) [0xf61e527b]
13  0xf61e1145 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1cec145) [0xf61e1145]
14  0xf61e0e15 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1cebe15) [0xf61e0e15]
15  0xf5f4cf3a /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1a57f3a) [0xf5f4cf3a]
16  0xf6136696 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1c41696) [0xf6136696]
17  0xf61334fe /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1c3e4fe) [0xf61334fe]
18  0x81735b0 [0x81735b0]
19  0xf60fdc27 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1c08c27) [0xf60fdc27]
20  0xf60fb4d5 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x1c064d5) [0xf60fb4d5]
21  0xf61d7d64 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(_ZN3JSC8evaluateEPNS_9ExecStateERKNS_10SourceCodeENS_7JSValueEPS5_+0x213) [0xf61d7d64]
22  0xf4af6112 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x601112) [0xf4af6112]
23  0xf4b13459 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x61e459) [0xf4b13459]
24  0xf4b1356a /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x61e56a) [0xf4b1356a]
25  0xf4e134c6 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0x91e4c6) [0xf4e134c6]
26  0xf4fb456a /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xabf56a) [0xf4fb456a]
27  0xf4fb43c8 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xabf3c8) [0xf4fb43c8]
28  0xf4fb48d5 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xabf8d5) [0xf4fb48d5]
29  0xf4fb489c /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xabf89c) [0xf4fb489c]
30  0xf4fa46e7 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xaaf6e7) [0xf4fa46e7]
31  0xf4fa47e6 /home/oszi/WebKit/WebKitBuild/Debug/lib/libQt5WebKit.so.5(+0xaaf7e6) [0xf4fa47e6]

Program received signal SIGSEGV, Segmentation fault.
0xf608ce88 in JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution (this=0xffffa1e8, kind=Uncountable, jsValueRegs=..., node=0x0)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:308
308         ASSERT(m_isCheckingArgumentTypes || m_canExit);
(gdb) bt
#0  0xf608ce88 in JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution (this=0xffffa1e8, kind=Uncountable, jsValueRegs=..., node=0x0)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:308
#1  0xf6094354 in JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32 (this=0xffffa1e8, node=0xede20984)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2102
#2  0xf60945e1 in JSC::DFG::SpeculativeJIT::compileValueToInt32 (this=0xffffa1e8, node=0xede20f6c)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2152
#3  0xf60be070 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) () at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2187
#4  0xf60925e2 in JSC::DFG::SpeculativeJIT::compile (this=0xffffa1e8, block=0x8196a00)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1757
#5  0xf6092ce6 in JSC::DFG::SpeculativeJIT::compile (this=0xffffa1e8) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1875
#6  0xf605e757 in JSC::DFG::JITCompiler::compileBody (this=0xffffb454, speculative=0xffffa1e8)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108
#7  0xf605f641 in JSC::DFG::JITCompiler::compile (this=0xffffb454, entry=0xedeaeb4c) at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:250
#8  0xf60508a3 in JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) ()
    at /home/oszi/WebKit/Source/WTF/wtf/PrintStream.h:58
#9  0xf605009e in JSC::DFG::tryCompile (exec=0xee900058, codeBlock=0x8178340, jitCode=0xedeaeb4c, bytecodeIndex=<unknown type>)
    at /home/oszi/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:172
#10 0xf61e4e48 in bool JSC::jitCompileIfAppropriate<JSC::ProgramCodeBlock>(JSC::ExecState*, WTF::OwnPtr<JSC::ProgramCodeBlock>&, JSC::JITCode&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) () at /home/oszi/WebKit/Source/JavaScriptCore/bytecode/SpeculatedType.h:260
#11 0xf61e527b in bool JSC::prepareForExecution<JSC::ProgramCodeBlock>(JSC::ExecState*, WTF::OwnPtr<JSC::ProgramCodeBlock>&, JSC::JITCode&, JSC::JITCode::JITType, unsigned int) () at /home/oszi/WebKit/Source/JavaScriptCore/bytecode/SpeculatedType.h:260
#12 0xf61e1145 in JSC::ProgramExecutable::compileInternal (this=0xedeaeb38, exec=0xee900058, scope=0xeee5f838, jitType=DFGJIT, bytecodeIndex=<unknown type>)
    at /home/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:327
#13 0xf61e0e15 in JSC::ProgramExecutable::compileOptimized (this=0xedeaeb38, exec=0xee900058, scope=0xeee5f838, bytecodeIndex=<unknown type>)
    at /home/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:295
#14 0xf5f4cf3a in JSC::ProgramCodeBlock::compileOptimized (this=0x818fa38, exec=0xee900058, scope=0xeee5f838, bytecodeIndex=<unknown type>)
    at /home/oszi/WebKit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2860
#15 0xf6136696 in cti_optimize (args=0xffffba20) at /home/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1899
#16 0xf61334fe in JSC::tryCacheGetByID (callFrame=0xee8dd300, codeBlock=0x8105a38, returnAddress=..., baseValue=..., propertyName=0x80fc300,
    slot=0xffffbaa8, stubInfo=0xf60fdf5b) at /home/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:996
#17 0x081735b0 in ?? ()
#18 0xf60fdc27 in JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::JSGlobalData*) () at /home/oszi/WebKit/Source/WTF/wtf/PrintStream.h:58
#19 0xf60fb4d5 in JSC::Interpreter::execute (this=0x8105a30, program=0xedeaeb38, callFrame=0xeee5f994, thisObj=0xeee9ffd8)
    at /home/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:987
#20 0xf61d7d64 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) ()
    at /home/oszi/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:75
#21 0xf4af6112 in WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) ()
    at /home/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#22 0xf4b13459 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) ()
    at /home/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#23 0xf4b1356a in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) () at /home/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#24 0xf4e134c6 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) () at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#25 0xf4fb456a in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) ()
    at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#26 0xf4fb43c8 in WebCore::HTMLScriptRunner::executeParsingBlockingScript() () at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#27 0xf4fb48d5 in WebCore::HTMLScriptRunner::executeParsingBlockingScripts() () at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#28 0xf4fb489c in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) ()
    at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#29 0xf4fa46e7 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() () at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#30 0xf4fa47e6 in WebCore::HTMLDocumentParser::canTakeNextToken(WebCore::HTMLDocumentParser::SynchronousMode, WebCore::PumpSession&) ()
    at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#31 0xf4fa4e17 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) ()
    at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#32 0xf4fa4613 in WebCore::HTMLDocumentParser::resumeParsingAfterYield() () at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#33 0xf4fb1c2b in WebCore::HTMLParserScheduler::continueNextChunkTimerFired(WebCore::Timer<WebCore::HTMLParserScheduler>*) ()
    at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#34 0xf4fb1ec2 in WebCore::Timer<WebCore::HTMLParserScheduler>::fired() () at /home/oszi/WebKit/Source/WTF/wtf/MemoryInstrumentation.h:109
#35 0xf532e8a7 in WebCore::ThreadTimers::sharedTimerFiredInternal() () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#36 0xf532e7c3 in WebCore::ThreadTimers::sharedTimerFired() () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#37 0xf561571e in WebCore::SharedTimerQt::timerEvent(QTimerEvent*) () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#38 0xf379dec4 in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#39 0xf3fd1e34 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#40 0xf3fd5844 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#41 0xf3773eee in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#42 0xf37c06a2 in QTimerInfoList::activateTimers() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#43 0xf37c0fe8 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#44 0xf2a5ccda in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
#45 0xf2a5d0e5 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#46 0xf2a5d1c1 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#47 0xf37c16d8 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#48 0xf01de036 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/plugins/platforms/libqxcb.so
#49 0xf3772726 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#50 0xf3772b64 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#51 0xf37766b2 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#52 0xf3a29984 in QGuiApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Gui.so.5
#53 0xf3fccfe4 in QApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#54 0x0806e14d in main () at /usr/include/c++/4.6/bits/move.h:130
#55 0xf328f4d3 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#56 0x08056bf1 in _start ()
(gdb)
Comment 1 Csaba Osztrogonác 2013-03-19 04:16:50 PDT
ping?
Comment 2 Csaba Osztrogonác 2013-03-26 02:26:02 PDT
ping?
Comment 3 Mark Hahnenberg 2013-03-26 10:04:25 PDT
I can repro this running 32-bit DumpRenderTree on Mac.
Comment 4 Mark Hahnenberg 2013-03-26 10:19:27 PDT
Looks like we're trying to compile a ValueToInt32 node; the node thinks it's a constant (isConstant() == true), but the internal JSValue says that it's a cell. Given the revision that caused the regression, it looks like we're unboxing incorrectly somewhere.
Comment 5 Mark Hahnenberg 2013-03-26 10:35:55 PDT
I think this has to do with alwaysUnboxSimplePrimitives introduced in this change and the fact that we always assume in our fixup of ValueToInt32 that if it's not speculated as Integer, Number, or Boolean, then we speculate NotCell, which seems wrong.
Comment 6 Mark Hahnenberg 2013-03-26 12:31:29 PDT
Never mind all that. The issue is that we get an empty type for the value during CFA, which guarantees that we're going to exit before we get to this later node (ValueToInt32). Because of this, ValueToInt32 is calling terminateSpeculativeExecution because it doesn't know what to do, when instead it should just abandon compilation of the current basic block.
Comment 7 Mark Hahnenberg 2013-03-26 12:41:07 PDT
Created attachment 195144 [details]
Patch
Comment 8 Filip Pizlo 2013-03-26 12:45:54 PDT
Comment on attachment 195144 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=195144&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2107
> -            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
> +            m_compileOkay = false;
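Review bot: Replacing the terminateSpeculativeExecution call with an unconditional `m_compileOkay = false;` at DFGSpeculativeJIT.cpp:2107 removes the OSR exit for every path through checkGeneratedTypeForToInt32, not just the one comment 6 describes (CFA proved the value's type empty, so the block is unreachable). When this node is the first to type-check its child, the child has no proven type yet and the code is reachable, so the compiler would be told compilation stopped on a live block. Suggest gating the new behaviour on the CFA proof, keeping `terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);` as the fallback when no such proof exists, and noting in the ChangeLog why abandoning the block is safe only in the proven-empty case.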

I think this is wrong.  What if this is the first node to type check the child?  Then with your change, we'll tell the compiler that we stopped compiling even though the code is totally reachable.
Comment 9 Mark Hahnenberg 2013-03-26 16:48:27 PDT
Committed r146945: <http://trac.webkit.org/changeset/146945>