Bug 114129

Summary: REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests
Product: WebKit
Reporter: Chris Dumez <cdumez>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: fpizlo, ggaren, msaboff, oliver
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Attachments:
  the patch (Flags: darin: review+)

Description Chris Dumez 2013-04-07 12:51:44 PDT
The following test cases are hitting an assertion on the EFL build bots:
  webgl/conformance/textures/tex-image-with-format-and-type.html
  fast/canvas/webgl/tex-image-with-format-and-type.html

crash log for WebProcess (pid <unknown>):
STDOUT: <empty>
STDERR: ASSERTION FAILED: (edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1128) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
STDERR: 1   0x7f223d4a178c JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
STDERR: 2   0x7f223d48ef80 JSC::DFG::SpeculateCellOperand::gpr()
STDERR: 3   0x7f223d4b1a9c JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
STDERR: 4   0x7f223d4789b7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
STDERR: 5   0x7f223d47911f JSC::DFG::SpeculativeJIT::compile()
STDERR: 6   0x7f223d445a4c JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
STDERR: 7   0x7f223d446c79 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
STDERR: 8   0x7f223d433770 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
STDERR: 9   0x7f223d432ff4 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
STDERR: 10  0x7f223d5f5baf JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
STDERR: 11  0x7f223d5f5ea4 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
STDERR: 12  0x7f223d5f4354 JSC::FunctionExecutable::compileForConstructInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
STDERR: 13  0x7f223d5f39ab JSC::FunctionExecutable::compileOptimizedForConstruct(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 14  0x7f223d343da7 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
STDERR: 15  0x7f223d33dcd2 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 16  0x7f223d5486b9
STDERR: 17  0x7f223d5456c7
STDERR: 18  0x7f20e3bf0060
Comment 1 Geoffrey Garen 2013-04-07 13:27:20 PDT
Christophe, do you know when this started?
Comment 2 Chris Dumez 2013-04-07 13:46:05 PDT
Started between r146663 and r146670.

http://trac.webkit.org/changeset/146669 seems like the most likely culprit.
Comment 3 Geoffrey Garen 2013-04-07 14:12:44 PDT
<rdar://problem/13594898>
Comment 4 Filip Pizlo 2013-04-08 09:44:00 PDT
(In reply to comment #0)
> The following test cases are hitting an assertion on the EFL build bots:
>   webgl/conformance/textures/tex-image-with-format-and-type.html
>   fast/canvas/webgl/tex-image-with-format-and-type.html
> 
> crash log for WebProcess (pid <unknown>):
> STDOUT: <empty>
> STDERR: ASSERTION FAILED: (edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)
> STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1128) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
> STDERR: 1   0x7f223d4a178c JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
> STDERR: 2   0x7f223d48ef80 JSC::DFG::SpeculateCellOperand::gpr()
> STDERR: 3   0x7f223d4b1a9c JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
> STDERR: 4   0x7f223d4789b7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
> STDERR: 5   0x7f223d47911f JSC::DFG::SpeculativeJIT::compile()
> STDERR: 6   0x7f223d445a4c JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)

Can you tell me what line you're at in this frame?

> STDERR: 7   0x7f223d446c79 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
> STDERR: 8   0x7f223d433770 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
> STDERR: 9   0x7f223d432ff4 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
> STDERR: 10  0x7f223d5f5baf JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
> STDERR: 11  0x7f223d5f5ea4 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
> STDERR: 12  0x7f223d5f4354 JSC::FunctionExecutable::compileForConstructInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
> STDERR: 13  0x7f223d5f39ab JSC::FunctionExecutable::compileOptimizedForConstruct(JSC::ExecState*, JSC::JSScope*, unsigned int)
> STDERR: 14  0x7f223d343da7 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
> STDERR: 15  0x7f223d33dcd2 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
> STDERR: 16  0x7f223d5486b9
> STDERR: 17  0x7f223d5456c7
> STDERR: 18  0x7f20e3bf0060
Comment 5 Filip Pizlo 2013-04-08 09:58:54 PDT
(In reply to comment #4)
> (In reply to comment #0)
> > The following test cases are hitting an assertion on the EFL build bots:
> >   webgl/conformance/textures/tex-image-with-format-and-type.html
> >   fast/canvas/webgl/tex-image-with-format-and-type.html
> > 
> > crash log for WebProcess (pid <unknown>):
> > STDOUT: <empty>
> > STDERR: ASSERTION FAILED: (edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)
> > STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1128) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
> > STDERR: 1   0x7f223d4a178c JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
> > STDERR: 2   0x7f223d48ef80 JSC::DFG::SpeculateCellOperand::gpr()
> > STDERR: 3   0x7f223d4b1a9c JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
> > STDERR: 4   0x7f223d4789b7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
> > STDERR: 5   0x7f223d47911f JSC::DFG::SpeculativeJIT::compile()
> > STDERR: 6   0x7f223d445a4c JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
> 
> Can you tell me what line you're at in this frame?

Never mind, I can repro this!  Working on fix...

> 
> > STDERR: 7   0x7f223d446c79 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
> > STDERR: 8   0x7f223d433770 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
> > STDERR: 9   0x7f223d432ff4 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
> > STDERR: 10  0x7f223d5f5baf JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
> > STDERR: 11  0x7f223d5f5ea4 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
> > STDERR: 12  0x7f223d5f4354 JSC::FunctionExecutable::compileForConstructInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
> > STDERR: 13  0x7f223d5f39ab JSC::FunctionExecutable::compileOptimizedForConstruct(JSC::ExecState*, JSC::JSScope*, unsigned int)
> > STDERR: 14  0x7f223d343da7 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
> > STDERR: 15  0x7f223d33dcd2 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
> > STDERR: 16  0x7f223d5486b9
> > STDERR: 17  0x7f223d5456c7
> > STDERR: 18  0x7f20e3bf0060
Comment 6 Filip Pizlo 2013-04-08 10:15:12 PDT
Sadly those tests were skipped and so we missed this on Mac.  I will unskip because they are passing now.
Comment 7 Filip Pizlo 2013-04-08 10:19:38 PDT
Created attachment 196868 [details]
the patch
Comment 8 Filip Pizlo 2013-04-08 10:47:10 PDT
Landed in http://trac.webkit.org/changeset/147933