Bug 119405

Summary: REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT
Product: WebKit    Reporter: Csaba Osztrogonác <ossy>
Component: JavaScriptCore    Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal    CC: abrhm, barraclough, fpizlo, ggaren, kadam, mark.lam, mhahnenberg, msaboff, oliver, ossy, webkit-bug-importer, zarvai
Priority: P2    Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified
Bug Depends on: 119140
Bug Blocks:
Attachments:
  Description          Flags
  Patch for landing    ggaren: review+

Description Csaba Osztrogonác 2013-08-01 11:56:38 PDT
STDERR: ASSERTION FAILED: currentLowest != NUM_REGS && currentSpillOrder != SpillHintInvalid
STDERR: /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGRegisterBank.h(136) : JSC::DFG::RegisterBank<BankInfo>::RegID JSC::DFG::RegisterBank<BankInfo>::allocate(JSC::VirtualRegister&) [with BankInfo = JSC::DFG::GPRInfo, JSC::DFG::RegisterBank<BankInfo>::RegID = JSC::X86Registers::RegisterID]

Program terminated with signal 11, Segmentation fault.
#0  0xf59e9618 in WTFCrash () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:339
339         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb)
(gdb) bt
#0  0xf59e9618 in WTFCrash () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:339
#1  0xf57f53b6 in JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::allocate(JSC::VirtualRegister&) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PrintStream.h:59
#2  0xf57f0368 in JSC::DFG::SpeculativeJIT::allocate() () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PrintStream.h:59
#3  0xf57d5ff3 in JSC::DFG::GPRTemporary::GPRTemporary (this=0xfff8ee64, jit=0x83094f0)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1214
#4  0xf57da30f in JSC::DFG::SpeculativeJIT::compileGetByValOnString (this=0x83094f0, node=0xeb8b04ac)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2137
#5  0xf58118c8 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2665
#6  0xf57d878e in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x83094f0)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1804
#7  0xf57d8e38 in JSC::DFG::SpeculativeJIT::compile (this=0x83094f0) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1918
#8  0xf579d2e0 in JSC::DFG::JITCompiler::compileBody (this=0xfff91454) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:117
#9  0xf579ed95 in JSC::DFG::JITCompiler::compileFunction (this=0xfff91454)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:382
#10 0xf57c2649 in JSC::DFG::Plan::compileInThreadImpl (this=0x83285b0, longLivedState=0x827f790)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:256
#11 0xf57c214e in JSC::DFG::Plan::compileInThread (this=0x83285b0, longLivedState=0x827f790)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:113
#12 0xf578524d in JSC::DFG::compile (compileMode=CompileFunction, exec=0xe9d001f8, codeBlock=0x83035f8, jitCode=0xec23ea9c,
    jitCodeWithArityCheck=0xec23eaa4, osrEntryBytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:128
#13 0xf57852f2 in JSC::DFG::tryCompileFunction (exec=0xe9d001f8, codeBlock=0x83035f8, jitCode=0xec23ea9c, jitCodeWithArityCheck=0xec23eaa4,
    bytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:139
#14 0xf5933125 in JSC::jitCompileFunctionIfAppropriateImpl(JSC::ExecState*, JSC::FunctionCodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) () at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/bytecode/SpeculatedType.h:272
#15 0xf593346b in JSC::prepareFunctionForExecutionImpl(JSC::ExecState*, JSC::FunctionCodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) () at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/bytecode/SpeculatedType.h:272
#16 0xf59334ad in JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::RefPtr<JSC::FunctionCodeBlock>&, JSC::FunctionCodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, int&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/bytecode/SpeculatedType.h:272
#17 0xf59318c2 in JSC::FunctionExecutable::compileForCallInternal (this=0xec23ea88, exec=0xe9d001f8, scope=0xedc9fa38, jitType=DFGJIT, result=0xfff91db4,
    bytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:561
#18 0xf5931185 in JSC::FunctionExecutable::compileOptimizedForCall (this=0xec23ea88, exec=0xe9d001f8, scope=0xedc9fa38, result=0xfff91db4,
    bytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:480
#19 0xf567a218 in JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, JSC::CompilationResult&, unsigned int, JSC::CodeSpecializationKind) () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PrintStream.h:59
#20 0xf5674f9a in JSC::FunctionCodeBlock::compileOptimized (this=0x8314ff8, exec=0xe9d001f8, scope=0xedc9fa38, result=0xfff91db4,
    bytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2730
#21 0xf588492d in cti_optimize (args=0xfff91e10) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1044
#22 0xf5881c61 in JSC::tryCacheGetByID (callFrame=0xee619460, codeBlock=0x827d76c, returnAddress=..., baseValue=..., propertyName=0x8274780,
    slot=0xfff91e98, stubInfo=0xf584e076) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:274
#23 0xfff91e2c in ?? ()
#24 0xf586392a in JSC::JITCode::execute (this=0x8320a00, stack=0x827d76c, callFrame=0xe9d001a0, vm=0x8274780)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46
#25 0xf584d40f in JSC::Interpreter::execute (this=0x827d760, eval=0xec23e9d8, callFrame=0xe9d00148, thisValue=..., scope=0xeb83cd50)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1208
#26 0xf584849d in JSC::eval (callFrame=0xe9d00148) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:148
#27 0xf588875e in cti_op_call_eval (args=0xfff92900) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1965
#28 0xf5881c61 in JSC::tryCacheGetByID (callFrame=0xef986fc0, codeBlock=0x827d76c, returnAddress=..., baseValue=..., propertyName=0x8274780,
    slot=0xfff92988, stubInfo=0xf584e1d4) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:274
#29 0xe9d00058 in ?? ()
#30 0xf586392a in JSC::JITCode::execute (this=0x831b0e8, stack=0x827d76c, callFrame=0xe9d00058, vm=0x8274780)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46
#31 0xf584bb7e in JSC::Interpreter::execute (this=0x827d760, program=0xec23eae0, callFrame=0xedc9fa8c, thisObj=0xedcdffd8)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:856
#32 0xf5925768 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:83
#33 0xf435e490 in WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#34 0xf437b621 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#35 0xf437b71a in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#36 0xf462e936 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#37 0xf47bfbcf in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#38 0xf47bfa44 in WebCore::HTMLScriptRunner::executeParsingBlockingScript() () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#39 0xf47bfedb in WebCore::HTMLScriptRunner::executeParsingBlockingScripts() () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#40 0xf47c003e in WebCore::HTMLScriptRunner::executeScriptsWaitingForLoad(WebCore::CachedResource*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#41 0xf47b1f17 in WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#42 0xf49005c9 in WebCore::CachedResource::checkNotify (this=0x82e2f80)
    at /home/webkitbuildbot/oszi/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:369
#43 0xf49006b1 in WebCore::CachedResource::finishLoading (this=0x82e2f80)
    at /home/webkitbuildbot/oszi/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:385
#44 0xf49081b4 in WebCore::CachedScript::finishLoading(WebCore::ResourceBuffer*) () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PageBlock.h:72
#45 0xf4959af0 in WebCore::SubresourceLoader::didFinishLoading (this=0x82e3320, finishTime=0)
    at /home/webkitbuildbot/oszi/WebKit/Source/WebCore/loader/SubresourceLoader.cpp:282
#46 0xf4950ee1 in WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PageBlock.h:72
#47 0xf4d9a0b8 in WebCore::QNetworkReplyHandler::finish() () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#48 0xf4d98da0 in WebCore::QNetworkReplyHandlerCallQueue::flush() () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#49 0xf4d98aec in WebCore::QNetworkReplyHandlerCallQueue::push(void (WebCore::QNetworkReplyHandler::*)()) () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#50 0xf4d999a8 in WebCore::QNetworkReplyWrapper::didReceiveFinished() () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#51 0xf4d9c09c in WebCore::QNetworkReplyWrapper::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ()
    at /usr/include/c++/4.6/bits/stl_algobase.h:218
#52 0xf2f8b9ad in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#53 0xf2f8c3cb in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#54 0xf3679fd5 in QNetworkReply::finished() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Network.so.5
#55 0xf367a250 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Network.so.5
#56 0xf2f89b53 in QMetaCallEvent::placeMetaCall(QObject*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#57 0xf2f8d062 in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#58 0xf37c0e34 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#59 0xf37c4844 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#60 0xf2f62eee in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#61 0xf2f650b4 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#62 0xf2f6560c in QCoreApplication::sendPostedEvents(QObject*, int) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#63 0xf2fb02c4 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#64 0xf224bcda in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
#65 0xf224c0e5 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#66 0xf224c1c1 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#67 0xf2fb06d8 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#68 0xef9cf036 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/plugins/platforms/libqxcb.so
#69 0xf2f61726 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#70 0xf2f61b64 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#71 0xf2f656b2 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#72 0xf3218984 in QGuiApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Gui.so.5
#73 0xf37bbfe4 in QApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#74 0x0807b8db in main () at /usr/include/c++/4.6/bits/move.h:83
#75 0xf2a7e4d3 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#76 0x080599d1 in _start ()
Comment 1 Csaba Osztrogonác 2013-08-01 11:58:59 PDT
I forgot to mention that I got it after applying https://bugs.webkit.org/attachment.cgi?id=207937&action=review

And the following fast/js tests assert:
  fast/js/dfg-string-out-of-bounds-check-structure.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-cse.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-negative-check-structure.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-negative-proto-value.html [ Crash ]
  fast/js/regress/string-get-by-val-out-of-bounds-insane.html [ Crash ]
  fast/js/regress/string-get-by-val-out-of-bounds.html [ Crash ]
Comment 2 Csaba Osztrogonác 2013-08-01 11:59:26 PDT
... and the tests pass with disabled DFG JIT
Comment 3 Geoffrey Garen 2013-08-01 17:52:51 PDT
<rdar://problem/14627547>
Comment 4 Michael Saboff 2013-08-06 17:23:47 PDT
The ASSERT failure is because we run out of registers on X86 32 bit in SpeculativeJIT::compileGetByValOnString().  X86 32bit currently only has 5 allocated registers in the DFG.  All other CPU types have 6 or more.

One fix is to change compileGetByValOnString() to use a slow path instead of needing the extra register.
Comment 5 Michael Saboff 2013-08-06 22:37:42 PDT
Created attachment 208237 [details]
Patch for landing

Another way to fix this is to turn the indexed load into a shift, add the base address for the single character strings and then use that as the source address for the load with the destination the same register. Added this path for X86-32 only.

This patch has been reviewed by Geoff Garen.
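The register-pressure argument in Comments 4 and 5 can be made concrete with a small model. The C below is an added example, not WebKit code: it models a DFG-style RegisterBank with a fixed number of GPRs (the real allocate() asserts on exhaustion; this one reports it), emits the string element load two ways, and runs both instruction streams through a tiny interpreter to show they produce the same single-character string. The generic path materialises the table base in a temporary and does a base+index load; the x86-32 path shifts the character into a table offset, adds the base as an immediate, and loads through the same register. How many registers the surrounding code already holds (live_before), the two-temporary cost of the generic path, and the single-character table are all constructed assumptions for the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REGS 8
#define MAX_INSNS 8

enum Op { OP_LOAD8_INDEXED, OP_MOV_IMM, OP_LOAD_PTR_INDEXED, OP_SHL_IMM, OP_ADD_IMM, OP_LOAD_PTR };

typedef struct { enum Op op; int dst, base, index; uintptr_t imm; } Insn;
typedef struct { int num_regs; int used; } Bank;              /* model of RegisterBank (assumption) */
typedef struct { Insn insns[MAX_INSNS]; int count; int result_reg; } Code;

/* Like RegisterBank::allocate(), except exhaustion is reported (-1) instead of asserting. */
static int bank_allocate(Bank *b) { return b->used < b->num_regs ? b->used++ : -1; }
static void emit(Code *c, Insn i) { c->insns[c->count++] = i; }

/* Constructed single-character string table: index by char code, get a 1-char string. */
static char single_chars[256][2];
static const char *small_strings[256];
static void init_table(void) {
    for (int i = 0; i < 256; i++) {
        single_chars[i][0] = (char)i; single_chars[i][1] = '\0';
        small_strings[i] = single_chars[i];
    }
}

/* Generic path (assumed shape): char into a temp, table base into a second temp,
 * then a base+index load. Two temporaries beyond the str/idx inputs. */
static int emit_generic(Bank *b, Code *c, int str, int idx) {
    int ch = bank_allocate(b), base = bank_allocate(b);
    if (ch < 0 || base < 0) return 0;
    emit(c, (Insn){OP_LOAD8_INDEXED, ch, str, idx, 0});
    emit(c, (Insn){OP_MOV_IMM, base, 0, 0, (uintptr_t)small_strings});
    emit(c, (Insn){OP_LOAD_PTR_INDEXED, ch, base, ch, 0});
    c->result_reg = ch;
    return 1;
}

/* x86-32 path as described in Comment 5: shift the char into a table offset, add the
 * table base as an immediate, load through that address into the same register. */
static int emit_shift_add(Bank *b, Code *c, int str, int idx) {
    int ch = bank_allocate(b);
    if (ch < 0) return 0;
    unsigned shift = 0;
    while ((1u << shift) < sizeof(void *)) shift++;        /* log2(pointer size) */
    emit(c, (Insn){OP_LOAD8_INDEXED, ch, str, idx, 0});
    emit(c, (Insn){OP_SHL_IMM, ch, 0, 0, shift});
    emit(c, (Insn){OP_ADD_IMM, ch, 0, 0, (uintptr_t)small_strings});
    emit(c, (Insn){OP_LOAD_PTR, ch, ch, 0, 0});
    c->result_reg = ch;
    return 1;
}

/* Tiny interpreter so both instruction streams can be checked for equivalence. */
static const char *run(const Code *c, uintptr_t regs[]) {
    for (int i = 0; i < c->count; i++) {
        const Insn *in = &c->insns[i];
        const char *p;
        switch (in->op) {
        case OP_LOAD8_INDEXED: regs[in->dst] = *(const uint8_t *)(regs[in->base] + regs[in->index]); break;
        case OP_MOV_IMM:       regs[in->dst] = in->imm; break;
        case OP_LOAD_PTR_INDEXED:
            memcpy(&p, (const void *)(regs[in->base] + regs[in->index] * sizeof(void *)), sizeof p);
            regs[in->dst] = (uintptr_t)p; break;
        case OP_SHL_IMM:       regs[in->dst] <<= in->imm; break;
        case OP_ADD_IMM:       regs[in->dst] += in->imm; break;
        case OP_LOAD_PTR:      memcpy(&p, (const void *)regs[in->base], sizeof p); regs[in->dst] = (uintptr_t)p; break;
        }
    }
    return (const char *)regs[c->result_reg];
}

/* Compile and run s[index] with a bank of num_regs GPRs, live_before of which (>= 2, the
 * str and idx inputs among them) are already held by surrounding code. NULL on exhaustion. */
static const char *get_by_val(int num_regs, int live_before, int use_shift_add, const char *s, size_t index) {
    static int inited;
    if (!inited) { init_table(); inited = 1; }
    if (num_regs > MAX_REGS || live_before < 2 || live_before > num_regs) return NULL;
    Bank bank = { num_regs, live_before };
    Code code; memset(&code, 0, sizeof code);
    uintptr_t regs[MAX_REGS] = {0};
    int str = 0, idx = 1;
    regs[str] = (uintptr_t)s; regs[idx] = index;
    int ok = use_shift_add ? emit_shift_add(&bank, &code, str, idx) : emit_generic(&bank, &code, str, idx);
    return ok ? run(&code, regs) : NULL;
}

int main(void) {
    const char *generic5 = get_by_val(5, 4, 0, "abc", 1);
    printf("5 regs, generic path:   %s\n", generic5 ? generic5 : "(register bank exhausted)");
    printf("5 regs, shift+add path: %s\n", get_by_val(5, 4, 1, "abc", 1));
    printf("6 regs, generic path:   %s\n", get_by_val(6, 4, 0, "abc", 1));
    return 0;
}
```

With four registers already live, the generic path needs two more and exhausts a five-register bank (the x86-32 case), while the shift-and-add path needs one and fits; with six registers, both paths succeed and return the same string.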
Comment 6 Geoffrey Garen 2013-08-07 08:45:37 PDT
Comment on attachment 208237 [details]
Patch for landing

r=me
Comment 7 Michael Saboff 2013-08-07 09:16:23 PDT
Committed r153789: <http://trac.webkit.org/changeset/153789>