Bug 120167
| Summary: | ASSERT in dfg/DFGSpeculativeJIT.h SpeculateCellOperand ctor | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | sfa <afscian> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | UNCONFIRMED | | |
| Severity: | Normal | | |
| Priority: | P2 | | |
| Version: | 528+ (Nightly build) | | |
| Hardware: | All | | |
| OS: | Unspecified | | |
| URL: | http://www.wenxuecity.com | | |
sfa
`ASSERT_UNUSED(mode, mode == ManualOperandSpeculation ...` fails when visiting the website circa Aug-22. The `edge.useKind()` values will also fail the ASSERT.

```
(gdb) p edge.useKind()
$3 = JSC::DFG::UntypedUse
(gdb) p mode
$4 = JSC::DFG::AutomaticOperandSpeculation
```
The mode argument is the default argument value for the ctor; moving up to the caller, it doesn't specify the argument, so this path will never execute properly in ASSERT mode.
dfg/DFGSpeculativeJIT32_64.cpp (gdb source listing; the `├>` marker is the current frame):

```
case GetById: {
3865│     if (!node->prediction()) {
3866│         terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
3867│         break;
3868│     }
3869│
3870│     if (isCellSpeculation(node->child1()->prediction())) {
3871├>        SpeculateCellOperand base(this, node->child1());   <<<<<<<<
```
```
(gdb) bt 8
#0  0x02a3665c in JSC::DFG::SpeculateCellOperand::SpeculateCellOperand (this=0x77fbfc00, jit=0x77fc1128, edge=..., mode=JSC::DFG::AutomaticOperandSpeculation) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2930
#1  0x02a5850e in JSC::DFG::SpeculativeJIT::compile (this=0x77fc1128, node=0x771b5018) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:3871
#2  0x02a22152 in JSC::DFG::SpeculativeJIT::compile (this=0x77fc1128, block=...) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1762
#3  0x02a22742 in JSC::DFG::SpeculativeJIT::compile (this=0x77fc1128) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1880
#4  0x029f226c in JSC::DFG::JITCompiler::compileBody (this=0x77fc19f8, speculative=...) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108
#5  0x029f3152 in JSC::DFG::JITCompiler::compileFunction (this=0x77fc19f8, entry=..., entryWithArityCheck=...) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302
#6  0x029e302a in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x2af596c8, codeBlock=0x7ffed5d8, jitCode=..., jitCodeWithArityCheck=0x7fddf584, osrEntryBytecodeIndex=0) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:161
#7  0x029e2944 in JSC::DFG::tryCompileFunction (exec=0x2af596c8, codeBlock=0x7ffed5d8, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:179
(More stack frames follow...)
```
Hopefully this is enough to reproduce and fix the problem.
sfa
Looking at the source code for dfg/DFGSpeculativeJIT32_64.cpp, all the two-arg variable declarations of type SpeculateCellOperand will trigger the assert in the ctor. They should all be visited and corrected (or the ASSERT in the ctor changed).
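The audit the comment above calls for, as an added helper that is not part of the bug report or of WebKit: a small Python scanner that lists every two-argument `SpeculateCellOperand` declaration in a source file, i.e. the call form that relies on the defaulted `mode` argument. The sample source is constructed for the demo from the call site quoted in the report; the three-argument declaration in it is an assumed contrast, not a fix taken from the page.

```python
import re
from typing import List, Tuple

# Constructed sample: mirrors the reported call site (line 3 here) plus a
# hypothetical explicit-mode declaration that should NOT be flagged.
SAMPLE_SOURCE = """\
case GetById: {
    if (isCellSpeculation(node->child1()->prediction())) {
        SpeculateCellOperand base(this, node->child1());
        GPRReg baseGPR = base.gpr();
    }
    SpeculateCellOperand other(this, node->child2(), ManualOperandSpeculation);
    break;
}
"""

# A named variable declaration of the operand class, up to its opening paren.
DECL_RE = re.compile(r'\bSpeculateCellOperand\s+(\w+)\s*\(')

def split_args(text: str, start: int) -> List[str]:
    """Split the argument list that starts just after '(' at index `start`,
    honouring nested parentheses such as node->child1()."""
    depth, args, cur = 1, [], []
    for ch in text[start:]:
        if ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                args.append(''.join(cur).strip())
                return args
        if ch == ',' and depth == 1:
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    raise ValueError("unbalanced parentheses in declaration")

def find_two_arg_decls(source: str) -> List[Tuple[int, str]]:
    """Return (line number, variable name) for each declaration that omits
    the mode argument and therefore gets the ctor's default value."""
    hits = []
    for m in DECL_RE.finditer(source):
        if len(split_args(source, m.end())) == 2:
            hits.append((source.count('\n', 0, m.start()) + 1, m.group(1)))
    return hits

if __name__ == "__main__":
    for line, name in find_two_arg_decls(SAMPLE_SOURCE):
        print(f"line {line}: SpeculateCellOperand {name}(...) uses the default mode")
```

Run it over the real file by replacing `SAMPLE_SOURCE` with the file's contents; each hit is a site to revisit.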