Bug 141111

Summary: Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
Product: WebKit
Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore
Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED
Severity: Normal
CC: fpizlo, ggaren, mark.lam, mmirman, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: Unspecified
URL: http://experilous.com/1/planet-generator/2014-09-28/version-1

Michael Saboff
Reported 2015-01-30 23:45:45 PST
Steps to reproduce:
1. Go to http://experilous.com/1/planet-generator/2014-09-28/version-1
2. Click on "High", and then click on "Generate".
3. Let it run to completion, when you'll see a globe. Let it sit for a bit. The crash will occur shortly after.

Crash trace:
DFG ASSERTION FAILED: Edge verification error: @3675->Check:Cell:@2 was expected to have type Cell but has type Other (536870912)
/Volumes/Data/ws4/OpenSource/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h(112) : void JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge(JSC::DFG::Node *, JSC::DFG::Edge) [AbstractStateType = JSC::DFG::InPlaceAbstractState]
1 0x1125c97d0 WTFCrashWithSecurityImplication
2 0x111efd243 JSC::DFG::crash(JSC::DFG::Graph&, WTF::CString const&, char const*, int, char const*, char const*)
3 0x111efd2bb JSC::DFG::Graph::handleAssertionFailure(JSC::DFG::Node*, char const*, int, char const*, char const*)
4 0x111e45fd4 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge(JSC::DFG::Node*, JSC::DFG::Edge)
5 0x111e40bfc JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdges(JSC::DFG::Node*)
6 0x111e36205 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
7 0x111fb7cd3 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int)
8 0x1120b75d9 JSC::FTL::LowerDFGToLLVM::compileNode(unsigned int)
9 0x1120b6a01 JSC::FTL::LowerDFGToLLVM::compileBlock(JSC::DFG::BasicBlock*)
10 0x1120b4b48 JSC::FTL::LowerDFGToLLVM::lower()
11 0x1120b20ee JSC::FTL::lowerDFGToLLVM(JSC::FTL::State&)
12 0x111f8a8a0 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
13 0x111f88e61 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
14 0x112054c20 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*)
15 0x112053204 JSC::DFG::Worklist::threadFunction(void*)
16 0x11261df19 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const
17 0x11261deec std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()()
18 0x112579aea std::__1::function<void ()>::operator()() const
19 0x11261ce6e WTF::threadEntryPoint(void*)
20 0x11261e878 WTF::wtfThreadEntryPoint(void*)
21 0x7fff97ce5268 _pthread_body
22 0x7fff97ce51e5 _pthread_body
23 0x7fff97ce341d thread_start

rdar://problem/19252057
Attachments:
Patch (7.55 KB, patch), 2015-01-31 00:27 PST, Michael Saboff, flags: fpizlo: review+
Michael Saboff
Comment 1 2015-01-31 00:27:38 PST
Michael Saboff
Comment 2 2015-01-31 19:58:33 PST