Bug 141111

Summary: Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
Product: WebKit Reporter: Michael Saboff <msaboff>
Component: JavaScriptCore    Assignee: Michael Saboff <msaboff>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, mark.lam, mmirman, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: All   
OS: Unspecified   
URL: http://experilous.com/1/planet-generator/2014-09-28/version-1
Attachments:
Description    Flags
Patch          fpizlo: review+

Description Michael Saboff 2015-01-30 23:45:45 PST
Steps to reproduce:
1. Go to http://experilous.com/1/planet-generator/2014-09-28/version-1
2. Click on "High", and then click on "Generate".
3. Let it run to completion, at which point you will see a globe. Let it sit for a bit; the crash will occur shortly after.

Crash trace:

DFG ASSERTION FAILED: Edge verification error: @3675->Check:Cell:@2 was expected to have type Cell but has type Other (536870912)
/Volumes/Data/ws4/OpenSource/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h(112) : void JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge(JSC::DFG::Node *, JSC::DFG::Edge) [AbstractStateType = JSC::DFG::InPlaceAbstractState]
1   0x1125c97d0 WTFCrashWithSecurityImplication
2   0x111efd243 JSC::DFG::crash(JSC::DFG::Graph&, WTF::CString const&, char const*, int, char const*, char const*)
3   0x111efd2bb JSC::DFG::Graph::handleAssertionFailure(JSC::DFG::Node*, char const*, int, char const*, char const*)
4   0x111e45fd4 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge(JSC::DFG::Node*, JSC::DFG::Edge)
5   0x111e40bfc JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdges(JSC::DFG::Node*)
6   0x111e36205 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
7   0x111fb7cd3 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int)
8   0x1120b75d9 JSC::FTL::LowerDFGToLLVM::compileNode(unsigned int)
9   0x1120b6a01 JSC::FTL::LowerDFGToLLVM::compileBlock(JSC::DFG::BasicBlock*)
10  0x1120b4b48 JSC::FTL::LowerDFGToLLVM::lower()
11  0x1120b20ee JSC::FTL::lowerDFGToLLVM(JSC::FTL::State&)
12  0x111f8a8a0 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
13  0x111f88e61 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
14  0x112054c20 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*)
15  0x112053204 JSC::DFG::Worklist::threadFunction(void*)
16  0x11261df19 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const
17  0x11261deec std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()()
18  0x112579aea std::__1::function<void ()>::operator()() const
19  0x11261ce6e WTF::threadEntryPoint(void*)
20  0x11261e878 WTF::wtfThreadEntryPoint(void*)
21  0x7fff97ce5268 _pthread_body
22  0x7fff97ce51e5 _pthread_body
23  0x7fff97ce341d thread_start

rdar://problem/19252057
Comment 1 Michael Saboff 2015-01-31 00:27:38 PST
Created attachment 245777
Patch
Comment 2 Michael Saboff 2015-01-31 19:58:33 PST
Committed r179457: <http://trac.webkit.org/changeset/179457>