Bug 189703

Summary: CheckStructureOrEmpty should pass in a tempGPR to emitStructureCheck since it may jump over that code
Product: WebKit Reporter: Dawei Fenton (:realdawei) <realdawei>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ews-watchlist, keith_miller, mark.lam, msaboff, ryanhaddad, saam, tsavell, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch none

Dawei Fenton (:realdawei)
Reported 2018-09-18 11:02:55 PDT
Debug JSC has an assertion failure on the following test: typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager sample output: https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/1509/steps/jscore-test/logs/stdio ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 270 in jump offset range 270..305 typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: !(low <= m_offset && m_offset <= high) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: /Volumes/Data/slave/highsierra-debug/build/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(818) : void JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::checkOffsets(unsigned int, unsigned int) [AssemblerType = JSC::X86Assembler] typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 1 0x102db92c9 WTFCrash typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: ASSERTION FAILED: Unsafe branch over register allocation at instruction offset 276 in jump offset range 276..323 typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: !(low <= m_offset && m_offset <= high) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: /Volumes/Data/slave/highsierra-debug/build/Source/JavaScriptCore/assembler/AbstractMacroAssembler.h(818) : void JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::checkOffsets(unsigned int, unsigned int) [AssemblerType = JSC::X86Assembler] typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 2 0x102f60c2d JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::checkOffsets(unsigned int, unsigned int) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 1 0x102db92c9 WTFCrash typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 3 0x102f609cf JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 2 0x102f60c2d JSC::AbstractMacroAssembler<JSC::X86Assembler>::RegisterAllocationOffset::checkOffsets(unsigned int, unsigned int) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 4 0x102eb1a2c JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 3 0x102f609cf JSC::AbstractMacroAssembler<JSC::X86Assembler>::checkRegisterAllocationAgainstBranchRange(unsigned int, unsigned int) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 5 0x1030deea9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 4 0x102eb1a2c JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump::link(JSC::AbstractMacroAssembler<JSC::X86Assembler>*) const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 6 0x102ec1890 JSC::DFG::SpeculativeJIT::compileCurrentBlock() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 5 0x1030deea9 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 7 0x102ec3315 JSC::DFG::SpeculativeJIT::compile() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 6 0x102ec1890 JSC::DFG::SpeculativeJIT::compileCurrentBlock() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 8 0x103a1be57 JSC::DFG::JITCompiler::compileBody() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 7 0x102ec3315 JSC::DFG::SpeculativeJIT::compile() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 9 0x103a207a5 JSC::DFG::JITCompiler::compileFunction() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 8 0x103a1be57 JSC::DFG::JITCompiler::compileBody() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 10 0x103b5225a JSC::DFG::Plan::compileInThreadImpl() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 9 0x103a207a5 JSC::DFG::JITCompiler::compileFunction() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 11 0x103b4f852 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 10 0x103b5225a JSC::DFG::Plan::compileInThreadImpl() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 12 0x103c05436 JSC::DFG::Worklist::ThreadBody::work() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 11 0x103b4f852 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 13 0x102dcee9f WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 12 0x103c05436 JSC::DFG::Worklist::ThreadBody::work() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 14 0x102dcea89 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 13 0x102dcee9f WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 15 0x102de052d WTF::Function<void ()>::operator()() const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 14 0x102dcea89 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 16 0x102e6a9b3 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 15 0x102de052d WTF::Function<void ()>::operator()() const typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 17 0x102e709b5 WTF::wtfThreadEntryPoint(void*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 16 0x102e6a9b3 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 18 0x7fff6eb48661 _pthread_body typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 17 0x102e709b5 WTF::wtfThreadEntryPoint(void*) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 19 0x7fff6eb4850d _pthread_body typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 18 0x7fff6eb48661 _pthread_body typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 20 0x7fff6eb47bf9 thread_start typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 19 0x7fff6eb4850d _pthread_body typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: 20 0x7fff6eb47bf9 thread_start typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: test_script_44127: line 2: 80592 Segmentation fault: 11 ( "$@" ../../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useIntlPluralRules\=true --useTypeProfiler\=true --useFTLJIT\=true --thresholdForJITAfterWarmUp\=10 --thresholdForJITSoon\=10 --thresholdForOptimizeAfterWarmUp\=20 --thresholdForOptimizeAfterLongWarmUp\=20 --thresholdForOptimizeSoon\=20 --thresholdForFTLOptimizeAfterWarmUp\=20 --thresholdForFTLOptimizeSoon\=20 --maximumEvalCacheableSourceLength\=150000 --useEagerCodeBlockJettisonTiming\=true type-profiler-gc.js ) typeProfiler.yaml/typeProfiler/type-profiler-gc.js.ftl-type-profiler-ftl-eager: ERROR: Unexpected exit code: 139
Attachments
patch (1.75 KB, patch)
2018-09-19 12:16 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Ryan Haddad
Comment 1 2018-09-18 13:29:37 PDT
This is the regression range according to the bot history: https://trac.webkit.org/log/webkit/?action=stop_on_copy&mode=stop_on_copy&rev=236096&stop_rev=236077&limit=100&verbose=on This was the only JSC change: https://trac.webkit.org/changeset/236089/webkit
Saam Barati
Comment 2 2018-09-18 13:33:11 PDT
Will fix. This is a preexisting bug.
Saam Barati
Comment 3 2018-09-19 12:03:59 PDT
Sorry was busy with a different bug, will look into this now.
Saam Barati
Comment 4 2018-09-19 12:16:05 PDT
Created attachment 350140 [details] patch
Mark Lam
Comment 5 2018-09-19 13:30:17 PDT
Comment on attachment 350140 [details] patch r=me
WebKit Commit Bot
Comment 6 2018-09-19 14:09:22 PDT
Comment on attachment 350140 [details] patch Clearing flags on attachment: 350140 Committed r236224: <https://trac.webkit.org/changeset/236224>
WebKit Commit Bot
Comment 7 2018-09-19 14:09:24 PDT
All reviewed patches have been landed. Closing bug.
Radar WebKit Bug Importer
Comment 8 2018-09-19 14:10:34 PDT
<rdar://problem/44615988>
Note You need to log in before you can comment on or make changes to this bug.