Bug 46077

Summary: ASSERT failure in YARR JIT
Product: WebKit
Reporter: Gavin Barraclough <barraclough>
Component: JavaScriptCore
Assignee: Gavin Barraclough <barraclough>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, info, possessedpenguinbob
Priority: P2
Version: 528+ (Nightly build)
Hardware: PC
OS: OS X 10.5
Attachments:
  The patch (flags: none)

Description Gavin Barraclough 2010-09-20 00:27:17 PDT
ASSERTION FAILED: to.m_offset != -1
(/Volumes/Data/CopperHead/JavaScriptCore/assembler/X86Assembler.h:1535 void JSC::X86Assembler::linkJump(JSC::X86Assembler::JmpSrc, JSC::X86Assembler::JmpDst))
Segmentation fault: 11

The problem is hit when there are multiple alternatives in the top-level disjunction, the last disjunction is longer than the first, and all are BOL predicated, e.g.:
/^a|^bc/
Two optimizations are coming into conflict here.
Due to the BOL unrolling there is no need to ever loop, so no head-of-loop label has been set. However, the optimized code path that loops without checking length (available since we have already checked N+1 characters for the last alternative before looping) doesn't check the flag indicating whether a label has been set.
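The following is an added regression-style harness and is not code from this bug, its attachment, or the WebKit tree. It builds patterns of the shape the description identifies (several top-level alternatives, each anchored with ^, the last longer than the first, e.g. /^a|^bc/) and compares the engine's result against reference semantics computed without the anchors. Without the m flag, ^ can only match at offset 0, which is exactly why the BOL unrolling never needs to loop; with m it may also match after a line terminator, so the looping path is needed again. The alternative strings and inputs are constructed for this example, and the reference treats only "\n" as a line terminator (an assumption that holds for these inputs).

```javascript
// Added example, not code from the WebKit bug or the r67867 patch.
// Exercises the pattern shape the report describes: several top-level
// alternatives, every one BOL-anchored with "^", the last alternative
// longer than the first (e.g. /^a|^bc/). The alternative strings and the
// inputs below are constructed for this example.

// Assumption: alternative strings contain no regex metacharacters.
const ALTERNATIVES = ["a", "bc", "def", "ghij"];

// Constructed inputs: matches at offset 0, matches only later in the
// string, empty input, and inputs containing line breaks.
const INPUTS = ["a", "bc", "def", "xa", "xbc", "\nbc", "bcd", "", "ab\nbc", "x\nbc"];

// Alternative sets of increasing size: /^a|^bc/, /^a|^bc|^def/, ...
function bolAlternationPatterns() {
  const sets = [];
  for (let n = 2; n <= ALTERNATIVES.length; n++) {
    sets.push(ALTERNATIVES.slice(0, n));
  }
  return sets;
}

function buildAnchoredRegExp(alts, flags) {
  return new RegExp(alts.map((s) => "^" + s).join("|"), flags);
}

// Reference semantics computed without "^": without the m flag, "^" can
// only match at offset 0, so the unanchored alternation must match at
// index 0 exactly.
function referenceNoMultiline(alts, input) {
  const m = new RegExp(alts.join("|")).exec(input);
  return m !== null && m.index === 0;
}

// With the m flag, "^" also matches after a line terminator, so any line
// of the input may carry the match at its own offset 0. (Assumption: only
// "\n" is treated as a terminator, which is enough for the inputs above.)
function referenceMultiline(alts, input) {
  return input.split("\n").some((line) => referenceNoMultiline(alts, line));
}

// Compare the engine's anchored pattern against the reference for every
// input; returns the list of disagreements (empty on a correct engine).
function checkAlternation(alts, multiline) {
  const re = buildAnchoredRegExp(alts, multiline ? "m" : "");
  const reference = multiline ? referenceMultiline : referenceNoMultiline;
  const failures = [];
  for (const input of INPUTS) {
    const got = re.test(input);
    const want = reference(alts, input);
    if (got !== want) failures.push({ pattern: re.source, input, got, want });
  }
  return failures;
}

// Runs every pattern in both modes. An engine that aborts while compiling
// the pattern (the failure mode in this bug) would surface as an exception
// from buildAnchoredRegExp rather than as a mismatch.
function runAll() {
  const failures = [];
  for (const alts of bolAlternationPatterns()) {
    failures.push(...checkAlternation(alts, false));
    failures.push(...checkAlternation(alts, true));
  }
  return failures;
}
```

On a fixed engine runAll() returns an empty array; the mismatch records, if any, name the pattern, the input, and the expected versus observed result, which is the minimum a regression test for a JIT code-path bug needs to report.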
Comment 1 Gavin Barraclough 2010-09-20 00:47:09 PDT
Created attachment 68056 [details]
The patch
Comment 2 WebKit Commit Bot 2010-09-20 11:31:33 PDT
Comment on attachment 68056 [details]
The patch

Clearing flags on attachment: 68056

Committed r67867: <http://trac.webkit.org/changeset/67867>
Comment 3 WebKit Commit Bot 2010-09-20 11:31:38 PDT
All reviewed patches have been landed.  Closing bug.
Comment 4 Alexey Proskuryakov 2010-09-20 11:46:16 PDT
*** Bug 46075 has been marked as a duplicate of this bug. ***
Comment 5 Alexey Proskuryakov 2011-02-22 13:13:47 PST
*** Bug 46102 has been marked as a duplicate of this bug. ***