114129 – REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests

RESOLVED FIXED 114129

REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests

https://bugs.webkit.org/show_bug.cgi?id=114129

Summary REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculate...

Chris Dumez

Reported 2013-04-07 12:51:44 PDT

The following test cases are hitting an assertion on the EFL build bots: webgl/conformance/textures/tex-image-with-format-and-type.html fast/canvas/webgl/tex-image-with-format-and-type.html crash log for WebProcess (pid <unknown>): STDOUT: <empty> STDERR: ASSERTION FAILED: (edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell) STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1128) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge) STDERR: 1 0x7f223d4a178c JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge) STDERR: 2 0x7f223d48ef80 JSC::DFG::SpeculateCellOperand::gpr() STDERR: 3 0x7f223d4b1a9c JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) STDERR: 4 0x7f223d4789b7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) STDERR: 5 0x7f223d47911f JSC::DFG::SpeculativeJIT::compile() STDERR: 6 0x7f223d445a4c JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) STDERR: 7 0x7f223d446c79 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) STDERR: 8 0x7f223d433770 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) STDERR: 9 0x7f223d432ff4 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) STDERR: 10 0x7f223d5f5baf JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) STDERR: 11 0x7f223d5f5ea4 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) STDERR: 12 0x7f223d5f4354 JSC::FunctionExecutable::compileForConstructInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int) STDERR: 13 0x7f223d5f39ab JSC::FunctionExecutable::compileOptimizedForConstruct(JSC::ExecState*, JSC::JSScope*, unsigned int) STDERR: 14 0x7f223d343da7 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind) STDERR: 15 0x7f223d33dcd2 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) STDERR: 16 0x7f223d5486b9 STDERR: 17 0x7f223d5456c7 STDERR: 18 0x7f20e3bf0060

Attachments
the patch (4.68 KB, patch) 2013-04-08 10:19 PDT, Filip Pizlo	darin: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Geoffrey Garen

Comment 1 2013-04-07 13:27:20 PDT

Christophe, do you know when this started?

Chris Dumez

Comment 2 2013-04-07 13:46:05 PDT

Started between r146663 and r146670. http://trac.webkit.org/changeset/146669 seems like the most likely culprit.

Geoffrey Garen

Comment 3 2013-04-07 14:12:44 PDT

<rdar://problem/13594898>

Filip Pizlo

Comment 4 2013-04-08 09:44:00 PDT

(In reply to comment #0) > The following test cases are hitting an assertion on the EFL build bots: > webgl/conformance/textures/tex-image-with-format-and-type.html > fast/canvas/webgl/tex-image-with-format-and-type.html > > crash log for WebProcess (pid <unknown>): > STDOUT: <empty> > STDERR: ASSERTION FAILED: (edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell) > STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1128) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge) > STDERR: 1 0x7f223d4a178c JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge) > STDERR: 2 0x7f223d48ef80 JSC::DFG::SpeculateCellOperand::gpr() > STDERR: 3 0x7f223d4b1a9c JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) > STDERR: 4 0x7f223d4789b7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) > STDERR: 5 0x7f223d47911f JSC::DFG::SpeculativeJIT::compile() > STDERR: 6 0x7f223d445a4c JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) Can you tell me what line you're at in this frame? > STDERR: 7 0x7f223d446c79 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) > STDERR: 8 0x7f223d433770 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) > STDERR: 9 0x7f223d432ff4 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) > STDERR: 10 0x7f223d5f5baf JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) > STDERR: 11 0x7f223d5f5ea4 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) > STDERR: 12 0x7f223d5f4354 JSC::FunctionExecutable::compileForConstructInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int) > STDERR: 13 0x7f223d5f39ab JSC::FunctionExecutable::compileOptimizedForConstruct(JSC::ExecState*, JSC::JSScope*, unsigned int) > STDERR: 14 0x7f223d343da7 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind) > STDERR: 15 0x7f223d33dcd2 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) > STDERR: 16 0x7f223d5486b9 > STDERR: 17 0x7f223d5456c7 > STDERR: 18 0x7f20e3bf0060

Filip Pizlo

Comment 5 2013-04-08 09:58:54 PDT

(In reply to comment #4) > (In reply to comment #0) > > The following test cases are hitting an assertion on the EFL build bots: > > webgl/conformance/textures/tex-image-with-format-and-type.html > > fast/canvas/webgl/tex-image-with-format-and-type.html > > > > crash log for WebProcess (pid <unknown>): > > STDOUT: <empty> > > STDERR: ASSERTION FAILED: (edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell) > > STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1128) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge) > > STDERR: 1 0x7f223d4a178c JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge) > > STDERR: 2 0x7f223d48ef80 JSC::DFG::SpeculateCellOperand::gpr() > > STDERR: 3 0x7f223d4b1a9c JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) > > STDERR: 4 0x7f223d4789b7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) > > STDERR: 5 0x7f223d47911f JSC::DFG::SpeculativeJIT::compile() > > STDERR: 6 0x7f223d445a4c JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) > > Can you tell me what line you're at in this frame? Never mind, I can repro this! Working on fix... > > > STDERR: 7 0x7f223d446c79 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) > > STDERR: 8 0x7f223d433770 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) > > STDERR: 9 0x7f223d432ff4 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) > > STDERR: 10 0x7f223d5f5baf JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) > > STDERR: 11 0x7f223d5f5ea4 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) > > STDERR: 12 0x7f223d5f4354 JSC::FunctionExecutable::compileForConstructInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int) > > STDERR: 13 0x7f223d5f39ab JSC::FunctionExecutable::compileOptimizedForConstruct(JSC::ExecState*, JSC::JSScope*, unsigned int) > > STDERR: 14 0x7f223d343da7 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind) > > STDERR: 15 0x7f223d33dcd2 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) > > STDERR: 16 0x7f223d5486b9 > > STDERR: 17 0x7f223d5456c7 > > STDERR: 18 0x7f20e3bf0060

Filip Pizlo

Comment 6 2013-04-08 10:15:12 PDT

Sadly those tests were skipped and so we missed this on Mac. I will unskip because they are passing now.

Filip Pizlo

Comment 7 2013-04-08 10:19:38 PDT

Created attachment 196868 [details] the patch

Filip Pizlo

Comment 8 2013-04-08 10:47:10 PDT

Landed in http://trac.webkit.org/changeset/147933

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Filip Pizlo

Reported

2013-04-07 12:51 PDT

Modified

2013-04-08 10:47 PDT History

CC List

4 users Show

URL

Keywords InRadar

Depends on

Blocks