114129 – REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests

Bug 114129 - REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculateCell() running webgl tests

Summary: REGRESSION(r146669): Assertion hit in JSC::DFG::SpeculativeJIT::fillSpeculate...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2013-04-07 12:51 PDT by Chris Dumez
Modified:	2013-04-08 10:47 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
the patch (4.68 KB, patch) 2013-04-08 10:19 PDT, Filip Pizlo	darin: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Chris Dumez 2013-04-07 12:51:44 PDT

The following test cases are hitting an assertion on the EFL build bots:
  webgl/conformance/textures/tex-image-with-format-and-type.html
  fast/canvas/webgl/tex-image-with-format-and-type.html

crash log for WebProcess (pid <unknown>):
STDOUT: <empty>
STDERR: ASSERTION FAILED: (edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)
STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1128) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
STDERR: 1   0x7f223d4a178c JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
STDERR: 2   0x7f223d48ef80 JSC::DFG::SpeculateCellOperand::gpr()
STDERR: 3   0x7f223d4b1a9c JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
STDERR: 4   0x7f223d4789b7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
STDERR: 5   0x7f223d47911f JSC::DFG::SpeculativeJIT::compile()
STDERR: 6   0x7f223d445a4c JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
STDERR: 7   0x7f223d446c79 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
STDERR: 8   0x7f223d433770 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
STDERR: 9   0x7f223d432ff4 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
STDERR: 10  0x7f223d5f5baf JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
STDERR: 11  0x7f223d5f5ea4 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
STDERR: 12  0x7f223d5f4354 JSC::FunctionExecutable::compileForConstructInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
STDERR: 13  0x7f223d5f39ab JSC::FunctionExecutable::compileOptimizedForConstruct(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 14  0x7f223d343da7 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
STDERR: 15  0x7f223d33dcd2 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
STDERR: 16  0x7f223d5486b9
STDERR: 17  0x7f223d5456c7
STDERR: 18  0x7f20e3bf0060

Comment 1 Geoffrey Garen 2013-04-07 13:27:20 PDT

Christophe, do you know when this started?

Comment 2 Chris Dumez 2013-04-07 13:46:05 PDT

Started between r146663 and r146670.

http://trac.webkit.org/changeset/146669 seems like the most likely culprit.

Comment 3 Geoffrey Garen 2013-04-07 14:12:44 PDT

<rdar://problem/13594898>

Comment 4 Filip Pizlo 2013-04-08 09:44:00 PDT

(In reply to comment #0)
> The following test cases are hitting an assertion on the EFL build bots:
>   webgl/conformance/textures/tex-image-with-format-and-type.html
>   fast/canvas/webgl/tex-image-with-format-and-type.html
> 
> crash log for WebProcess (pid <unknown>):
> STDOUT: <empty>
> STDERR: ASSERTION FAILED: (edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)
> STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1128) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
> STDERR: 1   0x7f223d4a178c JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
> STDERR: 2   0x7f223d48ef80 JSC::DFG::SpeculateCellOperand::gpr()
> STDERR: 3   0x7f223d4b1a9c JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
> STDERR: 4   0x7f223d4789b7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
> STDERR: 5   0x7f223d47911f JSC::DFG::SpeculativeJIT::compile()
> STDERR: 6   0x7f223d445a4c JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)

Can you tell me what line you're at in this frame?

> STDERR: 7   0x7f223d446c79 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
> STDERR: 8   0x7f223d433770 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
> STDERR: 9   0x7f223d432ff4 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
> STDERR: 10  0x7f223d5f5baf JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
> STDERR: 11  0x7f223d5f5ea4 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
> STDERR: 12  0x7f223d5f4354 JSC::FunctionExecutable::compileForConstructInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
> STDERR: 13  0x7f223d5f39ab JSC::FunctionExecutable::compileOptimizedForConstruct(JSC::ExecState*, JSC::JSScope*, unsigned int)
> STDERR: 14  0x7f223d343da7 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
> STDERR: 15  0x7f223d33dcd2 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
> STDERR: 16  0x7f223d5486b9
> STDERR: 17  0x7f223d5456c7
> STDERR: 18  0x7f20e3bf0060

Comment 5 Filip Pizlo 2013-04-08 09:58:54 PDT

(In reply to comment #4)
> (In reply to comment #0)
> > The following test cases are hitting an assertion on the EFL build bots:
> >   webgl/conformance/textures/tex-image-with-format-and-type.html
> >   fast/canvas/webgl/tex-image-with-format-and-type.html
> > 
> > crash log for WebProcess (pid <unknown>):
> > STDOUT: <empty>
> > STDERR: ASSERTION FAILED: (edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)
> > STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug-wk2/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp(1128) : JSC::DFG::GPRReg JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
> > STDERR: 1   0x7f223d4a178c JSC::DFG::SpeculativeJIT::fillSpeculateCell(JSC::DFG::Edge)
> > STDERR: 2   0x7f223d48ef80 JSC::DFG::SpeculateCellOperand::gpr()
> > STDERR: 3   0x7f223d4b1a9c JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*)
> > STDERR: 4   0x7f223d4789b7 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
> > STDERR: 5   0x7f223d47911f JSC::DFG::SpeculativeJIT::compile()
> > STDERR: 6   0x7f223d445a4c JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
> 
> Can you tell me what line you're at in this frame?

Never mind, I can repro this!  Working on fix...

> 
> > STDERR: 7   0x7f223d446c79 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
> > STDERR: 8   0x7f223d433770 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
> > STDERR: 9   0x7f223d432ff4 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
> > STDERR: 10  0x7f223d5f5baf JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
> > STDERR: 11  0x7f223d5f5ea4 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
> > STDERR: 12  0x7f223d5f4354 JSC::FunctionExecutable::compileForConstructInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
> > STDERR: 13  0x7f223d5f39ab JSC::FunctionExecutable::compileOptimizedForConstruct(JSC::ExecState*, JSC::JSScope*, unsigned int)
> > STDERR: 14  0x7f223d343da7 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
> > STDERR: 15  0x7f223d33dcd2 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
> > STDERR: 16  0x7f223d5486b9
> > STDERR: 17  0x7f223d5456c7
> > STDERR: 18  0x7f20e3bf0060

Comment 6 Filip Pizlo 2013-04-08 10:15:12 PDT

Sadly those tests were skipped and so we missed this on Mac.  I will unskip because they are passing now.

Comment 7 Filip Pizlo 2013-04-08 10:19:38 PDT

Created attachment 196868 [details]
the patch

Comment 8 Filip Pizlo 2013-04-08 10:47:10 PDT

Landed in http://trac.webkit.org/changeset/147933