RESOLVED WORKSFORME 117135
ASSERTION FAILED: !(forNode(edge).m_type & ~typeFilterFor(edge.useKind())) in JSC::DFG::AbstractState::filterEdgeByUse
https://bugs.webkit.org/show_bug.cgi?id=117135
Renata Hodovan
Reported 2013-06-03 01:59:05 PDT
The following test fails in debug WebKit:

function test() {
    for (var regexp2 = / /g; ; --regexp2) {
        regexp2[regexp2 >> 2] = regexp2;
    }
}
test();

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
339 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00000000007fb8e5 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:339
#1 0x0000000000549d8f in JSC::DFG::AbstractState::filterEdgeByUse (this=0x7fffffffaef0, node=0x7fffb2110a10, edge=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGAbstractState.h:194
#2 0x0000000000540f3f in JSC::DFG::AbstractState::executeEdges (this=0x7fffffffaef0, node=0x7fffb2110a10) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGAbstractState.cpp:253
#3 0x0000000000546811 in JSC::DFG::AbstractState::execute (this=0x7fffffffaef0, indexInBlock=7) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1578
#4 0x000000000058e78b in JSC::DFG::ConstantFoldingPhase::foldConstants (this=0x7fffffffaee0, blockIndex=1) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:324
#5 0x000000000058d3d1 in JSC::DFG::ConstantFoldingPhase::run (this=0x7fffffffaee0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:62
#6 0x000000000058f5a6 in JSC::DFG::runAndLog<JSC::DFG::ConstantFoldingPhase> (phase=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:75
#7 0x000000000058f2a1 in JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase> (graph=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:85
#8 0x000000000058cfc3 in JSC::DFG::performConstantFolding (graph=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:464
#9 0x000000000059aafd in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fffb21c20a0, codeBlock=0xf42e30, jitCode=..., jitCodeWithArityCheck=0x7fffb217fdc0, osrEntryBytecodeIndex=4) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:140
#10 0x000000000059a424 in JSC::DFG::tryCompileFunction (exec=0x7fffb21c20a0, codeBlock=0xf42e30, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=4) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:182
#11 0x00000000007355af in JSC::jitCompileFunctionIfAppropriate (exec=0x7fffb21c20a0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=4, effort=JSC::JITCompilationCanFail) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITDriver.h:95
#12 0x00000000007358a1 in JSC::prepareFunctionForExecution (exec=0x7fffb21c20a0, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=4, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/ExecutionHarness.h:68
#13 0x0000000000733c40 in JSC::FunctionExecutable::compileForCallInternal (this=0x7fffb217fd70, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=4) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:539
#14 0x0000000000733441 in JSC::FunctionExecutable::compileOptimizedForCall (this=0x7fffb217fd70, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, bytecodeIndex=4) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.cpp:464
#15 0x000000000048430c in JSC::FunctionExecutable::compileOptimizedFor (this=0x7fffb217fd70, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, bytecodeIndex=4, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/runtime/Executable.h:679
#16 0x000000000047e87c in JSC::FunctionCodeBlock::compileOptimized (this=0xf51be0, exec=0x7fffb21c20a0, scope=0x7ffff7f5f970, bytecodeIndex=4) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2843
#17 0x0000000000677f24 in JSC::cti_optimize (args=0x7fffffffccd0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:1964
#18 0x00000000006750f9 in JSC::tryCacheGetByID (callFrame=0x7fffb21c20a0, codeBlock=0x7ffff7f5f970, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7ff9000000000004) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITStubs.cpp:1068
Renata Hodovan
Comment 1 2015-06-26 09:46:01 PDT
Cannot repro this anymore.