119405 – REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT

Bug 119405 - REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT

Summary: REGRESSION(FTL merge): Assertion fail on 32 bit with enabled DFG JIT

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Michael Saboff

URL:
Keywords:	InRadar

Depends on:	119140
Blocks:
	Show dependency tree / graph

Reported:	2013-08-01 11:56 PDT by Csaba Osztrogonác
Modified:	2013-08-07 09:16 PDT (History)
CC List:	12 users (show)

See Also:

Attachments
Patch for landing (1.87 KB, patch) 2013-08-06 22:37 PDT, Michael Saboff	ggaren: review+	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Csaba Osztrogonác 2013-08-01 11:56:38 PDT

STDERR: ASSERTION FAILED: currentLowest != NUM_REGS && currentSpillOrder != SpillHintInvalid
STDERR: /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGRegisterBank.h(136) : JSC::DFG::RegisterBank<BankInfo>::RegID JSC::DFG::RegisterBank<BankInfo>::allocate(JSC::VirtualRegister&) [with BankInfo = JSC::DFG::GPRInfo, JSC::DFG::RegisterBank<BankInfo>::RegID = JSC::X86Registers::RegisterID]

Program terminated with signal 11, Segmentation fault.
#0  0xf59e9618 in WTFCrash () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:339
339         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb)
(gdb) bt
#0  0xf59e9618 in WTFCrash () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/Assertions.cpp:339
#1  0xf57f53b6 in JSC::DFG::RegisterBank<JSC::DFG::GPRInfo>::allocate(JSC::VirtualRegister&) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PrintStream.h:59
#2  0xf57f0368 in JSC::DFG::SpeculativeJIT::allocate() () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PrintStream.h:59
#3  0xf57d5ff3 in JSC::DFG::GPRTemporary::GPRTemporary (this=0xfff8ee64, jit=0x83094f0)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1214
#4  0xf57da30f in JSC::DFG::SpeculativeJIT::compileGetByValOnString (this=0x83094f0, node=0xeb8b04ac)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2137
#5  0xf58118c8 in JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2665
#6  0xf57d878e in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0x83094f0)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1804
#7  0xf57d8e38 in JSC::DFG::SpeculativeJIT::compile (this=0x83094f0) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1918
#8  0xf579d2e0 in JSC::DFG::JITCompiler::compileBody (this=0xfff91454) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:117
#9  0xf579ed95 in JSC::DFG::JITCompiler::compileFunction (this=0xfff91454)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:382
#10 0xf57c2649 in JSC::DFG::Plan::compileInThreadImpl (this=0x83285b0, longLivedState=0x827f790)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:256
#11 0xf57c214e in JSC::DFG::Plan::compileInThread (this=0x83285b0, longLivedState=0x827f790)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGPlan.cpp:113
#12 0xf578524d in JSC::DFG::compile (compileMode=CompileFunction, exec=0xe9d001f8, codeBlock=0x83035f8, jitCode=0xec23ea9c,
    jitCodeWithArityCheck=0xec23eaa4, osrEntryBytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:128
#13 0xf57852f2 in JSC::DFG::tryCompileFunction (exec=0xe9d001f8, codeBlock=0x83035f8, jitCode=0xec23ea9c, jitCodeWithArityCheck=0xec23eaa4,
    bytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/dfg/DFGDriver.cpp:139
#14 0xf5933125 in JSC::jitCompileFunctionIfAppropriateImpl(JSC::ExecState*, JSC::FunctionCodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) () at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/bytecode/SpeculatedType.h:272
#15 0xf593346b in JSC::prepareFunctionForExecutionImpl(JSC::ExecState*, JSC::FunctionCodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) () at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/bytecode/SpeculatedType.h:272
#16 0xf59334ad in JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::RefPtr<JSC::FunctionCodeBlock>&, JSC::FunctionCodeBlock*, WTF::RefPtr<JSC::JITCode>&, JSC::MacroAssemblerCodePtr&, int&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/bytecode/SpeculatedType.h:272
#17 0xf59318c2 in JSC::FunctionExecutable::compileForCallInternal (this=0xec23ea88, exec=0xe9d001f8, scope=0xedc9fa38, jitType=DFGJIT, result=0xfff91db4,
    bytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:561
#18 0xf5931185 in JSC::FunctionExecutable::compileOptimizedForCall (this=0xec23ea88, exec=0xe9d001f8, scope=0xedc9fa38, result=0xfff91db4,
    bytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/runtime/Executable.cpp:480
#19 0xf567a218 in JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, JSC::CompilationResult&, unsigned int, JSC::CodeSpecializationKind) () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PrintStream.h:59
#20 0xf5674f9a in JSC::FunctionCodeBlock::compileOptimized (this=0x8314ff8, exec=0xe9d001f8, scope=0xedc9fa38, result=0xfff91db4,
    bytecodeIndex=<unknown type>) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/bytecode/CodeBlock.cpp:2730
#21 0xf588492d in cti_optimize (args=0xfff91e10) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1044
#22 0xf5881c61 in JSC::tryCacheGetByID (callFrame=0xee619460, codeBlock=0x827d76c, returnAddress=..., baseValue=..., propertyName=0x8274780,
    slot=0xfff91e98, stubInfo=0xf584e076) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:274
#23 0xfff91e2c in ?? ()
#24 0xf586392a in JSC::JITCode::execute (this=0x8320a00, stack=0x827d76c, callFrame=0xe9d001a0, vm=0x8274780)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46
#25 0xf584d40f in JSC::Interpreter::execute (this=0x827d760, eval=0xec23e9d8, callFrame=0xe9d00148, thisValue=..., scope=0xeb83cd50)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:1208
#26 0xf584849d in JSC::eval (callFrame=0xe9d00148) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:148
#27 0xf588875e in cti_op_call_eval (args=0xfff92900) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:1965
#28 0xf5881c61 in JSC::tryCacheGetByID (callFrame=0xef986fc0, codeBlock=0x827d76c, returnAddress=..., baseValue=..., propertyName=0x8274780,
    slot=0xfff92988, stubInfo=0xf584e1d4) at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITStubs.cpp:274
#29 0xe9d00058 in ?? ()
#30 0xf586392a in JSC::JITCode::execute (this=0x831b0e8, stack=0x827d76c, callFrame=0xe9d00058, vm=0x8274780)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/jit/JITCode.cpp:46
#31 0xf584bb7e in JSC::Interpreter::execute (this=0x827d760, program=0xec23eae0, callFrame=0xedc9fa8c, thisObj=0xedcdffd8)
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:856
#32 0xf5925768 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:83
#33 0xf435e490 in WebCore::JSMainThreadExecState::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#34 0xf437b621 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld*) ()
---Type <return> to continue, or q <return> to quit---
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#35 0xf437b71a in WebCore::ScriptController::evaluate(WebCore::ScriptSourceCode const&) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#36 0xf462e936 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#37 0xf47bfbcf in WebCore::HTMLScriptRunner::executePendingScriptAndDispatchEvent(WebCore::PendingScript&) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#38 0xf47bfa44 in WebCore::HTMLScriptRunner::executeParsingBlockingScript() () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#39 0xf47bfedb in WebCore::HTMLScriptRunner::executeParsingBlockingScripts() () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#40 0xf47c003e in WebCore::HTMLScriptRunner::executeScriptsWaitingForLoad(WebCore::CachedResource*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#41 0xf47b1f17 in WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PassOwnArrayPtr.h:83
#42 0xf49005c9 in WebCore::CachedResource::checkNotify (this=0x82e2f80)
    at /home/webkitbuildbot/oszi/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:369
#43 0xf49006b1 in WebCore::CachedResource::finishLoading (this=0x82e2f80)
    at /home/webkitbuildbot/oszi/WebKit/Source/WebCore/loader/cache/CachedResource.cpp:385
#44 0xf49081b4 in WebCore::CachedScript::finishLoading(WebCore::ResourceBuffer*) () at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PageBlock.h:72
#45 0xf4959af0 in WebCore::SubresourceLoader::didFinishLoading (this=0x82e3320, finishTime=0)
    at /home/webkitbuildbot/oszi/WebKit/Source/WebCore/loader/SubresourceLoader.cpp:282
#46 0xf4950ee1 in WebCore::ResourceLoader::didFinishLoading(WebCore::ResourceHandle*, double) ()
    at /home/webkitbuildbot/oszi/WebKit/Source/WTF/wtf/PageBlock.h:72
#47 0xf4d9a0b8 in WebCore::QNetworkReplyHandler::finish() () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#48 0xf4d98da0 in WebCore::QNetworkReplyHandlerCallQueue::flush() () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#49 0xf4d98aec in WebCore::QNetworkReplyHandlerCallQueue::push(void (WebCore::QNetworkReplyHandler::*)()) () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#50 0xf4d999a8 in WebCore::QNetworkReplyWrapper::didReceiveFinished() () at /usr/include/c++/4.6/bits/stl_algobase.h:218
#51 0xf4d9c09c in WebCore::QNetworkReplyWrapper::qt_static_metacall(QObject*, QMetaObject::Call, int, void**) ()
    at /usr/include/c++/4.6/bits/stl_algobase.h:218
#52 0xf2f8b9ad in QMetaObject::activate(QObject*, int, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#53 0xf2f8c3cb in QMetaObject::activate(QObject*, QMetaObject const*, int, void**) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#54 0xf3679fd5 in QNetworkReply::finished() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Network.so.5
#55 0xf367a250 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Network.so.5
#56 0xf2f89b53 in QMetaCallEvent::placeMetaCall(QObject*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#57 0xf2f8d062 in QObject::event(QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#58 0xf37c0e34 in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#59 0xf37c4844 in QApplication::notify(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#60 0xf2f62eee in QCoreApplication::notifyInternal(QObject*, QEvent*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#61 0xf2f650b4 in QCoreApplicationPrivate::sendPostedEvents(QObject*, int, QThreadData*) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#62 0xf2f6560c in QCoreApplication::sendPostedEvents(QObject*, int) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#63 0xf2fb02c4 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#64 0xf224bcda in g_main_context_dispatch () from /lib/i386-linux-gnu/libglib-2.0.so.0
#65 0xf224c0e5 in ?? () from /lib/i386-linux-gnu/libglib-2.0.so.0
#66 0xf224c1c1 in g_main_context_iteration () from /lib/i386-linux-gnu/libglib-2.0.so.0
#67 0xf2fb06d8 in QEventDispatcherGlib::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#68 0xef9cf036 in ?? () from /usr/local/Trolltech/Qt5/Qt-5.0.1/plugins/platforms/libqxcb.so
#69 0xf2f61726 in QEventLoop::processEvents(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#70 0xf2f61b64 in QEventLoop::exec(QFlags<QEventLoop::ProcessEventsFlag>) () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#71 0xf2f656b2 in QCoreApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Core.so.5
#72 0xf3218984 in QGuiApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Gui.so.5
#73 0xf37bbfe4 in QApplication::exec() () from /usr/local/Trolltech/Qt5/Qt-5.0.1/lib/libQt5Widgets.so.5
#74 0x0807b8db in main () at /usr/include/c++/4.6/bits/move.h:83
#75 0xf2a7e4d3 in __libc_start_main () from /lib/i386-linux-gnu/libc.so.6
#76 0x080599d1 in _start ()

Comment 1 Csaba Osztrogonác 2013-08-01 11:58:59 PDT

I forgot to mention that I got it after applying https://bugs.webkit.org/attachment.cgi?id=207937&action=review

And the following fast/js tests assert:
  fast/js/dfg-string-out-of-bounds-check-structure.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-cse.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-negative-check-structure.html [ Crash ]
  fast/js/dfg-string-out-of-bounds-negative-proto-value.html [ Crash ]
  fast/js/regress/string-get-by-val-out-of-bounds-insane.html [ Crash ]
  fast/js/regress/string-get-by-val-out-of-bounds.html [ Crash ]

Comment 2 Csaba Osztrogonác 2013-08-01 11:59:26 PDT

... and the tests pass with disabled DFG JIT

Comment 3 Geoffrey Garen 2013-08-01 17:52:51 PDT

<rdar://problem/14627547>

Comment 4 Michael Saboff 2013-08-06 17:23:47 PDT

The ASSERT failure is because we run out of registers on X86 32 bit in SpeculativeJIT::compileGetByValOnString().  X86 32bit currently only has 5 allocated registers in the DFG.  All other CPU types have 6 or more.

One fix is to change compileGetByValOnString() to use a slow path instead of needing the extra register.

Comment 5 Michael Saboff 2013-08-06 22:37:42 PDT

Created attachment 208237 [details]
Patch for landing

Another way to fix this is to turn the indexed load into a shift, add the base address for the single character strings and then use that as the source address for the load with the destination the same register. Added this path for X86-32 only.

This patch has been reviewed by Geoff Garen.

Comment 6 Geoffrey Garen 2013-08-07 08:45:37 PDT

Comment on attachment 208237 [details]
Patch for landing

r=me

Comment 7 Michael Saboff 2013-08-07 09:16:23 PDT

Committed r153789: <http://trac.webkit.org/changeset/153789>