RESOLVED FIXED Bug 119794
[DFG] isDouble(edge.useKind()) assertion fail
https://bugs.webkit.org/show_bug.cgi?id=119794
Summary [DFG] isDouble(edge.useKind()) assertion fail
Julien Brianceau
Reported 2013-08-14 04:55:19 PDT
On 32-bit sh4 and mips debug build, many SunSpider 1.0 JSC tests fail:

ASSERTION FAILED: mode == ManualOperandSpeculation || isDouble(edge.useKind())
/local/jbriance/webkit-mips/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h(2694) : JSC::DFG::SpeculateDoubleOperand::SpeculateDoubleOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge, JSC::DFG::OperandSpeculationMode)
FATAL ERROR: CRASH() called.

The backtrace always looks the same. For instance, on my sh4 board:

(gdb) bt
#0  0x00000000 in ?? ()
#1  0x00a77d8a in WTFCrash () at /local/jbriance/webkit-dfg-sh4Source/WTF/wtf/Assertions.cpp:347
#2  0x00761eba in SpeculateDoubleOperand (this=0x7bec23d8, jit=0xedcb18, edge=..., mode=JSC::DFG::AutomaticOperandSpeculation) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2703
#3  0x0073f08a in JSC::DFG::SpeculativeJIT::compileDoubleAsInt32 (this=0xedcb18, node=0x2bc31814) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2456
#4  0x0078d9e2 in JSC::DFG::SpeculativeJIT::compile (this=0xedcb18, node=0x2bc31814) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2214
#5  0x0073ac68 in JSC::DFG::SpeculativeJIT::compileCurrentBlock (this=0xedcb18) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1804
#6  0x0073b538 in JSC::DFG::SpeculativeJIT::compile (this=0xedcb18) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1918
#7  0x006c7944 in JSC::DFG::JITCompiler::compileBody (this=0x7bec4778) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:117
#8  0x006c9ea0 in JSC::DFG::JITCompiler::compileFunction (this=0x7bec4778) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:382
#9  0x00716950 in JSC::DFG::Plan::compileInThreadImpl (this=0xee3e28, longLivedState=...) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGPlan.cpp:256
#10 0x007161ee in JSC::DFG::Plan::compileInThread (this=0xee3e28, longLivedState=...) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGPlan.cpp:113
#11 0x0069ba26 in compile (compileMode=JSC::DFG::CompileFunction, exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=0x2bbffacc, osrEntryBytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGDriver.cpp:127
#12 0x0069bba4 in JSC::DFG::tryCompileFunction (exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/dfg/DFGDriver.cpp:138
#13 0x0095b1c4 in JSC::jitCompileFunctionIfAppropriateImpl (exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=89, effort=JSC::JITCompilationCanFail) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/jit/JITDriver.h:98
#14 0x0095b620 in JSC::prepareFunctionForExecutionImpl (exec=0x2b62b130, codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=89, kind=JSC::CodeForCall) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/ExecutionHarness.h:84
#15 0x0095b6c2 in JSC::prepareFunctionForExecution (exec=0x2b62b130, sink=..., codeBlock=0xee3670, jitCode=..., jitCodeWithArityCheck=..., numParameters=@0x2bbffab4, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=89, kind=JSC::CodeForCall) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/ExecutionHarness.h:138
#16 0x00958c0c in JSC::FunctionExecutable::compileForCallInternal (this=0x2bbffab0, exec=0x2b62b130, scope=0x2ba7fc38, jitType=JSC::JITCode::DFGJIT, result=0x7bec5004, bytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/Executable.cpp:561
#17 0x009581ec in JSC::FunctionExecutable::compileOptimizedForCall (this=0x2bbffab0, exec=0x2b62b130, scope=0x2ba7fc38, result=@0x7bec5004, bytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/Executable.cpp:480
#18 0x004c7716 in JSC::FunctionExecutable::compileOptimizedFor (this=0x2bbffab0, exec=0x2b62b130, scope=0x2ba7fc38, result=@0x7bec5004, bytecodeIndex=89, kind=JSC::CodeForCall) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/runtime/Executable.h:691
#19 0x004be7ee in JSC::FunctionCodeBlock::compileOptimized (this=0xedeb30, exec=0x2b62b130, scope=0x2ba7fc38, result=@0x7bec5004, bytecodeIndex=89) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/bytecode/CodeBlock.cpp:2744
#20 0x00840b64 in JITStubThunked_optimize (args=0x7bec5060) at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/jit/JITStubs.cpp:1046
#21 0x008404bc in cti_optimize () at /local/jbriance/webkit-dfg-sh4Source/JavaScriptCore/jit/JITStubs.cpp:888
Attachments
isDouble() and isNumerical() should return true with KnownNumberUse UseKind. (1.37 KB, patch)
2013-08-14 05:15 PDT, Julien Brianceau
no flags
Julien Brianceau
Comment 1 2013-08-14 04:58:22 PDT
I think the problem is not seen on X86 32-bit, X86 64-bit and Apple ARMv7S because of the following code in DFGFixupPhase.cpp:

case ArithMod: {
    if (Node::shouldSpeculateIntegerForArithmetic(node->child1().node(), node->child2().node())
        && node->canSpeculateInteger()) {
        if (isX86() || isARMv7s()) {
            setUseKindAndUnboxIfProfitable<Int32Use>(node->child1());
            setUseKindAndUnboxIfProfitable<Int32Use>(node->child2());
            break;
        }
Julien Brianceau
Comment 2 2013-08-14 05:15:44 PDT
Created attachment 208715 [details]
isDouble() and isNumerical() should return true with KnownNumberUse UseKind.

This patch solves the issue for sh4 & mips, but as I'm clearly not an expert of this area in DFG, I'd like someone to confirm this is the right way to fix this.
Filip Pizlo
Comment 3 2013-08-15 14:38:26 PDT
Comment on attachment 208715 [details]
isDouble() and isNumerical() should return true with KnownNumberUse UseKind.

Good, but please add tests.
Filip Pizlo
Comment 4 2013-08-15 14:47:17 PDT
Comment on attachment 208715 [details]
isDouble() and isNumerical() should return true with KnownNumberUse UseKind.

Let's land this puppy. But please add a layout test if at all possible.
WebKit Commit Bot
Comment 5 2013-08-15 15:12:15 PDT
Comment on attachment 208715 [details]
isDouble() and isNumerical() should return true with KnownNumberUse UseKind.

Clearing flags on attachment: 208715

Committed r154141: <http://trac.webkit.org/changeset/154141>
WebKit Commit Bot
Comment 6 2013-08-15 15:12:17 PDT
All reviewed patches have been landed. Closing bug.
Julien Brianceau
Comment 7 2013-08-16 02:37:28 PDT
(In reply to comment #4)
> (From update of attachment 208715 [details])
> Let's land this puppy. But please add a layout test if at all possible.

Many layout tests are already covering this issue. For instance:
- LayoutTests/fast/js/dfg-mod-by-neg1-and-then-or-zero-interesting-reg-alloc.js
- LayoutTests/fast/js/dfg-mod-by-zero-and-then-or-zero-interesting-reg-alloc.js
- LayoutTests/fast/js/dfg-mod-neg2tothe31-by-one-and-then-or-zero-with-interesting-reg-alloc.js

Most of the SunSpider 1.0 tests too:
- SunSpider/tests/sunspider-1.0/3d-raytrace.js
- SunSpider/tests/sunspider-1.0/crypto-aes.js
- SunSpider/tests/sunspider-1.0/crypto-md5.js
- SunSpider/tests/sunspider-1.0/crypto-sha1.js
- SunSpider/tests/sunspider-1.0/date-format-xparb.js
- SunSpider/tests/sunspider-1.0/string-base64.js
- SunSpider/tests/sunspider-1.0/string-fasta.js
- SunSpider/tests/sunspider-1.0/string-unpack-code.js
- SunSpider/tests/sunspider-1.0/string-validate-input.js
- SunSpider/tests/sunspider-1.0/math-spectral-norm.js

In fact, any test using modulo (ArithMod in DFGFixupPhase.cpp) on a debug build which is not X86 or ARMv7s will stimulate the issue. For instance, this dummy JavaScript test will stimulate it:

result = 0;
for (i=1; i<100000; i++) {
    result += i;
    result %= i;
}

Although the issue is already covered by many layout tests, do you think I should add another one?
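The following is an added example, not code from this bug, from the WebKit layout tests, or from any of the commenters. It is a self-contained regression check in the spirit of the dfg-mod-*.js layout tests named above: each modulo operand pair is run in a hot loop so that a tiered JIT (the DFG in JSC's case) compiles the function, and the results the compiled code produces are compared against a reference remainder computed without the `%` operator. The operand list and iteration count are constructed here; the cases are chosen to cover the paths ArithMod distinguishes (plain int32, negative operands, the -2^31 % -1 corner, division by zero, and fractional operands). The reporter's accumulate-then-modulo loop from the comment above is included as `reporterLoop`. Any JavaScript engine runs it; only JSC takes the ArithMod fixup path the bug is about.

```javascript
// Constructed operand pairs covering the modulo cases the DFG distinguishes.
const CASES = [
    [7, 3], [-7, 3], [7, -3], [-7, -3],   // int32, all sign combinations
    [2147483647, 2],                        // int32 max
    [-2147483648, -1],                      // -2^31 % -1: result is -0, not an overflow
    [5, 0],                                 // division by zero: NaN
    [0, 5], [-0, 5],                        // zero dividend keeps its sign
    [5.5, 2], [-5.5, 2], [10, 2.5],         // fractional (double) operands
    [1e10, 7],                              // exceeds int32, exact in doubles
    [Infinity, 3], [5, Infinity],           // infinities: NaN and the dividend
];

// Reference result following the ECMAScript definition of the remainder
// operator, deliberately written without using % so that it cannot share
// a code path with the operation under test.
function expectedMod(a, b) {
    if (Number.isNaN(a) || Number.isNaN(b) || !Number.isFinite(a) || b === 0)
        return NaN;
    if (!Number.isFinite(b) || a === 0)
        return a;
    const r = a - b * Math.trunc(a / b);
    // The remainder takes the sign of the dividend, including for zero.
    return r === 0 ? (a < 0 ? -0 : 0) : r;
}

// The operation under test: the engine is free to compile this with
// integer or double operands depending on what it has observed.
function mod(a, b) {
    return a % b;
}

// The "(x % y) | 0" shape from the layout test names: forces an int32
// result, so a -0 remainder must come out as 0.
function modOrZero(a, b) {
    return (a % b) | 0;
}

// Call fn on every case many times so the engine's optimising tiers get a
// chance to compile it, and return the last round of results.
function runHot(fn, iterations) {
    let results = [];
    for (let i = 0; i < iterations; i++)
        results = CASES.map(([a, b]) => fn(a, b));
    return results;
}

// Returns a list of mismatches (empty when every case agrees with the
// reference). Object.is is used so that -0 and NaN compare as intended.
function checkModulo(iterations = 20000) {
    const failures = [];
    const hot = runHot(mod, iterations);
    const hotOrZero = runHot(modOrZero, iterations);
    CASES.forEach(([a, b], idx) => {
        const want = expectedMod(a, b);
        if (!Object.is(hot[idx], want))
            failures.push(`${a} % ${b}: got ${hot[idx]}, want ${want}`);
        const wantOrZero = want | 0;
        if (hotOrZero[idx] !== wantOrZero)
            failures.push(`(${a} % ${b}) | 0: got ${hotOrZero[idx]}, want ${wantOrZero}`);
    });
    return failures;
}

// Mirrors the loop the reporter posted above: result is always 0 because
// result %= i is applied right after result += i with result previously 0.
function reporterLoop(n) {
    let result = 0;
    for (let i = 1; i < n; i++) {
        result += i;
        result %= i;
    }
    return result;
}

const failures = checkModulo();
console.log(failures.length === 0 ? "PASS" : "FAIL\n" + failures.join("\n"));
console.log("reporterLoop(100000) =", reporterLoop(100000));
```

Run under a debug `jsc` with the DFG enabled, a build affected by this bug would hit the assertion during the hot loop rather than reach the comparison; on a fixed build the comparison is what guards against a silent miscompilation of ArithMod, which the assertion would otherwise mask.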