UNCONFIRMED 120167
ASSERT in dfg/DFGSpeculativeJIT.h SpeculateCellOperand ctor
https://bugs.webkit.org/show_bug.cgi?id=120167
Summary ASSERT in dfg/DFGSpeculativeJIT.h SpeculateCellOperand ctor
sfa
Reported 2013-08-22 12:26:09 PDT
ASSERT_UNUSED(mode, mode == ManualOperandSpeculation ... fails when visiting the website circa Aug-22. The edge.useKind() values will also fail the ASSERT.

(gdb) p edge.useKind()
$3 = JSC::DFG::UntypedUse
(gdb) p mode
$4 = JSC::DFG::AutomaticOperandSpeculation

The mode argument is the default arg value for the ctor; moving up to the caller, it doesn't specify the argument, so this path will never execute properly in ASSERT-mode.

dfg/DFGSpeculativeJIT32_64.cpp

      case GetById: {
3865│     if (!node->prediction()) {
3866│         terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
3867│         break;
3868│     }
3869│
3870│     if (isCellSpeculation(node->child1()->prediction())) {
3871├>        SpeculateCellOperand base(this, node->child1());    <<<<<<<<

(gdb) bt 8
#0  0x02a3665c in JSC::DFG::SpeculateCellOperand::SpeculateCellOperand (this=0x77fbfc00, jit=0x77fc1128, edge=..., mode=JSC::DFG::AutomaticOperandSpeculation) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2930
#1  0x02a5850e in JSC::DFG::SpeculativeJIT::compile (this=0x77fc1128, node=0x771b5018) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:3871
#2  0x02a22152 in JSC::DFG::SpeculativeJIT::compile (this=0x77fc1128, block=...) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1762
#3  0x02a22742 in JSC::DFG::SpeculativeJIT::compile (this=0x77fc1128) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1880
#4  0x029f226c in JSC::DFG::JITCompiler::compileBody (this=0x77fc19f8, speculative=...) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:108
#5  0x029f3152 in JSC::DFG::JITCompiler::compileFunction (this=0x77fc19f8, entry=..., entryWithArityCheck=...) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:302
#6  0x029e302a in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x2af596c8, codeBlock=0x7ffed5d8, jitCode=..., jitCodeWithArityCheck=0x7fddf584, osrEntryBytecodeIndex=0) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:161
#7  0x029e2944 in JSC::DFG::tryCompileFunction (exec=0x2af596c8, codeBlock=0x7ffed5d8, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0) at /Users/ascian/dev/webkit/Source/JavaScriptCore/dfg/DFGDriver.cpp:179
(More stack frames follow...)

Hopefully this is enough to reproduce and fix the problem.
sfa
Comment 1 2013-08-22 12:36:26 PDT
Looking at the source code for dfg/DFGSpeculativeJIT32_64.cpp, all the two-arg var declarations of type SpeculateCellOperand will trigger the assert in the ctor. They should all be visited and corrected (or change the ASSERT in the ctor).