NEW 124371
ASSERT(divisor != 1) in JSC::DFG::SpeculativeJIT::compileArithMod 
https://bugs.webkit.org/show_bug.cgi?id=124371
Summary ASSERT(divisor != 1) in JSC::DFG::SpeculativeJIT::compileArithMod
Joseph Pecoraro
Reported 2013-11-14 10:47:04 PST
At WebKit r159272. Test: (assert.js) function foo(a, b) { var h = parseFloat(a); var l = parseFloat(b); h % 1 } var result; for (var i = 0; i < 1000; ++i) result = foo(360, 100) shell> DYLD_FRAMEWORK_PATH=`pwd` ./jsc /Users/pecoraro/Desktop/assert.js ASSERTION FAILED: divisor != 1 shell> DYLD_FRAMEWORK_PATH=`pwd` ./jsc -p foo.txt /Users/pecoraro/Desktop/assert.js ASSERTION FAILED: divisor != 1 /Volumes/Data/Code/safari/OpenSource/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(3543) : void JSC::DFG::SpeculativeJIT::compileArithMod(JSC::DFG::Node *) 1 0x1052d35d0 WTFCrash 2 0x104ed35f8 JSC::DFG::SpeculativeJIT::compileArithMod(JSC::DFG::Node*) 3 0x104f10f65 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) 4 0x104ec929c JSC::DFG::SpeculativeJIT::compileCurrentBlock() 5 0x104ec9a96 JSC::DFG::SpeculativeJIT::compile() 6 0x104e5fe24 JSC::DFG::JITCompiler::compileBody() 7 0x104e61c4b JSC::DFG::JITCompiler::compileFunction() 8 0x104ebbe95 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) 9 0x104ebb672 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) 10 0x104f56274 JSC::DFG::Worklist::runThread() 11 0x104f55355 JSC::DFG::Worklist::threadFunction(void*) 12 0x105322738 WTF::threadEntryPoint(void*) 13 0x1053234e8 WTF::wtfThreadEntryPoint(void*) 14 0x7fff8fb94899 _pthread_body 15 0x7fff8fb9472a _pthread_struct_init 16 0x7fff8fb98fc9 thread_start Segmentation fault: 11 Assert was added back with: <http://trac.webkit.org/changeset/153186> <https://webkit.org/b/116793> fourthTier: clean up ArithDiv/ArithMod in the DFG
Attachments
Add attachment proposed patch, testcase, etc.
Note You need to log in before you can comment on or make changes to this bug.