Steps to repro: (1) Build a debug build (I used r161431). (2) Run pdfjs (3) ASSERT should fire
Backtrace?
ASSERTION FAILED: m_isCheckingArgumentTypes || m_canExit /Volumes/Data/WebKit-svn-clean/OpenSource/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(113) : void JSC::DFG::SpeculativeJIT::speculationCheck(JSC::ExitKind, JSC::JSValueSource, JSC::DFG::Node *, MacroAssembler::Jump) 1 0x100739c60 WTFCrash 2 0x1002a6f30 JSC::DFG::SpeculativeJIT::speculationCheck(JSC::ExitKind, JSC::JSValueSource, JSC::DFG::Node*, JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump) 3 0x1002b63fb JSC::DFG::SpeculativeJIT::compileArithNegate(JSC::DFG::Node*) 4 0x1002f6a67 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) 5 0x1002ada79 JSC::DFG::SpeculativeJIT::compileCurrentBlock() 6 0x1002ae276 JSC::DFG::SpeculativeJIT::compile() 7 0x100241034 JSC::DFG::JITCompiler::compileBody() 8 0x100242f60 JSC::DFG::JITCompiler::compileFunction() 9 0x1002a0e26 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) 10 0x1002a05c2 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) 11 0x10033e7f4 JSC::DFG::Worklist::runThread() 12 0x10033d8d5 JSC::DFG::Worklist::threadFunction(void*) 13 0x100788108 WTF::threadEntryPoint(void*) 14 0x100788eb8 WTF::wtfThreadEntryPoint(void*) 15 0x7fff898b8899 _pthread_body 16 0x7fff898b872a _pthread_struct_init 17 0x7fff898bcfc9 thread_start
More useful backtrace: frame #0: 0x0000000100739c6a JavaScriptCore`WTFCrash + 42 at Assertions.cpp:341 frame #1: 0x00000001002a6f30 JavaScriptCore`JSC::DFG::SpeculativeJIT::speculationCheck(this=0x0000000106822200, kind=NegativeZero, jsValueSource=JSValueSource at 0x000000010a54acc8, node=0x0000000000000000, jumpToFail=Jump at 0x000000010a54acb8) + 128 at DFGSpeculativeJIT.cpp:113 frame #2: 0x00000001002b63fb JavaScriptCore`JSC::DFG::SpeculativeJIT::compileArithNegate(this=0x0000000106822200, node=0x000000010cfa9d80) + 1179 at DFGSpeculativeJIT.cpp:2906 frame #3: 0x00000001002f6a67 JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x0000000106822200, node=0x000000010cfa9d80) + 6663 at DFGSpeculativeJIT64.cpp:2419 frame #4: 0x00000001002ada79 JavaScriptCore`JSC::DFG::SpeculativeJIT::compileCurrentBlock(this=0x0000000106822200) + 1881 at DFGSpeculativeJIT.cpp:1431 frame #5: 0x00000001002ae276 JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x0000000106822200) + 182 at DFGSpeculativeJIT.cpp:1543 frame #6: 0x0000000100241034 JavaScriptCore`JSC::DFG::JITCompiler::compileBody(this=0x000000010a54fe80) + 36 at DFGJITCompiler.cpp:111 frame #7: 0x0000000100242f60 JavaScriptCore`JSC::DFG::JITCompiler::compileFunction(this=0x000000010a54fe80) + 416 at DFGJITCompiler.cpp:336 frame #8: 0x00000001002a0e26 JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x00000001062a8a50, longLivedState=0x000000010a550d00) + 1622 at DFGPlan.cpp:250 frame #9: 0x00000001002a05c2 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x00000001062a8a50, longLivedState=0x000000010a550d00) + 242 at DFGPlan.cpp:124 frame #10: 0x000000010033e7f4 JavaScriptCore`JSC::DFG::Worklist::runThread(this=0x000000010979e460) + 468 at DFGWorklist.cpp:240 frame #11: 0x000000010033d8d5 JavaScriptCore`JSC::DFG::Worklist::threadFunction(argument=0x000000010979e460) + 21 at DFGWorklist.cpp:261 frame #12: 0x0000000100788108 JavaScriptCore`WTF::threadEntryPoint(contextData=0x000000010979c7f0) + 152 at Threading.cpp:69 frame #13: 0x0000000100788eb8 JavaScriptCore`WTF::wtfThreadEntryPoint(param=0x000000010979ca00) + 296 at ThreadingPthreads.cpp:195 frame #14: 0x00007fff898b8899 libsystem_pthread.dylib`_pthread_body + 138 frame #15: 0x00007fff898b872a libsystem_pthread.dylib`_pthread_start + 137 frame #16: 0x00007fff898bcfc9 libsystem_pthread.dylib`thread_start + 13
Created attachment 220534 [details] the patch
Comment on attachment 220534 [details] the patch Whoops! r=me
Landed in http://trac.webkit.org/changeset/161438