NEW 126913
ASSERTION FAILED: !m_insertions.size() || m_insertions.last().index() <= insertion.index() in JSC::DFG::InsertionSet::insert
https://bugs.webkit.org/show_bug.cgi?id=126913
Renata Hodovan
Reported 2014-01-13 09:56:33 PST
Created attachment 221058 [details]
Test case

The assertion failure happens with the following test case (on ubuntu 13.10, x86_64):

function function_0 (var_1) {
    do { } while (var_1 != "M" );
    delete [ var_1 >>> ( new Number(0).NaN = delete [ var_1 << var_1 ] ) ];
}
function_0();

GDB backtrace:

ASSERTION FAILED: !m_insertions.size() || m_insertions.last().index() <= insertion.index()
/home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h(50) : JSC::DFG::Node* JSC::DFG::InsertionSet::insert(const Insertion&)
1 0x7ffff74a6000 WTFCrash
2 0x7ffff705df0e JSC::DFG::InsertionSet::insert(WTF::Insertion<JSC::DFG::Node*> const&)
3 0x7ffff705df76 JSC::DFG::InsertionSet::insert(unsigned long, JSC::DFG::Node*)
4 0x7ffff7060ee6 JSC::DFG::Node* JSC::DFG::InsertionSet::insertNode<JSC::DFG::NodeType, JSC::CodeOrigin, JSC::DFG::Edge>(unsigned long, unsigned int, JSC::DFG::NodeType const&, JSC::CodeOrigin const&, JSC::DFG::Edge const&)
5 0x7ffff70d7fb7 JSC::DFG::DCEPhase::fixupBlock(JSC::DFG::BasicBlock*)
6 0x7ffff70d7b26 JSC::DFG::DCEPhase::run()
7 0x7ffff70d8b1f bool JSC::DFG::runAndLog<JSC::DFG::DCEPhase>(JSC::DFG::DCEPhase&)
8 0x7ffff70d86c3 bool JSC::DFG::runPhase<JSC::DFG::DCEPhase>(JSC::DFG::Graph&)
9 0x7ffff70d70bf JSC::DFG::performDCE(JSC::DFG::Graph&)
10 0x7ffff7162c6e JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
11 0x7ffff7162616 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&)
12 0x7ffff70e93a0
13 0x7ffff70e943b JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>, JSC::DFG::Worklist*)
14 0x7ffff725bdd7
15 0x7fffea58dc20

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff74a6005 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
333 *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0 0x00007ffff74a6005 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333
#1 0x00007ffff705df0e in JSC::DFG::InsertionSet::insert (this=0x7fffffffb320, insertion=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h:50
#2 0x00007ffff705df76 in JSC::DFG::InsertionSet::insert (this=0x7fffffffb320, index=27, element=0x7fffa9762300) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h:57
#3 0x00007ffff7060ee6 in JSC::DFG::InsertionSet::insertNode<JSC::DFG::NodeType, JSC::CodeOrigin, JSC::DFG::Edge> (this=0x7fffffffb320, index=27, type=0, _DFG_value1=@0x7fffffffade0: JSC::DFG::Phantom, _DFG_value2=..., _DFG_value3=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h:65
#4 0x00007ffff70d7fb7 in JSC::DFG::DCEPhase::fixupBlock (this=0x7fffffffaf00, block=0x673a50) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:221
#5 0x00007ffff70d7b26 in JSC::DFG::DCEPhase::run (this=0x7fffffffaf00) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:119
#6 0x00007ffff70d8b1f in JSC::DFG::runAndLog<JSC::DFG::DCEPhase> (phase=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:75
#7 0x00007ffff70d86c3 in JSC::DFG::runPhase<JSC::DFG::DCEPhase> (graph=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:85
#8 0x00007ffff70d70bf in JSC::DFG::performDCE (graph=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:279
#9 0x00007ffff7162c6e in JSC::DFG::Plan::compileInThreadImpl (this=0x6759a0, longLivedState=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:242
#10 0x00007ffff7162616 in JSC::DFG::Plan::compileInThread (this=0x6759a0, longLivedState=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:124
#11 0x00007ffff70e93a0 in JSC::DFG::compileImpl (vm=..., codeBlock=0x6766b0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=1, mustHandleValues=..., callback=..., worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:100
#12 0x00007ffff70e943b in JSC::DFG::compile (vm=..., codeBlock=0x6766b0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=1, mustHandleValues=..., passedCallback=..., worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:119
#13 0x00007ffff725bdd7 in JSC::operationOptimize (exec=0x7fffa9d4df38, bytecodeIndex=1) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:1152
#14 0x00007fffea58dc20 in ?? ()
#15 0x00007fffaa58e8e0 in ?? ()
#16 0x0000000000652868 in ?? ()
#17 0x0000000000000000 in ?? ()
Attachments
Test case (155 bytes, application/javascript)
2014-01-13 09:56 PST, Renata Hodovan
no flags
JSCGraph log (212.52 KB, text/x-log)
2014-01-14 07:07 PST, Renata Hodovan
no flags
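The assertion in the title guards an ordering invariant of the DFG insertion set: nodes queued for insertion into a basic block must be queued in non-decreasing index order, because they are all spliced in later in a single pass. The backtrace shows DCEPhase::fixupBlock queuing a Phantom node at index 27 when the invariant no longer holds. The following added C++ model (not JSC's code; the class and member names only mirror the backtrace, and the merge-based execute() is a simplification) shows the check the assertion performs, a well-formed splice, and the out-of-order case that a debug build would trap:

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// One pending insertion: the node goes immediately before the element that
// currently sits at `index` in the block (index == size appends at the end).
struct Insertion {
    std::size_t index;
    std::string node;  // stand-in for a DFG node such as "Phantom(@3)"
};

class InsertionSet {
public:
    // The invariant from the bug title: the queue must stay sorted by index,
    // so a new insertion may not precede the last one queued.
    bool canInsert(std::size_t index) const {
        return m_insertions.empty() || m_insertions.back().index <= index;
    }

    void insert(std::size_t index, std::string node) {
        if (!canInsert(index))
            throw std::logic_error("insertions must be queued in non-decreasing index order");
        m_insertions.push_back({index, std::move(node)});
    }

    // Splice every pending insertion into `block` in one merge pass and clear
    // the queue. The single pass is only correct because the queue is sorted.
    std::vector<std::string> execute(const std::vector<std::string>& block) {
        std::vector<std::string> out;
        out.reserve(block.size() + m_insertions.size());
        std::size_t next = 0;
        for (std::size_t i = 0; i < block.size(); ++i) {
            while (next < m_insertions.size() && m_insertions[next].index <= i)
                out.push_back(m_insertions[next++].node);
            out.push_back(block[i]);
        }
        while (next < m_insertions.size())
            out.push_back(m_insertions[next++].node);
        m_insertions.clear();
        return out;
    }

private:
    std::vector<Insertion> m_insertions;
};

// In-order use on a constructed three-node block: two nodes land before
// element 1, one is appended after the end.
std::vector<std::string> spliceExample() {
    std::vector<std::string> block{"n0", "n1", "n2"};
    InsertionSet set;
    set.insert(1, "Phantom(a)");
    set.insert(1, "Phantom(b)");
    set.insert(3, "Phantom(c)");
    return set.execute(block);
    // -> n0 Phantom(a) Phantom(b) n1 n2 Phantom(c)
}

// The failure mode from the report: queuing an index smaller than the last
// one queued. The debug build asserts; this model throws instead.
bool outOfOrderRejected() {
    InsertionSet set;
    set.insert(27, "Phantom(x)");
    try {
        set.insert(5, "Phantom(y)");
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}
```

The point of the invariant is the single merge pass in execute(): once the queue is sorted, each original element is visited once and the cost is linear in block size plus insertions, which is why a pass that walks the block backwards (as DCE fixup does) must also queue its insertions in a consistent direction.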
Filip Pizlo
Comment 1 2014-01-13 13:05:11 PST
When I run this test case it just runs for forever. What revision are you on? If you can still reproduce, can you enable per-phase DFG dumps, either by "export JSC_dumpGraphAtEachPhase=true" or the "--dumpGraphAtEachPhase=true" jsc command-line option?
Renata Hodovan
Comment 2 2014-01-14 07:06:31 PST
(In reply to comment #1)
> When I run this test case it just runs for forever.
>
> What revision are you on? If you can still reproduce, can you enable per-phase DFG dumps, either by "export JSC_dumpGraphAtEachPhase=true" or the "--dumpGraphAtEachPhase=true" jsc command-line option?

Yes, I can still reproduce it with the ToT debug efl build (r161958). The log with the flags above is attached.
Renata Hodovan
Comment 3 2014-01-14 07:07:32 PST
Created attachment 221160 [details] JSCGraph log
Brent Fulgham
Comment 4 2016-08-03 13:32:31 PDT
This does seem like it just runs forever. Is there any action we want to take here?
Oliver Hunt
Comment 5 2016-08-03 21:56:03 PDT
(In reply to comment #4)
> This does seem like it just runs forever. Is there any action we want to
> take here?

Just to verify: are you running with debug jsc?
Brent Fulgham
Comment 6 2016-08-03 21:58:24 PDT
(In reply to comment #5)
> (In reply to comment #4)
> > This does seem like it just runs forever. Is there any action we want to
> > take here?
>
> just to verify - are you running with debug

I was running Debug WebKit/JavaScriptCore, not the jsc command line utility. But, yes.