Created attachment 221058 [details] Test case The assertion failure happens with the following test case (on ubuntu 13.10, x86_64): function function_0 (var_1) { do { } while (var_1 != "M" ); delete [ var_1 >>> ( new Number(0).NaN = delete [ var_1 << var_1 ] ) ]; } function_0(); GDB backtrace: ASSERTION FAILED: !m_insertions.size() || m_insertions.last().index() <= insertion.index() /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h(50) : JSC::DFG::Node* JSC::DFG::InsertionSet::insert(const Insertion&) 1 0x7ffff74a6000 WTFCrash 2 0x7ffff705df0e JSC::DFG::InsertionSet::insert(WTF::Insertion<JSC::DFG::Node*> const&) 3 0x7ffff705df76 JSC::DFG::InsertionSet::insert(unsigned long, JSC::DFG::Node*) 4 0x7ffff7060ee6 JSC::DFG::Node* JSC::DFG::InsertionSet::insertNode<JSC::DFG::NodeType, JSC::CodeOrigin, JSC::DFG::Edge>(unsigned long, unsigned int, JSC::DFG::NodeType const&, JSC::CodeOrigin const&, JSC::DFG::Edge const&) 5 0x7ffff70d7fb7 JSC::DFG::DCEPhase::fixupBlock(JSC::DFG::BasicBlock*) 6 0x7ffff70d7b26 JSC::DFG::DCEPhase::run() 7 0x7ffff70d8b1f bool JSC::DFG::runAndLog<JSC::DFG::DCEPhase>(JSC::DFG::DCEPhase&) 8 0x7ffff70d86c3 bool JSC::DFG::runPhase<JSC::DFG::DCEPhase>(JSC::DFG::Graph&) 9 0x7ffff70d70bf JSC::DFG::performDCE(JSC::DFG::Graph&) 10 0x7ffff7162c6e JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) 11 0x7ffff7162616 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&) 12 0x7ffff70e93a0 13 0x7ffff70e943b JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::DFG::CompilationMode, unsigned int, JSC::Operands<JSC::JSValue, JSC::OperandValueTraits<JSC::JSValue> > const&, WTF::PassRefPtr<JSC::DeferredCompilationCallback>, JSC::DFG::Worklist*) 14 0x7ffff725bdd7 15 0x7fffea58dc20 Program received signal SIGSEGV, Segmentation fault. 0x00007ffff74a6005 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 333 *(int *)(uintptr_t)0xbbadbeef = 0; (gdb) bt #0 0x00007ffff74a6005 in WTFCrash () at /home/reni/Data/REPOS/webkit_sec/Source/WTF/wtf/Assertions.cpp:333 #1 0x00007ffff705df0e in JSC::DFG::InsertionSet::insert (this=0x7fffffffb320, insertion=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h:50 #2 0x00007ffff705df76 in JSC::DFG::InsertionSet::insert (this=0x7fffffffb320, index=27, element=0x7fffa9762300) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h:57 #3 0x00007ffff7060ee6 in JSC::DFG::InsertionSet::insertNode<JSC::DFG::NodeType, JSC::CodeOrigin, JSC::DFG::Edge> (this=0x7fffffffb320, index=27, type=0, _DFG_value1=@0x7fffffffade0: JSC::DFG::Phantom, _DFG_value2=..., _DFG_value3=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGInsertionSet.h:65 #4 0x00007ffff70d7fb7 in JSC::DFG::DCEPhase::fixupBlock (this=0x7fffffffaf00, block=0x673a50) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:221 #5 0x00007ffff70d7b26 in JSC::DFG::DCEPhase::run (this=0x7fffffffaf00) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:119 #6 0x00007ffff70d8b1f in JSC::DFG::runAndLog<JSC::DFG::DCEPhase> (phase=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:75 #7 0x00007ffff70d86c3 in JSC::DFG::runPhase<JSC::DFG::DCEPhase> (graph=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPhase.h:85 #8 0x00007ffff70d70bf in JSC::DFG::performDCE (graph=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDCEPhase.cpp:279 #9 0x00007ffff7162c6e in JSC::DFG::Plan::compileInThreadImpl (this=0x6759a0, longLivedState=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:242 #10 0x00007ffff7162616 in JSC::DFG::Plan::compileInThread (this=0x6759a0, longLivedState=...) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGPlan.cpp:124 #11 0x00007ffff70e93a0 in JSC::DFG::compileImpl (vm=..., codeBlock=0x6766b0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=1, mustHandleValues=..., callback=..., worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:100 #12 0x00007ffff70e943b in JSC::DFG::compile (vm=..., codeBlock=0x6766b0, mode=JSC::DFG::DFGMode, osrEntryBytecodeIndex=1, mustHandleValues=..., passedCallback=..., worklist=0x0) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/dfg/DFGDriver.cpp:119 #13 0x00007ffff725bdd7 in JSC::operationOptimize (exec=0x7fffa9d4df38, bytecodeIndex=1) at /home/reni/Data/REPOS/webkit_sec/Source/JavaScriptCore/jit/JITOperations.cpp:1152 #14 0x00007fffea58dc20 in ?? () #15 0x00007fffaa58e8e0 in ?? () #16 0x0000000000652868 in ?? () #17 0x0000000000000000 in ?? ()
When I run this test case it just runs for forever. What revision are you on? If you can still reproduce, can you enable per-phase DFG dumps, either by "export JSC_dumpGraphAtEachPhase=true" or the "--dumpGraphAtEachPhase=true" jsc command-line option?
(In reply to comment #1) > When I run this test case it just runs for forever. > > What revision are you on? If you can still reproduce, can you enable per-phase DFG dumps, either by "export JSC_dumpGraphAtEachPhase=true" or the "--dumpGraphAtEachPhase=true" jsc command-line option? Yes, I can still reproduce it with the ToTT debug efl build (r161958). The log with the flags above is attached.
Created attachment 221160 [details] JSCGraph log
This does seem like it just runs forever. Is there any action we want to take here?
(In reply to comment #4) > This does seem like it just runs forever. Is there any action we want to > take here? just to verify - are you running with debug jsc?
(In reply to comment #5) > (In reply to comment #4) > > This does seem like it just runs forever. Is there any action we want to > > take here? > > just to verify - are you running with debug I was running Debug WebKit/JavaScriptCore, not the jsc command line utility. But, yes.