135025 – 32-bit failures of the ftlopt branch

Bug 135025 - 32-bit failures of the ftlopt branch

Summary: 32-bit failures of the ftlopt branch

Status:	RESOLVED DUPLICATE of bug 135323

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Hahnenberg

URL:
Keywords:

Depends on:
Blocks:

Reported:	2014-07-17 14:25 PDT by Mark Hahnenberg
Modified:	2014-07-29 15:45 PDT (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Hahnenberg 2014-07-17 14:25:42 PDT

The following tests are currently failing in debug builds on the ftlopt branch:

stress/prune-multi-put-by-offset-replace-or-transition-variant.js.dfg-eager
stress/prune-multi-put-by-offset-replace-or-transition-variant.js.ftl-eager

Here's the backtrace:

* thread #1: tid = 0x636d33, 0x008ca122 JavaScriptCore`WTFCrash + 50 at Assertions.cpp:333, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0xbbadbeef)
  * frame #0: 0x008ca122 JavaScriptCore`WTFCrash + 50 at Assertions.cpp:333
    frame #1: 0x0006f0e7 JavaScriptCore`JSC::JSValue::asCell(this=0xbfff8d48) const + 103 at JSCJSValueInlines.h:299
    frame #2: 0x0020d3d5 JavaScriptCore`JSC::DFG::Node::asCell(this=0x05a68b14) + 53 at DFGNode.h:588
    frame #3: 0x0038884d JavaScriptCore`JSC::DFG::SpeculativeJIT::silentSavePlanForGPR(this=0x020daa00, spillMe=(m_virtualRegister = -9), source=ebx) + 1213 at DFGSpeculativeJIT.cpp:345
    frame #4: 0x003c98b0 JavaScriptCore`void JSC::DFG::SpeculativeJIT::silentSpillAllRegistersImpl<WTF::Vector<JSC::DFG::SilentRegisterSavePlan, 0ul, WTF::CrashOnOverflow> >(this=0x020daa00, doSpill=true, plans=0x020db0ec, exclude=-1, exclude2=-1, fprExclude=-1) + 368 at DFGSpeculativeJIT.h:348
    frame #5: 0x003b094d JavaScriptCore`JSC::DFG::SpeculativeJIT::silentSpillAllRegisters(this=0x020daa00, exclude=-1, exclude2=-1, fprExclude=-1) + 93 at DFGSpeculativeJIT.h:383
    frame #6: 0x003aa113 JavaScriptCore`JSC::DFG::SpeculativeJIT::storeToWriteBarrierBuffer(this=0x020daa00, cell=ebx, scratch1=eax, scratch2=edx) + 931 at DFGSpeculativeJIT.cpp:5476
    frame #7: 0x003a9d4a JavaScriptCore`JSC::DFG::SpeculativeJIT::writeBarrier(this=0x020daa00, ownerGPR=ebx, scratch1=eax, scratch2=edx) + 90 at DFGSpeculativeJIT.cpp:5522
    frame #8: 0x003a9aba JavaScriptCore`JSC::DFG::SpeculativeJIT::compileStoreBarrier(this=0x020daa00, node=0x05a6f90c) + 314 at DFGSpeculativeJIT.cpp:5430
    frame #9: 0x003f9558 JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x020daa00, node=0x05a6f90c) + 99704 at DFGSpeculativeJIT32_64.cpp:4547
    frame #10: 0x0038ee2b JavaScriptCore`JSC::DFG::SpeculativeJIT::compileCurrentBlock(this=0x020daa00) + 1883 at DFGSpeculativeJIT.cpp:1452
    frame #11: 0x0038f752 JavaScriptCore`JSC::DFG::SpeculativeJIT::compile(this=0x020daa00) + 226 at DFGSpeculativeJIT.cpp:1564
    frame #12: 0x00309f80 JavaScriptCore`JSC::DFG::JITCompiler::compileBody(this=0xbfffdc58) + 48 at DFGJITCompiler.cpp:113
    frame #13: 0x0030bb0e JavaScriptCore`JSC::DFG::JITCompiler::compile(this=0xbfffdc58) + 286 at DFGJITCompiler.cpp:293
    frame #14: 0x0037aaf8 JavaScriptCore`JSC::DFG::Plan::compileInThreadImpl(this=0x01a34910, longLivedState=0x03f249c0) + 1848 at DFGPlan.cpp:298
    frame #15: 0x00379fd4 JavaScriptCore`JSC::DFG::Plan::compileInThread(this=0x01a34910, longLivedState=0x03f249c0, threadData=0x00000000) + 436 at DFGPlan.cpp:160
    frame #16: 0x002bf8fd JavaScriptCore`JSC::DFG::compileImpl(vm=0x020ba000, codeBlock=0x01a34790, profiledDFGCodeBlock=0x00000000, mode=DFGMode, osrEntryBytecodeIndex=495, mustHandleValues=0xbfffe7c8, callback=0xbfffe658) + 1853 at DFGDriver.cpp:104
    frame #17: 0x002bf152 JavaScriptCore`JSC::DFG::compile(vm=0x020ba000, codeBlock=0x01a34790, profiledDFGCodeBlock=0x00000000, mode=DFGMode, osrEntryBytecodeIndex=495, mustHandleValues=0xbfffe7c8, passedCallback=0xbfffe788) + 194 at DFGDriver.cpp:122
    frame #18: 0x00534e19 JavaScriptCore`operationOptimize(exec=0xbfffe998, bytecodeIndex=495) + 2793 at JITOperations.cpp:1203
    frame #19: 0x05a82cad
    frame #20: 0x0068a924 JavaScriptCore`callToJavaScript + 292
    frame #21: 0x0051d400 JavaScriptCore`JSC::JITCode::execute(this=0x01a2c7d0, vm=0x020ba000, protoCallFrame=0xbfffec20) + 64 at JITCode.cpp:47
    frame #22: 0x004f981f JavaScriptCore`JSC::Interpreter::execute(this=0x03f246c0, program=0x05a1fe80, callFrame=0x019cfa6c, thisObj=0x019dfb60) + 5455 at Interpreter.cpp:933
    frame #23: 0x0018035f JavaScriptCore`JSC::evaluate(exec=0x019cfa6c, source=0xbffff860, thisValue=JSValue at 0xbffff7b8, returnedException=0xbffff880) + 607 at Completion.cpp:82
    frame #24: 0x00002c36 jsc`runWithScripts(globalObject=0x019cfa40, scripts=0xbffff964, dump=false) + 534 at jsc.cpp:1066
    frame #25: 0x00002110 jsc`jscmain(argc=10, argv=0xbffffa14) + 432 at jsc.cpp:1283
    frame #26: 0x00001e89 jsc`main(argc=10, argv=0xbffffa14) + 233 at jsc.cpp:1024
    frame #27: 0x96a75701 libdyld.dylib`start + 1

Comment 1 Mark Hahnenberg 2014-07-29 15:45:51 PDT


*** This bug has been marked as a duplicate of bug 135323 ***