Bug 141111 - Crash (DFG assertion) beneath AbstractInterpreter::verifyEdge() @ http://experilous.com/1/planet-generator/2014-09-28/version-1
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All
OS: Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
URL: http://experilous.com/1/planet-genera...
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2015-01-30 23:45 PST by Michael Saboff
Modified: 2015-01-31 19:58 PST

See Also:


Attachments
Patch (7.55 KB, patch)
2015-01-31 00:27 PST, Michael Saboff
fpizlo: review+

Description Michael Saboff 2015-01-30 23:45:45 PST
Steps to reproduce:
1. Go to http://experilous.com/1/planet-generator/2014-09-28/version-1
2. Click on "High", and then click on "Generate".
3. Let it run to completion, at which point you'll see a globe. Let it sit for a bit. The crash will occur shortly after.

Crash trace:

DFG ASSERTION FAILED: Edge verification error: @3675->Check:Cell:@2 was expected to have type Cell but has type Other (536870912)
/Volumes/Data/ws4/OpenSource/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h(112) : void JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge(JSC::DFG::Node *, JSC::DFG::Edge) [AbstractStateType = JSC::DFG::InPlaceAbstractState]
1   0x1125c97d0 WTFCrashWithSecurityImplication
2   0x111efd243 JSC::DFG::crash(JSC::DFG::Graph&, WTF::CString const&, char const*, int, char const*, char const*)
3   0x111efd2bb JSC::DFG::Graph::handleAssertionFailure(JSC::DFG::Node*, char const*, int, char const*, char const*)
4   0x111e45fd4 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdge(JSC::DFG::Node*, JSC::DFG::Edge)
5   0x111e40bfc JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::verifyEdges(JSC::DFG::Node*)
6   0x111e36205 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int, JSC::DFG::Node*)
7   0x111fb7cd3 JSC::DFG::AbstractInterpreter<JSC::DFG::InPlaceAbstractState>::executeEffects(unsigned int)
8   0x1120b75d9 JSC::FTL::LowerDFGToLLVM::compileNode(unsigned int)
9   0x1120b6a01 JSC::FTL::LowerDFGToLLVM::compileBlock(JSC::DFG::BasicBlock*)
10  0x1120b4b48 JSC::FTL::LowerDFGToLLVM::lower()
11  0x1120b20ee JSC::FTL::lowerDFGToLLVM(JSC::FTL::State&)
12  0x111f8a8a0 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&)
13  0x111f88e61 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*)
14  0x112054c20 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*)
15  0x112053204 JSC::DFG::Worklist::threadFunction(void*)
16  0x11261df19 WTF::createThread(void (*)(void*), void*, char const*)::$_0::operator()() const
17  0x11261deec std::__1::__function::__func<WTF::createThread(void (*)(void*), void*, char const*)::$_0, std::__1::allocator<WTF::createThread(void (*)(void*), void*, char const*)::$_0>, void ()>::operator()()
18  0x112579aea std::__1::function<void ()>::operator()() const
19  0x11261ce6e WTF::threadEntryPoint(void*)
20  0x11261e878 WTF::wtfThreadEntryPoint(void*)
21  0x7fff97ce5268 _pthread_body
22  0x7fff97ce51e5 _pthread_body
23  0x7fff97ce341d thread_start

rdar://problem/19252057
Comment 1 Michael Saboff 2015-01-31 00:27:38 PST
Created attachment 245777
Patch
Comment 2 Michael Saboff 2015-01-31 19:58:33 PST
Committed r179457: <http://trac.webkit.org/changeset/179457>