Bug 157099 - REGRESSION(r200117): Crash in lowerDFGToB3::compileStringReplace()
Summary: REGRESSION(r200117): Crash in lowerDFGToB3::compileStringReplace()
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-04-27 12:53 PDT by Michael Saboff
Modified: 2016-04-27 13:37 PDT
CC List: 5 users

See Also:


Attachments
Patch (1.69 KB, patch)
2016-04-27 12:58 PDT, Michael Saboff
saam: review+

Description Michael Saboff 2016-04-27 12:53:56 PDT
Debug build crash in lowerDFGToB3::compileStringReplace() during compilation:

Thread 8 Crashed:: FTL Worklist Worker Thread
0   com.apple.JavaScriptCore      	0x00000001046942e5 0x103bf6000 + 11133669
1   com.apple.JavaScriptCore      	0x0000000103f29bfc JSC::DFG::crash(JSC::DFG::Graph&, WTF::CString const&, char const*, int, char const*, char const*) + 412
2   com.apple.JavaScriptCore      	0x0000000103f29c9f JSC::DFG::Graph::handleAssertionFailure(JSC::DFG::Node*, char const*, int, char const*, char const*) + 159
3   com.apple.JavaScriptCore      	0x00000001040ee935 JSC::FTL::(anonymous namespace)::LowerDFGToB3::lowJSValue(JSC::DFG::Edge, JSC::DFG::OperandSpeculationMode) + 1237 (FTLLowerDFGToB3.cpp:9455)
4   com.apple.JavaScriptCore      	0x00000001040a2ea6 JSC::FTL::(anonymous namespace)::LowerDFGToB3::compileNode(unsigned int) + 5830 (FTLLowerDFGToB3.cpp:6861)
5   com.apple.JavaScriptCore      	0x000000010409ef78 JSC::FTL::lowerDFGToB3(JSC::FTL::State&) + 7880 (FTLLowerDFGToB3.cpp:390)
6   com.apple.JavaScriptCore      	0x0000000103fc6bb1 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 1969 (DFGPlan.cpp:163)
7   com.apple.JavaScriptCore      	0x0000000103fc60c1 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 577 (DFGPlan.cpp:182)
8   com.apple.JavaScriptCore      	0x000000010407c2e3 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 1059 (RefPtr.h:69)
9   com.apple.JavaScriptCore      	0x00000001046c8d42 WTF::threadEntryPoint(void*) + 178 (functional:1742)
10  com.apple.JavaScriptCore      	0x00000001046c90ef WTF::wtfThreadEntryPoint(void*) + 15 (memory:2657)
11  libsystem_pthread.dylib       	0x00007fff995a699d _pthread_body + 131
12  libsystem_pthread.dylib       	0x00007fff995a691a _pthread_start + 168
13  libsystem_pthread.dylib       	0x00007fff995a4351 thread_start + 13
Comment 1 Radar WebKit Bug Importer 2016-04-27 12:54:29 PDT
<rdar://problem/25963453>
Comment 2 Michael Saboff 2016-04-27 12:58:08 PDT
Created attachment 277529 [details]
Patch
Comment 3 Saam Barati 2016-04-27 13:02:50 PDT
Comment on attachment 277529 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=277529&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:6942
> +        // The Edge for Child2 may have been fixed up as StringUse.
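Review bot: the comment added at FTLLowerDFGToB3.cpp:6942 says that the Child2 edge may have been fixed up as StringUse but not what the lowering does about it, and the hunk as quoted shows none of the surrounding code, so a reader of the patch cannot tell whether the StringUse case is now handled or still reaches lowJSValue, which is where the backtrace in the description shows the assertion firing. Either extend the comment to name the use kinds accepted at this point and how each one is lowered, or drop it and let the code that handles the edge stand on its own.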

not sure this comment adds much
Comment 4 Michael Saboff 2016-04-27 13:04:23 PDT
(In reply to comment #3)
> Comment on attachment 277529 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=277529&action=review
> 
> > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:6942
> > +        // The Edge for Child2 may have been fixed up as StringUse.
> 
> not sure this comment adds much

Removed locally.
Comment 5 Keith Miller 2016-04-27 13:17:42 PDT
r=me too. Fixes my crash.
Comment 6 Michael Saboff 2016-04-27 13:37:20 PDT
Committed r200147: <http://trac.webkit.org/changeset/200147>