RESOLVED FIXED 157099
REGRESSION(r200117): Crash in lowerDFGToB3::compileStringReplace()
https://bugs.webkit.org/show_bug.cgi?id=157099
Michael Saboff
Reported 2016-04-27 12:53:56 PDT
Debug build crash in lowerDFGToB3::compileStringReplace() during compilation:

Thread 8 Crashed:: FTL Worklist Worker Thread
0   com.apple.JavaScriptCore    0x00000001046942e5 0x103bf6000 + 11133669
1   com.apple.JavaScriptCore    0x0000000103f29bfc JSC::DFG::crash(JSC::DFG::Graph&, WTF::CString const&, char const*, int, char const*, char const*) + 412
2   com.apple.JavaScriptCore    0x0000000103f29c9f JSC::DFG::Graph::handleAssertionFailure(JSC::DFG::Node*, char const*, int, char const*, char const*) + 159
3   com.apple.JavaScriptCore    0x00000001040ee935 JSC::FTL::(anonymous namespace)::LowerDFGToB3::lowJSValue(JSC::DFG::Edge, JSC::DFG::OperandSpeculationMode) + 1237 (FTLLowerDFGToB3.cpp:9455)
4   com.apple.JavaScriptCore    0x00000001040a2ea6 JSC::FTL::(anonymous namespace)::LowerDFGToB3::compileNode(unsigned int) + 5830 (FTLLowerDFGToB3.cpp:6861)
5   com.apple.JavaScriptCore    0x000000010409ef78 JSC::FTL::lowerDFGToB3(JSC::FTL::State&) + 7880 (FTLLowerDFGToB3.cpp:390)
6   com.apple.JavaScriptCore    0x0000000103fc6bb1 JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 1969 (DFGPlan.cpp:163)
7   com.apple.JavaScriptCore    0x0000000103fc60c1 JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 577 (DFGPlan.cpp:182)
8   com.apple.JavaScriptCore    0x000000010407c2e3 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 1059 (RefPtr.h:69)
9   com.apple.JavaScriptCore    0x00000001046c8d42 WTF::threadEntryPoint(void*) + 178 (functional:1742)
10  com.apple.JavaScriptCore    0x00000001046c90ef WTF::wtfThreadEntryPoint(void*) + 15 (memory:2657)
11  libsystem_pthread.dylib     0x00007fff995a699d _pthread_body + 131
12  libsystem_pthread.dylib     0x00007fff995a691a _pthread_start + 168
13  libsystem_pthread.dylib     0x00007fff995a4351 thread_start + 13
Attachments
Patch (1.69 KB, patch)
2016-04-27 12:58 PDT, Michael Saboff
saam: review+
Radar WebKit Bug Importer
Comment 1 2016-04-27 12:54:29 PDT
Michael Saboff
Comment 2 2016-04-27 12:58:08 PDT
Saam Barati
Comment 3 2016-04-27 13:02:50 PDT
Comment on attachment 277529 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=277529&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:6942
> +    // The Edge for Child2 may have been fixed up as StringUse.

not sure this comment adds much
Michael Saboff
Comment 4 2016-04-27 13:04:23 PDT
(In reply to comment #3)
> Comment on attachment 277529 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=277529&action=review
>
> > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:6942
> > +    // The Edge for Child2 may have been fixed up as StringUse.
>
> not sure this comment adds much

Removed locally.
Keith Miller
Comment 5 2016-04-27 13:17:42 PDT
r=me too. Fixes my crash.
Michael Saboff
Comment 6 2016-04-27 13:37:20 PDT