RESOLVED FIXED 211096
compilePeepHoleBigInt32Branch needs to handle all conditions 
https://bugs.webkit.org/show_bug.cgi?id=211096
Summary compilePeepHoleBigInt32Branch needs to handle all conditions
Ryan Haddad
Reported 2020-04-27 14:51:45 PDT
The following assertion failure is seen with microbenchmarks/sunspider-sha1-big-int.js on the debug JSC bot: ASSERTION FAILED: mode == ManualOperandSpeculation || edge.useKind() == UntypedUse /Volumes/Data/slave/catalina-debug/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h(1765) : JSC::DFG::JSValueOperand::JSValueOperand(JSC::DFG::SpeculativeJIT *, JSC::DFG::Edge, JSC::DFG::OperandSpeculationMode) 1 0x10161da39 WTFCrash 2 0x101d9ef1b WTFCrashWithInfo(int, char const*, char const*, int) 3 0x1018202ed JSC::DFG::JSValueOperand::JSValueOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge, JSC::DFG::OperandSpeculationMode) 4 0x1017945bb JSC::DFG::JSValueOperand::JSValueOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge, JSC::DFG::OperandSpeculationMode) 5 0x10179b419 JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch(JSC::DFG::Node*, JSC::DFG::Node*, JSC::MacroAssemblerX86Common::RelationalCondition, unsigned long (*)(JSC::JSGlobalObject*, long long, long long)) 6 0x10179b075 JSC::DFG::SpeculativeJIT::compilePeepHoleBranch(JSC::DFG::Node*, JSC::MacroAssemblerX86Common::RelationalCondition, JSC::MacroAssemblerX86Common::DoubleCondition, unsigned long (*)(JSC::JSGlobalObject*, long long, long long)) 7 0x1017c2c28 JSC::DFG::SpeculativeJIT::compare(JSC::DFG::Node*, JSC::MacroAssemblerX86Common::RelationalCondition, JSC::MacroAssemblerX86Common::DoubleCondition, unsigned long (*)(JSC::JSGlobalObject*, long long, long long)) 8 0x10196ff0b JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) 9 0x10179c91a JSC::DFG::SpeculativeJIT::compileCurrentBlock() 10 0x10179e688 JSC::DFG::SpeculativeJIT::compile() 11 0x1024f99c6 JSC::DFG::JITCompiler::compileBody() 12 0x1024fcc07 JSC::DFG::JITCompiler::compileFunction() 13 0x1025aaecd JSC::DFG::Plan::compileInThreadImpl() 14 0x1025a87c8 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) 15 0x10270929e JSC::DFG::Worklist::ThreadBody::work() 16 0x1016344b3 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const 17 0x10163409e WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() 18 0x101648012 WTF::Function<void ()>::operator()() const 19 0x1016ffcc8 WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) 20 0x10170d158 WTF::wtfThreadEntryPoint(void*) 21 0x7fff68d17109 _pthread_start 22 0x7fff68d12b8b thread_start https://build.webkit.org/builders/Apple-Catalina-Debug-JSC-Tests/builds/765/steps/jscore-test/logs/stdio
Attachments
patch (3.86 KB, patch)
2020-04-27 15:55 PDT, Saam Barati 		ysuzuki: review+
DetailsFormatted DiffDiff
patch for landing (3.93 KB, patch)
2020-04-27 16:07 PDT, Saam Barati 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2020-04-27 14:52:13 PDT
<rdar://problem/62469971>
Ryan Haddad
Comment 2 2020-04-27 14:56:41 PDT
This test was added with https://trac.webkit.org/changeset/260683/webkit
Saam Barati
Comment 3 2020-04-27 15:55:09 PDT
Created attachment 397756 [details] patch
Yusuke Suzuki
Comment 4 2020-04-27 15:58:39 PDT
Comment on attachment 397756 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=397756&action=review r=me > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1782 > I recommend putting GPRReg op1GPR = op1.gpr(); GPRReg op2GPR = op2.gpr(); And use op1GPR and op2GPR.
Saam Barati
Comment 5 2020-04-27 16:07:34 PDT
Created attachment 397757 [details] patch for landing
EWS
Comment 6 2020-04-27 17:35:49 PDT
Committed r260802: <https://trac.webkit.org/changeset/260802> All reviewed patches have been landed. Closing bug and clearing flags on attachment 397757 [details].
Note You need to log in before you can comment on or make changes to this bug.