Bug 290039 - RESOLVED FIXED
ASSERTION FAILED: tmpData.spillCost() != unspillableCost in JavaScriptCore B3::Air.
https://bugs.webkit.org/show_bug.cgi?id=290039
EntryHi
Reported 2025-03-19 05:45:07 PDT
Hello, I found a crash in JSC (commit id: b602c49c2b9f3a896acd327d0f0a13afb2e3c7db).

test.js:

```
function opt(a1, a2) {
    try {
        undefined(a1);
    } catch(e) {}
    ([1, 2, 3]).copyWithin();
    function test() {
        "test" + a2;
    }
    for (let i = 0; i < 100; i++) {
        test("source");
    }
    for (let j = 0; j < 100; j++) {
        try {
            undefined.asin();
        } catch(e) {}
        for (let k = 0; k < 100; k++) {}
    }
}
for (let m = 0; m < 100; m++) {
    opt(m, opt);
}
```

Run args:

```
./jsc --useConcurrentJIT=0 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 test.js
```

Result:

```
ASSERTION FAILED: tmpData.spillCost() != unspillableCost
/webkit_latest/Source/JavaScriptCore/b3/air/AirAllocateRegistersByGreedy.cpp(1483) : bool JSC::B3::Air::Greedy::GreedyAllocator::tryEvict(Tmp, TmpData &) [bank = JSC::B3::GP]
```

Stack trace:

```
(lldb) bt
* thread #1, name = 'jsc', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff56afe5c libc.so.6`__pthread_kill_implementation + 268
    frame #1: 0x00007ffff565fa76 libc.so.6`raise + 22
    frame #2: 0x00007ffff56497fc libc.so.6`abort + 215
    frame #3: 0x0000555556b7c40b jsc`WTFCrashWithInfo((null)=1483, (null)="/webkit_latest/Source/JavaScriptCore/b3/air/AirAllocateRegistersByGreedy.cpp", (null)="bool JSC::B3::Air::Greedy::GreedyAllocator::tryEvict(Tmp, TmpData &) [bank = JSC::B3::GP]", (null)=2898) at Assertions.h:931:5
    frame #4: 0x0000555557bc4ef1 jsc`bool JSC::B3::Air::Greedy::GreedyAllocator::tryEvict<(JSC::B3::Bank)0>(this=0x00007fffffff84b8, tmp=(m_value = 36), tmpData=0x00007fffe910cd80) at AirAllocateRegistersByGreedy.cpp:1483:13
    frame #5: 0x0000555557bae7c4 jsc`void JSC::B3::Air::Greedy::GreedyAllocator::allocateRegisters<(JSC::B3::Bank)0>(this=0x00007fffffff84b8) at AirAllocateRegistersByGreedy.cpp:1336:57
    frame #6: 0x0000555557ad323d jsc`JSC::B3::Air::Greedy::GreedyAllocator::run(this=0x00007fffffff84b8) at AirAllocateRegistersByGreedy.cpp:611:9
    frame #7: 0x0000555557ad2efa jsc`JSC::B3::Air::allocateRegistersByGreedy(code=0x00007fffeb0b0900) at AirAllocateRegistersByGreedy.cpp:2038:15
    frame #8: 0x00005555579c6145 jsc`JSC::B3::Air::prepareForGeneration(code=0x00007fffeb0b0900) at AirGenerate.cpp:145:13
    frame #9: 0x00005555579aa131 jsc`JSC::B3::prepareForGeneration(procedure=0x00007fffeb070b00) at B3Generate.cpp:61:5
    frame #10: 0x0000555557944308 jsc`JSC::FTL::compile(state=0x00007fffffff9120, safepointResult=0x00007fffffff91a8) at FTLCompile.cpp:70:9
    frame #11: 0x00005555575f134b jsc`JSC::DFG::Plan::compileInThreadImpl(this=0x00007fffeb052980) at DFGPlan.cpp:484:9
    frame #12: 0x000055555813f9b2 jsc`JSC::JITPlan::compileInThread(this=0x00007fffeb052980, thread=0x0000000000000000) at JITPlan.cpp:207:28
    frame #13: 0x0000555558196227 jsc`JSC::JITWorklist::enqueue(this=0x00007fffeb0a81a0, plan=Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan>, WTF::DefaultRefDerefTraits<JSC::JITPlan> > @ 0x00007fffffffc158) at JITWorklist.cpp:91:15
    frame #14: 0x000055555733d289 jsc`JSC::DFG::compileImpl(vm=0x00007fffe9400000, codeBlock=0x00007fffe90f87b0, profiledDFGCodeBlock=0x00007fffe90f8590, mode=FTL, osrEntryBytecodeIndex=(m_packedBits = 4294967295), mustHandleValues=0x00007fffffffc2b0, callback=0x00007fffffffc220) at DFGDriver.cpp:88:21
    frame #15: 0x000055555733cdf3 jsc`JSC::DFG::compile(vm=0x00007fffe9400000, codeBlock=0x00007fffe90f87b0, profiledDFGCodeBlock=0x00007fffe90f8590, mode=FTL, osrEntryBytecodeIndex=(m_packedBits = 4294967295), mustHandleValues=0x00007fffffffc2b0, callback=0x00007fffffffc2a8) at DFGDriver.cpp:104:12
    frame #16: 0x00005555574de72e jsc`JSC::DFG::triggerFTLReplacementCompile(vm=0x00007fffe9400000, codeBlock=0x00007fffe90f8590, jitCode=0x00007fffeb080840) at DFGOperations.cpp:5139:5
    frame #17: 0x00005555574df712 jsc`JSC::DFG::tierUpCommon(vm=0x00007fffe9400000, callFrame=0x00007fffffffc760, originBytecodeIndex=(m_packedBits = 564), canOSREnterHere=true) at DFGOperations.cpp:5390:9
    frame #18: 0x00005555574dfc3f jsc`::operationTriggerOSREntryNow(vmPointer=0x00007fffe9400000, bytecodeIndexBits=564) at DFGOperations.cpp:5463:12
    frame #19: 0x00007fffa8e63738
    frame #20: 0x0000555556efcc06 jsc`llint_op_call + 213
    frame #21: 0x0000555556ed62a7 jsc`llint_call_javascript + 6
    frame #22: 0x0000555558045db7 jsc`JSC::Interpreter::executeProgram(this=0x00007fffe9416528, source=0x00007fffffffd740, (null)=0x00007fffe903a088, thisObj=0x00007fffeb01e248) at Interpreter.cpp:1189:28
    frame #23: 0x0000555558492b7b jsc`JSC::evaluate(globalObject=0x00007fffe903a088, source=0x00007fffffffd740, thisValue=JSValue @ 0x00007fffffffd640, returnedException=0x00007fffffffd760) at Completion.cpp:138:37
    frame #24: 0x0000555556c1b4f6 jsc`runWithOptions(globalObject=0x00007fffe903a088, options=0x0000555559899040, success=0x00007fffffffdb93) at jsc.cpp:3824:35
    frame #25: 0x0000555556bc140c jsc`jscmain(this=0x00007fffffffdc60, vm=0x00007fffe9400000, globalObject=0x00007fffe903a088, success=0x00007fffffffdb93)::$_0::operator()(JSC::VM&, GlobalObject*, bool&) const at jsc.cpp:4513:13
    frame #26: 0x0000555556b8256d jsc`int runJSC<jscmain(int, char**)::$_0>(options=0x0000555559899040, isWorker=false, func=0x00007fffffffdc60)::$_0 const&) at jsc.cpp:4304:13
    frame #27: 0x0000555556b7fdf6 jsc`jscmain(argc=8, argv=0x00007fffffffdde8) at jsc.cpp:4506:18
    frame #28: 0x0000555556b7fb4c jsc`main(argc=8, argv=0x00007fffffffdde8) at jsc.cpp:3580:15
    frame #29: 0x00007ffff564a510 libc.so.6`__libc_start_call_main + 128
    frame #30: 0x00007ffff564a5c9 libc.so.6`__libc_start_main@@GLIBC_2.34 + 137
    frame #31: 0x0000555556b79b25 jsc`_start + 37
```
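An added triage helper, not part of this report or of WebKit: it parses lldb `bt` output like the trace above, skips the libc and WTFCrashWithInfo frames that every assertion failure shares, and reports the real crash site plus a file:line signature for de-duplicating crash reports. The function names and the noise lists are my choices; the embedded frame text is copied from the report (frames 0 to 6).

```python
import re

# One lldb frame line: 'frame #N: 0xADDR module`symbol at file:line:col'.
# Module/symbol and the 'at file:line' part are each optional; JIT-generated
# code (frame #19 in the report) shows only an address.
FRAME_RE = re.compile(
    r"frame #(?P<num>\d+): 0x[0-9a-fA-F]+"
    r"(?: (?P<module>[^`\s]+)`(?P<symbol>.*?))?"
    r"(?: at (?P<file>[^\s:]+):(?P<line>\d+)(?::\d+)?)?\s*$"
)
# Frames belonging to the abort/assertion machinery rather than to the bug.
NOISE_MODULES = {"libc.so.6"}
NOISE_SYMBOLS = ("WTFCrashWithInfo", "WTFCrash")

# Excerpt (frames 0-6) of the backtrace from the report above.
SAMPLE_BT = """\
* thread #1, name = 'jsc', stop reason = signal SIGABRT
  * frame #0: 0x00007ffff56afe5c libc.so.6`__pthread_kill_implementation + 268
    frame #1: 0x00007ffff565fa76 libc.so.6`raise + 22
    frame #2: 0x00007ffff56497fc libc.so.6`abort + 215
    frame #3: 0x0000555556b7c40b jsc`WTFCrashWithInfo((null)=1483, (null)="/webkit_latest/Source/JavaScriptCore/b3/air/AirAllocateRegistersByGreedy.cpp", (null)="bool JSC::B3::Air::Greedy::GreedyAllocator::tryEvict(Tmp, TmpData &) [bank = JSC::B3::GP]", (null)=2898) at Assertions.h:931:5
    frame #4: 0x0000555557bc4ef1 jsc`bool JSC::B3::Air::Greedy::GreedyAllocator::tryEvict<(JSC::B3::Bank)0>(this=0x00007fffffff84b8, tmp=(m_value = 36), tmpData=0x00007fffe910cd80) at AirAllocateRegistersByGreedy.cpp:1483:13
    frame #5: 0x0000555557bae7c4 jsc`void JSC::B3::Air::Greedy::GreedyAllocator::allocateRegisters<(JSC::B3::Bank)0>(this=0x00007fffffff84b8) at AirAllocateRegistersByGreedy.cpp:1336:57
    frame #6: 0x0000555557ad323d jsc`JSC::B3::Air::Greedy::GreedyAllocator::run(this=0x00007fffffff84b8) at AirAllocateRegistersByGreedy.cpp:611:9
"""

def parse_backtrace(text):
    """Return one dict per frame line, innermost frame first."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip().lstrip("* "))
        if m:
            f = m.groupdict()
            f["num"] = int(f["num"])
            f["line"] = int(f["line"]) if f["line"] else None
            frames.append(f)
    return frames

def is_noise(frame):
    sym = frame["symbol"] or ""
    return frame["module"] in NOISE_MODULES or sym.startswith(NOISE_SYMBOLS)

def crash_site(frames):
    """Innermost frame that is neither libc nor the assertion reporter."""
    return next((f for f in frames if not is_noise(f)), None)

def signature(frames, depth=3):
    """Stable 'file:line' tuple of the top `depth` real frames, for de-duplicating reports."""
    locs = [f"{f['file']}:{f['line']}" for f in frames if not is_noise(f) and f["file"]]
    return tuple(locs[:depth])
```

Because the key is built from source locations rather than addresses, two runs of the same debug build that abort at AirAllocateRegistersByGreedy.cpp:1483 get the same signature even though the heap and stack pointers in the frame arguments differ.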
Attachments
Dump for airGreedyRegAlloc. (305.29 KB, text/plain), 2025-03-20 18:55 PDT, EntryHi
Radar WebKit Bug Importer
Comment 1 2025-03-19 10:02:40 PDT
Dan Hecht
Comment 2 2025-03-20 12:06:22 PDT
Dan Hecht
Comment 3 2025-03-20 15:50:01 PDT
Hi EntryHi, this isn't reproducing for me. Could you reproduce with the jsc option --airGreedyRegAllocVerbose=true and upload the resulting output? Thanks!
EntryHi
Comment 4 2025-03-20 18:55:51 PDT
Created attachment 474658: Dump for airGreedyRegAlloc.
EntryHi
Comment 5 2025-03-20 18:57:08 PDT
Hello, I have uploaded a dump file. This is my compile command:

```
Tools/Scripts/build-webkit --jsc-only --debug --cmakeargs="-DENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='clang' -DCMAKE_CXX_COMPILER='clang++' -DDEVELOPER_MODE_FATAL_WARNINGS=OFF "
```
Dan Hecht
Comment 6 2025-03-20 19:19:00 PDT
Dan Hecht
Comment 7 2025-03-20 21:30:32 PDT
EWS
Comment 8 2025-03-21 10:33:03 PDT
Committed 292484@main (259a8560a7d2): <https://commits.webkit.org/292484@main> Reviewed commits have been landed. Closing PR #42793 and removing active labels.