Bug 91082 - ASSERTION FAILED: use.useKind() != DoubleUse
Summary: ASSERTION FAILED: use.useKind() != DoubleUse
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified, OS: Unspecified
Importance: P2 Normal
Assignee: Filip Pizlo
URL: http://ro.me/
Reported: 2012-07-12 05:50 PDT by Tomeu Vizoso
Modified: 2012-07-13 16:55 PDT

Attachments
the patch (11.08 KB, patch)
2012-07-13 16:50 PDT, Filip Pizlo
ggaren: review+
Description Tomeu Vizoso 2012-07-12 05:50:00 PDT
To reproduce it, click the "Enter" button in the page.

[tomeu@cizrna (master) build]$ gdb --args ./Programs/GtkLauncher --enable-webgl=1 --enable-accelerated-compositing=1 http://ro.me/

ASSERTION FAILED: use.useKind() != DoubleUse
../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h(2756) : JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge)

#0  0x00007ffff23e837e in JSC::DFG::SpeculateIntegerOperand::SpeculateIntegerOperand (this=
    0x7fffffff76a0, jit=0x7fffffff9790, use=...)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:2756
#1  0x00007ffff23d563b in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff9790, node=...)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2943
#2  0x00007ffff23fe1da in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff9790, block=...)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1106
#3  0x00007ffff23ff7ef in JSC::DFG::SpeculativeJIT::compile (this=0x7fffffff9790)
    at ../Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1328
#4  0x00007ffff239f82c in JSC::DFG::JITCompiler::compileBody (this=0x7fffffffa750, 
    speculative=...) at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:91
#5  0x00007ffff23a07ad in JSC::DFG::JITCompiler::compileFunction (this=0x7fffffffa750, 
    entry=..., entryWithArityCheck=...)
    at ../Source/JavaScriptCore/dfg/DFGJITCompiler.cpp:268
#6  0x00007ffff239628a in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=
    0x7fff7fc002d8, codeBlock=0x40debb0, jitCode=..., jitCodeWithArityCheck=0x7fff79f171d8)
    at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:123
#7  0x00007ffff2395a6d in JSC::DFG::tryCompileFunction (exec=0x7fff7fc002d8, codeBlock=
    0x40debb0, jitCode=..., jitCodeWithArityCheck=...)
    at ../Source/JavaScriptCore/dfg/DFGDriver.cpp:141
#8  0x00007ffff252648f in JSC::jitCompileFunctionIfAppropriate (exec=0x7fff7fc002d8, 
    codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable=
    @0x7fff79f17248: 0x2202b40, jitType=JSC::JITCode::DFGJIT, 
    effort=JSC::JITCompilationCanFail) at ../Source/JavaScriptCore/jit/JITDriver.h:95
#9  0x00007ffff2526744 in JSC::prepareFunctionForExecution (exec=0x7fff7fc002d8, 
    codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable=
    @0x7fff79f17248: 0x2202b40, jitType=JSC::JITCode::DFGJIT, kind=JSC::CodeForCall)
    at ../Source/JavaScriptCore/runtime/ExecutionHarness.h:64
#10 0x00007ffff252458e in JSC::FunctionExecutable::compileForCallInternal (this=
    0x7fff79f17180, exec=0x7fff7fc002d8, scopeChainNode=0x7fff4d3f0f80, 
    jitType=JSC::JITCode::DFGJIT) at ../Source/JavaScriptCore/runtime/Executable.cpp:529
#11 0x00007ffff25239df in JSC::FunctionExecutable::compileOptimizedForCall (this=
    0x7fff79f17180, exec=0x7fff7fc002d8, scopeChainNode=0x7fff4d3f0f80)
    at ../Source/JavaScriptCore/runtime/Executable.cpp:440
#12 0x00007ffff22d977b in JSC::FunctionExecutable::compileOptimizedFor (this=0x7fff79f17180, 
    exec=0x7fff7fc002d8, scopeChainNode=0x7fff4d3f0f80, kind=JSC::CodeForCall)
    at ../Source/JavaScriptCore/runtime/Executable.h:611
#13 0x00007ffff22d5ea1 in JSC::FunctionCodeBlock::compileOptimized (this=0x29a8830, exec=
    0x7fff7fc002d8, scopeChainNode=0x7fff4d3f0f80)
    at ../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2690
#14 0x00007ffff247bdff in JSC::cti_optimize (args=0x7fffffffcb70)
    at ../Source/JavaScriptCore/jit/JITStubs.cpp:1990
#15 0x00007ffff2478387 in JSC::JITThunks::tryCacheGetByID (callFrame=0xffffca80, codeBlock=
Python Exception <class 'gdb.error'> There is no member or method named m_hashAndFlags.: 
    0x7ffff22d977b, returnAddress=..., baseValue=..., propertyName=, slot=..., stubInfo=
    0x7fff00000589) at ../Source/JavaScriptCore/jit/JITStubs.cpp:975
#16 0x00007fffffffcba0 in ?? ()
#17 0x00007fff00000589 in ?? ()
#18 0x0000000001d8a128 in ?? ()
#19 0x00007fff4d0a8d80 in ?? ()
#20 0x00007fff00000004 in ?? ()
#21 0x00007fff79ef1a80 in ?? ()
#22 0x00007fffffffcbd0 in ?? ()
#23 0x00007ffff229fa43 in JSC::JSValue::decode (ptr=0x45e7e8c78948104d)
    at ../Source/JavaScriptCore/runtime/JSValueInlineMethods.h:336
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Comment 1 Filip Pizlo 2012-07-13 15:33:24 PDT
Yup, this is scary easy to repro.  Looking for a fix now.
Comment 2 Filip Pizlo 2012-07-13 16:50:12 PDT
Created attachment 152375 [details]
the patch
Comment 3 Geoffrey Garen 2012-07-13 16:52:57 PDT
Comment on attachment 152375 [details]
the patch

r=me
Comment 4 Filip Pizlo 2012-07-13 16:55:41 PDT
Landed in http://trac.webkit.org/changeset/122646