RESOLVED FIXED 97656
ASSERTION in m_graph[tailNodeIndex].op() == Flush || m_graph[tailNodeIndex].op() == SetLocal on plus.google.com
https://bugs.webkit.org/show_bug.cgi?id=97656
Sergio Villar Senin
Reported 2012-09-26 04:42:48 PDT
I got this when clicking on the chat box in plus.google.com:

ASSERTION FAILED: m_graph[tailNodeIndex].op() == Flush || m_graph[tailNodeIndex].op() == SetLocal
../../Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp(182) : bool JSC::DFG::ConstantFoldingPhase::foldConstants(JSC::DFG::BlockIndex)
1 0x7f34bbcf7133 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG20ConstantFoldingPhase13foldConstantsEj+0x8d3) [0x7f34bbcf7133]
2 0x7f34bbcf6816 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG20ConstantFoldingPhase3runEv+0x9a) [0x7f34bbcf6816]
3 0x7f34bbcf74f4 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG9runAndLogINS0_20ConstantFoldingPhaseEEEbRT_+0x18) [0x7f34bbcf74f4]
4 0x7f34bbcf74bf /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG8runPhaseINS0_20ConstantFoldingPhaseEEEbRNS0_5GraphE+0x3b) [0x7f34bbcf74bf]
5 0x7f34bbcf65d7 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG22performConstantFoldingERNS0_5GraphE+0x2b) [0x7f34bbcf65d7]
6 0x7f34bbcfe606 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG7compileENS0_11CompileModeEPNS_9ExecStateEPNS_9CodeBlockERNS_7JITCodeEPNS_21MacroAssemblerCodePtrEj+0x3d4) [0x7f34bbcfe606]
7 0x7f34bbcfdf20 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC3DFG18tryCompileFunctionEPNS_9ExecStateEPNS_9CodeBlockERNS_7JITCodeERNS_21MacroAssemblerCodePtrEj+0x42) [0x7f34bbcfdf20]
8 0x7f34bbe9badb /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC31jitCompileFunctionIfAppropriateEPNS_9ExecStateERN3WTF6OwnPtrINS_17FunctionCodeBlockEEERNS_7JITCodeERNS_21MacroAssemblerCodePtrERNS_12WriteBarrierINS_17SharedSymbolTableEEENS7_7JITTypeEjNS_20JITCompilationEffortE+0x114) [0x7f34bbe9badb]
9 0x7f34bbe9bdd3 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC27prepareFunctionForExecutionEPNS_9ExecStateERN3WTF6OwnPtrINS_17FunctionCodeBlockEEERNS_7JITCodeERNS_21MacroAssemblerCodePtrERNS_12WriteBarrierINS_17SharedSymbolTableEEENS7_7JITTypeEjNS_22CodeSpecializationKindE+0xb7) [0x7f34bbe9bdd3]
10 0x7f34bbe99cd3 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC18FunctionExecutable22compileForCallInternalEPNS_9ExecStateEPNS_7JSScopeENS_7JITCode7JITTypeEj+0x2c7) [0x7f34bbe99cd3]
11 0x7f34bbe990fd /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC18FunctionExecutable23compileOptimizedForCallEPNS_9ExecStateEPNS_7JSScopeEj+0x12b) [0x7f34bbe990fd]
12 0x7f34bbc36d81 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC18FunctionExecutable19compileOptimizedForEPNS_9ExecStateEPNS_7JSScopeEjNS_22CodeSpecializationKindE+0x141) [0x7f34bbc36d81]
13 0x7f34bbc32f06 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(_ZN3JSC17FunctionCodeBlock16compileOptimizedEPNS_9ExecStateEPNS_7JSScopeEj+0x96) [0x7f34bbc32f06]
14 0x7f34bbdf0552 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(+0x6b1552) [0x7f34bbdf0552]
15 0x7f34bbdec8f5 /home/sergio/WebKit/WebKitBuild/Debug/.libs/libjavascriptcoregtk-3.0.so.0(+0x6ad8f5) [0x7f34bbdec8f5]
16 0x7fff7d5d7400 [0x7fff7d5d7400]
Attachments
the patch (13.40 KB, patch)
2012-09-28 13:45 PDT, Filip Pizlo
mhahnenberg: review+
Alexey Proskuryakov
Comment 1 2012-09-27 11:00:11 PDT
Can you please tell what revision you were on? Is this reproducible at all?
Sergio Villar Senin
Comment 2 2012-09-27 13:43:39 PDT
(In reply to comment #1)
> Can you please tell what revision you were on?

I was using trunk when I filed the bug, so I guess around r129600.

> Is this reproducible at all?

I could always reproduce it.
Filip Pizlo
Comment 3 2012-09-28 13:01:27 PDT
I can repro just by logging into plus.google.com.
Filip Pizlo
Comment 4 2012-09-28 13:45:38 PDT
Created attachment 166308 [details] the patch
WebKit Review Bot
Comment 5 2012-09-28 13:49:58 PDT
Attachment 166308 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/fast..." exit_code: 1
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:182: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3]
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:183: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3]
Total errors found: 2 in 8 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Mark Hahnenberg
Comment 6 2012-09-28 13:54:59 PDT
Comment on attachment 166308 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=166308&action=review

r=me

> Source/JavaScriptCore/ChangeLog:10
> +        1) In case of multiple GetLocals to the same captured variable, the bytecode parser would linke the first,

s/linke/link/
Filip Pizlo
Comment 7 2012-09-28 13:58:30 PDT