WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
99470
GetScopedVar CSE matches dead GetScopedVar's leading to IR corruption
https://bugs.webkit.org/show_bug.cgi?id=99470
Summary
GetScopedVar CSE matches dead GetScopedVar's leading to IR corruption
Xan Lopez
Reported
2012-10-16 08:49:47 PDT
I can get this entering and deleting text in gmail's search entry, 100%. Debug build, ToT: At @77: validation (myRefCounts[nodeIndex] = 1) == (node.adjustedRefCount() = 0) (../../Source/JavaScriptCore/dfg/DFGValidate.cpp:132) failed. Graph at time of failure: Block #0 (bc#0): (OSR target) Predecessors: Phi Nodes: vars before: (None, [], []) (OthercellOtherobjFinalArrayInt8arrayInt16arrayInt32arrayUint8arrayUint8clampedarrayUint16arrayUint32arrayFloat32arrayFloat64arrayFunctionMyargumentsForeignargumentsString, TOP, TOP) : (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) var links: @0 @1 : - - - - - - - - - - - - - - - - - - - - - 0: skipped < 0:-> SetArgument(<empty>, arg0(A), bc#0) 1: < 3:-> SetArgument(arg1(ED<Final>), bc#0) predicting Final 2: skipped < 0:-> JSConstant(JS|PureInt|CanExit, $4 = Undefined, bc#0) 3: skipped < 0:-> SetLocal(@2, <empty>, r0(C), bc#0) 4: skipped < 0:-> SetLocal(@2, <empty>, r1(D), bc#0) 5: skipped < 0:-> SetLocal(@2, <empty>, r2(E), bc#0) 6: skipped < 0:-> SetLocal(@2, <empty>, r3(F), bc#0) 7: skipped < 0:-> SetLocal(@2, <empty>, r4(G), bc#0) 8: < 2:-> GetLocal(@1, JS, arg1(ED<Final>), bc#1) predicting Final 9: <!0:-> CheckStructure(@8<Final>, MustGen|CanExit, struct(0x7fff595b5540), bc#1) 10: < 1:-> GetByOffset(@8<Final>, JS, id0{B}, 4, bc#1) predicting Final 11: skipped < 0:-> SetLocal(@10<Final>, <empty>, r5(H), bc#1) 12: <!0:-> Branch(@10<Final>, MustGen|CanExit, T:#11, F:#1, bc#10) vars after: (None, [], []) (Final, [0x7fff595b5540], [0x7fff595b5540]) : (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) var links: @0 @8 : @3 @4 @5 @6 @7 @11 - - - - - - - - - - - - - - - Block #1 (bc#13): Predecessors: #0 Phi Nodes: @13->(@1) vars before: (None, [], []) (Final, [0x7fff595b5540], [0x7fff595b5540]) : (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) var links: - @14 : - - - - - - - - - - - - - - - - - - - - - 14: < 10:-> GetLocal(@13, JS, arg1(ED<Final>), bc#13) predicting Final 15: skipped < 0:-> SetLocal(@14<Final>, <empty>, r5(J), bc#13) 16: < 1:-> GetScope(JS, bc#16) 17: < 1:-> GetScopeRegisters(@16<Cell>, Storage|PureInt, bc#16) 18: < 1:-> GetScopedVar(@17<Other>, JS, var61, bc#16) predicting Function 19: skipped < 0:-> SetLocal(@18<Function>, <empty>, r6(K), bc#16) 20: <!1:-> Construct(@18<Function>, JS|MustGen|VarArgs|Clobbers|CanExit, bc#21) predicting Final 21: skipped < 0:-> SetLocal(@20<Final>, <empty>, r8(L), bc#21) 22: <!0:-> CheckStructure(@14<Final>, MustGen|CanExit, struct(0x7fff595b6080), bc#30) 23: < 2:-> WeakJSConstant(JS, 0x7fff724f5b00, bc#30) 24: <!0:-> StructureTransitionWatchpoint(@23<Final>, MustGen|CanExit, struct(0x7fff595b61c0), bc#30) 25: < 2:-> WeakJSConstant(JS, 0x7fff9922ffc0, bc#30) 26: <!0:-> StructureTransitionWatchpoint(@25<Object>, MustGen|CanExit, struct(0x7fff5969f720), bc#30) 27: <!0:-> PutStructure(@14<Final>, MustGen, struct(0x7fff595b6080 -> 0x7fff595b55e0), bc#30) 28: <!0:-> PutByOffset(@14<Final>, @14<Final>, @20<Final>, MustGen, id0{B}, 4, bc#30) 29: < 1:-> JSConstant(JS, $0 = Int32: 0, bc#39) 30: <!0:-> Phantom(@14<Final>, MustGen, bc#39) 31: <!0:-> Phantom(@23<Final>, MustGen, bc#39) 32: <!0:-> Phantom(@25<Object>, MustGen, bc#39) 33: <!0:-> PutStructure(@14<Final>, MustGen, struct(0x7fff595b55e0 -> 0x7fff595b5540), bc#39) 34: <!0:-> PutByOffset(@14<Final>, @14<Final>, @29<Int32>, MustGen, id1{ea}, 5, bc#39) 35: <!0:-> StructureTransitionWatchpoint(@14<Final>, MustGen|CanExit, struct(0x7fff595b5540), bc#48) 36: < 1:-> GetByOffset(@14<Final>, JS, id2{O}, 2, bc#48) predicting Other 37: skipped < 0:-> SetLocal(@36<Other>, <empty>, r5(M), bc#48) 38: <!0:-> Branch(@36<Other>, MustGen|CanExit, T:#2, F:#11, bc#57) vars after: (None, [], []) (Final, [0x7fff595b5540], [0x7fff595b5540]) : (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) var links: - @14 : - - - - - @37 @19 - @21 - - - - - - - - - - - - Block #2 (bc#60): Predecessors: #1 Phi Nodes: @40->(@13) vars before: (None, [], []) (Final, [0x7fff595b5540], [0x7fff595b5540]) : (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) var links: - @41 : - - - - - - - - - - - - - - - - - - - - - 39: <!0:-> ForceOSRExit(MustGen|CanExit, bc#60) 41: < 1:-> GetLocal(@40, JS|CanExit, arg1(ED<Final>), bc#60) predicting Final 42: <!2:-> GetById(@41<Final>, JS|MustGen|Clobbers|CanExit, id2{O}, bc#60) predicting None 43: skipped < 0:-> SetLocal(@42, <empty>, r7(O), bc#60) 44: <!0:-> ForceOSRExit(MustGen|CanExit, bc#69) 45: <!1:-> GetById(@42, JS|MustGen|Clobbers|CanExit, id3{split}, bc#69) predicting None 46: skipped < 0:-> SetLocal(@45, <empty>, r5(P), bc#69) 47: < 1:-> JSConstant(JS|CanExit, $1 = Cell: 0x7fff9a5a23e0 (0x7fffa008fcc0: string, NonArray), bc#79) 48: skipped < 0:-> SetLocal(@47<String>, <empty>, r6(Q), bc#79) 49: <!0:-> ForceOSRExit(MustGen|CanExit, bc#82) 50: <!2:-> Call(@45, @42, @47<String>, JS|MustGen|VarArgs|Clobbers|CanExit, bc#82) predicting None 51: < 1:-> SetLocal(@50, <empty>, r0(CD), bc#82) predicting None 52: < 2:-> JSConstant(JS|UseAsInt|CanExit, $0 = Int32: 0, bc#91) 53: < 1:-> SetLocal(@52<Int32>, <empty>, r1(AD<Int32>), bc#91) predicting Int 54: <!0:-> ForceOSRExit(MustGen|CanExit, bc#94) 55: <!1:-> GetById(@50, JS|MustGen|Clobbers|CanExit, id4{length}, bc#94) predicting None 56: skipped < 0:-> SetLocal(@55, <empty>, r5(T), bc#94) 57: <!1:-> CompareLess(@52<Int32>, @55, Boolean|MustGen|MightClobber|CanExit, bc#103) 58: <!0:-> Branch(@57<Boolean>, MustGen|CanExit, T:#3, F:#11, bc#103) vars after: (None, [], []) (None, [], []) : (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) var links: - @41 : @51 @53 - - - @56 @48 @43 - - - - - - - - - - - - - Block #3 (bc#107): (OSR target) Predecessors: #2 #9 Phi Nodes: @61->(@51, @222), @63->(@53, @210), @244->(@40, @239) vars before: <empty> var links: - @244 : @62 @64 - - - - - - - - - - - - - - - - - - - 59: <!0:-> Phantom(MustGen|CanExit, bc#107) 60: <!0:-> ForceOSRExit(MustGen|CanExit, bc#108) 62: < 1:-> GetLocal(@61, JS|CanExit, r0(CD), bc#108) predicting None 64: < 1:-> GetLocal(@63, JS|PureNum|UseAsInt|CanExit, r1(AD<Int32>), bc#108) predicting Int 245: <!0:-> ForceOSRExit(MustGen|CanExit, bc#108) 65: <!2:-> GetByVal(@62, @64<Int32>, JS|MustGen|MightClobber|CanExit, ForceExit, bc#108) predicting None 66: skipped < 0:-> SetLocal(@65, <empty>, r7(W), bc#108) 67: <!0:-> ForceOSRExit(MustGen|CanExit, bc#114) 68: <!1:-> GetById(@65, JS|MustGen|Clobbers|CanExit, id5{indexOf}, bc#114) predicting None 69: skipped < 0:-> SetLocal(@68, <empty>, r5(X), bc#114) 70: < 1:-> JSConstant(JS|CanExit, $2 = Cell: 0x7fff9a5a23c0 (0x7fffa008fcc0: string, NonArray), bc#124) 71: skipped < 0:-> SetLocal(@70<String>, <empty>, r6(Y), bc#124) 72: <!0:-> ForceOSRExit(MustGen|CanExit, bc#127) 73: <!2:-> Call(@68, @65, @70<String>, JS|MustGen|VarArgs|Clobbers|CanExit, bc#127) predicting None 74: < 1:-> SetLocal(@73, <empty>, r2(HB), bc#127) predicting None 75: <!0:-> ForceOSRExit(MustGen|CanExit, bc#136) 76: skipped < 0:-> GetScope(JS|PureInt|CanExit, bc#136) 77: skipped < 0:-> GetScopeRegisters(@76, Storage|PureInt|CanExit, bc#136) 78: < 1:-> GetScopedVar(@77, JS|PureInt|CanExit, var5, bc#136) predicting None 79: skipped < 0:-> SetLocal(@78, <empty>, r3(AB), bc#136) 80: <!0:-> ForceOSRExit(MustGen|CanExit, bc#141) 81: < 1:-> GetScope(JS|CanExit, bc#141) 82: < 1:-> GetScopeRegisters(@81<Cell>, Storage|PureInt|CanExit, bc#141) 83: <!0:-> Phantom(@82<Other>, MustGen|CanExit, bc#141) 84: < 1:-> SetLocal(@78, <empty>, r4(OC), bc#141) predicting None 85: < 1:-> JSConstant(JS|CanExit, $0 = Int32: 0, bc#146) 86: <!1:-> CompareLessEq(@85<Int32>, @73, Boolean|MustGen|MightClobber|CanExit, bc#146) 87: <!0:-> Branch(@86<Boolean>, MustGen|CanExit, T:#4, F:#5, bc#146) vars after: <empty> var links: - @244 : @62 @64 @74 @79 @84 @69 @71 @66 - - - - - - - - - - - - - Block #4 (bc#150): Predecessors: #3 Phi Nodes: @89->(@61), @91->(@63), @100->(@74), @243->(@244) vars before: <empty> var links: - @243 : @90 @92 @101 - - - - - - - - - - - - - - - - - - 88: <!0:-> ForceOSRExit(MustGen|CanExit, bc#150) 90: < 2:-> GetLocal(@89, JS|CanExit, r0(CD), bc#150) predicting None 92: < 2:-> GetLocal(@91, JS|PureNum|UseAsInt|CanExit, r1(AD<Int32>), bc#150) predicting Int 246: <!0:-> ForceOSRExit(MustGen|CanExit, bc#150) 93: <!2:-> GetByVal(@90, @92<Int32>, JS|MustGen|MightClobber|CanExit, ForceExit, bc#150) predicting None 94: skipped < 0:-> SetLocal(@93, <empty>, r9(EB), bc#150) 95: <!0:-> ForceOSRExit(MustGen|CanExit, bc#156) 96: <!1:-> GetById(@93, JS|MustGen|Clobbers|CanExit, id6{substring}, bc#156) predicting None 97: skipped < 0:-> SetLocal(@96, <empty>, r6(FB), bc#156) 98: < 1:-> JSConstant(JS|CanExit, $0 = Int32: 0, bc#166) 99: skipped < 0:-> SetLocal(@98<Int32>, <empty>, r8(GB), bc#166) 101: < 2:-> GetLocal(@100, JS|CanExit, r2(HB), bc#169) predicting None 102: skipped < 0:-> SetLocal(@101, <empty>, r7(IB), bc#169) 103: <!0:-> ForceOSRExit(MustGen|CanExit, bc#172) 104: <!1:-> Call(@96, @93, @98<Int32>, @101, JS|MustGen|VarArgs|Clobbers|CanExit, bc#172) predicting None 105: < 1:-> SetLocal(@104, <empty>, r3(VB), bc#172) predicting None 106: <!0:-> ForceOSRExit(MustGen|CanExit, bc#181) 247: <!0:-> ForceOSRExit(MustGen|CanExit, bc#181) 107: <!2:-> GetByVal(@90, @92<Int32>, JS|MustGen|MightClobber|CanExit, ForceExit, bc#181) predicting None 108: skipped < 0:-> SetLocal(@107, <empty>, r8(KB), bc#181) 109: <!0:-> ForceOSRExit(MustGen|CanExit, bc#187) 110: <!1:-> GetById(@107, JS|MustGen|Clobbers|CanExit, id6{substring}, bc#187) predicting None 111: skipped < 0:-> SetLocal(@110, <empty>, r6(LB), bc#187) 112: < 1:-> JSConstant(JS|CanExit, $3 = Int32: 1, bc#197) 113: <!1:-> ValueAdd(@101, @112<Int32>, JS|MustGen|MightClobber|CanExit, bc#197) 114: skipped < 0:-> SetLocal(@113, <empty>, r7(MB), bc#197) 115: <!0:-> ForceOSRExit(MustGen|CanExit, bc#202) 116: <!1:-> Call(@110, @107, @113, JS|MustGen|VarArgs|Clobbers|CanExit, bc#202) predicting None 117: < 1:-> SetLocal(@116, <empty>, r4(OC), bc#202) predicting None 118: skipped < 0:-> SetLocal(@116, <empty>, r5(OB), bc#211) 119: <!0:-> Jump(MustGen|CanExit, T:#6, bc#214) vars after: <empty> var links: - @243 : @90 @92 @101 @105 @117 @118 @111 @114 @108 @94 - - - - - - - - - - - Block #5 (bc#216): Predecessors: #3 Phi Nodes: @121->(@61), @123->(@63), @236->(@84), @242->(@244) vars before: <empty> var links: - @242 : @122 @124 - - @236 - - - - - - - - - - - - - - - - 120: <!0:-> ForceOSRExit(MustGen|CanExit, bc#216) 122: < 1:-> GetLocal(@121, JS|CanExit, r0(CD), bc#216) predicting None 124: < 1:-> GetLocal(@123, JS|PureNum|UseAsInt|CanExit, r1(AD<Int32>), bc#216) predicting Int 248: <!0:-> ForceOSRExit(MustGen|CanExit, bc#216) 125: <!1:-> GetByVal(@122, @124<Int32>, JS|MustGen|MightClobber|CanExit, ForceExit, bc#216) predicting None 126: < 1:-> SetLocal(@125, <empty>, r3(VB), bc#216) predicting None 127: skipped < 0:-> SetLocal(@125, <empty>, r5(SB), bc#222) 128: <!0:-> Jump(MustGen|CanExit, T:#6, bc#225) vars after: <empty> var links: - @242 : @122 @124 - @126 @236 @127 - - - - - - - - - - - - - - - Block #6 (bc#225): Predecessors: #5 #4 Phi Nodes: @134->(@126, @105), @156->(@242, @243), @168->(@236, @117), @225->(@121, @89), @229->(@123, @91) vars before: <empty> var links: - @157 : @225 @229 - @135 @169 - - - - - - - - - - - - - - - - 129: < 2:-> JSConstant(JS|CanExit, $4 = Undefined, bc#225) 130: skipped < 0:-> SetLocal(@129<Other>, <empty>, r7(TB), bc#225) 131: <!0:-> ForceOSRExit(MustGen|CanExit, bc#228) 132: <!1:-> ResolveGlobal(JS|MustGen|Clobbers|CanExit, bc#228) predicting None 133: skipped < 0:-> SetLocal(@132, <empty>, r5(UB), bc#228) 135: < 2:-> GetLocal(@134, JS|CanExit, r3(VB), bc#234) predicting None 136: skipped < 0:-> SetLocal(@135, <empty>, r10(WB), bc#234) 137: <!0:-> ForceOSRExit(MustGen|CanExit, bc#237) 138: <!1:-> GetById(@135, JS|MustGen|Clobbers|CanExit, id8{replace}, bc#237) predicting None 139: skipped < 0:-> SetLocal(@138, <empty>, r6(XB), bc#237) 140: < 1:-> NewRegexp(JS|CanExit, bc#247) 141: skipped < 0:-> SetLocal(@140<Object>, <empty>, r9(YB), bc#247) 142: < 1:-> JSConstant(JS|CanExit, $5 = Cell: 0x7fff9a5a4a00 (0x7fffa008fcc0: string, NonArray), bc#250) 143: skipped < 0:-> SetLocal(@142<String>, <empty>, r8(ZB), bc#250) 144: <!0:-> ForceOSRExit(MustGen|CanExit, bc#253) 145: <!1:-> Call(@138, @135, @140<Object>, @142<String>, JS|MustGen|VarArgs|Clobbers|CanExit, bc#253) predicting None 146: skipped < 0:-> SetLocal(@145, <empty>, r6(AC), bc#253) 147: <!0:-> ForceOSRExit(MustGen|CanExit, bc#262) 148: <!1:-> Call(@132, @129<Other>, @145, JS|MustGen|VarArgs|Clobbers|CanExit, bc#262) predicting None 149: skipped < 0:-> SetLocal(@148, <empty>, r3(BC), bc#262) 150: <!0:-> ForceOSRExit(MustGen|CanExit, bc#271) 151: < 1:-> GetScope(JS|CanExit, bc#271) 152: < 1:-> GetScopeRegisters(@151<Cell>, Storage|PureInt|CanExit, bc#271) 153: < 1:-> GetScopedVar(@152<Other>, JS|CanExit, var310, bc#271) predicting None 154: skipped < 0:-> SetLocal(@153, <empty>, r5(CC), bc#271) 155: skipped < 0:-> SetLocal(@129<Other>, <empty>, r8(DC), bc#276) 157: < 3:-> GetLocal(@156, JS|CanExit, arg1(ED<Final>), bc#279) predicting Final 158: skipped < 0:-> SetLocal(@157<Final>, <empty>, r7(FC), bc#279) 159: skipped < 0:-> SetLocal(@148, <empty>, r6(GC), bc#282) 160: <!0:-> ForceOSRExit(MustGen|CanExit, bc#285) 161: <!1:-> Call(@153, @129<Other>, @157<Final>, @148, JS|MustGen|VarArgs|Clobbers|CanExit, bc#285) predicting None 162: skipped < 0:-> SetLocal(@161, <empty>, r3(HC), bc#285) 163: < 2:-> SetLocal(@157<Final>, <empty>, r8(XC<Final>), bc#294) predicting Final 164: <!0:-> ForceOSRExit(MustGen|CanExit, bc#297) 165: <!1:-> GetById(@157<Final>, JS|MustGen|Clobbers|CanExit, id9{add}, bc#297) predicting None 166: < 2:-> SetLocal(@165, <empty>, r5(WC), bc#297) predicting None 167: < 2:-> SetLocal(@161, <empty>, r7(YC), bc#307) predicting None 169: < 1:-> GetLocal(@168, JS|CanExit, r4(OC), bc#310) predicting None 170: <!0:-> Branch(@169, MustGen|CanExit, T:#7, F:#8, bc#310) vars after: <empty> var links: - @157 : @225 @229 - @162 @169 @166 @159 @167 @163 @141 @136 - - - - - - - - - - Block #7 (bc#313): Predecessors: #6 Phi Nodes: @176->(@168), @224->(@225), @228->(@229), @231->(@167), @233->(@163), @235->(@166), @241->(@156) vars before: <empty> var links: - @241 : @224 @228 - - @177 @235 - @231 @233 - - - - - - - - - - - - 171: < 1:-> JSConstant(JS|CanExit, $4 = Undefined, bc#313) 172: skipped < 0:-> SetLocal(@171<Other>, <empty>, r11(MC), bc#313) 173: <!0:-> ForceOSRExit(MustGen|CanExit, bc#316) 174: <!1:-> ResolveGlobal(JS|MustGen|Clobbers|CanExit, bc#316) predicting None 175: skipped < 0:-> SetLocal(@174, <empty>, r9(NC), bc#316) 177: < 2:-> GetLocal(@176, JS|CanExit, r4(OC), bc#322) predicting None 178: skipped < 0:-> SetLocal(@177, <empty>, r14(PC), bc#322) 179: <!0:-> ForceOSRExit(MustGen|CanExit, bc#325) 180: <!1:-> GetById(@177, JS|MustGen|Clobbers|CanExit, id8{replace}, bc#325) predicting None 181: skipped < 0:-> SetLocal(@180, <empty>, r10(QC), bc#325) 182: < 1:-> NewRegexp(JS|CanExit, bc#335) 183: skipped < 0:-> SetLocal(@182<Object>, <empty>, r13(RC), bc#335) 184: < 1:-> JSConstant(JS|CanExit, $5 = Cell: 0x7fff9a5a4a00 (0x7fffa008fcc0: string, NonArray), bc#338) 185: skipped < 0:-> SetLocal(@184<String>, <empty>, r12(SC), bc#338) 186: <!0:-> ForceOSRExit(MustGen|CanExit, bc#341) 187: <!1:-> Call(@180, @177, @182<Object>, @184<String>, JS|MustGen|VarArgs|Clobbers|CanExit, bc#341) predicting None 188: skipped < 0:-> SetLocal(@187, <empty>, r10(TC), bc#341) 189: <!0:-> ForceOSRExit(MustGen|CanExit, bc#350) 190: <!1:-> Call(@174, @171<Other>, @187, JS|MustGen|VarArgs|Clobbers|CanExit, bc#350) predicting None 191: < 1:-> SetLocal(@190, <empty>, r6(ZC<String>), bc#350) predicting String 192: <!0:-> Jump(MustGen|CanExit, T:#9, bc#359) vars after: <empty> var links: - @241 : @224 @228 - - @177 @235 @191 @231 @233 @175 @188 @172 @185 @183 @178 - - - - - - Block #8 (bc#361): Predecessors: #6 Phi Nodes: @223->(@225), @227->(@229), @230->(@167), @232->(@163), @234->(@166), @240->(@156) vars before: <empty> var links: - @240 : @223 @227 - - - @234 - @230 @232 - - - - - - - - - - - - 193: < 1:-> JSConstant(JS|CanExit, $6 = Cell: 0x7fff9a5affe0 (0x7fffa008fcc0: string, NonArray), bc#361) 194: < 1:-> SetLocal(@193<String>, <empty>, r6(ZC<String>), bc#361) predicting String 195: <!0:-> Jump(MustGen|CanExit, T:#9, bc#364) vars after: <empty> var links: - @240 : @223 @227 - - - @234 @194 @230 @232 - - - - - - - - - - - - Block #9 (bc#364): Predecessors: #8 #7 Phi Nodes: @196->(@234, @235), @198->(@232, @233), @200->(@230, @231), @202->(@194, @191), @222->(@223, @224), @226->(@227, @228), @239->(@240, @241), @206->(@226), @212->(@222), @237->(@239) vars before: <empty> var links: - @239 : @222 @226 - - - @197 @203 @201 @199 - - - - - - - - - - - - 197: < 1:-> GetLocal(@196, JS|CanExit, r5(WC), bc#364) predicting None 199: < 1:-> GetLocal(@198, JS|CanExit, r8(XC<Final>), bc#364) predicting Final 201: < 1:-> GetLocal(@200, JS|CanExit, r7(YC), bc#364) predicting None 203: < 1:-> GetLocal(@202, JS|CanExit, r6(ZC<String>), bc#364) predicting String 204: <!0:-> Call(@197, @199<Final>, @201, @203<String>, JS|MustGen|VarArgs|Clobbers|PureInt|CanExit, bc#364) predicting None 205: <!0:-> Phantom(MustGen|CanExit, bc#370) 207: < 1:-> GetLocal(@226, JS|UseAsInt|CanExit, r1(AD<Int32>), bc#370) predicting Int 208: < 1:-> JSConstant(JS|UseAsInt|CanExit, $3 = Int32: 1, bc#370) 209: <!2:-> ArithAdd(@207<Int32>, @208<Int32>, Number|MustGen|UseAsInt|CanExit, bc#370) 210: < 1:-> SetLocal(@209<Int32>, <empty>, r1(AD<Int32>), bc#370) predicting Int 211: <!0:-> ForceOSRExit(MustGen|CanExit, bc#372) 213: < 1:-> GetLocal(@222, JS|CanExit, r0(CD), bc#372) predicting None 214: <!1:-> GetById(@213, JS|MustGen|Clobbers|CanExit, id4{length}, bc#372) predicting None 215: skipped < 0:-> SetLocal(@214, <empty>, r5(DD), bc#372) 216: <!1:-> CompareLess(@209<Int32>, @214, Boolean|MustGen|MightClobber|CanExit, bc#381) 217: <!0:-> Branch(@216<Boolean>, MustGen|CanExit, T:#3, F:#11, bc#381) vars after: <empty> var links: - @239 : @213 @210 - - - @215 @203 @201 @199 - - - - - - - - - - - - Block #11 (bc#385): Predecessors: #0 #1 #2 #9 Phi Nodes: @218->(@238, @239), @238->(@1, @13, @40) vars before: (None, [], []) (Final, [0x7fff595b5540], [0x7fff595b5540]) : (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) var links: - @219 : - - - - - - - - - - - - - - - - - - - - - 219: <!0:-> Flush(@218, MustGen, arg1(ED<Final>), bc#385) predicting Final 220: < 1:-> JSConstant(JS, $4 = Undefined, bc#385) 221: <!0:-> Return(@220<Other>, MustGen, bc#385) vars after: (None, [], []) (None, [], []) : (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) (None, [], []) var links: - @219 : - - - - - - - - - - - - - - - - - - - - - ASSERTION FAILED: myRefCounts[nodeIndex] == node.adjustedRefCount() ../../Source/JavaScriptCore/dfg/DFGValidate.cpp(132) : void JSC::DFG::Validate::validate() 1 0x7ffff79bd9f7 /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC3DFG8Validate8validateEv+0x581) [0x7ffff79bd9f7] 2 0x7ffff79bd31d /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC3DFG8validateERNS0_5GraphENS0_13GraphDumpModeE+0x31) [0x7ffff79bd31d] 3 0x7ffff791ed3a /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC3DFG22CFGSimplificationPhase3runEv+0xb08) [0x7ffff791ed3a] 4 0x7ffff79213c2 /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC3DFG9runAndLogINS0_22CFGSimplificationPhaseEEEbRT_+0x18) [0x7ffff79213c2] 5 0x7ffff7920f10 /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC3DFG8runPhaseINS0_22CFGSimplificationPhaseEEEbRNS0_5GraphE+0x2c) [0x7ffff7920f10] 6 0x7ffff791de37 /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC3DFG24performCFGSimplificationERNS0_5GraphE+0x2b) [0x7ffff791de37] 7 0x7ffff793179d /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC3DFG7compileENS0_11CompileModeEPNS_9ExecStateEPNS_9CodeBlockERNS_7JITCodeEPNS_21MacroAssemblerCodePtrEj+0x41b) [0x7ffff793179d] 8 0x7ffff793121c /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC3DFG18tryCompileFunctionEPNS_9ExecStateEPNS_9CodeBlockERNS_7JITCodeERNS_21MacroAssemblerCodePtrEj+0x42) [0x7ffff793121c] 9 0x7ffff7ad936b /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC31jitCompileFunctionIfAppropriateEPNS_9ExecStateERN3WTF6OwnPtrINS_17FunctionCodeBlockEEERNS_7JITCodeERNS_21MacroAssemblerCodePtrERNS_12WriteBarrierINS_17SharedSymbolTableEEENS7_7JITTypeEjNS_20JITCompilationEffortE+0x114) [0x7ffff7ad936b] 10 0x7ffff7ad9663 /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC27prepareFunctionForExecutionEPNS_9ExecStateERN3WTF6OwnPtrINS_17FunctionCodeBlockEEERNS_7JITCodeERNS_21MacroAssemblerCodePtrERNS_12WriteBarrierINS_17SharedSymbolTableEEENS7_7JITTypeEjNS_22CodeSpecializationKindE+0xb7) [0x7ffff7ad9663] 11 0x7ffff7ad7563 /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC18FunctionExecutable22compileForCallInternalEPNS_9ExecStateEPNS_7JSScopeENS_7JITCode7JITTypeEj+0x2c7) [0x7ffff7ad7563] 12 0x7ffff7ad698d /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC18FunctionExecutable23compileOptimizedForCallEPNS_9ExecStateEPNS_7JSScopeEj+0x12b) [0x7ffff7ad698d] 13 0x7ffff78675d5 /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC18FunctionExecutable19compileOptimizedForEPNS_9ExecStateEPNS_7JSScopeEjNS_22CodeSpecializationKindE+0x141) [0x7ffff78675d5] 14 0x7ffff78637ac /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(_ZN3JSC17FunctionCodeBlock16compileOptimizedEPNS_9ExecStateEPNS_7JSScopeEj+0x96) [0x7ffff78637ac] 15 0x7ffff7a2d56a /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(+0x6a856a) [0x7ffff7a2d56a] 16 0x7ffff7a29963 /home/xan/git/webkit/build/debug/.libs/libjavascriptcoregtk-3.0.so(+0x6a4963) [0x7ffff7a29963] 17 0x7fffffffcab0 [0x7fffffffcab0] Program received signal SIGSEGV, Segmentation fault. 0x00007ffff79bda01 in JSC::DFG::Validate::validate (this=0x7fffffffa220) at ../../Source/JavaScriptCore/dfg/DFGValidate.cpp:132 132 V_EQUAL((nodeIndex), myRefCounts[nodeIndex], node.adjustedRefCount()); Missing separate debuginfos, use: debuginfo-install google-talkplugin-3.9.1.0-1.x86_64 (gdb) bt #0 0x00007ffff79bda01 in JSC::DFG::Validate::validate (this=0x7fffffffa220) at ../../Source/JavaScriptCore/dfg/DFGValidate.cpp:132 #1 0x00007ffff79bd31d in JSC::DFG::validate (graph=..., graphDumpMode=JSC::DFG::DumpGraph) at ../../Source/JavaScriptCore/dfg/DFGValidate.cpp:354 #2 0x00007ffff791ed3a in JSC::DFG::CFGSimplificationPhase::run (this=0x7fffffffa3c0) at ../../Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp:243 #3 0x00007ffff79213c2 in JSC::DFG::runAndLog<JSC::DFG::CFGSimplificationPhase> (phase=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:83 #4 0x00007ffff7920f10 in JSC::DFG::runPhase<JSC::DFG::CFGSimplificationPhase> (graph=...) at ../../Source/JavaScriptCore/dfg/DFGPhase.h:95 #5 0x00007ffff791de37 in JSC::DFG::performCFGSimplification (graph=...) at ../../Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp:741 #6 0x00007ffff793179d in JSC::DFG::compile (compileMode=JSC::DFG::CompileFunction, exec=0x7fffa0095698, codeBlock=0x344f0a0, jitCode=..., jitCodeWithArityCheck=0x7fff724d3f10, osrEntryBytecodeIndex=0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:128 #7 0x00007ffff793121c in JSC::DFG::tryCompileFunction (exec=0x7fffa0095698, codeBlock=0x344f0a0, jitCode=..., jitCodeWithArityCheck=..., bytecodeIndex=0) at ../../Source/JavaScriptCore/dfg/DFGDriver.cpp:173 #8 0x00007ffff7ad936b in JSC::jitCompileFunctionIfAppropriate (exec=0x7fffa0095698, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, effort=JSC::JITCompilationCanFail) at ../../Source/JavaScriptCore/jit/JITDriver.h:95 #9 0x00007ffff7ad9663 in JSC::prepareFunctionForExecution (exec=0x7fffa0095698, codeBlock=..., jitCode=..., jitCodeWithArityCheck=..., symbolTable=..., jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/runtime/ExecutionHarness.h:64 #10 0x00007ffff7ad7563 in JSC::FunctionExecutable::compileForCallInternal (this=0x7fff724d3ec0, exec=0x7fffa0095698, scope=0x7fff7249f180, jitType=JSC::JITCode::DFGJIT, bytecodeIndex=0) at ../../Source/JavaScriptCore/runtime/Executable.cpp:522 #11 0x00007ffff7ad698d in JSC::FunctionExecutable::compileOptimizedForCall (this=0x7fff724d3ec0, exec=0x7fffa0095698, scope=0x7fff7249f180, bytecodeIndex=0) at ../../Source/JavaScriptCore/runtime/Executable.cpp:422 #12 0x00007ffff78675d5 in JSC::FunctionExecutable::compileOptimizedFor (this=0x7fff724d3ec0, exec=0x7fffa0095698, scope=0x7fff7249f180, bytecodeIndex=0, kind=JSC::CodeForCall) at ../../Source/JavaScriptCore/runtime/Executable.h:634 #13 0x00007ffff78637ac in JSC::FunctionCodeBlock::compileOptimized (this=0x308e550, exec=0x7fffa0095698, scope=0x7fff7249f180, bytecodeIndex=0) at ../../Source/JavaScriptCore/bytecode/CodeBlock.cpp:2739 #14 0x00007ffff7a2d56a in JSC::cti_optimize (args=0x7fffffffca80) at ../../Source/JavaScriptCore/jit/JITStubs.cpp:2020 #15 0x00007ffff7a29963 in JSC::JITThunks::tryCacheGetByID (callFrame=0x7ffff7fe85c0, codeBlock=0x0, returnAddress=..., baseValue=..., propertyName=..., slot=..., stubInfo=0x7fff00000000) at ../../Source/JavaScriptCore/jit/JITStubs.cpp:968 #16 0x00007fffffffcab0 in ?? () #17 0x00007fff00000000 in ?? () #18 0x00007fff00000003 in ?? () #19 0x00007ffff794a057 in JSC::Register::Register (this=0xc9cbe8c78948104d) at ../../Source/JavaScriptCore/interpreter/Register.h:105 Backtrace stopped: previous frame inner to this frame (corrupt stack?) (gdb)
Attachments
the patch
(3.51 KB, patch)
2012-10-16 13:35 PDT
,
Filip Pizlo
mhahnenberg
: review+
Details
Formatted Diff
Diff
View All
Add attachment
proposed patch, testcase, etc.
Filip Pizlo
Comment 1
2012-10-16 13:33:14 PDT
<
rdar://problem/12363698
>
Filip Pizlo
Comment 2
2012-10-16 13:35:45 PDT
Created
attachment 169011
[details]
the patch
Mark Hahnenberg
Comment 3
2012-10-16 13:36:43 PDT
Comment on
attachment 169011
[details]
the patch r=me
Filip Pizlo
Comment 4
2012-10-16 13:37:09 PDT
(In reply to
comment #3
)
> (From update of
attachment 169011
[details]
) > r=me
Thanks! Tests forthcoming.
Filip Pizlo
Comment 5
2012-10-16 14:22:34 PDT
Landed in
http://trac.webkit.org/changeset/131501
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug