Fatal error in ../../v8/src/compiler/schedule.cc, line 254
Issue description

Chrome Version: 60.0.3079.0 (Developer Build) (64-bit) with dcheck_always_on=1
OS: Linux

What steps will reproduce the problem?
(1) inbox.google.com
(2)
(3)

What is the expected result?

What happens instead?

#
# Fatal error in ../../v8/src/compiler/schedule.cc, line 254
# Check failed: BasicBlock::kNone == block->control() (none vs. throw).
#
#0 0x7ffff7a46ba7 base::debug::StackTrace::StackTrace()
#1 0x7ffff2b5bed5 gin::(anonymous namespace)::PrintStackTrace()
#2 0x7fffe877930d V8_Fatal
#3 0x7ffff21f7676 v8::internal::compiler::Schedule::AddBranch()
#4 0x7ffff21fc982 v8::internal::compiler::CFGBuilder::ConnectBranch()
#5 0x7ffff21fae4b v8::internal::compiler::CFGBuilder::Run()
#6 0x7ffff21f96b8 v8::internal::compiler::Scheduler::BuildCFG()
#7 0x7ffff21f93e1 v8::internal::compiler::Scheduler::ComputeSchedule()
#8 0x7ffff21da1d3 v8::internal::compiler::EffectControlLinearizationPhase::Run()
#9 0x7ffff21d25e4 v8::internal::compiler::PipelineImpl::OptimizeGraph()
#10 0x7ffff21d22c4 v8::internal::compiler::PipelineCompilationJob::ExecuteJobImpl()
#11 0x7ffff20bb0ce v8::internal::CompilationJob::ExecuteJob()
#12 0x7ffff20b9a18 v8::internal::OptimizingCompileDispatcher::CompileNext()
#13 0x7ffff20baa68 v8::internal::OptimizingCompileDispatcher::CompileTask::Run()
#14 0x7ffff7a47691 _ZNO4base8CallbackIFvvELNS_8internal8CopyModeE0ELNS2_10RepeatModeE0EE3RunEv
#15 0x7ffff7aee957 base::(anonymous namespace)::WorkerThread::ThreadMain()
#16 0x7ffff7ae1a6c base::(anonymous namespace)::ThreadFunc()
#17 0x7ffff7bc4184 start_thread
#18 0x7fffec0cdbed clone
Received signal 4 ILL_ILLOPN 7fffe877b77f
Received signal 11 SEGV_MAPERR 003000000020

Please use labels and text to provide additional information. For graphics-related bugs, please copy/paste the contents of the about:gpu page at the end of this report.
Apr 24 2017
Short repro:
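// Run with --allow-natives-syntax (needed for %OptimizeFunctionOnNextCall).
function C1() { }
C1.prototype.f = function () { return 0; }
function C2() { }
C2.prototype.f = function () { throw 42; }
var o1 = new C1();
var o2 = new C2();
function foo(o) {
  o.f();
}
// Warm up foo with both receiver types so the call site o.f() is polymorphic.
foo(o1);
try { foo(o2); } catch(e) {}
foo(o1);
try { foo(o2); } catch(e) {}
// Request optimized compilation of foo on its next call.
%OptimizeFunctionOnNextCall(foo);
foo(o2);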
Apr 24 2017
So polymorphic inlining with exceptions is broken?
Apr 24 2017
Not exactly. The problem is that we do not kill the call nodes after we inline, so later the reducer is happy to inline the call once again. This results in a "split" control flow.
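The mechanism described in the comment above, as a toy model added here (not V8 code and not written by anyone in this thread). The names `Block`, `inlineCall`, `reduce`, `schedule` and `run` are hypothetical, and the reducer's second visit is modelled by queuing the same call twice.

```javascript
// Toy model, constructed for illustration; none of these names are V8's. A block holds
// at most one control instruction, like `BasicBlock::kNone == block->control()`.
class Block {
  constructor() { this.control = "none"; }
  setControl(kind) {
    if (this.control !== "none") {
      throw new Error(`Check failed: none == control (none vs. ${this.control})`);
    }
    this.control = kind;
  }
}

// "Inline" a call: wire the callee's terminator to the call's control input.
// With kill=true the call is detached, so a later visit is a no-op.
function inlineCall(graph, call, kill) {
  if (call.dead) return false;
  graph.push({ op: call.calleeTerminator, control: call.control, dead: false });
  if (kill) { call.dead = true; call.control = null; }
  return true;
}

// The reducer visits every queued node; the same call may be queued twice.
function reduce(graph, worklist, kill) {
  let inlined = 0;
  for (const node of worklist) {
    if (node.op === "Call" && inlineCall(graph, node, kill)) inlined++;
  }
  return inlined;
}

// Scheduling: each terminator goes into the block of its control input.
function schedule(graph) {
  const blocks = new Map();
  for (const node of graph) {
    if (node.dead || node.op === "Call" || node.op === "Start") continue;
    if (!blocks.has(node.control)) blocks.set(node.control, new Block());
    blocks.get(node.control).setControl(node.op);
  }
  return blocks.size;
}

// Build Start -> Call(callee throws), queue the call twice, then schedule.
function run(kill) {
  const start = { op: "Start", control: null, dead: false };
  const call = { op: "Call", control: start, calleeTerminator: "throw", dead: false };
  const graph = [start, call];
  const inlined = reduce(graph, [call, call], kill);
  try { return { inlined, outcome: schedule(graph) }; } catch (e) { return { inlined, outcome: e.message }; }
}
```

`run(false)` leaves the call alive, inlines it twice and fails the one-terminator check; `run(true)` kills the call after the first inlining and schedules a single block.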
Apr 25 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/d081a6f692f0fc7ecbca40f09b07eebbbdb8c43d

commit d081a6f692f0fc7ecbca40f09b07eebbbdb8c43d
Author: jarin <jarin@chromium.org>
Date: Tue Apr 25 08:10:32 2017

[turbofan] Make sure an inlined call is not resurrected and inlined again.

BUG= chromium:714483

Review-Url: https://codereview.chromium.org/2833423004
Cr-Commit-Position: refs/heads/master@{#44830}

[modify] https://crrev.com/d081a6f692f0fc7ecbca40f09b07eebbbdb8c43d/src/compiler/js-inlining-heuristic.cc
[modify] https://crrev.com/d081a6f692f0fc7ecbca40f09b07eebbbdb8c43d/src/compiler/js-inlining.cc
[add] https://crrev.com/d081a6f692f0fc7ecbca40f09b07eebbbdb8c43d/test/mjsunit/compiler/regress-714483.js
May 10 2017
May 10 2017
May 10 2017
Your change meets the bar and is auto-approved for M59. Please go ahead and merge the CL to branch 3071 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), gkihumba@(ChromeOS), Abdul Syed@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 15 2017
The following revision refers to this bug:
https://chromium.googlesource.com/v8/v8.git/+/28ccce3e795a783cffc2421835b9be1a63c0d6d9

commit 28ccce3e795a783cffc2421835b9be1a63c0d6d9
Author: Jaroslav Sevcik <jarin@chromium.org>
Date: Mon May 15 14:18:39 2017

Merged: [turbofan] Make sure an inlined call is not resurrected and inlined again.

Revision: d081a6f692f0fc7ecbca40f09b07eebbbdb8c43d

BUG= chromium:714483
LOG=N
NOTRY=true
NOPRESUBMIT=true
NOTREECHECKS=true
R=neis@chromium.org

Change-Id: Id11e1ff79529a7923d7da8e41427b4cdd4e1b2ee
Reviewed-on: https://chromium-review.googlesource.com/505511
Reviewed-by: Georg Neis <neis@chromium.org>
Cr-Commit-Position: refs/branch-heads/5.9@{#47}
Cr-Branched-From: fe9bb7e6e251159852770160cfb21dad3cf03523-refs/heads/5.9.211@{#1}
Cr-Branched-From: 70ad23791a21c0dd7ecef8d4d8dd30ff6fc291f6-refs/heads/master@{#44591}

[modify] https://crrev.com/28ccce3e795a783cffc2421835b9be1a63c0d6d9/src/compiler/js-inlining-heuristic.cc
[modify] https://crrev.com/28ccce3e795a783cffc2421835b9be1a63c0d6d9/src/compiler/js-inlining.cc
[add] https://crrev.com/28ccce3e795a783cffc2421835b9be1a63c0d6d9/test/mjsunit/compiler/regress-714483.js
May 15 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 19 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
May 19 2017
Comment 1 by bmeu...@chromium.org, Apr 24 2017
Labels: -Pri-3 Arch-All Pri-2
Owner: mstarzinger@chromium.org
Status: Assigned (was: Untriaged)