[Webkit-unassigned] [Bug 117602] Going to google.com/trends causes a crash

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jun 18 15:41:30 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=117602
--- Comment #4 from Filip Pizlo <fpizlo at apple.com>  2013-06-18 15:40:08 PST ---
(In reply to comment #3)
> Okay, so if we have:
> function g() { f() }
> function f() {  doStuff(); arguments;  }
> function doStuff() { throw {} }
> 
> for (var i = 0; i < 100; i++) { try { g() } catch (e) {} }
> 
> 
> 
> The initial graph is:
> DFG for g#BBXOF8:[0x7fe6ad00f000->0x10935fd70, DFGFunctionCall]:
>   Fixpoint state: BeforeFixpoint; Form: LoadStore; Unification state: LocallyUnified; Ref count state: EverythingIsLive
>   ArgumentPosition size: 3
>     #0: 
>     #1: 
>     #2: 
> Block #0 (bc#0):  (OSR target)
>   Predecessors:
>   Phi Nodes:
>   vars before: <empty>
>   var links: arg0:- : r0:- r1:- r2:- r3:- r4:- r5:- r6:- r7:- r8:- r9:- r10:- r11:- r12:- r13:- r14:- r15:- r16:- r17:- r18:-
>    0:           < 1:->    SetArgument(arg0(a), bc#0)  predicting None
>    1:           < 1:->    JSConstant(JS|PureInt, $0 = Undefined, bc#1)
>    2:           <!0:->    GlobalVarWatchpoint(MustGen|CanExit, global4(0x105dff9c8), bc#1)
>    3:           < 1:->    WeakJSConstant(JS|PureInt, 0x1092decb0, bc#1)
>    4:           < 1:->    SetLocal(@1, CanExit|NodeExitsForward, r1(B~), bc#1)  predicting None
>    5:           < 1:->    SetLocal(@3, CanExit|NodeExitsForward, r0(C~), bc#1)  predicting None
>    6:           < 1:->    SetLocal(@1, CanExit|NodeExitsForward, r1(D~), bc#1)  predicting None
>    7:           < 1:->    SetLocal(@3, CanExit|NodeExitsForward, r0(E~), bc#1)  predicting None
>    8:           <!0:->    Phantom(@3, @1, MustGen|CanExit, bc#7)
>   --> f#AmUsAH:<0x10935fc70, bc#7, Call, known callee: Cell: 0x1092decb0 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r8>
>      9:           <!0:->    InlineStart(MustGen, bc#0)
>     10:           < 1:->    SetLocal(@1, CanExit|NodeExitsForward, r8(F*), bc#0)  predicting None
>     11:           < 1:->    SetLocal(@1, CanExit|NodeExitsForward, r9(G*), bc#0)  predicting None
>     12:           < 1:->    JSConstant(JS|PureInt, $1 = <JSValue()>, bc#1)
>     13:           <!0:->    Flush(MustGen, r9(G*), bc#1)  predicting None
>     14:           < 1:->    SetLocal(@12, CanExit|NodeExitsForward, r9(H*), bc#1)  predicting None
>     15:           <!0:->    Flush(MustGen, r8(F*), bc#3)  predicting None
>     16:           < 1:->    SetLocal(@12, CanExit|NodeExitsForward, r8(I*), bc#3)  predicting None

Are 14 and 16 flushed?

>     17:           <!0:->    GlobalVarWatchpoint(MustGen|CanExit, global5(0x105dff9d0), bc#5)
>     18:           < 1:->    WeakJSConstant(JS|PureInt, 0x1092dec70, bc#5)
>     19:           < 1:->    SetLocal(@1, CanExit|NodeExitsForward, r11(J~), bc#5)  predicting None
>     20:           < 1:->    SetLocal(@18, CanExit|NodeExitsForward, r10(K~), bc#5)  predicting None
>     21:           < 1:->    SetLocal(@1, CanExit|NodeExitsForward, r11(L~), bc#5)  predicting None
>     22:           < 1:->    SetLocal(@18, CanExit|NodeExitsForward, r10(M~), bc#5)  predicting None
>     23:           <!0:->    Phantom(@18, @1, MustGen|CanExit, bc#11)
>     --> doStuff#ASE1VK:<0x10935fb70, bc#11, Call, known callee: Cell: 0x1092dec70 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r18>
>       24:           <!0:->    InlineStart(MustGen, bc#0)
>       25:           < 1:->    NewObject(JS|PureInt|CanExit, struct(0x105ddb6c8: NonArray), bc#1)
>       26:           < 1:->    SetLocal(@25, CanExit|NodeExitsForward, r18(N~), bc#1)  predicting None
>       27:           <!0:->    Throw(@25, MustGen|CanExit, bc#5)
> 
> 
> Which eventually becomes:
>   var links: arg0:@0 : r0:- r1:- r2:- r3:- r4:- r5:- r6:- r7:- r8:- r9:- r10:- r11:- r12:- r13:- r14:- r15:- r16:- r17:- r18:-
>    0:           < 1:->    SetArgument(arg0(a), bc#0)  predicting Other
>    1:           < 1:->    JSConstant(JS|UseAsOther, $0 = Undefined, bc#1)
>    2:           <!0:->    GlobalVarWatchpoint(MustGen|CanExit, global4(0x105dff9c8), bc#1)
>    3:           < 1:->    WeakJSConstant(JS|UseAsOther, 0x1092decb0, bc#1)
>    4:           < 1:->    SetLocal(@1<Other>, CanExit|NodeExitsForward, r1(B~<Other>), bc#1)  predicting Other
>    5:           < 1:->    SetLocal(@3<Function>, CanExit|NodeExitsForward, r0(C~<Function>), bc#1)  predicting Function
>    6:           < 1:->    SetLocal(@1<Other>, CanExit|NodeExitsForward, r1(D~<Other>), bc#1)  predicting Other
>    7:           < 1:->    SetLocal(@3<Function>, CanExit|NodeExitsForward, r0(E~<Function>), bc#1)  predicting Function
>    8:           <!0:->    Phantom(@3<Function>, @1<Other>, MustGen|CanExit, bc#7)
>   --> f#AmUsAH:<0x10935fc70, bc#7, Call, known callee: Cell: 0x1092decb0 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r8>
>      9:           <!0:->    InlineStart(MustGen, bc#0)
>     10:           < 1:->    SetLocal(@1<Other>, CanExit|NodeExitsForward, r8(F*<Other>), bc#0)  predicting Other
>     11:           < 1:->    SetLocal(@1<Other>, CanExit|NodeExitsForward, r9(G*<Other>), bc#0)  predicting Other
>     12:           < 1:->    JSConstant(JS|PureInt, $1 = <JSValue()>, bc#1)
>     13:           <!0:->    Flush(@11, MustGen, r9(G*<Other>), bc#1)  predicting Other
>     14:           < 1:->    SetLocal(@12, CanExit|NodeExitsForward, r9(H*), bc#1)  predicting Empty
>     15:           <!0:->    Flush(@10, MustGen, r8(F*<Other>), bc#3)  predicting Other
>     16:           < 1:->    SetLocal(@12, CanExit|NodeExitsForward, r8(I*), bc#3)  predicting Empty
>     17:           <!0:->    GlobalVarWatchpoint(MustGen|CanExit, global5(0x105dff9d0), bc#5)
>     18:           < 1:->    WeakJSConstant(JS|UseAsOther, 0x1092dec70, bc#5)
>     19:           < 1:->    SetLocal(@1<Other>, CanExit|NodeExitsForward, r11(J~<Other>), bc#5)  predicting Other
>     20:           < 1:->    SetLocal(@18<Function>, CanExit|NodeExitsForward, r10(K~<Function>), bc#5)  predicting Function
>     21:           < 1:->    SetLocal(@1<Other>, CanExit|NodeExitsForward, r11(L~<Other>), bc#5)  predicting Other
>     22:           < 1:->    SetLocal(@18<Function>, CanExit|NodeExitsForward, r10(M~<Function>), bc#5)  predicting Function
>     23:           <!0:->    Phantom(@18<Function>, @1<Other>, MustGen|CanExit, bc#11)
>     --> doStuff#ASE1VK:<0x10935fb70, bc#11, Call, known callee: Cell: 0x1092dec70 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r18>
>       24:           <!0:->    InlineStart(MustGen, bc#0)
>       25:           < 1:->    NewObject(JS|UseAsOther|CanExit, struct(0x105ddb6c8: NonArray), bc#1)
>       26:           < 1:->    SetLocal(@25<Final>, CanExit|NodeExitsForward, r18(N~<Final>), bc#1)  predicting Final
>       27:           <!0:->    Throw(@25<Final>, MustGen|CanExit, bc#5)
> 
> 
> And then after DCE
>   var links: arg0:@0 : r0:- r1:- r2:- r3:- r4:- r5:- r6:- r7:- r8:- r9:- r10:- r11:- r12:- r13:- r14:- r15:- r16:- r17:- r18:-
>    0:  skipped  < 0:->    SetArgument(arg0(a), bc#0)
>    1:           < 4:->    JSConstant(JS|UseAsOther, $0 = Undefined, bc#1)
>    2:           <!0:->    GlobalVarWatchpoint(MustGen|CanExit, global4(0x105dff9c8), bc#1)
>    3:           < 1:->    WeakJSConstant(JS|UseAsOther, 0x1092decb0, bc#1)
>    4:  skipped  < 0:->    MovHint(@1<Other>, r1(B~<Other>), bc#1)
>    5:  skipped  < 0:->    MovHint(@3<Function>, r0(C~<Function>), bc#1)
>    6:  skipped  < 0:->    MovHint(@1<Other>, r1(D~<Other>), bc#1)
>    7:  skipped  < 0:->    MovHint(@3<Function>, r0(E~<Function>), bc#1)
>    8:           <!0:->    Phantom(@3<Function>, @1<Other>, MustGen, bc#7)
>   --> f#AmUsAH:<0x10935fc70, bc#7, Call, known callee: Cell: 0x1092decb0 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r8>
>      9:           <!0:->    InlineStart(MustGen, bc#0)
>     10:  skipped  < 0:->    MovHint(@1<Other>, r8(F*<Other>), bc#0)
>     11:  skipped  < 0:->    MovHint(@1<Other>, r9(G*<Other>), bc#0)
>     12:           <!0:->    Phantom(MustGen|CanExit, bc#1)
>     13:           <!0:->    Phantom(@1<Other>, MustGen, bc#1)
>     14:  skipped  < 0:->    ZombieHint(r9(H*), bc#1)
>     15:           <!0:->    Phantom(@1<Other>, MustGen, bc#3)
>     16:  skipped  < 0:->    ZombieHint(r8(I*), bc#3)
>     17:           <!0:->    GlobalVarWatchpoint(MustGen|CanExit, global5(0x105dff9d0), bc#5)
>     18:           < 1:->    WeakJSConstant(JS|UseAsOther, 0x1092dec70, bc#5)
>     19:  skipped  < 0:->    MovHint(@1<Other>, r11(J~<Other>), bc#5)
>     20:  skipped  < 0:->    MovHint(@18<Function>, r10(K~<Function>), bc#5)
>     21:  skipped  < 0:->    MovHint(@1<Other>, r11(L~<Other>), bc#5)
>     22:  skipped  < 0:->    MovHint(@18<Function>, r10(M~<Function>), bc#5)
>     23:           <!0:->    Phantom(@18<Function>, @1<Other>, MustGen, bc#11)
>     --> doStuff#ASE1VK:<0x10935fb70, bc#11, Call, known callee: Cell: 0x1092dec70 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r18>
>       24:           <!0:->    InlineStart(MustGen, bc#0)
>       25:           < 1:->    NewObject(JS|UseAsOther, struct(0x105ddb6c8: NonArray), bc#1)
>       26:  skipped  < 0:->    MovHint(@25<Final>, r18(N~<Final>), bc#1)
>       27:           <!0:->    Throw(@25<Final>, MustGen|CanExit, bc#5)
> 
> 
> Nodes @14 and @16 were responsible for initializing the lazy argument slots, but they have been elided, despite being necessary for correct behavior.
> 
> I can add 
>             addToGraph(Phantom, get(currentInstruction[1].u.operand));
> 
> to init_lazy_reg, and that makes this crash go away, but it feels hacky, and looking at the output graph it is not obvious _why_ we end up with the correct behavior.

No, that is definitely not the right solution. Why aren't those two nodes flushed?  Does the inlined function always end in Throw?  If so maybe it's that op_throw (and ThrowReferenceError) aren't doing the Flushing that op_ret and op_end do?

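The pattern under discussion (a frame that references `arguments` after an inlined callee that always throws) is the kind of thing that belongs in a regression test once the flushing bug is fixed. The following is an added example, not code from the bug report or from WebKit's own test suite. It is plain ECMAScript and runs on any engine; the iteration count is an assumption chosen to be large enough that a tiering JIT would normally compile the callers, which is what makes the DFG path relevant, and the exception payload and argument values are constructed for the example. Besides the exact reproducer shape, it adds two variants in which the `arguments` read is live (after a catch in the same frame, and from a closure run in `finally` while the exception is still propagating), so a wrong or uninitialized argument slot would surface as a wrong value rather than only as a crash.

```javascript
// Regression-style test for `arguments` reads around an inlined callee that
// always throws. Added example; not from the bug report or WebKit's tests.

const ITERATIONS = 10000; // assumption: enough to reach an optimizing tier

// Callee that always throws. When inlined, its body ends in Throw rather
// than a return, the shape the bug report describes for doStuff().
function doStuff() {
  throw { reason: 'constructed test exception' };
}

// Shape from the original reproducer: `arguments` is referenced after a call
// that always throws, so the reference is dead at runtime. The engine must
// still initialize the lazy argument slots, because the exception unwinds
// through this frame and any later materialization must see valid values.
function f() {
  doStuff();
  return arguments.length; // dead at runtime, but must not corrupt the frame
}

function g(x) {
  return f(x);
}

// Variant: the same frame catches the exception and then reads `arguments`.
// Here the read is live, so a stale or uninitialized slot shows up directly.
function readArgsAfterCatch(a, b) {
  try {
    doStuff();
  } catch (e) {
    return { length: arguments.length, first: arguments[0], second: arguments[1] };
  }
  return null; // not reachable: doStuff always throws
}

// Variant: `arguments` is captured by an arrow function before the throw and
// read in a finally block while the exception is still propagating.
let lastFinallySnapshot = null;
function readArgsInFinally(a, b, c) {
  const snapshot = () => Array.prototype.slice.call(arguments); // arrow shares outer `arguments`
  try {
    doStuff();
  } finally {
    lastFinallySnapshot = snapshot();
  }
  return lastFinallySnapshot; // not reachable: finally rethrows
}

// Runs each variant many times, the way the original 100-iteration loop did,
// and returns the last observed results so a test can check them.
function runAll(iterations = ITERATIONS) {
  let caught = 0;
  let afterCatch = null;
  let inFinally = null;
  for (let i = 0; i < iterations; i++) {
    try { g(i); } catch (e) { caught++; }
    afterCatch = readArgsAfterCatch(i, 'b');
    try { readArgsInFinally(i, 'b', 'c'); } catch (e) { inFinally = lastFinallySnapshot; }
  }
  return { caught, afterCatch, inFinally };
}

console.log(JSON.stringify(runAll()));
```

On a correct engine the last iteration reports `caught` equal to the iteration count, `afterCatch` as `{length: 2, first: N-1, second: "b"}` and `inFinally` as `[N-1, "b", "c"]`; an engine that elides the argument-slot initialization in the throwing path would either crash here or return garbage in the two live variants.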