[Webkit-unassigned] [Bug 117602] Going to google.com/trends causes a crash
bugzilla-daemon at webkit.org
Tue Jun 18 12:19:02 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=117602
Oliver Hunt <oliver at apple.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fpizlo at apple.com
--- Comment #3 from Oliver Hunt <oliver at apple.com> 2013-06-18 12:17:40 PST ---
Okay, so if we have:
function g() { f() }
function f() { doStuff(); arguments; }
function doStuff() { throw {} }
for (var i = 0; i < 100; i++) { try { g() } catch (e) {} }
The initial graph is:
DFG for g#BBXOF8:[0x7fe6ad00f000->0x10935fd70, DFGFunctionCall]:
Fixpoint state: BeforeFixpoint; Form: LoadStore; Unification state: LocallyUnified; Ref count state: EverythingIsLive
ArgumentPosition size: 3
#0:
#1:
#2:
Block #0 (bc#0): (OSR target)
Predecessors:
Phi Nodes:
vars before: <empty>
var links: arg0:- : r0:- r1:- r2:- r3:- r4:- r5:- r6:- r7:- r8:- r9:- r10:- r11:- r12:- r13:- r14:- r15:- r16:- r17:- r18:-
0: < 1:-> SetArgument(arg0(a), bc#0) predicting None
1: < 1:-> JSConstant(JS|PureInt, $0 = Undefined, bc#1)
2: <!0:-> GlobalVarWatchpoint(MustGen|CanExit, global4(0x105dff9c8), bc#1)
3: < 1:-> WeakJSConstant(JS|PureInt, 0x1092decb0, bc#1)
4: < 1:-> SetLocal(@1, CanExit|NodeExitsForward, r1(B~), bc#1) predicting None
5: < 1:-> SetLocal(@3, CanExit|NodeExitsForward, r0(C~), bc#1) predicting None
6: < 1:-> SetLocal(@1, CanExit|NodeExitsForward, r1(D~), bc#1) predicting None
7: < 1:-> SetLocal(@3, CanExit|NodeExitsForward, r0(E~), bc#1) predicting None
8: <!0:-> Phantom(@3, @1, MustGen|CanExit, bc#7)
--> f#AmUsAH:<0x10935fc70, bc#7, Call, known callee: Cell: 0x1092decb0 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r8>
9: <!0:-> InlineStart(MustGen, bc#0)
10: < 1:-> SetLocal(@1, CanExit|NodeExitsForward, r8(F*), bc#0) predicting None
11: < 1:-> SetLocal(@1, CanExit|NodeExitsForward, r9(G*), bc#0) predicting None
12: < 1:-> JSConstant(JS|PureInt, $1 = <JSValue()>, bc#1)
13: <!0:-> Flush(MustGen, r9(G*), bc#1) predicting None
14: < 1:-> SetLocal(@12, CanExit|NodeExitsForward, r9(H*), bc#1) predicting None
15: <!0:-> Flush(MustGen, r8(F*), bc#3) predicting None
16: < 1:-> SetLocal(@12, CanExit|NodeExitsForward, r8(I*), bc#3) predicting None
17: <!0:-> GlobalVarWatchpoint(MustGen|CanExit, global5(0x105dff9d0), bc#5)
18: < 1:-> WeakJSConstant(JS|PureInt, 0x1092dec70, bc#5)
19: < 1:-> SetLocal(@1, CanExit|NodeExitsForward, r11(J~), bc#5) predicting None
20: < 1:-> SetLocal(@18, CanExit|NodeExitsForward, r10(K~), bc#5) predicting None
21: < 1:-> SetLocal(@1, CanExit|NodeExitsForward, r11(L~), bc#5) predicting None
22: < 1:-> SetLocal(@18, CanExit|NodeExitsForward, r10(M~), bc#5) predicting None
23: <!0:-> Phantom(@18, @1, MustGen|CanExit, bc#11)
--> doStuff#ASE1VK:<0x10935fb70, bc#11, Call, known callee: Cell: 0x1092dec70 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r18>
24: <!0:-> InlineStart(MustGen, bc#0)
25: < 1:-> NewObject(JS|PureInt|CanExit, struct(0x105ddb6c8: NonArray), bc#1)
26: < 1:-> SetLocal(@25, CanExit|NodeExitsForward, r18(N~), bc#1) predicting None
27: <!0:-> Throw(@25, MustGen|CanExit, bc#5)
Which eventually becomes:
var links: arg0:@0 : r0:- r1:- r2:- r3:- r4:- r5:- r6:- r7:- r8:- r9:- r10:- r11:- r12:- r13:- r14:- r15:- r16:- r17:- r18:-
0: < 1:-> SetArgument(arg0(a), bc#0) predicting Other
1: < 1:-> JSConstant(JS|UseAsOther, $0 = Undefined, bc#1)
2: <!0:-> GlobalVarWatchpoint(MustGen|CanExit, global4(0x105dff9c8), bc#1)
3: < 1:-> WeakJSConstant(JS|UseAsOther, 0x1092decb0, bc#1)
4: < 1:-> SetLocal(@1<Other>, CanExit|NodeExitsForward, r1(B~<Other>), bc#1) predicting Other
5: < 1:-> SetLocal(@3<Function>, CanExit|NodeExitsForward, r0(C~<Function>), bc#1) predicting Function
6: < 1:-> SetLocal(@1<Other>, CanExit|NodeExitsForward, r1(D~<Other>), bc#1) predicting Other
7: < 1:-> SetLocal(@3<Function>, CanExit|NodeExitsForward, r0(E~<Function>), bc#1) predicting Function
8: <!0:-> Phantom(@3<Function>, @1<Other>, MustGen|CanExit, bc#7)
--> f#AmUsAH:<0x10935fc70, bc#7, Call, known callee: Cell: 0x1092decb0 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r8>
9: <!0:-> InlineStart(MustGen, bc#0)
10: < 1:-> SetLocal(@1<Other>, CanExit|NodeExitsForward, r8(F*<Other>), bc#0) predicting Other
11: < 1:-> SetLocal(@1<Other>, CanExit|NodeExitsForward, r9(G*<Other>), bc#0) predicting Other
12: < 1:-> JSConstant(JS|PureInt, $1 = <JSValue()>, bc#1)
13: <!0:-> Flush(@11, MustGen, r9(G*<Other>), bc#1) predicting Other
14: < 1:-> SetLocal(@12, CanExit|NodeExitsForward, r9(H*), bc#1) predicting Empty
15: <!0:-> Flush(@10, MustGen, r8(F*<Other>), bc#3) predicting Other
16: < 1:-> SetLocal(@12, CanExit|NodeExitsForward, r8(I*), bc#3) predicting Empty
17: <!0:-> GlobalVarWatchpoint(MustGen|CanExit, global5(0x105dff9d0), bc#5)
18: < 1:-> WeakJSConstant(JS|UseAsOther, 0x1092dec70, bc#5)
19: < 1:-> SetLocal(@1<Other>, CanExit|NodeExitsForward, r11(J~<Other>), bc#5) predicting Other
20: < 1:-> SetLocal(@18<Function>, CanExit|NodeExitsForward, r10(K~<Function>), bc#5) predicting Function
21: < 1:-> SetLocal(@1<Other>, CanExit|NodeExitsForward, r11(L~<Other>), bc#5) predicting Other
22: < 1:-> SetLocal(@18<Function>, CanExit|NodeExitsForward, r10(M~<Function>), bc#5) predicting Function
23: <!0:-> Phantom(@18<Function>, @1<Other>, MustGen|CanExit, bc#11)
--> doStuff#ASE1VK:<0x10935fb70, bc#11, Call, known callee: Cell: 0x1092dec70 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r18>
24: <!0:-> InlineStart(MustGen, bc#0)
25: < 1:-> NewObject(JS|UseAsOther|CanExit, struct(0x105ddb6c8: NonArray), bc#1)
26: < 1:-> SetLocal(@25<Final>, CanExit|NodeExitsForward, r18(N~<Final>), bc#1) predicting Final
27: <!0:-> Throw(@25<Final>, MustGen|CanExit, bc#5)
And then after DCE:
var links: arg0:@0 : r0:- r1:- r2:- r3:- r4:- r5:- r6:- r7:- r8:- r9:- r10:- r11:- r12:- r13:- r14:- r15:- r16:- r17:- r18:-
0: skipped < 0:-> SetArgument(arg0(a), bc#0)
1: < 4:-> JSConstant(JS|UseAsOther, $0 = Undefined, bc#1)
2: <!0:-> GlobalVarWatchpoint(MustGen|CanExit, global4(0x105dff9c8), bc#1)
3: < 1:-> WeakJSConstant(JS|UseAsOther, 0x1092decb0, bc#1)
4: skipped < 0:-> MovHint(@1<Other>, r1(B~<Other>), bc#1)
5: skipped < 0:-> MovHint(@3<Function>, r0(C~<Function>), bc#1)
6: skipped < 0:-> MovHint(@1<Other>, r1(D~<Other>), bc#1)
7: skipped < 0:-> MovHint(@3<Function>, r0(E~<Function>), bc#1)
8: <!0:-> Phantom(@3<Function>, @1<Other>, MustGen, bc#7)
--> f#AmUsAH:<0x10935fc70, bc#7, Call, known callee: Cell: 0x1092decb0 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r8>
9: <!0:-> InlineStart(MustGen, bc#0)
10: skipped < 0:-> MovHint(@1<Other>, r8(F*<Other>), bc#0)
11: skipped < 0:-> MovHint(@1<Other>, r9(G*<Other>), bc#0)
12: <!0:-> Phantom(MustGen|CanExit, bc#1)
13: <!0:-> Phantom(@1<Other>, MustGen, bc#1)
14: skipped < 0:-> ZombieHint(r9(H*), bc#1)
15: <!0:-> Phantom(@1<Other>, MustGen, bc#3)
16: skipped < 0:-> ZombieHint(r8(I*), bc#3)
17: <!0:-> GlobalVarWatchpoint(MustGen|CanExit, global5(0x105dff9d0), bc#5)
18: < 1:-> WeakJSConstant(JS|UseAsOther, 0x1092dec70, bc#5)
19: skipped < 0:-> MovHint(@1<Other>, r11(J~<Other>), bc#5)
20: skipped < 0:-> MovHint(@18<Function>, r10(K~<Function>), bc#5)
21: skipped < 0:-> MovHint(@1<Other>, r11(L~<Other>), bc#5)
22: skipped < 0:-> MovHint(@18<Function>, r10(M~<Function>), bc#5)
23: <!0:-> Phantom(@18<Function>, @1<Other>, MustGen, bc#11)
--> doStuff#ASE1VK:<0x10935fb70, bc#11, Call, known callee: Cell: 0x1092dec70 (0x105ddf420: Function, NonArray), numArgs+this = 1, stack >= r18>
24: <!0:-> InlineStart(MustGen, bc#0)
25: < 1:-> NewObject(JS|UseAsOther, struct(0x105ddb6c8: NonArray), bc#1)
26: skipped < 0:-> MovHint(@25<Final>, r18(N~<Final>), bc#1)
27: <!0:-> Throw(@25<Final>, MustGen|CanExit, bc#5)
Nodes @14 and @16 were responsible for initializing the lazy argument slots, but they have been elided, despite being necessary for correct behavior.
I can add
addToGraph(Phantom, get(currentInstruction[1].u.operand));
to init_lazy_reg, and that makes this crash go away, but it feels hacky, and looking at the output graph it is not obvious _why_ we end up with the correct behavior.
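A regression-style check for the pattern discussed in comment #3, added here as an illustration and not part of the bug report or of WebKit's own test suite: it warms up a call chain in which `arguments` is touched only after a callee throws, and checks that `arguments` is still materialized correctly on the exception path rather than only checking that nothing crashes. The function names (fObserve, fEscape, gObserve, gEscape, checkArgumentsAfterThrow) and the inputs are constructed for this example.

```javascript
// Added example, not code from the bug report. It reproduces the shape of the
// report's test case (g -> f -> doStuff, with f referencing `arguments` after
// the throwing call) and observes `arguments` instead of just surviving.

function doStuff() { throw {}; }

// Variant of the report's f(): the exception is caught in f's own frame and
// `arguments` is read afterwards, so an elided lazy-argument initialization
// would show up as wrong data rather than only as a crash.
function fObserve(a, b) {
  try { doStuff(); } catch (e) {}
  return arguments.length + ':' + arguments[0] + ':' + arguments[1];
}

// Same shape as the report: `arguments` is referenced, the throw escapes to g.
function fEscape() { doStuff(); arguments; }

function gObserve(x, y) { return fObserve(x, y); }
function gEscape() { fEscape(); }

// Warm both call chains well past the report's 100 iterations so an optimizing
// tier gets a chance to compile and inline them (no engine internals assumed),
// and report how many results disagreed with the expected value and how many
// exceptions escaped. Both counts are constructed checks for this example.
function checkArgumentsAfterThrow(iterations) {
  let mismatches = 0;
  let escaped = 0;
  for (let i = 0; i < iterations; i++) {
    if (gObserve(i, 'v') !== 2 + ':' + i + ':v') mismatches++;
    try { gEscape(); } catch (e) { escaped++; }
  }
  return { mismatches, escaped };
}
```

On an engine with the lazy-argument initialization kept alive, mismatches is 0 and every iteration's exception is caught by the loop.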