[Webkit-unassigned] [Bug 145243] JIT bug - fails when inspector closed, works when open

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 15 13:38:37 PDT 2015 

https://bugs.webkit.org/show_bug.cgi?id=145243

--- Comment #6 from Michael Saboff <msaboff at apple.com> ---
The failure is manifest in the following code:

function Assertion (obj, msg, stack) {
    flag(this, 'ssfi', stack  || arguments.callee);  // Eliminate arguments.callee and the bug goes away
    flag(this, 'object', obj);   // The first argument, "this", is undefined in "flag()"
    flag(this, 'message', msg);
}

function flag(obj, key, value) {
    var flags = obj.__flags || (obj.__flags = Object.create(null));
    if (arguments.length === 3) {
        flags[key] = value;
    } else {
        return flags[key];
    }
}

The bytecode for Assertion is:
Assertion#BsmUKj:[0x10b7dc720->0x10a04ab00, NoneFunctionConstruct, 140]: 140 m_instructions; 1120 bytes; 4 parameter(s); 14 callee register(s); 3 variable(s)
[   0] enter
[   1] get_scope         loc0
[   3] create_direct_arguments loc1
[   5] create_this       this, this, 0, 0
[  10] mov               loc2, loc1
[  13] resolve_scope     loc8, loc0, flag(@id0), 1<ThrowIfNotFound|GlobalVar>, 0
[  20] get_from_scope    loc3, loc8, flag(@id0), 1<ThrowIfNotFound|GlobalVar>, 201294216    predicting None
[  28] mov               loc7, this
[  31] mov               loc6, String (atomic) (identifier): ssfi, ID: 4(const0)
[  34] get_from_arguments loc5, loc1, 2    predicting None
[  39] jtrue             loc5, 12(->51)
[  42] get_by_id         loc5, loc2, callee(@id1)    predicting None
[  51] call              loc3, loc3, 4, 14 status(Could Take Slow Path, maxNumArguments = 1)    Original; predicting None
[  60] resolve_scope     loc8, loc0, flag(@id0), 1<ThrowIfNotFound|GlobalVar>, 0
[  67] get_from_scope    loc3, loc8, flag(@id0), 1<ThrowIfNotFound|GlobalVar>, 201294216    predicting None
[  75] mov               loc7, this
[  78] mov               loc6, String (atomic) (identifier): object, ID: 4(const1)
[  81] get_from_arguments loc5, loc1, 0    predicting None
[  86] call              loc3, loc3, 4, 14 status(Could Take Slow Path, maxNumArguments = 1)    Original; predicting None
[  95] resolve_scope     loc8, loc0, flag(@id0), 1<ThrowIfNotFound|GlobalVar>, 0
[ 102] get_from_scope    loc3, loc8, flag(@id0), 1<ThrowIfNotFound|GlobalVar>, 201294216    predicting None
[ 110] mov               loc7, this
[ 113] mov               loc6, String (atomic) (identifier): message, ID: 4(const2)
[ 116] get_from_arguments loc5, loc1, 1    predicting None
[ 121] call              loc3, loc3, 4, 14 status(Could Take Slow Path, maxNumArguments = 1)    Original; predicting None
[ 130] is_object         loc3, this
[ 133] jtrue             loc3, 5(->138)
[ 136] ret               this
[ 138] ret               this

The bytecode for flag is:
flag#D14VaO:[0x10b7dc980->0x10a04aa00, NoneFunctionCall, 132]: 132 m_instructions; 1056 bytes; 4 parameter(s); 14 callee register(s); 4 variable(s)
[   0] enter
[   1] get_scope         loc0
[   3] create_direct_arguments loc1
[   5] mov               loc3, loc1
[   8] get_from_arguments loc5, loc1, 0    predicting None
[  13] get_by_id         loc4, loc5, __flags(@id0)    predicting None
[  22] jtrue             loc4, 56(->78)
[  25] get_from_arguments loc5, loc1, 0    predicting None
[  30] resolve_scope     loc8, loc0, Object(@id1), 0<ThrowIfNotFound|GlobalProperty>, 0
[  37] get_from_scope    loc8, loc8, Object(@id1), 0<ThrowIfNotFound|GlobalProperty>, 101    predicting None
[  45] get_by_id         loc6, loc8, create(@id2)    predicting None
[  54] mov               loc7, Null(const0)
[  57] call              loc6, loc6, 2, 14 status(Could Take Slow Path, maxNumArguments = 1)    Original; predicting None
[  66] put_by_id         loc5, __flags(@id0), loc6
[  75] mov               loc4, loc6
[  78] mov               loc2, loc4
[  81] get_by_id         loc4, loc3, length(@id3)    predicting None
[  90] stricteq          loc4, loc4, Int32: 3(const1)
[  94] jfalse            loc4, 23(->117)
[  97] mov               loc4, loc2
[ 100] get_from_arguments loc5, loc1, 1    predicting None
[ 105] get_from_arguments loc6, loc1, 2    predicting None
[ 110] put_by_val        loc4, loc5, loc6    Original
[ 115] jmp               15(->130)
[ 117] get_from_arguments loc4, loc1, 1    predicting None
[ 122] get_by_val        loc4, loc2, loc4    Original; predicting None
[ 128] ret               loc4
[ 130] ret               Undefined(const2)

All three instances of "flag()" are inlined.  The problem is during the second call to flag(), we get "undefined" for the base object when executing bc#13, get_by_id.  The reason is during local CSE, we replace object we use as the base.  Before local CSE:
   189:< 1:->   CreateDirectArguments(JS|UseAsOther, Directarguments, R:Stack,HeapObjectCount, W:HeapObjectCount, bc#3)
...
   194:< 1:->   GetFromArguments(Check:KnownCell:@189, JS|UseAsOther, Final, capturedArgument0, R:DirectArgumentsProperties(0), bc#8)  predicting Final
...
   197:<!0:->   GetById(Check:Cell:@194, JS|MustGen|UseAsOther, Final, id2{__flags}, R:World, W:Heap, bc#13)  predicting Final

After local CSE:
 171:<!0:->     GetLocal(@457, JS|MustGen|UseAsOther, Directarguments, loc1(I<DirectArguments>/FlushedCell), R:Stack(-2), bc#81)  predicting Directarguments
 172:< 1:->     GetFromArguments(Check:KnownCell:@171, JS|UseAsOther, Other, capturedArgument0, R:DirectArgumentsProperties(0), bc#81)  predicting Other
   197:<!0:->   GetById(Check:Cell:@172, JS|MustGen|UseAsOther, Final, id2{__flags}, R:World, W:Heap, bc#13)  predicting Final

Where 172 is the GetFromArguments in Assertion.

The problem is in DFGClobberize::cloberize() and its handling of GetFromArguments.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150615/ad47e0a3/attachment-0001.html>

More information about the webkit-unassigned mailing list