[Webkit-unassigned] [Bug 190656] New: useProbeOSRExit causes failures for Win64 DFG JIT

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 16 18:38:09 PDT 2018


https://bugs.webkit.org/show_bug.cgi?id=190656

            Bug ID: 190656
           Summary: useProbeOSRExit causes failures for Win64 DFG JIT
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ross.kirsling at sony.com

About three dozen JSC tests fail for WinCairo in dfg-eager mode only, but all of these pass if useProbeOSRExit is switched off.

Two-thirds appear to be failing the `!Heap::heap(value) || Heap::heap(value) == Heap::heap(this)` assert in JSObject::putDirectInternal:
https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/runtime/JSObjectInlines.h#L270

The rest are failing isObject() assertions.

---

Here is a simple test case that reproduces the issue (distilled from stress/sparse-map-non-skip.js):

test.js
```
function checkGetter(object) {
  if (object.foo !== 0)
    throw new Error(`bad value for object.foo! expected 0, found ${object.foo}`);
}
noInline(checkGetter);

for (var i = 0; i < 2305; ++i)
  checkGetter({ get foo() { return 0; } });

checkGetter({ get foo() { return 0; } });
```

dfg-whitelist.txt
```
<global>#Cuu2O0
```

With this as input, `jsc --useConcurrentJIT=false --useProbeOSRExit=true --dfgWhitelist=dfg-whitelist.txt test.js` suffices to repro.

Debug:
> ASSERTION FAILED: getter.isObject() || setter.isObject()
> ...\jit\JITOperations.cpp(1748) : JSC::operationPutGetterSetter
> 1   00007FFB3E4321EA
> 2   00007FFB2FC42F11
> 3   00007FFB30910027
> 4   000002B0398E2AE0

Release:
> Exception: Error: bad value for object.foo! expected 0, found undefined
> checkGetter at test.js:3:20
> global code at test.js:10:12
