100620 2012-10-28 17:00:15 -0700 There should not be blind spots in array length array profiling 2012-10-29 09:52:32 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 100636 98606 1 fpizlo fpizlo barraclough cdumez ggaren mark.lam mhahnenberg msaboff oliver oldest_to_newest 753009 0 fpizlo 2012-10-28 17:00:15 -0700 Currently if you have a program like: for (thousand times) thingy for (thousand times) thingy(array.length) There is the risk that we'll end up tiering into the baseline JIT before the LLInt would have a chance to profile array.length, and we may tier all the way to the DFG before the baseline JIT had a chance to patch (but after it executed) array.length. Hence the DFG will not know whether the array.length access is just unprofiled, or legitimately accesses something that isn't really a length. The solution is to ensure that statements of the form "blah.length" get array length profiling in the baseline JIT even before the patching machinery kicks in. 753010 1 171145 fpizlo 2012-10-28 17:07:03 -0700 Created attachment 171145 the patch 753011 2 171145 webkit-ews 2012-10-28 17:13:29 -0700 Comment on attachment 171145 the patch Attachment 171145 did not pass qt-ews (qt): Output: http://queues.webkit.org/results/14606964 753012 3 171145 webkit-ews 2012-10-28 17:14:23 -0700 Comment on attachment 171145 the patch Attachment 171145 did not pass qt-wk2-ews (qt): Output: http://queues.webkit.org/results/14615912 753015 4 171145 eflews.bot 2012-10-28 17:25:48 -0700 Comment on attachment 171145 the patch Attachment 171145 did not pass efl-ews (efl): Output: http://queues.webkit.org/results/14609924 753016 5 171145 buildbot 2012-10-28 17:34:27 -0700 Comment on attachment 171145 the patch Attachment 171145 did not pass win-ews (win): Output: http://queues.webkit.org/results/14617874 753022 6 fpizlo 2012-10-28 18:28:48 -0700 I've fixed the 32-bit stuffs. 753027 7 fpizlo 2012-10-28 19:18:34 -0700 Landed in http://trac.webkit.org/changeset/132757 753118 8 cdumez 2012-10-29 00:39:24 -0700 The following test cases started crashing after this patch landed: jquery/manipulation.html jquery/traversing.html Backtrace: crash log for DumpRenderTree (pid 860): STDOUT: <empty> STDERR: ASSERTION FAILED: ArrayMode(Array::Arguments).alreadyChecked(m_state.forNode(node.child1())) STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(3247) : void JSC::DFG::SpeculativeJIT::compileGetByValOnArguments(JSC::DFG::Node&) STDERR: 1 0x7f56d6262474 JSC::DFG::SpeculativeJIT::compileGetByValOnArguments(JSC::DFG::Node&) STDERR: 2 0x7f56d6285456 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) STDERR: 3 0x7f56d6259602 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) STDERR: 4 0x7f56d6259d87 JSC::DFG::SpeculativeJIT::compile() STDERR: 5 0x7f56d622a1ce JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) STDERR: 6 0x7f56d622b163 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) STDERR: 7 0x7f56d621dfab JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) STDERR: 8 0x7f56d621d900 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) STDERR: 9 0x7f56d63add8f JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) STDERR: 10 0x7f56d63ae08a JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) STDERR: 11 0x7f56d63abf71 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int) STDERR: 12 0x7f56d63ab39b JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int) STDERR: 13 0x7f56d614ad85 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind) STDERR: 14 0x7f56d6146e38 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) STDERR: 15 0x7f56d63177bd STDERR: 16 0x7f56d6313be0 STDERR: 17 0x7f5682780058 753541 9 ap 2012-10-29 09:52:32 -0700 Bug 100636 tracks the regression. 171145 2012-10-28 17:07:03 -0700 2012-10-28 17:34:27 -0700 the patch fixarraylength_1.patch text/plain 3893 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTMyNzU2KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIwIEBA CisyMDEyLTEwLTI4ICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg VGhlcmUgc2hvdWxkIG5vdCBiZSBibGluZCBzcG90cyBpbiBhcnJheSBsZW5ndGggYXJyYXkgcHJv ZmlsaW5nCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0x MDA2MjAKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKworICAgICAgICBJ IGRvbid0IHRoaW5rIHRoaXMgaGFzIGFueSBwZXJmb3JtYW5jZSBpbXBhY3QuIEJ1dCBpdCdzIGdv b2QgdG8gbm90IGhhdmUgcmFuZG9tCisgICAgICAgIHByb2dyYW1zIG9jY2FzaW9uYWxseSBlbWl0 IGEgR2V0QnlJZCBmb3IgYXJyYXkgbGVuZ3RoIGFjY2Vzc2VzLgorCisgICAgICAgICogaml0L0pJ VFByb3BlcnR5QWNjZXNzLmNwcDoKKyAgICAgICAgKEpTQzo6SklUOjpjb21waWxlR2V0QnlJZEhv dFBhdGgpOgorICAgICAgICAoSlNDOjpKSVQ6OnByaXZhdGVDb21waWxlUGF0Y2hHZXRBcnJheUxl bmd0aCk6CisgICAgICAgICogaml0L0pJVFByb3BlcnR5QWNjZXNzMzJfNjQuY3BwOgorICAgICAg ICAoSlNDOjpKSVQ6OmNvbXBpbGVHZXRCeUlkSG90UGF0aCk6CisgICAgICAgIChKU0M6OkpJVDo6 cHJpdmF0ZUNvbXBpbGVQYXRjaEdldEFycmF5TGVuZ3RoKToKKwogMjAxMi0xMC0yOCAgRmlsaXAg UGl6bG8gIDxmcGl6bG9AYXBwbGUuY29tPgogCiAgICAgICAgIFVucmV2aWV3ZWQsIG1ha2UgYWx3 YXlzLXRydWUgZW51bS10by1pbnQgY29tcGFyaXNvbnMgdXNlIGNhc3RzLgpJbmRleDogU291cmNl L0phdmFTY3JpcHRDb3JlL2ppdC9KSVRQcm9wZXJ0eUFjY2VzczMyXzY0LmNwcAo9PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 Ci0tLSBTb3VyY2UvSmF2YVNjcmlwdENvcmUvaml0L0pJVFByb3BlcnR5QWNjZXNzMzJfNjQuY3Bw CShyZXZpc2lvbiAxMzI3NDkpCisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvaml0L0pJVFByb3Bl cnR5QWNjZXNzMzJfNjQuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC00NjksNiArNDY5LDExIEBAIHZv aWQgSklUOjpjb21waWxlR2V0QnlJZEhvdFBhdGgoKQogICAgIC8vIHRvIGFycmF5LWxlbmd0aCAv IHByb3RvdHlwZSBhY2Nlc3MgdHJhbnBvbGluZXMsIGFuZCBmaW5hbGx5IHdlIGFsc28gdGhlIHRo ZSBwcm9wZXJ0eS1tYXAgYWNjZXNzIG9mZnNldCBhcyBhIGxhYmVsCiAgICAgLy8gdG8ganVtcCBi YWNrIHRvIGlmIG9uZSBvZiB0aGVzZSB0cmFtcG9saWVzIGZpbmRzIGEgbWF0Y2guCiAgICAgCisg ICAgaWYgKCppZGVudCA9PSBtX2dsb2JhbERhdGEtPnByb3BlcnR5TmFtZXMtPmxlbmd0aCAmJiBj YW5CZU9wdGltaXplZCgpKSB7CisgICAgICAgIGxvYWRQdHIoQWRkcmVzcyhyZWdUMCwgSlNDZWxs OjpzdHJ1Y3R1cmVPZmZzZXQoKSksIHJlZ1QxKTsKKyAgICAgICAgZW1pdEFycmF5UHJvZmlsaW5n U2l0ZUZvckJ5dGVjb2RlSW5kZXgocmVnVDEsIHJlZ1QyLCBtX2J5dGVjb2RlT2Zmc2V0KTsKKyAg ICB9CisKICAgICBCRUdJTl9VTklOVEVSUlVQVEVEX1NFUVVFTkNFKHNlcXVlbmNlR2V0QnlJZEhv dFBhdGgpOwogICAgIAogICAgIExhYmVsIGhvdFBhdGhCZWdpbih0aGlzKTsKQEAgLTc1MSw3ICs3 NTYsNiBAQCB2b2lkIEpJVDo6cHJpdmF0ZUNvbXBpbGVQYXRjaEdldEFycmF5TGVuCiAgICAgCiAg ICAgLy8gQ2hlY2sgZm9yIGFycmF5CiAgICAgbG9hZFB0cihBZGRyZXNzKHJlZ1QwLCBKU0NlbGw6 OnN0cnVjdHVyZU9mZnNldCgpKSwgcmVnVDIpOwotICAgIGVtaXRBcnJheVByb2ZpbGluZ1NpdGVG b3JCeXRlY29kZUluZGV4KHJlZ1QyLCByZWdUMywgc3R1YkluZm8tPmJ5dGVjb2RlSW5kZXgpOwog ICAgIEp1bXAgZmFpbHVyZUNhc2VzMSA9IGJyYW5jaFRlc3QzMihaZXJvLCByZWdUMiwgVHJ1c3Rl ZEltbTMyKElzQXJyYXkpKTsKICAgICBKdW1wIGZhaWx1cmVDYXNlczIgPSBicmFuY2hUZXN0MzIo WmVybywgcmVnVDIsIFRydXN0ZWRJbW0zMihJbmRleGluZ1NoYXBlTWFzaykpOwogICAgIApJbmRl eDogU291cmNlL0phdmFTY3JpcHRDb3JlL2ppdC9KSVRQcm9wZXJ0eUFjY2Vzcy5jcHAKPT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2ppdC9KSVRQcm9wZXJ0eUFjY2Vzcy5jcHAJ KHJldmlzaW9uIDEzMjc0OSkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9qaXQvSklUUHJvcGVy dHlBY2Nlc3MuY3BwCSh3b3JraW5nIGNvcHkpCkBAIC01MTcsNyArNTE3LDcgQEAgdm9pZCBKSVQ6 OmVtaXRfb3BfZ2V0X2J5X2lkKEluc3RydWN0aW9uKgogICAgIGVtaXRQdXRWaXJ0dWFsUmVnaXN0 ZXIocmVzdWx0VlJlZyk7CiB9CiAKLXZvaWQgSklUOjpjb21waWxlR2V0QnlJZEhvdFBhdGgoaW50 IGJhc2VWUmVnLCBJZGVudGlmaWVyKikKK3ZvaWQgSklUOjpjb21waWxlR2V0QnlJZEhvdFBhdGgo aW50IGJhc2VWUmVnLCBJZGVudGlmaWVyKiBpZGVudCkKIHsKICAgICAvLyBBcyBmb3IgcHV0X2J5 X2lkLCBnZXRfYnlfaWQgcmVxdWlyZXMgdGhlIG9mZnNldCBvZiB0aGUgU3RydWN0dXJlIGFuZCB0 aGUgb2Zmc2V0IG9mIHRoZSBhY2Nlc3MgdG8gYmUgcGF0Y2hlZC4KICAgICAvLyBBZGRpdGlvbmFs bHksIGZvciBnZXRfYnlfaWQgd2UgbmVlZCBwYXRjaCB0aGUgb2Zmc2V0IG9mIHRoZSBicmFuY2gg dG8gdGhlIHNsb3cgY2FzZSAod2UgcGF0Y2ggdGhpcyB0byBqdW1wCkBAIC01MjUsNiArNTI1LDEx IEBAIHZvaWQgSklUOjpjb21waWxlR2V0QnlJZEhvdFBhdGgoaW50IGJhc2UKICAgICAvLyB0byBq dW1wIGJhY2sgdG8gaWYgb25lIG9mIHRoZXNlIHRyYW1wb2xpZXMgZmluZHMgYSBtYXRjaC4KIAog ICAgIGVtaXRKdW1wU2xvd0Nhc2VJZk5vdEpTQ2VsbChyZWdUMCwgYmFzZVZSZWcpOworICAgIAor ICAgIGlmICgqaWRlbnQgPT0gbV9nbG9iYWxEYXRhLT5wcm9wZXJ0eU5hbWVzLT5sZW5ndGggJiYg Y2FuQmVPcHRpbWl6ZWQoKSkgeworICAgICAgICBsb2FkUHRyKEFkZHJlc3MocmVnVDAsIEpTQ2Vs bDo6c3RydWN0dXJlT2Zmc2V0KCkpLCByZWdUMSk7CisgICAgICAgIGVtaXRBcnJheVByb2ZpbGlu Z1NpdGVGb3JCeXRlY29kZUluZGV4KHJlZ1QxLCByZWdUMiwgbV9ieXRlY29kZU9mZnNldCk7Cisg ICAgfQogCiAgICAgQkVHSU5fVU5JTlRFUlJVUFRFRF9TRVFVRU5DRShzZXF1ZW5jZUdldEJ5SWRI b3RQYXRoKTsKIApAQCAtNzg4LDcgKzc5Myw2IEBAIHZvaWQgSklUOjpwcml2YXRlQ29tcGlsZVBh dGNoR2V0QXJyYXlMZW4KIAogICAgIC8vIENoZWNrIGVheCBpcyBhbiBhcnJheQogICAgIGxvYWRQ dHIoQWRkcmVzcyhyZWdUMCwgSlNDZWxsOjpzdHJ1Y3R1cmVPZmZzZXQoKSksIHJlZ1QyKTsKLSAg ICBlbWl0QXJyYXlQcm9maWxpbmdTaXRlRm9yQnl0ZWNvZGVJbmRleChyZWdUMiwgcmVnVDEsIHN0 dWJJbmZvLT5ieXRlY29kZUluZGV4KTsKICAgICBKdW1wIGZhaWx1cmVDYXNlczEgPSBicmFuY2hU ZXN0MzIoWmVybywgcmVnVDIsIFRydXN0ZWRJbW0zMihJc0FycmF5KSk7CiAgICAgSnVtcCBmYWls dXJlQ2FzZXMyID0gYnJhbmNoVGVzdDMyKFplcm8sIHJlZ1QyLCBUcnVzdGVkSW1tMzIoSW5kZXhp bmdTaGFwZU1hc2spKTsKIAo=