117280 2013-06-05 21:41:05 -0700 JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com 2013-06-06 15:51:31 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED InRadar P2 Normal --- 1 msaboff msaboff bjhomer oldest_to_newest 897642 0 msaboff 2013-06-05 21:41:05 -0700 We are crashing because an argument variable is been speculated to be an Int32, but there isn't a corresponding speculation check on entry to the function. When it is call with a non-int value and we OSR exit for some other reason we crash in the baseline JIT because the tag is bogus. 897643 1 msaboff 2013-06-05 21:41:22 -0700 <rdar://problem/13548820> 897648 2 203903 msaboff 2013-06-05 22:01:33 -0700 Created attachment 203903 Patch This fixes the problem by merging the various attributes of a VariableAccessData with the root node of the unified set of VariableAccessData nodes. Before we were merging with a leaf node and therefore the merge didn't propgate to the code generation phase. This is performance neutral on SunSpider and V8. 897792 3 msaboff 2013-06-06 08:37:24 -0700 Committed r151273: <http://trac.webkit.org/changeset/151273> 897963 4 ap 2013-06-06 15:51:31 -0700 *** Bug 116052 has been marked as a duplicate of this bug. *** 203903 2013-06-05 22:01:33 -0700 2013-06-06 08:03:37 -0700 Patch 117280.patch text/plain 5977 msaboff SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTUxMjU4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDIzIEBA CisyMDEzLTA2LTA1ICBNaWNoYWVsIFNhYm9mZiAgPG1zYWJvZmZAYXBwbGUuY29tPgorCisgICAg ICAgIEpTQzogQ3Jhc2ggYmVuZWF0aCBjdGlfb3BfZGl2IEAgaHR0cDovL2dtYWlsYmxvZy5ibG9n c3BvdC5jb20KKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lk PTExNzI4MAorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IFVwZGF0ZWQgdGhlIG1lcmdpbmcgb2YgVmFyaWFibGVBY2Nlc3NEYXRhIG5vZGVzIGluIEFyZ3Vt ZW50UG9zaXRpb24gbGlzdHMKKyAgICAgICAgdG8gZmluZCB0aGUgdW5pZmllZCBWYXJpYWJsZUFj Y2Vzc0RhdGEgbm9kZSB0aGF0IGlzIHRoZSByb290IG9mIHRoZQorICAgICAgICBjdXJyZW50IG5v ZGUgaW5zdGVhZCBvZiB1c2luZyB0aGUgY3VycmVudCBub2RlIGRpcmVjdGx5IHdoZW4gbWVyZ2lu ZworICAgICAgICBhdHRyaWJ1dGVzLgorICAgICAgICBBZGRlZCBuZXcgZHVtcCBjb2RlIHRvIGR1 bXAgdGhlIEFyZ3VtZW50UG9zaXRpb24gbGlzdC4KKworICAgICAgICAqIGRmZy9ERkdBcmd1bWVu dFBvc2l0aW9uLmg6CisgICAgICAgIChKU0M6OkRGRzo6cmd1bWVudFBvc2l0aW9uOjptZXJnZUFy Z3VtZW50UHJlZGljdGlvbkF3YXJlbmVzcyk6CisgICAgICAgIChKU0M6OkRGRzo6QXJndW1lbnRQ b3NpdGlvbjo6bWVyZ2VBcmd1bWVudFVuYm94aW5nQXdhcmVuZXNzKToKKyAgICAgICAgKEpTQzo6 REZHOjpBcmd1bWVudFBvc2l0aW9uOjpkdW1wKToKKyAgICAgICAgKiBkZmcvREZHR3JhcGguY3Bw OgorICAgICAgICAoSlNDOjpERkc6OkdyYXBoOjpkdW1wKToKKwogMjAxMy0wNi0wNSAgQmVhciBU cmF2aXMgIDxiZXRyYXZpc0BhZG9iZS5jb20+CiAKICAgICAgICAgW0NTUyBFeGNsdXNpb25zXVtD U1MgU2hhcGVzXSBTcGxpdCBDU1MgRXhjbHVzaW9ucyAmIFNoYXBlcyBjb21waWxlICYgcnVudGlt ZSBmbGFncwpJbmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdBcmd1bWVudFBvc2l0 aW9uLmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdBcmd1bWVu dFBvc2l0aW9uLmgJKHJldmlzaW9uIDE1MTI0OCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9k ZmcvREZHQXJndW1lbnRQb3NpdGlvbi5oCSh3b3JraW5nIGNvcHkpCkBAIC0yOCw2ICsyOCw3IEBA CiAKICNpbmNsdWRlICJERkdEb3VibGVGb3JtYXRTdGF0ZS5oIgogI2luY2x1ZGUgIkRGR1Zhcmlh YmxlQWNjZXNzRGF0YS5oIgorI2luY2x1ZGUgIkRGR1ZhcmlhYmxlQWNjZXNzRGF0YUR1bXAuaCIK ICNpbmNsdWRlICJTcGVjdWxhdGVkVHlwZS5oIgogCiBuYW1lc3BhY2UgSlNDIHsgbmFtZXNwYWNl IERGRyB7CkBAIC01NiwxNyArNTcsMTkgQEAgcHVibGljOgogICAgIHsKICAgICAgICAgYm9vbCBj aGFuZ2VkID0gZmFsc2U7CiAgICAgICAgIGZvciAodW5zaWduZWQgaSA9IDA7IGkgPCBtX3Zhcmlh Ymxlcy5zaXplKCk7ICsraSkgewotICAgICAgICAgICAgY2hhbmdlZCB8PSBtZXJnZVNwZWN1bGF0 aW9uKG1fcHJlZGljdGlvbiwgbV92YXJpYWJsZXNbaV0tPmFyZ3VtZW50QXdhcmVQcmVkaWN0aW9u KCkpOwotICAgICAgICAgICAgY2hhbmdlZCB8PSBtZXJnZURvdWJsZUZvcm1hdFN0YXRlKG1fZG91 YmxlRm9ybWF0U3RhdGUsIG1fdmFyaWFibGVzW2ldLT5kb3VibGVGb3JtYXRTdGF0ZSgpKTsKLSAg ICAgICAgICAgIGNoYW5nZWQgfD0gbWVyZ2VTaG91bGROZXZlclVuYm94KG1fdmFyaWFibGVzW2ld LT5zaG91bGROZXZlclVuYm94KCkpOworICAgICAgICAgICAgVmFyaWFibGVBY2Nlc3NEYXRhKiB2 YXJpYWJsZSA9IG1fdmFyaWFibGVzW2ldLT5maW5kKCk7CisgICAgICAgICAgICBjaGFuZ2VkIHw9 IG1lcmdlU3BlY3VsYXRpb24obV9wcmVkaWN0aW9uLCB2YXJpYWJsZS0+YXJndW1lbnRBd2FyZVBy ZWRpY3Rpb24oKSk7CisgICAgICAgICAgICBjaGFuZ2VkIHw9IG1lcmdlRG91YmxlRm9ybWF0U3Rh dGUobV9kb3VibGVGb3JtYXRTdGF0ZSwgdmFyaWFibGUtPmRvdWJsZUZvcm1hdFN0YXRlKCkpOwor ICAgICAgICAgICAgY2hhbmdlZCB8PSBtZXJnZVNob3VsZE5ldmVyVW5ib3godmFyaWFibGUtPnNo b3VsZE5ldmVyVW5ib3goKSk7CiAgICAgICAgIH0KICAgICAgICAgaWYgKCFjaGFuZ2VkKQogICAg ICAgICAgICAgcmV0dXJuIGZhbHNlOwogICAgICAgICBjaGFuZ2VkID0gZmFsc2U7CiAgICAgICAg IGZvciAodW5zaWduZWQgaSA9IDA7IGkgPCBtX3ZhcmlhYmxlcy5zaXplKCk7ICsraSkgewotICAg ICAgICAgICAgY2hhbmdlZCB8PSBtX3ZhcmlhYmxlc1tpXS0+bWVyZ2VBcmd1bWVudEF3YXJlUHJl ZGljdGlvbihtX3ByZWRpY3Rpb24pOwotICAgICAgICAgICAgY2hhbmdlZCB8PSBtX3ZhcmlhYmxl c1tpXS0+bWVyZ2VEb3VibGVGb3JtYXRTdGF0ZShtX2RvdWJsZUZvcm1hdFN0YXRlKTsKLSAgICAg ICAgICAgIGNoYW5nZWQgfD0gbV92YXJpYWJsZXNbaV0tPm1lcmdlU2hvdWxkTmV2ZXJVbmJveCht X3Nob3VsZE5ldmVyVW5ib3gpOworICAgICAgICAgICAgVmFyaWFibGVBY2Nlc3NEYXRhKiB2YXJp YWJsZSA9IG1fdmFyaWFibGVzW2ldLT5maW5kKCk7CisgICAgICAgICAgICBjaGFuZ2VkIHw9IHZh cmlhYmxlLT5tZXJnZUFyZ3VtZW50QXdhcmVQcmVkaWN0aW9uKG1fcHJlZGljdGlvbik7CisgICAg ICAgICAgICBjaGFuZ2VkIHw9IHZhcmlhYmxlLT5tZXJnZURvdWJsZUZvcm1hdFN0YXRlKG1fZG91 YmxlRm9ybWF0U3RhdGUpOworICAgICAgICAgICAgY2hhbmdlZCB8PSB2YXJpYWJsZS0+bWVyZ2VT aG91bGROZXZlclVuYm94KG1fc2hvdWxkTmV2ZXJVbmJveCk7CiAgICAgICAgIH0KICAgICAgICAg cmV0dXJuIGNoYW5nZWQ7CiAgICAgfQpAQCAtNzQsMTMgKzc3LDE3IEBAIHB1YmxpYzoKICAgICBi b29sIG1lcmdlQXJndW1lbnRVbmJveGluZ0F3YXJlbmVzcygpCiAgICAgewogICAgICAgICBib29s IGNoYW5nZWQgPSBmYWxzZTsKLSAgICAgICAgZm9yICh1bnNpZ25lZCBpID0gMDsgaSA8IG1fdmFy aWFibGVzLnNpemUoKTsgKytpKQotICAgICAgICAgICAgY2hhbmdlZCB8PSBjaGVja0FuZFNldCht X2lzUHJvZml0YWJsZVRvVW5ib3gsIG1faXNQcm9maXRhYmxlVG9VbmJveCB8IG1fdmFyaWFibGVz W2ldLT5pc1Byb2ZpdGFibGVUb1VuYm94KCkpOworICAgICAgICBmb3IgKHVuc2lnbmVkIGkgPSAw OyBpIDwgbV92YXJpYWJsZXMuc2l6ZSgpOyArK2kpIHsKKyAgICAgICAgICAgIFZhcmlhYmxlQWNj ZXNzRGF0YSogdmFyaWFibGUgPSBtX3ZhcmlhYmxlc1tpXS0+ZmluZCgpOworICAgICAgICAgICAg Y2hhbmdlZCB8PSBjaGVja0FuZFNldChtX2lzUHJvZml0YWJsZVRvVW5ib3gsIG1faXNQcm9maXRh YmxlVG9VbmJveCB8IHZhcmlhYmxlLT5pc1Byb2ZpdGFibGVUb1VuYm94KCkpOworICAgICAgICB9 CiAgICAgICAgIGlmICghY2hhbmdlZCkKICAgICAgICAgICAgIHJldHVybiBmYWxzZTsKICAgICAg ICAgY2hhbmdlZCA9IGZhbHNlOwotICAgICAgICBmb3IgKHVuc2lnbmVkIGkgPSAwOyBpIDwgbV92 YXJpYWJsZXMuc2l6ZSgpOyArK2kpCi0gICAgICAgICAgICBjaGFuZ2VkIHw9IG1fdmFyaWFibGVz W2ldLT5tZXJnZUlzUHJvZml0YWJsZVRvVW5ib3gobV9pc1Byb2ZpdGFibGVUb1VuYm94KTsKKyAg ICAgICAgZm9yICh1bnNpZ25lZCBpID0gMDsgaSA8IG1fdmFyaWFibGVzLnNpemUoKTsgKytpKSB7 CisgICAgICAgICAgICBWYXJpYWJsZUFjY2Vzc0RhdGEqIHZhcmlhYmxlID0gbV92YXJpYWJsZXNb aV0tPmZpbmQoKTsKKyAgICAgICAgICAgIGNoYW5nZWQgfD0gdmFyaWFibGUtPm1lcmdlSXNQcm9m aXRhYmxlVG9VbmJveChtX2lzUHJvZml0YWJsZVRvVW5ib3gpOworICAgICAgICB9CiAgICAgICAg IHJldHVybiBjaGFuZ2VkOwogICAgIH0KICAgICAKQEAgLTkzLDYgKzEwMCwyMyBAQCBwdWJsaWM6 CiAgICAgICAgIHJldHVybiBkb3VibGVGb3JtYXRTdGF0ZSgpID09IFVzaW5nRG91YmxlRm9ybWF0 ICYmIHNob3VsZFVuYm94SWZQb3NzaWJsZSgpOwogICAgIH0KICAgICAKKyAgICB2b2lkIGR1bXAo UHJpbnRTdHJlYW0mIG91dCwgR3JhcGgqIGdyYXBoKQorICAgIHsKKyAgICAgICAgZm9yICh1bnNp Z25lZCBpID0gMDsgaSA8IG1fdmFyaWFibGVzLnNpemUoKTsgKytpKSB7CisgICAgICAgICAgICBW YXJpYWJsZUFjY2Vzc0RhdGEqIHZhcmlhYmxlID0gbV92YXJpYWJsZXNbaV0tPmZpbmQoKTsKKyAg ICAgICAgICAgIGludCBvcGVyYW5kID0gdmFyaWFibGUtPm9wZXJhbmQoKTsKKworICAgICAgICAg ICAgaWYgKGkpCisgICAgICAgICAgICAgICAgb3V0LnByaW50KCIgIik7CisKKyAgICAgICAgICAg IGlmIChvcGVyYW5kSXNBcmd1bWVudChvcGVyYW5kKSkKKyAgICAgICAgICAgICAgICBvdXQucHJp bnQoImFyZyIsIG9wZXJhbmRUb0FyZ3VtZW50KG9wZXJhbmQpLCAiKCIsIFZhcmlhYmxlQWNjZXNz RGF0YUR1bXAoKmdyYXBoLCB2YXJpYWJsZSksICIpIik7CisgICAgICAgICAgICBlbHNlCisgICAg ICAgICAgICAgICAgb3V0LnByaW50KCJyIiwgb3BlcmFuZCwgIigiLCBWYXJpYWJsZUFjY2Vzc0Rh dGFEdW1wKCpncmFwaCwgdmFyaWFibGUpLCAiKSIpOworICAgICAgICB9CisgICAgICAgIG91dC5w cmludCgiXG4iKTsKKyAgICB9CisgICAgCiBwcml2YXRlOgogICAgIFNwZWN1bGF0ZWRUeXBlIG1f cHJlZGljdGlvbjsKICAgICBEb3VibGVGb3JtYXRTdGF0ZSBtX2RvdWJsZUZvcm1hdFN0YXRlOwpJ bmRleDogU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdHcmFwaC5jcHAKPT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQot LS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdHcmFwaC5jcHAJKHJldmlzaW9uIDE1MTI0 OCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHR3JhcGguY3BwCSh3b3JraW5nIGNv cHkpCkBAIC0zMTQsNyArMzE0LDE0IEBAIHZvaWQgR3JhcGg6OmR1bXAoUHJpbnRTdHJlYW0mIG91 dCkKIHsKICAgICBkYXRhTG9nKCJERkcgZm9yICIsIENvZGVCbG9ja1dpdGhKSVRUeXBlKG1fY29k ZUJsb2NrLCBKSVRDb2RlOjpERkdKSVQpLCAiOlxuIik7CiAgICAgZGF0YUxvZygiICBGaXhwb2lu dCBzdGF0ZTogIiwgbV9maXhwb2ludFN0YXRlLCAiOyBGb3JtOiAiLCBtX2Zvcm0sICI7IFVuaWZp Y2F0aW9uIHN0YXRlOiAiLCBtX3VuaWZpY2F0aW9uU3RhdGUsICI7IFJlZiBjb3VudCBzdGF0ZTog IiwgbV9yZWZDb3VudFN0YXRlLCAiXG4iKTsKLSAgICAKKworICAgIG91dC5wcmludCgiICBBcmd1 bWVudFBvc2l0aW9uIHNpemU6ICIsIG1fYXJndW1lbnRQb3NpdGlvbnMuc2l6ZSgpLCAiXG4iKTsK KyAgICBmb3IgKHNpemVfdCBpID0gMDsgaSA8IG1fYXJndW1lbnRQb3NpdGlvbnMuc2l6ZSgpOyAr K2kpIHsKKyAgICAgICAgb3V0LnByaW50KCIgICAgIyIsIGksICI6ICIpOworICAgICAgICBBcmd1 bWVudFBvc2l0aW9uJiBhcmd1bWVudHMgPSBtX2FyZ3VtZW50UG9zaXRpb25zW2ldOworICAgICAg ICBhcmd1bWVudHMuZHVtcChvdXQsIHRoaXMpOworICAgIH0KKwogICAgIE5vZGUqIGxhc3ROb2Rl ID0gMDsKICAgICBmb3IgKHNpemVfdCBiID0gMDsgYiA8IG1fYmxvY2tzLnNpemUoKTsgKytiKSB7 CiAgICAgICAgIEJhc2ljQmxvY2sqIGJsb2NrID0gbV9ibG9ja3NbYl0uZ2V0KCk7Cg==