137340 2014-10-02 03:46:32 -0700 REGRESSION(r174025): Web Process crash when starting the web inspector after r174025 2014-10-20 12:14:25 -0700 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) Unspecified Unspecified RESOLVED FIXED Gtk, InRadar, Regression P2 Normal --- 137161 1 cgarcia mark.lam burg fpizlo jonowells mark.lam mhahnenb ossy pnormand timothy webkit-bug-importer oldest_to_newest 1038839 0 cgarcia 2014-10-02 03:46:32 -0700 The inspector web process crashes right after starting the inspector (in the GTK+ port at least) after r174025. It doesn't crash if the StorageTracker.db is removed, but it crashes again once the database is created again, so it's related to that somehow. 1039735 1 ossy 2014-10-06 09:00:22 -0700 With setting JSC_useDFGJIT=0 environment variable, inspector works again, so it must be a DFG JIT bug. I'll try to reproduce this bug in debug mode and try to get a crash backtrace to help debugging. 1039736 2 fpizlo 2014-10-06 09:03:56 -0700 (In reply to comment #1) > With setting JSC_useDFGJIT=0 environment variable, > inspector works again, so it must be a DFG JIT bug. > > I'll try to reproduce this bug in debug mode and try > to get a crash backtrace to help debugging. Careful. The purpose of that DFG change was to not insert obviously unnecessary GC barriers. It could just be revealing missing barriers in the runtime. 1039761 3 ossy 2014-10-06 10:34:34 -0700 Here is the crash log: Core was generated by `/home/ossy/WebKit/WebKitBuild/Debug/bin/WebKitWebProcess 20'. Program terminated with signal SIGSEGV, Segmentation fault. #0 0x00007f01d9d0604c in JSC::JSCell::isGetterSetter (this=0x0) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:169 169 return m_type == GetterSetterType; (gdb) bt #0 0x00007f01d9d0604c in JSC::JSCell::isGetterSetter (this=0x0) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:169 #1 0x00007f01d9d060ae in JSC::JSValue::isGetterSetter (this=0x7fff09305740) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:559 #2 0x00007f01d4d9937a in JSC::JSObject::put (cell=0x7f015395ccf0, exec=0x7fff093058e0, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:376 #3 0x00007f01d4a8188e in JSC::JSValue::put (this=0x7fff09305860, exec=0x7fff093058e0, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:729 #4 0x00007f01d4c1e289 in JSC::operationPutByIdNonStrictBuildList (exec=0x7fff093058e0, stubInfo=0x2bde110, encodedValue=139643678252784, encodedBase=139643674021104, uid=0x7f01df0775d0 <WebCore::HTMLNames::dataData>) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:391 #5 0x00007f0181decf8b in ?? () #6 0x000000000000000a in ?? () #7 0x00007f01802fda30 in ?? () #8 0x00007fff09305970 in ?? () #9 0x00007f0181ddab36 in ?? () #10 0x0000000001b9b4f0 in ?? () #11 0x00007f018058f470 in ?? () #12 0x00007f01802fda30 in ?? () #13 0x0000001b00000004 in ?? () #14 0x00007f015395ccf0 in ?? () #15 0x00007f01df194950 in ?? () #16 0x00007f017063acf0 in ?? () #17 0x00007f0153d65ef0 in ?? () #18 0x000000000000000a in ?? () #19 0x000000000000000a in ?? () #20 0x00007f015395cd30 in ?? () #21 0x000000000000000a in ?? () #22 0x0000000000000000 in ?? () 1040293 4 ossy 2014-10-08 08:33:54 -0700 Any hint how is it possible to debug this regression? 1041412 5 mark.lam 2014-10-13 16:46:55 -0700 I'm looking into this. 1041434 6 mark.lam 2014-10-13 17:56:49 -0700 This issue is not unique to the GTK port. I can reproduce it on OSX. With the DFG disabled, the issue does not reproduce. With the DFG enabled and inlining disabled, the issue still reproduces. With JSC_alwaysDoFullCollection=true, the issue still reproduces. 1041591 7 timothy 2014-10-14 10:28:26 -0700 *** Bug 137629 has been marked as a duplicate of this bug. *** 1041593 8 timothy 2014-10-14 10:29:29 -0700 <rdar://problem/18618282> 1041933 9 mark.lam 2014-10-15 13:04:38 -0700 Here's a debug crash stack trace: (lldb) bt 15 * thread #1: tid = 0xd38ed6, 0x000000010e351aec JavaScriptCore`JSC::JSCell::isGetterSetter(this=0x0000000000000000) const + 12 at JSCellInlines.h:169, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x5) * frame #0: 0x000000010e351aec JavaScriptCore`JSC::JSCell::isGetterSetter(this=0x0000000000000000) const + 12 at JSCellInlines.h:169 frame #1: 0x000000010e34df8c JavaScriptCore`JSC::JSValue::isGetterSetter(this=0x00007fff5b048ad0) const + 60 at JSCJSValueInlines.h:559 frame #2: 0x000000010e938b28 JavaScriptCore`JSC::JSObject::put(cell=0x000000011c25fcb0, exec=0x00007fff5b048d10, propertyName=PropertyName at 0x00007fff5b048ba8, value=JSValue at 0x00007fff5b048ba0, slot=0x00007fff5b048c70) + 1304 at JSObject.cpp:376 frame #3: 0x000000010e64fec2 JavaScriptCore`JSC::JSValue::put(this=0x00007fff5b048c98, exec=0x00007fff5b048d10, propertyName=PropertyName at 0x00007fff5b048c18, value=JSValue at 0x00007fff5b048c10, slot=0x00007fff5b048c70) + 210 at JSCJSValueInlines.h:729 frame #4: 0x000000010e89284f JavaScriptCore`operationPutByIdStrictBuildList(exec=0x00007fff5b048d10, stubInfo=0x00007fef6d078ec0, encodedValue=4698428880, encodedBase=4767218864, uid=0x00007fef63724600) + 239 at JITOperations.cpp:371 frame #5: 0x00004d326250e4ed frame #6: 0x00004d32625125a8 (lldb) up frame #1: 0x000000010e34df8c JavaScriptCore`JSC::JSValue::isGetterSetter(this=0x00007fff5b048ad0) const + 60 at JSCJSValueInlines.h:559 556 557 inline bool JSValue::isGetterSetter() const 558 { -> 559 return isCell() && asCell()->isGetterSetter(); 560 } 561 562 inline bool JSValue::isCustomGetterSetter() const (lldb) p isCell() (bool) $3 = true (lldb) p this (JSC::JSValue *) $4 = 0x00007fff5b048ad0 (lldb) p asCell() (JSC::JSCell *) $5 = 0x0000000000000000 (lldb) p *this (JSC::JSValue) $6 = { u = { asInt64 = 0 ptr = 0x0000000000000000 asBits = (payload = 0, tag = 0) } } The crash is because we got handed a NULL pointer. ==== Some more debugging notes: =========================== 1. To reiterate, this does not look like a barrier issue because I am able to reproduce the issue with JSC_alwaysDoFullCollection=true. 2. The issue is racy. I need to reload the page while the WebInspector at the right time in order to reproduce the issue. If I wait too long, the issue seems to go away. 3. When I crash, the crash always appear to be from here: frame #2: 0x0000000111059b28 JavaScriptCore`JSC::JSObject::put(cell=0x000000012020fc30, exec=0x00007fff58924d50, propertyName=PropertyName at 0x00007fff58924be8, value=JSValue at 0x00007fff58924be0, slot=0x00007fff58924cb0) + 1304 at JSObject.cpp:376 373 } 374 375 JSValue gs = obj->getDirect(offset); -> 376 if (gs.isGetterSetter()) { 377 callSetter(exec, cell, gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode); 378 if (!thisObject->structure()->isDictionary()) 379 slot.setCacheableSetter(obj, offset); where gs is a NULL JSValue. 4. The "offset" value is always 4 (from the 2 samples I have so far). 5. Though I turn on zombie mode (JSC_useZombieMode=true), the offending object does not appear to be zombified: (lldb) p obj (JSC::JSObject *) $17 = 0x000000012020fc30 (lldb) x/20x obj 0x12020fc30: 0x000022a1 0x01001200 0x00000000 0x00000000 0x12020fc40: 0x00000020 0xffff0000 0x0000002b 0xffff0000 0x12020fc50: 0x1a0dfa90 0x00000001 0x2020fd30 0x00000001 0x12020fc60: 0x00000000 0x00000000 0x00000000 0x00000000 0x12020fc70: 0x00000066 0x01302800 0x00000000 0x00000000 1041940 10 mark.lam 2014-10-15 13:23:45 -0700 More debugging notes: 6. The Structure of the offending object says: (lldb) p obj->structure() (JSC::Structure *) $23 = 0x000000011a8a3500 (lldb) p *obj->structure() (JSC::Structure) $24 = { JSC::JSCell = (m_structureID = 1, m_indexingType = '\0', m_type = CellType, m_flags = '\0', m_gcData = '\x01') m_blob = { u = { fields = { structureID = 8865 indexingType = '\0' type = FinalObjectType inlineTypeFlags = '\0' defaultGCData = NotMarked } words = (word1 = 8865, word2 = 16781824) doubleWord = 72077385247236769 } } m_outOfLineTypeFlags = '\0' m_globalObject = { JSC::WriteBarrierBase<JSC::JSGlobalObject> = { m_cell = 0x000000011a27f470 } } m_prototype = { JSC::WriteBarrierBase<JSC::<anonymous enum> > = (m_value = 4791946544) } m_cachedPrototypeChain = { JSC::WriteBarrierBase<JSC::StructureChain> = { m_cell = 0x000000011a36d0c0 } } m_previousOrRareData = { JSC::WriteBarrierBase<JSC::JSCell> = { m_cell = 0x000000011a290cb0 } } m_nameInPrevious = { m_ptr = 0x00007f9aa453c3b0 } m_classInfo = 0x00000001116554a8 m_transitionTable = (m_data = 4739840353) m_propertyTableUnsafe = { JSC::WriteBarrierBase<JSC::PropertyTable> = { m_cell = 0x000000011a294d90 } } m_transitionWatchpointSet = (m_data = 5) m_offset = 4 m_inlineCapacity = '\x06' m_lock = (m_lock = '\0') m_bitField = 10485760 } 7. The ClassInfo of the offending object says: (lldb) p obj->structure()->classInfo() (const JSC::ClassInfo *) $25 = 0x00000001116554a8 (lldb) p *obj->structure()->classInfo() (const JSC::ClassInfo) $26 = { className = 0x000000011140d567 "Object" parentClass = 0x00000001116553c0 staticPropHashTable = 0x0000000000000000 methodTable = { destroy = 0x0000000110ffb8d0 (JavaScriptCore`JSC::JSCell::destroy(JSC::JSCell*) at JSCell.cpp:40) visitChildren = 0x000000011105c870 (JavaScriptCore`JSC::JSFinalObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) at JSObject.cpp:230) copyBackingStore = 0x0000000111059480 (JavaScriptCore`JSC::JSObject::copyBackingStore(JSC::JSCell*, JSC::CopyVisitor&, JSC::CopyToken) at JSObject.cpp:217) getCallData = 0x0000000110ffbb40 (JavaScriptCore`JSC::JSCell::getCallData(JSC::JSCell*, JSC::CallData&) at JSCell.cpp:82) getConstructData = 0x0000000110ffbb80 (JavaScriptCore`JSC::JSCell::getConstructData(JSC::JSCell*, JSC::ConstructData&) at JSCell.cpp:90) put = 0x0000000111059610 (JavaScriptCore`JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) at JSObject.cpp:334) putByIndex = 0x0000000111059f70 (JavaScriptCore`JSC::JSObject::putByIndex(JSC::JSCell*, JSC::ExecState*, unsigned int, JSC::JSValue, bool) at JSObject.cpp:412) deleteProperty = 0x000000011105a890 (JavaScriptCore`JSC::JSObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) at JSObject.cpp:1270) deletePropertyByIndex = 0x000000011105aae0 (JavaScriptCore`JSC::JSObject::deletePropertyByIndex(JSC::JSCell*, JSC::ExecState*, unsigned int) at JSObject.cpp:1315) getOwnPropertySlot = 0x0000000110a6c3d0 (JavaScriptCore`JSC::JSObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at JSObject.h:1246) getOwnPropertySlotByIndex = 0x000000011105af70 (JavaScriptCore`JSC::JSObject::getOwnPropertySlotByIndex(JSC::JSObject*, JSC::ExecState*, unsigned int, JSC::PropertySlot&) at JSObject.cpp:261) toThis = 0x000000011105b4c0 (JavaScriptCore`JSC::JSObject::toThis(JSC::JSCell*, JSC::ExecState*, JSC::ECMAMode) at JSObject.cpp:1594) defaultValue = 0x000000011105b500 (JavaScriptCore`JSC::JSObject::defaultValue(JSC::JSObject const*, JSC::ExecState*, JSC::PreferredPrimitiveType) at JSObject.cpp:1401) getOwnPropertyNames = 0x000000011105b840 (JavaScriptCore`JSC::JSObject::getOwnPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:1493) getOwnNonIndexPropertyNames = 0x000000011105bec0 (JavaScriptCore`JSC::JSObject::getOwnNonIndexPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:1567) getPropertyNames = 0x000000011105bf80 (JavaScriptCore`JSC::JSObject::getPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:1470) getEnumerableLength = 0x000000011105c110 (JavaScriptCore`JSC::JSObject::getEnumerableLength(JSC::ExecState*, JSC::JSObject*) at JSObject.cpp:2706) getStructurePropertyNames = 0x000000011105c540 (JavaScriptCore`JSC::JSObject::getStructurePropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:2758) getGenericPropertyNames = 0x000000011105c590 (JavaScriptCore`JSC::JSObject::getGenericPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:2764) className = 0x000000011105c740 (JavaScriptCore`JSC::JSObject::className(JSC::JSObject const*) at JSObject.cpp:254) customHasInstance = 0x0000000110ffc470 (JavaScriptCore`JSC::JSCell::customHasInstance(JSC::JSObject*, JSC::ExecState*, JSC::JSValue) at JSCell.cpp:216) defineOwnProperty = 0x000000011105c7c0 (JavaScriptCore`JSC::JSObject::defineOwnProperty(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor const&, bool) at JSObject.cpp:2673) slowDownAndWasteMemory = 0x0000000110ffc500 (JavaScriptCore`JSC::JSCell::slowDownAndWasteMemory(JSC::JSArrayBufferView*) at JSCell.cpp:228) getTypedArrayImpl = 0x0000000110ffc540 (JavaScriptCore`JSC::JSCell::getTypedArrayImpl(JSC::JSArrayBufferView*) at JSCell.cpp:234) dumpToStream = 0x0000000110ffb920 (JavaScriptCore`JSC::JSCell::dumpToStream(JSC::JSCell const*, WTF::PrintStream&) at JSCell.cpp:50) } typedArrayStorageType = NotTypedArray } 1041967 11 mark.lam 2014-10-15 14:28:41 -0700 More debugging notes: Michael made the observation that if we made the DFG fix up for PutByOffset always insert a store barrier, the issue will stop manifesting. With that, we did some investigation and showed that the crash only manifests when the store barrier is omitted for a PutByOffset when the written value shouldSpeculateNotCell(). The value's prediction is 0x20200000, which is SpecOther | SpecInt32. 1041974 12 mark.lam 2014-10-15 14:57:15 -0700 More debugging notes: // Some printfs and logging: ... mlam [93284] 0x128613480 PutByOffset: prediction = 20200000 // <== The PutByOffset that triggered the insertStoreBarrier of interest. mlam [93284] 0x128613480 insertStoreBarrier() cb 0x7f8415bb2a20 Baseline 'result': value->shouldSpeculateNotCell() prediction = 20200000 (538968064) // <== The insertStoreBarrier where we elided the StoreBarrier. ... // Note: the store barrier was elided from a codeBlock that has a baseline codeBlock (0x7f8415bb2a20 ) with inferredName 'result'. // And later on, we see this codeBlock OSR exited to baseline CB 0x7f8415bb2a20: Speculation failure in result#AlZ94h:[0x7f8416919de0->0x7f8415bb2a20->0x12289ee70, %sDFGFunctionCall, 197 (StrictMode)] @ exit #24 (bc#44, BadType) with executeCounter = 0.000000/0.000000, 0, reoptimizationRetryCounter = 0, optimizationDelayCounter = 0, osrExitCounter = 0 GPRs at time of exit: rax:0xffff00000000002b rdx:0x1285b0a70 rcx:0x122ba9d90 rbx:0x12205fa90 rdi:0x2 rsi:0x1285b0b70 r8:0x1259f47b0 r9:0x1285b0a30 r10:0xffff000000000020 r12:0x7f8412937760 r13:0x12226ff30 FPRs at time of exit: xmm0:cdcdcdcdcdcdcdcd:-6277438562204192487878988888393020692503707483087375482269988814848.000000 xmm1:404c800000000000:57.000000 xmm2:7fffffffffffffff:nan xmm3:1285819a0:0.000000 xmm4:2:0.000000 xmm5:2:0.000000 From observations so far, it looks like we did the right thing in eliding the store barrier. However, the speculation check has failed (with a BadType) and we OSR exited. All of this is proper. However, we did still put a value that presumably is a Cell, and we speculated it to not be a Cell. Either the spec fail code needs to execute the store barrier or the baseline JIT needs to execute it. Someone has to. Checking ... 1041993 13 mark.lam 2014-10-15 16:04:26 -0700 Confirmed that the store barrier is only used for Eden collections. Since, I'm always running full collections, the store barrier should not be the issue. More debugging info: The crash occurred at: (lldb) bt 15 * thread #1: tid = 0xda8e77, 0x00000001189efaec JavaScriptCore`JSC::JSCell::isGetterSetter(this=0x0000000000000000) const + 12 at JSCellInlines.h:169, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x5) frame #0: 0x00000001189efaec JavaScriptCore`JSC::JSCell::isGetterSetter(this=0x0000000000000000) const + 12 at JSCellInlines.h:169 frame #1: 0x00000001189ebf8c JavaScriptCore`JSC::JSValue::isGetterSetter(this=0x00007fff509a6a90) const + 60 at JSCJSValueInlines.h:559 * frame #2: 0x0000000118fd6b78 JavaScriptCore`JSC::JSObject::put(cell=0x00000001285b0a70, exec=0x00007fff509a6cd0, propertyName=PropertyName at 0x00007fff509a6b68, value=JSValue at 0x00007fff509a6b60, slot=0x00007fff509a6c30) + 1304 at JSObject.cpp:376 frame #3: 0x0000000118cedec2 JavaScriptCore`JSC::JSValue::put(this=0x00007fff509a6c58, exec=0x00007fff509a6cd0, propertyName=PropertyName at 0x00007fff509a6bd8, value=JSValue at 0x00007fff509a6bd0, slot=0x00007fff509a6c30) + 210 at JSCJSValueInlines.h:729 frame #4: 0x0000000118f3089f JavaScriptCore`operationPutByIdStrictBuildList(exec=0x00007fff509a6cd0, stubInfo=0x00007f840eb37910, encodedValue=4877622672, encodedBase=4972022384, uid=0x00007f840e944010) + 239 at JITOperations.cpp:371 frame #5: 0x00003f0ef631464c ... The JS stack is: frame 0x7fff509a6cd0 { name 'JSLexical' sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/External/CodeMirror/javascript.js' isInlinedFrame 0 callee 0x122b04a30 returnPC 0x3f0ef6318927 callerFrame 0x7fff509a6d70 rawLocationBits 45 0x2d codeBlock 0x7f8412c172a0 bytecodeOffset 45 0x2d / 70 line 224 column 9 jitType 3 <BaselineJIT> isOptimizingJIT 0 hasCodeOrigins 0 } frame 0x7fff509a6d70 { name 'result' sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/External/CodeMirror/javascript.js' isInlinedFrame 0 callee 0x1285d92b0 returnPC 0x3f0ef63cc214 callerFrame 0x7fff509a6dd0 rawLocationBits 177 0xb1 codeBlock 0x7f8415bb2a20 bytecodeOffset 177 0xb1 / 197 line 301 column 36 jitType 3 <BaselineJIT> isOptimizingJIT 0 hasCodeOrigins 0 } frame 0x7fff509a6dd0 { name 'parseJS' sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/External/CodeMirror/javascript.js' isInlinedFrame 0 callee 0x122b049b0 returnPC 0x3f0ef6396aac callerFrame 0x7fff509a6ea0 rawLocationBits 329 0x149 codeBlock 0x7f8415baf210 bytecodeOffset 329 0x149 / 480 line 250 column 19 jitType 3 <BaselineJIT> isOptimizingJIT 0 hasCodeOrigins 0 } frame 0x7fff509a6ea0 { name 'token' sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/External/CodeMirror/javascript.js' isInlinedFrame 0 callee 0x122b029b0 returnPC 0x3f0ef63986c9 callerFrame 0x7fff509a6f80 rawLocationBits 2147483655 0x80000007 codeBlock 0x7f8415e5c900 codeOriginIdex 7 0x7 / 18 line 610 column 21 jitType 4 <DFGJIT> isOptimizingJIT 1 hasCodeOrigins 1 jitCode 0x7f8415bf3ae0 start 0x3f0ef6395980 end 0x3f0ef6397560 } frame 0x7fff509a6f80 { name 'extendedToken' sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Views/CodeMirrorAdditions.js' isInlinedFrame 1 InlineCallFrame 0x7f840eb8cd20 callee 0x122864d70 returnPC 0x3f0ef62fe69b callerFrame 0x7fff509a6f80 rawLocationBits 2147483651 0x80000003 codeBlock 0x7f8415ba8dc0 ... The JS function we crashed in: function JSLexical(indented, column, type, align, prev, info) { this.indented = indented; this.column = column; this.type = type; this.prev = prev; this.info = info; // <=========== Crash on this assignment. if (align != null) this.align = align; } 1042230 14 mark.lam 2014-10-16 16:09:54 -0700 Found the root cause of the issue: PutByID bytecodes used to be emitted as the following DFG nodes: 102:<!0:-> StoreBarrier(Check:KnownCell:@19, MustGen, W:SideState, bc#44) 60:<!0:-> PutStructure(Check:KnownCell:@19, MustGen, %Co:Object -> %De:Object, W:JSCell_structureID,JSCell_indexingType,JSCell_typeInfoFlags,JSCell_typeInfoType, bc#44) 103:<!0:-> StoreBarrier(Check:KnownCell:@19, MustGen, W:SideState, bc#44) 61:<!0:-> PutByOffset(Check:KnownCell:@19, Check:KnownCell:@19, @54, MustGen, id4{info}, 4, W:NamedProperties(4), bc#44) With the change in 174025, they are now emitted as: 102:<!0:-> StoreBarrier(Check:KnownCell:@19, MustGen, W:SideState, bc#44) 60:<!0:-> PutStructure(Check:KnownCell:@19, MustGen, %Co:Object -> %De:Object, W:JSCell_structureID,JSCell_indexingType,JSCell_typeInfoFlags,JSCell_typeInfoType, bc#44) 103:<!0:-> Check(Check:NotCell:@54, MustGen, bc#44) // <=== The StoreBarrier has been elided and replaced with a speculation check which can OSR exit. 61:<!0:-> PutByOffset(Check:KnownCell:@19, Check:KnownCell:@19, @54, MustGen, id4{info}, 4, W:NamedProperties(4), bc#44) As a result, the structure change will get executed even if we end up OSR exiting before the PutByOffset. In the baseline JIT code, the structure now erroneously tells the put operation that there is a value in that property slot when it is actually uninitialized (hence, the crash). Fix in progress ... 1042539 15 mark.lam 2014-10-17 17:31:29 -0700 The fix is to insert the Check at the earliest point possible: 1. If the checked node is in the same bytecode as the PutByOffset, then the earliest point where we can insert the Check is right after the checked node. 2. If the checked node is from a preceding bytecode (before the PutByOffset), then the earliest point where we can insert the Check is at the start of the current bytecode. Also reverted the workaround from r174749: https://webkit.org/b/137758. Benchmark results appear to be a wash on aggregate: VMs tested (based on a build of r174798): Collected 4 samples per benchmark/VM, with 4 VM invocations per benchmark. Emitted a call to gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in milliseconds. base fix SunSpider: 3d-cube 5.2593+-0.1976 5.2314+-0.1170 3d-morph 6.7344+-0.2151 6.5827+-0.1344 might be 1.0231x faster 3d-raytrace 6.8160+-0.1613 ? 6.8635+-0.0363 ? access-binary-trees 2.2632+-0.1377 2.1836+-0.0393 might be 1.0365x faster access-fannkuch 6.2303+-0.3647 6.1520+-0.1743 might be 1.0127x faster access-nbody 3.1624+-0.0567 3.0806+-0.0834 might be 1.0266x faster access-nsieve 4.3408+-0.4351 4.2625+-0.3515 might be 1.0184x faster bitops-3bit-bits-in-byte 1.8014+-0.0617 1.7908+-0.0612 bitops-bits-in-byte 3.7362+-0.2584 3.6378+-0.1438 might be 1.0271x faster bitops-bitwise-and 2.3635+-0.0983 2.2733+-0.1645 might be 1.0397x faster bitops-nsieve-bits 4.0065+-0.1090 ? 4.0109+-0.1858 ? controlflow-recursive 2.4164+-0.1066 ? 2.4298+-0.0759 ? crypto-aes 4.5332+-0.3323 4.4337+-0.0983 might be 1.0225x faster crypto-md5 2.6685+-0.1413 ? 2.7255+-0.0798 ? might be 1.0213x slower crypto-sha1 2.8146+-0.0589 2.8013+-0.0319 date-format-tofte 10.4015+-0.6676 ? 10.4100+-0.4387 ? date-format-xparb 5.8408+-0.8912 5.6798+-0.4522 might be 1.0283x faster math-cordic 3.4100+-0.1352 ? 3.4603+-0.2081 ? might be 1.0147x slower math-partial-sums 5.5235+-0.1539 ? 5.5563+-0.3833 ? math-spectral-norm 2.1401+-0.0260 ? 2.1782+-0.0389 ? might be 1.0178x slower regexp-dna 7.5696+-0.2302 7.5480+-0.2394 string-base64 4.4603+-0.0770 ? 4.5673+-0.2249 ? might be 1.0240x slower string-fasta 6.9024+-0.2143 6.8079+-0.2507 might be 1.0139x faster string-tagcloud 10.5628+-0.2887 10.4528+-0.5586 might be 1.0105x faster string-unpack-code 22.1400+-0.3966 21.9800+-0.5146 string-validate-input 4.9505+-0.3575 ? 5.1740+-0.4526 ? might be 1.0451x slower <arithmetic> * 5.5019+-0.0456 5.4721+-0.0909 might be 1.0054x faster <geometric> 4.5889+-0.0313 4.5648+-0.0461 might be 1.0053x faster <harmonic> 3.9687+-0.0148 3.9462+-0.0226 might be 1.0057x faster base fix LongSpider: 3d-cube 909.7713+-41.4006 891.1771+-1.2888 might be 1.0209x faster 3d-morph 1651.4618+-66.8710 1623.7175+-7.2305 might be 1.0171x faster 3d-raytrace 805.1076+-22.1194 794.7255+-6.9251 might be 1.0131x faster access-binary-trees 1034.6094+-8.5233 ? 1035.7241+-8.5454 ? access-fannkuch 345.8102+-13.0745 ? 360.1252+-8.0894 ? might be 1.0414x slower access-nbody 679.1992+-2.5817 ^ 657.0374+-3.3638 ^ definitely 1.0337x faster access-nsieve 910.9268+-5.2692 908.7668+-9.1563 bitops-3bit-bits-in-byte 49.9352+-1.4126 ? 50.1774+-1.1747 ? bitops-bits-in-byte 109.7780+-5.0817 ? 110.0837+-3.4510 ? bitops-nsieve-bits 775.5458+-19.3485 769.1240+-7.5889 controlflow-recursive 535.8005+-1.5741 ? 537.5239+-4.0549 ? crypto-aes 714.8853+-1.5094 714.6979+-1.6753 crypto-md5 651.8590+-6.0930 651.6053+-7.4265 crypto-sha1 713.9590+-22.1801 ? 735.7139+-0.9615 ? might be 1.0305x slower date-format-tofte 843.5130+-5.2038 ! 887.3766+-37.1911 ! definitely 1.0520x slower date-format-xparb 777.2550+-80.9931 ? 795.1168+-34.4671 ? might be 1.0230x slower math-cordic 634.6334+-1.1157 633.9984+-2.4558 math-partial-sums 570.4352+-2.1086 ? 573.6301+-9.6903 ? math-spectral-norm 606.3718+-1.4960 ! 623.8643+-4.7735 ! definitely 1.0288x slower string-base64 366.2111+-3.9877 362.7953+-6.4375 string-fasta 455.9738+-7.3909 ? 456.9239+-3.3807 ? string-tagcloud 230.6552+-4.2497 229.1937+-2.5320 <arithmetic> 653.3499+-5.4655 ? 654.6863+-2.2650 ? might be 1.0020x slower <geometric> * 536.4561+-4.0018 ? 538.4663+-1.6117 ? might be 1.0037x slower <harmonic> 350.7402+-4.5187 ? 352.2773+-3.3702 ? might be 1.0044x slower base fix V8Spider: crypto 60.1417+-0.7537 ? 60.5637+-1.1530 ? deltablue 95.9276+-1.0828 95.5020+-1.2122 earley-boyer 46.8889+-1.0808 ? 47.6956+-1.3054 ? might be 1.0172x slower raytrace 35.9495+-0.6895 ^ 33.5833+-1.0869 ^ definitely 1.0705x faster regexp 66.7947+-2.0093 ? 67.3785+-2.8641 ? richards 110.1313+-4.4633 ^ 98.2770+-2.4137 ^ definitely 1.1206x faster splay 31.9075+-1.3643 ? 33.3975+-1.8585 ? might be 1.0467x slower <arithmetic> 63.9630+-0.7525 62.3425+-1.0254 might be 1.0260x faster <geometric> * 58.2699+-0.5575 57.3772+-1.1025 might be 1.0156x faster <harmonic> 53.1858+-0.6933 52.7439+-1.2236 might be 1.0084x faster base fix Octane: encrypt 0.23572+-0.00035 ? 0.24109+-0.00966 ? might be 1.0228x slower decrypt 4.21976+-0.01098 4.19839+-0.01405 deltablue x2 0.21375+-0.00175 0.21151+-0.00344 might be 1.0106x faster earley 0.73949+-0.00789 ? 0.74414+-0.01053 ? boyer 5.33969+-0.02036 5.32947+-0.02097 navier-stokes x2 5.52504+-0.00786 ? 5.53581+-0.02912 ? raytrace x2 1.20483+-0.02214 1.20422+-0.01432 richards x2 0.13560+-0.00171 ^ 0.12807+-0.00403 ^ definitely 1.0588x faster splay x2 0.40295+-0.00587 0.40194+-0.00135 regexp x2 34.72269+-0.30720 ? 34.86035+-0.33212 ? pdfjs x2 54.23336+-0.35151 ? 54.34708+-1.07715 ? mandreel x2 58.23105+-0.73499 ? 58.59521+-1.56389 ? gbemu x2 50.53446+-0.64863 ^ 48.46445+-0.40203 ^ definitely 1.0427x faster closure 0.63866+-0.00562 0.63605+-0.00386 jquery 8.10849+-0.03983 8.08814+-0.04950 box2d x2 15.66741+-0.05539 ^ 15.16280+-0.37548 ^ definitely 1.0333x faster zlib x2 504.66252+-2.94226 495.74579+-29.64051 might be 1.0180x faster typescript x2 903.66840+-3.09708 895.61450+-9.65144 <arithmetic> 109.25620+-0.21744 107.99269+-2.11240 might be 1.0117x faster <geometric> * 7.51899+-0.01624 7.44370+-0.07130 might be 1.0101x faster <harmonic> 0.76721+-0.00358 ^ 0.75009+-0.01260 ^ definitely 1.0228x faster base fix Kraken: ai-astar 366.416+-2.064 361.698+-9.844 might be 1.0130x faster audio-beat-detection 121.866+-1.506 120.170+-0.884 might be 1.0141x faster audio-dft 157.122+-3.536 ? 158.341+-1.750 ? audio-fft 83.179+-0.468 83.062+-0.582 audio-oscillator 252.475+-1.676 ! 257.377+-1.232 ! definitely 1.0194x slower imaging-darkroom 189.649+-0.771 ? 194.979+-16.588 ? might be 1.0281x slower imaging-desaturate 68.949+-0.923 ! 71.450+-0.255 ! definitely 1.0363x slower imaging-gaussian-blur 118.534+-1.245 ! 120.870+-1.046 ! definitely 1.0197x slower json-parse-financial 49.126+-2.077 47.670+-1.320 might be 1.0306x faster json-stringify-tinderbox 62.843+-1.533 ? 63.490+-1.384 ? might be 1.0103x slower stanford-crypto-aes 62.040+-0.919 ? 62.417+-0.530 ? stanford-crypto-ccm 58.082+-11.275 ? 58.444+-9.093 ? stanford-crypto-pbkdf2 181.050+-1.043 180.335+-0.917 stanford-crypto-sha256-iterative 58.486+-1.842 57.111+-2.300 might be 1.0241x faster <arithmetic> * 130.701+-1.054 ? 131.244+-2.203 ? might be 1.0042x slower <geometric> 107.280+-1.643 ? 107.644+-2.054 ? might be 1.0034x slower <harmonic> 90.961+-2.089 ? 91.047+-2.152 ? might be 1.0010x slower base fix JSRegress: abs-boolean 2.9046+-0.0695 2.8672+-0.0866 might be 1.0130x faster adapt-to-double-divide 17.9116+-0.6985 17.7980+-0.3300 aliased-arguments-getbyval 1.1300+-0.3348 1.0265+-0.0485 might be 1.1008x faster allocate-big-object 2.3820+-0.1372 2.3240+-0.1205 might be 1.0250x faster arity-mismatch-inlining 0.9664+-0.0426 ? 0.9718+-0.0427 ? array-access-polymorphic-structure 6.2885+-0.0629 ? 6.8120+-0.6350 ? might be 1.0832x slower array-nonarray-polymorhpic-access 37.6785+-1.5426 37.6713+-1.2623 array-prototype-every 80.0132+-2.1330 ? 80.3256+-2.0835 ? array-prototype-forEach 78.4815+-1.7680 78.2956+-1.6721 array-prototype-map 101.1068+-1.4184 99.5477+-2.2147 might be 1.0157x faster array-prototype-some 80.6202+-1.8335 79.9163+-2.2101 array-splice-contiguous 44.1169+-2.2618 ? 45.2592+-3.6247 ? might be 1.0259x slower array-with-double-add 4.3777+-0.2191 ? 4.4830+-0.2119 ? might be 1.0241x slower array-with-double-increment 3.5120+-0.1636 ? 3.5171+-0.1583 ? array-with-double-mul-add 5.3145+-0.2154 ? 5.4254+-0.2675 ? might be 1.0209x slower array-with-double-sum 3.4752+-0.1590 ? 3.5688+-0.1051 ? might be 1.0269x slower array-with-int32-add-sub 7.2640+-0.3553 7.2554+-0.2061 array-with-int32-or-double-sum 3.5073+-0.0504 ? 3.5676+-0.2214 ? might be 1.0172x slower ArrayBuffer-DataView-alloc-large-long-lived 34.3277+-1.9830 34.0013+-1.3292 ArrayBuffer-DataView-alloc-long-lived 13.6130+-0.3740 ? 13.8604+-0.2785 ? might be 1.0182x slower ArrayBuffer-Int32Array-byteOffset 3.6931+-0.1287 ? 3.7339+-0.1771 ? might be 1.0111x slower ArrayBuffer-Int8Array-alloc-large-long-lived 34.8677+-0.8045 ? 35.5499+-1.7389 ? might be 1.0196x slower ArrayBuffer-Int8Array-alloc-long-lived-buffer 22.4033+-0.7799 ? 22.8447+-1.2871 ? might be 1.0197x slower ArrayBuffer-Int8Array-alloc-long-lived 12.9410+-0.8804 ? 12.9647+-0.8913 ? ArrayBuffer-Int8Array-alloc 11.4065+-1.2382 ? 11.4803+-1.1937 ? asmjs_bool_bug 7.8690+-0.2078 ? 7.9124+-0.5612 ? assign-custom-setter-polymorphic 3.3134+-0.1468 ? 3.3469+-0.1063 ? might be 1.0101x slower assign-custom-setter 4.6303+-0.0623 ? 4.9530+-0.6775 ? might be 1.0697x slower basic-set 11.1368+-0.6165 ? 11.2755+-0.4035 ? might be 1.0125x slower big-int-mul 4.5146+-0.2625 4.3066+-0.1982 might be 1.0483x faster boolean-test 3.2029+-0.0816 3.1763+-0.0948 branch-fold 4.0502+-0.2089 4.0031+-0.0925 might be 1.0118x faster by-val-generic 8.4173+-0.2524 ? 8.8862+-0.2277 ? might be 1.0557x slower call-spread-apply 14.6721+-0.3858 14.5281+-0.3228 call-spread-call 6.5933+-0.0562 6.4957+-0.1395 might be 1.0150x faster captured-assignments 0.5887+-0.0040 ? 0.6013+-0.0159 ? might be 1.0214x slower cast-int-to-double 5.7539+-0.1441 5.7111+-0.1125 cell-argument 8.8278+-0.3712 ? 8.8533+-0.2045 ? cfg-simplify 3.1241+-0.0963 ? 3.2176+-0.1925 ? might be 1.0299x slower chain-getter-access 10.6481+-0.2345 ? 10.8033+-0.4484 ? might be 1.0146x slower cmpeq-obj-to-obj-other 10.6615+-0.1393 10.6274+-0.0699 constant-test 5.3439+-0.1259 5.2516+-0.0882 might be 1.0176x faster DataView-custom-properties 38.8737+-2.1980 38.2969+-0.7704 might be 1.0151x faster delay-tear-off-arguments-strictmode 2.8297+-0.0572 ? 2.8743+-0.1886 ? might be 1.0157x slower destructuring-arguments 5.6000+-0.0434 5.5751+-0.0234 destructuring-swap 5.6008+-0.2248 5.5471+-0.1283 direct-arguments-getbyval 1.0400+-0.0949 ? 1.0966+-0.0575 ? might be 1.0544x slower div-boolean-double 5.6016+-0.2371 5.5225+-0.0997 might be 1.0143x faster div-boolean 8.4629+-0.3260 8.4599+-0.3059 double-get-by-val-out-of-bounds 4.6229+-0.4102 4.4782+-0.1949 might be 1.0323x faster double-pollution-getbyval 9.5883+-0.3201 9.5860+-0.2409 double-pollution-putbyoffset 4.2971+-0.1304 ? 4.4042+-0.0762 ? might be 1.0249x slower double-to-int32-typed-array-no-inline 2.5237+-0.1215 2.4988+-0.1032 double-to-int32-typed-array 2.0917+-0.0636 ? 2.1592+-0.0865 ? might be 1.0323x slower double-to-uint32-typed-array-no-inline 2.4888+-0.1098 ? 2.5784+-0.1548 ? might be 1.0360x slower double-to-uint32-typed-array 2.1835+-0.1216 ? 2.2172+-0.1098 ? might be 1.0154x slower elidable-new-object-dag 41.5396+-2.2017 ? 41.5440+-1.3863 ? elidable-new-object-roflcopter 156.1923+-0.8386 155.7128+-0.6746 elidable-new-object-then-call 38.1965+-4.7559 ? 39.3387+-2.2750 ? might be 1.0299x slower elidable-new-object-tree 43.4537+-0.9756 ? 43.8480+-0.8359 ? empty-string-plus-int 5.3450+-0.1984 ? 5.4205+-0.2977 ? might be 1.0141x slower emscripten-cube2hash 38.8495+-0.7183 38.5560+-2.2071 external-arguments-getbyval 1.5338+-0.1284 ? 1.5651+-0.1114 ? might be 1.0205x slower external-arguments-putbyval 2.2229+-0.0549 ? 2.2557+-0.1608 ? might be 1.0148x slower fixed-typed-array-storage-var-index 1.4821+-0.1122 1.4611+-0.0372 might be 1.0144x faster fixed-typed-array-storage 1.0651+-0.0971 ? 1.0850+-0.0978 ? might be 1.0186x slower Float32Array-matrix-mult 4.8337+-0.6079 4.6607+-0.1049 might be 1.0371x faster Float32Array-to-Float64Array-set 59.5255+-1.9354 59.0356+-1.4275 Float64Array-alloc-long-lived 66.8747+-0.5658 66.5723+-0.9233 Float64Array-to-Int16Array-set 76.0088+-2.6403 ? 77.5179+-1.3650 ? might be 1.0199x slower fold-double-to-int 13.9878+-0.6072 ? 14.3707+-0.3376 ? might be 1.0274x slower fold-get-by-id-to-multi-get-by-offset-rare-int 19.5161+-1.2434 ? 19.9683+-0.9491 ? might be 1.0232x slower fold-get-by-id-to-multi-get-by-offset 20.2629+-1.4064 20.1324+-0.7541 fold-multi-get-by-offset-to-get-by-offset 14.7375+-0.3091 14.5597+-0.3599 might be 1.0122x faster fold-multi-get-by-offset-to-poly-get-by-offset 15.0290+-0.2751 14.8520+-0.2005 might be 1.0119x faster fold-multi-put-by-offset-to-poly-put-by-offset 14.9886+-0.2002 ^ 14.5475+-0.1781 ^ definitely 1.0303x faster fold-multi-put-by-offset-to-put-by-offset 12.8365+-0.1518 12.6541+-0.3505 might be 1.0144x faster fold-multi-put-by-offset-to-replace-or-transition-put-by-offset 16.2608+-0.7615 ? 16.2891+-0.6325 ? fold-put-by-id-to-multi-put-by-offset 20.7757+-0.6432 20.6923+-1.3228 fold-put-structure 12.9673+-0.1412 ? 12.9897+-0.1496 ? for-of-iterate-array-entries 5.9905+-0.2533 ? 6.1683+-0.3910 ? might be 1.0297x slower for-of-iterate-array-keys 3.2300+-0.1607 3.1245+-0.1365 might be 1.0338x faster for-of-iterate-array-values 2.7481+-0.0990 ^ 2.5673+-0.0428 ^ definitely 1.0704x faster fround 20.9366+-0.7398 ^ 19.5784+-0.4955 ^ definitely 1.0694x faster ftl-library-inlining-dataview 74.8863+-0.8824 ? 75.1863+-3.4794 ? ftl-library-inlining 99.5927+-46.9881 ? 102.0276+-52.9366 ? might be 1.0244x slower function-dot-apply 1.6519+-0.0526 ? 1.6742+-0.0573 ? might be 1.0135x slower function-test 3.5430+-0.2045 3.5167+-0.1284 function-with-eval 120.8934+-5.5986 ? 120.9648+-5.8090 ? gcse-poly-get-less-obvious 22.0850+-4.0193 20.4798+-1.9696 might be 1.0784x faster gcse-poly-get 25.4014+-6.9070 24.8161+-3.2729 might be 1.0236x faster gcse 4.5822+-0.3231 ? 5.0309+-0.3751 ? might be 1.0979x slower get-by-id-bimorphic-check-structure-elimination-simple 2.9103+-0.1541 ? 3.2197+-0.2073 ? might be 1.1063x slower get-by-id-bimorphic-check-structure-elimination 6.5918+-0.2796 ? 6.8137+-0.5745 ? might be 1.0337x slower get-by-id-chain-from-try-block 9.6505+-0.4071 9.2244+-0.0989 might be 1.0462x faster get-by-id-check-structure-elimination 5.3303+-0.1032 ? 5.3651+-0.0838 ? get-by-id-proto-or-self 18.2578+-0.8305 18.0987+-1.5031 get-by-id-quadmorphic-check-structure-elimination-simple 3.3719+-0.1125 ? 3.4268+-0.1772 ? might be 1.0163x slower get-by-id-self-or-proto 19.0322+-1.1925 18.6492+-0.3646 might be 1.0205x faster get-by-val-out-of-bounds 4.4182+-0.5876 4.3723+-0.2746 might be 1.0105x faster get_callee_monomorphic 3.8092+-0.0548 ? 3.8649+-0.8966 ? might be 1.0146x slower get_callee_polymorphic 3.6069+-0.3501 ? 3.6873+-0.5975 ? might be 1.0223x slower getter-no-activation 5.5087+-0.0284 ? 5.5539+-0.1525 ? getter-richards 143.4024+-3.4165 134.5381+-5.8983 might be 1.0659x faster getter 5.6376+-0.4906 5.5776+-0.3866 might be 1.0107x faster global-var-const-infer-fire-from-opt 1.1368+-0.2958 1.1025+-0.1825 might be 1.0311x faster global-var-const-infer 1.2357+-0.2881 1.1119+-0.0646 might be 1.1113x faster HashMap-put-get-iterate-keys 27.8543+-0.3644 ? 27.8900+-1.0916 ? HashMap-put-get-iterate 28.8660+-1.2289 28.2205+-0.4301 might be 1.0229x faster HashMap-string-put-get-iterate 26.9251+-0.2626 ? 27.4424+-1.1430 ? might be 1.0192x slower hoist-make-rope 11.1230+-0.5568 ? 11.7859+-0.8235 ? might be 1.0596x slower hoist-poly-check-structure-effectful-loop 5.3917+-0.1689 ? 5.4487+-0.1748 ? might be 1.0106x slower hoist-poly-check-structure 4.0930+-0.0719 ? 4.1097+-0.1453 ? imul-double-only 8.6276+-2.4438 7.6853+-0.7394 might be 1.1226x faster imul-int-only 9.9036+-0.8605 9.7900+-0.5837 might be 1.0116x faster imul-mixed 7.7981+-0.2088 ? 8.0478+-0.7758 ? might be 1.0320x slower in-four-cases 20.7560+-0.6594 20.4482+-0.3098 might be 1.0151x faster in-one-case-false 10.8998+-0.2533 ? 10.9473+-0.1537 ? in-one-case-true 10.7655+-0.2068 ? 10.8900+-0.2737 ? might be 1.0116x slower in-two-cases 11.2731+-0.2297 ? 11.3483+-0.0917 ? indexed-properties-in-objects 3.3524+-0.0693 ^ 3.1743+-0.1027 ^ definitely 1.0561x faster infer-closure-const-then-mov-no-inline 3.9322+-0.0540 ? 3.9429+-0.0850 ? infer-closure-const-then-mov 21.3298+-1.5117 21.0990+-1.1821 might be 1.0109x faster infer-closure-const-then-put-to-scope-no-inline 11.6750+-0.4476 ? 11.8330+-0.4868 ? might be 1.0135x slower infer-closure-const-then-put-to-scope 23.1090+-0.6700 23.0232+-1.1283 infer-closure-const-then-reenter-no-inline 51.8533+-0.9239 ? 52.4043+-1.1039 ? might be 1.0106x slower infer-closure-const-then-reenter 23.0754+-1.2916 22.9355+-1.0139 infer-constant-global-property 3.7462+-0.0765 3.7457+-0.0346 infer-constant-property 2.8824+-0.1339 2.8339+-0.0309 might be 1.0171x faster infer-one-time-closure-ten-vars 12.7078+-0.1522 ? 12.9315+-0.3147 ? might be 1.0176x slower infer-one-time-closure-two-vars 12.7789+-0.0380 12.5913+-0.5429 might be 1.0149x faster infer-one-time-closure 12.6867+-0.3456 12.3888+-0.3981 might be 1.0240x faster infer-one-time-deep-closure 21.9045+-1.1867 21.6550+-1.0125 might be 1.0115x faster inline-arguments-access 1.5640+-0.0120 ? 1.5988+-0.0312 ? might be 1.0222x slower inline-arguments-aliased-access 1.8273+-0.0392 ? 1.8313+-0.0736 ? inline-arguments-local-escape 11.5682+-0.3473 11.5118+-0.4805 inline-get-scoped-var 4.9287+-0.2751 ? 5.0033+-0.3203 ? might be 1.0151x slower inlined-put-by-id-transition 9.2396+-0.5791 ? 9.2911+-0.9566 ? int-or-other-abs-then-get-by-val 5.4005+-0.0369 5.3276+-0.0531 might be 1.0137x faster int-or-other-abs-zero-then-get-by-val 18.6232+-1.7053 18.1973+-0.6462 might be 1.0234x faster int-or-other-add-then-get-by-val 4.4914+-0.0882 ? 4.7622+-0.4629 ? might be 1.0603x slower int-or-other-add 5.6931+-0.0636 ? 5.7339+-0.2811 ? int-or-other-div-then-get-by-val 4.6726+-0.1458 4.6234+-0.1698 might be 1.0106x faster int-or-other-max-then-get-by-val 4.8451+-0.1773 4.8084+-0.2252 int-or-other-min-then-get-by-val 4.8564+-0.2569 ? 4.9720+-0.5102 ? might be 1.0238x slower int-or-other-mod-then-get-by-val 4.2228+-0.1085 4.2192+-0.1290 int-or-other-mul-then-get-by-val 4.2392+-0.1110 4.1382+-0.0515 might be 1.0244x faster int-or-other-neg-then-get-by-val 5.2563+-0.1194 ? 5.3315+-0.2843 ? might be 1.0143x slower int-or-other-neg-zero-then-get-by-val 18.3541+-0.4172 18.2219+-0.3889 int-or-other-sub-then-get-by-val 4.6967+-0.2798 4.6279+-0.2128 might be 1.0149x faster int-or-other-sub 3.8687+-0.0717 3.8431+-0.1884 int-overflow-local 4.7060+-0.1726 4.6503+-0.0618 might be 1.0120x faster Int16Array-alloc-long-lived 48.8392+-1.0708 ? 49.7770+-1.4597 ? might be 1.0192x slower Int16Array-bubble-sort-with-byteLength 22.3328+-1.1916 ? 22.4177+-1.0566 ? Int16Array-bubble-sort 22.3277+-0.8133 ? 22.7411+-0.9208 ? might be 1.0185x slower Int16Array-load-int-mul 1.6884+-0.0623 ? 1.6915+-0.0769 ? Int16Array-to-Int32Array-set 55.1708+-1.1861 ? 55.2273+-1.8713 ? Int32Array-alloc-large 23.1280+-1.4205 23.0352+-1.3000 Int32Array-alloc-long-lived 54.5508+-1.0548 53.5994+-0.6963 might be 1.0177x faster Int32Array-alloc 2.4751+-0.1042 ? 2.5237+-0.1768 ? might be 1.0197x slower Int32Array-Int8Array-view-alloc 6.4507+-0.5487 ? 6.5375+-0.3576 ? might be 1.0135x slower int52-spill 7.0376+-0.2627 6.7969+-0.1778 might be 1.0354x faster Int8Array-alloc-long-lived 44.9936+-1.9103 ? 45.9047+-0.5472 ? might be 1.0203x slower Int8Array-load-with-byteLength 3.7342+-0.0677 3.6810+-0.1111 might be 1.0145x faster Int8Array-load 3.6348+-0.0804 3.5729+-0.0988 might be 1.0173x faster integer-divide 12.7755+-0.1487 12.5762+-0.5208 might be 1.0158x faster integer-modulo 2.4581+-0.0845 ? 2.4783+-0.1347 ? large-int-captured 6.4824+-0.1809 ? 6.6360+-0.5753 ? might be 1.0237x slower large-int-neg 17.2869+-0.7769 ? 17.3543+-0.6073 ? large-int 16.4446+-0.8811 16.1585+-0.6484 might be 1.0177x faster logical-not 5.0000+-0.1147 4.8985+-0.0465 might be 1.0207x faster lots-of-fields 9.6356+-0.2344 9.5302+-0.3939 might be 1.0111x faster make-indexed-storage 3.2197+-0.2027 2.9215+-0.2639 might be 1.1021x faster make-rope-cse 3.3561+-0.1926 ? 3.5200+-0.5297 ? might be 1.0488x slower marsaglia-larger-ints 41.3053+-1.9882 ? 41.4108+-1.5906 ? marsaglia-osr-entry 23.5760+-0.3970 ? 23.9681+-1.2116 ? might be 1.0166x slower max-boolean 2.8080+-0.1429 2.8065+-0.0173 method-on-number 18.7023+-0.4895 18.6547+-0.5054 min-boolean 2.7753+-0.0666 ? 2.8679+-0.2109 ? might be 1.0333x slower minus-boolean-double 3.3260+-0.0354 ? 3.4402+-0.1315 ? might be 1.0343x slower minus-boolean 2.7300+-0.1385 ? 2.8983+-0.8639 ? might be 1.0616x slower misc-strict-eq 40.6079+-0.7685 39.8469+-1.1326 might be 1.0191x faster mod-boolean-double 11.7131+-0.1989 ? 11.7495+-0.2576 ? mod-boolean 8.3757+-0.3269 8.3592+-0.1476 mul-boolean-double 3.9610+-0.1584 ? 4.0312+-0.2221 ? might be 1.0177x slower mul-boolean 3.0738+-0.1343 ? 3.1016+-0.1468 ? neg-boolean 3.3363+-0.0583 ? 3.3535+-0.0891 ? negative-zero-divide 0.4205+-0.0184 ? 0.4387+-0.0321 ? might be 1.0434x slower negative-zero-modulo 0.4285+-0.0210 0.4278+-0.0086 negative-zero-negate 0.4011+-0.0325 ? 0.4029+-0.0293 ? nested-function-parsing 22.8452+-0.9366 22.3411+-0.3169 might be 1.0226x faster new-array-buffer-dead 2.9957+-0.0847 2.9596+-0.1943 might be 1.0122x faster new-array-buffer-push 6.7879+-0.2935 ? 7.0552+-0.5045 ? might be 1.0394x slower new-array-dead 13.0152+-0.8124 ? 13.2318+-0.4783 ? might be 1.0166x slower new-array-push 5.2183+-0.4647 5.2147+-0.2540 number-test 3.3240+-0.5339 3.2236+-0.1270 might be 1.0312x faster object-closure-call 6.2962+-0.1356 ? 6.2972+-0.2087 ? object-test 3.3969+-0.2575 3.2592+-0.1410 might be 1.0423x faster obvious-sink-pathology-taken 132.1270+-1.5420 131.7426+-0.6623 obvious-sink-pathology 127.5347+-1.7843 126.3380+-1.6179 obviously-elidable-new-object 35.0526+-1.2462 ? 35.3226+-1.9271 ? plus-boolean-arith 2.6434+-0.0461 ? 2.7526+-0.1684 ? might be 1.0413x slower plus-boolean-double 3.4545+-0.1323 3.3889+-0.0817 might be 1.0193x faster plus-boolean 2.7292+-0.1344 2.6693+-0.0435 might be 1.0225x faster poly-chain-access-different-prototypes-simple 3.4988+-0.1129 ? 3.5765+-0.2169 ? might be 1.0222x slower poly-chain-access-different-prototypes 2.7062+-0.2216 ? 2.8676+-0.4643 ? might be 1.0596x slower poly-chain-access-simpler 3.6563+-0.2365 3.5656+-0.1999 might be 1.0255x faster poly-chain-access 3.0215+-0.1105 2.9425+-0.0894 might be 1.0269x faster poly-stricteq 60.6795+-1.6419 60.5393+-1.2972 polymorphic-array-call 1.8705+-0.1201 ? 1.9048+-0.1652 ? might be 1.0184x slower polymorphic-get-by-id 3.3312+-0.1041 ! 3.6921+-0.0733 ! definitely 1.1083x slower polymorphic-put-by-id 40.9852+-10.0612 ? 41.9191+-18.9945 ? might be 1.0228x slower polymorphic-structure 16.4787+-0.3948 ? 16.6736+-0.5978 ? might be 1.0118x slower polyvariant-monomorphic-get-by-id 9.1137+-0.1854 ? 9.2126+-0.1504 ? might be 1.0109x slower proto-getter-access 10.9146+-0.3937 10.7380+-0.5948 might be 1.0164x faster put-by-id-replace-and-transition 8.7263+-0.5306 8.5543+-0.1700 might be 1.0201x faster put-by-id-slightly-polymorphic 3.1579+-0.1625 ? 4.9968+-3.3247 ? might be 1.5823x slower put-by-id 13.2108+-1.9621 12.8184+-0.5394 might be 1.0306x faster put-by-val-direct 0.6732+-0.0593 ? 0.6746+-0.0392 ? put-by-val-large-index-blank-indexing-type 5.5708+-0.3755 ? 5.6179+-0.5759 ? put-by-val-machine-int 2.5605+-0.1386 2.5135+-0.1362 might be 1.0187x faster rare-osr-exit-on-local 16.6575+-0.9041 ? 16.6742+-0.2586 ? register-pressure-from-osr 22.8373+-0.4640 ? 22.8668+-0.8697 ? setter 5.8544+-0.0626 5.7621+-0.0817 might be 1.0160x faster simple-activation-demo 27.2723+-3.3950 26.6450+-0.6693 might be 1.0235x faster simple-getter-access 13.6547+-0.3664 ? 13.9150+-0.3314 ? might be 1.0191x slower simple-poly-call-nested 17.5310+-0.9157 17.4284+-0.8523 simple-poly-call 1.4891+-0.0608 1.4786+-0.0719 sin-boolean 21.2623+-2.1690 ? 23.2950+-1.3898 ? might be 1.0956x slower sinkable-new-object-dag 69.7457+-1.3466 69.0088+-1.6926 might be 1.0107x faster sinkable-new-object-taken 55.2547+-1.6721 ? 55.6985+-3.7662 ? sinkable-new-object 39.0153+-0.7447 38.7482+-1.2489 slow-array-profile-convergence 3.0556+-0.4349 ? 3.1131+-0.3507 ? might be 1.0188x slower slow-convergence 3.5975+-0.2365 3.5290+-0.1546 might be 1.0194x faster sparse-conditional 1.3140+-0.0586 1.2889+-0.0574 might be 1.0194x faster splice-to-remove 17.5563+-2.1044 17.1227+-0.5562 might be 1.0253x faster string-char-code-at 17.6280+-0.4940 ? 17.8255+-0.3266 ? might be 1.0112x slower string-concat-object 1.9670+-0.1882 1.9067+-0.0773 might be 1.0316x faster string-concat-pair-object 1.8524+-0.0554 ? 1.9092+-0.1388 ? might be 1.0307x slower string-concat-pair-simple 10.7057+-1.0407 10.6650+-0.1522 string-concat-simple 11.0443+-0.5514 ? 11.2291+-0.3702 ? might be 1.0167x slower string-cons-repeat 6.6663+-0.2498 6.4638+-0.2870 might be 1.0313x faster string-cons-tower 6.7377+-0.2266 6.6749+-0.1900 string-equality 18.9377+-1.6938 ? 19.1188+-1.9058 ? string-get-by-val-big-char 7.2045+-0.6313 7.0311+-0.1724 might be 1.0247x faster string-get-by-val-out-of-bounds-insane 4.0765+-0.2665 4.0157+-0.2706 might be 1.0152x faster string-get-by-val-out-of-bounds 5.7547+-0.2031 5.6697+-0.0364 might be 1.0150x faster string-get-by-val 3.5560+-0.1122 ? 3.5980+-0.3200 ? might be 1.0118x slower string-hash 2.3260+-0.0960 ? 2.4189+-0.3042 ? might be 1.0399x slower string-long-ident-equality 16.0438+-2.3755 14.9013+-0.0477 might be 1.0767x faster string-repeat-arith 32.9057+-1.5360 ? 33.1635+-0.6092 ? string-sub 68.6195+-1.1315 67.6229+-1.6259 might be 1.0147x faster string-test 3.0511+-0.0702 ? 3.1158+-0.1486 ? might be 1.0212x slower string-var-equality 32.3486+-0.7601 ? 33.5818+-1.3528 ? might be 1.0381x slower structure-hoist-over-transitions 2.7442+-0.0418 2.7245+-0.1242 substring-concat-weird 39.7516+-1.4391 39.4760+-0.4716 substring-concat 41.8594+-2.1350 ? 43.2908+-2.9467 ? might be 1.0342x slower substring 47.2927+-1.8238 ? 47.7930+-1.3508 ? might be 1.0106x slower switch-char-constant 2.9688+-0.1617 ? 2.9728+-0.0638 ? switch-char 13.4796+-0.2901 11.5527+-5.5299 might be 1.1668x faster switch-constant 11.3817+-0.7346 10.7595+-0.7788 might be 1.0578x faster switch-string-basic-big-var 15.6378+-0.2980 ? 15.6542+-0.3542 ? switch-string-basic-big 14.9979+-0.6051 ? 15.1595+-0.3014 ? might be 1.0108x slower switch-string-basic-var 15.5262+-0.5789 15.2145+-0.4149 might be 1.0205x faster switch-string-basic 14.2929+-0.9775 14.0867+-0.4165 might be 1.0146x faster switch-string-big-length-tower-var 20.9203+-0.3194 20.6750+-0.3369 might be 1.0119x faster switch-string-length-tower-var 15.8997+-0.5153 15.7520+-0.8635 switch-string-length-tower 13.2418+-0.3586 ? 13.3759+-0.2054 ? might be 1.0101x slower switch-string-short 13.3831+-0.2766 13.3092+-0.6589 switch 13.8519+-4.3005 ? 15.2289+-4.0833 ? might be 1.0994x slower tear-off-arguments-simple 2.1027+-0.0485 2.0491+-0.0889 might be 1.0262x faster tear-off-arguments 3.0452+-0.0446 2.9985+-0.0553 might be 1.0156x faster temporal-structure 12.8038+-0.5904 ? 12.9175+-0.3895 ? to-int32-boolean 14.5430+-0.5053 ? 14.7172+-0.7637 ? might be 1.0120x slower undefined-test 3.2595+-0.0738 ? 3.2726+-0.1242 ? unprofiled-licm 23.6030+-0.3281 ? 23.9576+-1.4163 ? might be 1.0150x slower weird-inlining-const-prop 2.1795+-0.0588 2.1210+-0.0249 might be 1.0276x faster <arithmetic> 16.8887+-0.2113 16.8645+-0.1685 might be 1.0014x faster <geometric> * 8.4742+-0.0282 ? 8.4859+-0.0595 ? might be 1.0014x slower <harmonic> 4.4956+-0.0284 ? 4.5113+-0.0356 ? might be 1.0035x slower base fix AsmBench: bigfib.cpp 533.4073+-3.0655 532.3923+-0.9612 cray.c 503.7513+-8.4280 498.1687+-3.5308 might be 1.0112x faster dry.c 518.4955+-20.7390 ? 529.7170+-3.7838 ? might be 1.0216x slower FloatMM.c 765.4122+-11.4284 761.0376+-2.3075 gcc-loops.cpp 4462.3986+-7.7219 ^ 4441.4378+-12.0300 ^ definitely 1.0047x faster n-body.c 1050.7624+-6.6327 1048.5807+-5.3052 Quicksort.c 458.6291+-3.1832 457.4203+-1.4507 stepanov_container.cpp 3969.3329+-16.9815 ? 3988.5981+-17.0262 ? Towers.c 288.5518+-1.3067 ? 288.7067+-1.9518 ? <arithmetic> 1394.5268+-3.0460 1394.0066+-1.3892 might be 1.0004x faster <geometric> * 861.9305+-2.4758 861.8230+-1.0032 might be 1.0001x faster <harmonic> 635.1505+-2.7647 ? 635.2793+-1.5375 ? might be 1.0002x slower base fix CompressionBench: huffman 553.4583+-3.3923 550.9216+-10.1246 arithmetic-simple 466.3145+-5.2362 464.8027+-1.4589 arithmetic-precise 341.8471+-7.9353 339.0234+-2.7158 arithmetic-complex-precise 335.5697+-2.6719 ? 338.6898+-7.2366 ? arithmetic-precise-order-0 490.8795+-5.5174 ? 493.7288+-5.2155 ? arithmetic-precise-order-1 388.4553+-9.0729 388.1159+-5.2576 arithmetic-precise-order-2 444.5966+-7.3008 444.1433+-7.9692 arithmetic-simple-order-1 503.1815+-4.2983 502.7408+-3.0549 arithmetic-simple-order-2 568.2326+-6.7428 ? 568.9690+-6.0862 ? lz-string 325.3126+-6.2124 324.6113+-7.4354 <arithmetic> 441.7848+-1.0351 441.5747+-2.8920 might be 1.0005x faster <geometric> * 433.3183+-1.1144 433.1168+-2.9291 might be 1.0005x faster <harmonic> 424.8067+-1.1740 424.6139+-2.9992 might be 1.0005x faster base fix All benchmarks: <arithmetic> 105.6171+-0.2074 105.5500+-0.1722 might be 1.0006x faster <geometric> 14.1207+-0.0248 14.1193+-0.0568 might be 1.0001x faster <harmonic> 3.6691+-0.0171 3.6448+-0.0347 might be 1.0067x faster base fix Geomean of preferred means: <scaled-result> 69.3482+-0.0567 69.1548+-0.2837 might be 1.0028x faster 1042540 16 240054 mark.lam 2014-10-17 17:32:00 -0700 Created attachment 240054 the patch. 1042542 17 mark.lam 2014-10-17 18:13:42 -0700 Thanks for the review. Landed in r174856: <http://trac.webkit.org/r174856>. 1042544 18 mark.lam 2014-10-17 18:43:59 -0700 *** Bug 137268 has been marked as a duplicate of this bug. *** 1042613 19 burg 2014-10-18 10:50:47 -0700 Confirmed fixed for me (OS X 10.9). Thanks Mark! 1042627 20 jonowells 2014-10-18 14:04:34 -0700 Confirmed fixed in OS X 10.10 as well. 1042889 21 240054 ggaren 2014-10-20 11:16:30 -0700 Comment on attachment 240054 the patch. View in context: https://bugs.webkit.org/attachment.cgi?id=240054&action=review > Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:1746 > + indexInBlock = indexOfNode(node, indexInBlock); > + indexInBlock++; FWIW, I think this would be slightly clearer as one line: "indexInBlock = indexOfNode(...) + 1;". > Source/JavaScriptCore/dfg/DFGInsertionSet.h:124 > + if (entry) { > + do { I think this can be just "while (entry) {" rather than if/do/while. 1042914 22 240054 mark.lam 2014-10-20 12:03:38 -0700 Comment on attachment 240054 the patch. View in context: https://bugs.webkit.org/attachment.cgi?id=240054&action=review >> Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:1746 >> + indexInBlock++; > > FWIW, I think this would be slightly clearer as one line: "indexInBlock = indexOfNode(...) + 1;". Agreed. >> Source/JavaScriptCore/dfg/DFGInsertionSet.h:124 >> + do { > > I think this can be just "while (entry) {" rather than if/do/while. You are correct. Previously, before the I had figured out the true solution and was still probing to understand how the insertion implementation works, I was exploring implementations that perform the insertion in different ways (e.g. insert after previous bytecode, or insert after current bytecode). Some of that implementation necessitated this if/do/while setup. This is now unnecessary. I will clean this up in a follow up patch. 1042917 23 240136 mark.lam 2014-10-20 12:10:42 -0700 Created attachment 240136 follow up patch. 1042918 24 240136 ggaren 2014-10-20 12:11:52 -0700 Comment on attachment 240136 follow up patch. r=me 1042919 25 mark.lam 2014-10-20 12:14:25 -0700 Thanks for the review. Follow up patch landed in r174899: <http://trac.webkit.org/r174899>. 240054 2014-10-17 17:32:00 -0700 2014-10-17 17:55:26 -0700 the patch. bug-137340.patch text/plain 6444 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTc0ODQ4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDQ3IEBA CisyMDE0LTEwLTE3ICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBX ZWIgUHJvY2VzcyBjcmFzaCB3aGVuIHN0YXJ0aW5nIHRoZSB3ZWIgaW5zcGVjdG9yIGFmdGVyIHIx NzQwMjUuCisgICAgICAgIDxodHRwczovL3dlYmtpdC5vcmcvYi8xMzczNDA+CisKKyAgICAgICAg UmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgQWZ0ZXIgcjE3NDAyNSwgd2Ug Y2FuIGdlbmVyYXRlIGEgYmFkIGdyYXBoIGluIHRoZSBERkcgZml4dXAgcGhhc2UgbGlrZSBzbzoK KworICAgICAgICAgICAgMTAyOjwhMDotPiBTdG9yZUJhcnJpZXIoQ2hlY2s6S25vd25DZWxsOkAx OSwgLi4uLCBiYyM0NCkKKyAgICAgICAgICAgIDYwOjwhMDotPiAgUHV0U3RydWN0dXJlKENoZWNr Oktub3duQ2VsbDpAMTksIC4uLiwgYmMjNDQpCisgICAgICAgICAgICAxMDM6PCEwOi0+IENoZWNr KENoZWNrOk5vdENlbGw6QDU0LCAuLi4sIGJjIzQ0KQorICAgICAgICAgICAgICAgICAgICAvLyBe LS0gUHV0QnlPZmZzZXQncyBTdG9yZUJhcnJpZXIgaGFzIGJlZW4gZWxpZGVkIGFuZCByZXBsYWNl ZAorICAgICAgICAgICAgICAgICAgICAvLyAgICAgd2l0aCBhIHNwZWN1bGF0aW9uIGNoZWNrIHdo aWNoIGNhbiBPU1IgZXhpdC4KKyAgICAgICAgICAgIDYxOjwhMDotPiAgUHV0QnlPZmZzZXQoQ2hl Y2s6S25vd25DZWxsOkAxOSwgLi4uLCBiYyM0NCkKKworICAgICAgICBBcyBhIHJlc3VsdCwgdGhl IHN0cnVjdHVyZSBjaGFuZ2Ugd2lsbCBnZXQgZXhlY3V0ZWQgZXZlbiBpZiB3ZSBlbmQgdXAgT1NS CisgICAgICAgIGV4aXRpbmcgYmVmb3JlIHRoZSBQdXRCeU9mZnNldC4gIEluIHRoZSBiYXNlbGlu ZSBKSVQgY29kZSwgdGhlIHN0cnVjdHVyZSBub3cKKyAgICAgICAgZXJyb25lb3VzbHkgdGVsbHMg dGhlIHB1dCBvcGVyYXRpb24gdGhhdCB0aGVyZSBpcyBhIHZhbHVlIGluIHRoYXQgcHJvcGVydHkK KyAgICAgICAgc2xvdCB3aGVuIGl0IGlzIGFjdHVhbGx5IHVuaW5pdGlhbGl6ZWQgKGhlbmNlLCB0 aGUgY3Jhc2gpLgorCisgICAgICAgIFRoZSBmaXggaXMgdG8gaW5zZXJ0IHRoZSBDaGVjayBhdCB0 aGUgZWFybGllc3QgcG9pbnQgcG9zc2libGU6CisKKyAgICAgICAgMS4gSWYgdGhlIGNoZWNrZWQg bm9kZSBpcyBpbiB0aGUgc2FtZSBieXRlY29kZSBhcyB0aGUgUHV0QnlPZmZzZXQsIHRoZW4KKyAg ICAgICAgICAgdGhlIGVhcmxpZXN0IHBvaW50IHdoZXJlIHdlIGNhbiBpbnNlcnQgdGhlIENoZWNr IGlzIHJpZ2h0IGFmdGVyIHRoZQorICAgICAgICAgICBjaGVja2VkIG5vZGUuCisKKyAgICAgICAg Mi4gSWYgdGhlIGNoZWNrZWQgbm9kZSBpcyBmcm9tIGEgcHJlY2VkaW5nIGJ5dGVjb2RlIChiZWZv cmUgdGhlIFB1dEJ5T2Zmc2V0KSwKKyAgICAgICAgICAgdGhlbiB0aGUgZWFybGllc3QgcG9pbnQg d2hlcmUgd2UgY2FuIGluc2VydCB0aGUgQ2hlY2sgaXMgYXQgdGhlIHN0YXJ0CisgICAgICAgICAg IG9mIHRoZSBjdXJyZW50IGJ5dGVjb2RlLgorCisgICAgICAgIEFsc28gcmV2ZXJ0ZWQgdGhlIHdv cmthcm91bmQgZnJvbSByMTc0NzQ5OiBodHRwczovL3dlYmtpdC5vcmcvYi8xMzc3NTguCisKKyAg ICAgICAgQmVuY2htYXJrIHJlc3VsdHMgYXBwZWFyIHRvIGJlIGEgd2FzaCBvbiBhZ2dyZWdhdGUu CisKKyAgICAgICAgKiBkZmcvREZHRml4dXBQaGFzZS5jcHA6CisgICAgICAgIChKU0M6OkRGRzo6 Rml4dXBQaGFzZTo6aW5kZXhPZk5vZGUpOgorICAgICAgICAoSlNDOjpERkc6OkZpeHVwUGhhc2U6 OmluZGV4T2ZGaXJzdE5vZGVPZkV4aXRPcmlnaW4pOgorICAgICAgICAoSlNDOjpERkc6OkZpeHVw UGhhc2U6OmZpeHVwTm9kZSk6CisgICAgICAgIChKU0M6OkRGRzo6Rml4dXBQaGFzZTo6aW5zZXJ0 Q2hlY2spOgorICAgICAgICAqIGRmZy9ERkdJbnNlcnRpb25TZXQuaDoKKyAgICAgICAgKEpTQzo6 REZHOjpJbnNlcnRpb25TZXQ6Omluc2VydE91dE9mT3JkZXIpOgorICAgICAgICAoSlNDOjpERkc6 Okluc2VydGlvblNldDo6aW5zZXJ0T3V0T2ZPcmRlck5vZGUpOgorCiAyMDE0LTEwLTEwICBPbGl2 ZXIgSHVudCAgPG9saXZlckBhcHBsZS5jb20+CiAKICAgICAgICAgVmFyaW91cyBhcmd1bWVudHMg b3B0aW1pc2F0aW9ucyBpbiBjb2RlZ2VuIGZhaWwgdG8gYWNjb3VudCBmb3IgYXJndW1lbnRzIGJl aW5nIGluIGxleGljYWwgcmVjb3JkCkluZGV4OiBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RG R0ZpeHVwUGhhc2UuY3BwCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcv REZHRml4dXBQaGFzZS5jcHAJKHJldmlzaW9uIDE3NDc5OCkKKysrIFNvdXJjZS9KYXZhU2NyaXB0 Q29yZS9kZmcvREZHRml4dXBQaGFzZS5jcHAJKHdvcmtpbmcgY29weSkKQEAgLTg3LDYgKzg3LDMz IEBAIHByaXZhdGU6CiAgICAgICAgIG1faW5zZXJ0aW9uU2V0LmV4ZWN1dGUoYmxvY2spOwogICAg IH0KICAgICAKKyAgICBpbmxpbmUgdW5zaWduZWQgaW5kZXhPZk5vZGUoTm9kZSogbm9kZSwgdW5z aWduZWQgaW5kZXhUb1NlYXJjaEZyb20pCisgICAgeworICAgICAgICB1bnNpZ25lZCBpbmRleCA9 IGluZGV4VG9TZWFyY2hGcm9tOworICAgICAgICB3aGlsZSAoaW5kZXgpIHsKKyAgICAgICAgICAg IGlmIChtX2Jsb2NrLT5hdChpbmRleCkgPT0gbm9kZSkKKyAgICAgICAgICAgICAgICBicmVhazsK KyAgICAgICAgICAgIGluZGV4LS07CisgICAgICAgIH0KKyAgICAgICAgQVNTRVJUKG1fYmxvY2st PmF0KGluZGV4KSA9PSBub2RlKTsKKyAgICAgICAgcmV0dXJuIGluZGV4OworICAgIH0KKworICAg IGlubGluZSB1bnNpZ25lZCBpbmRleE9mRmlyc3ROb2RlT2ZFeGl0T3JpZ2luKENvZGVPcmlnaW4m IG9yaWdpbkZvckV4aXQsIHVuc2lnbmVkIGluZGV4VG9TZWFyY2hGcm9tKQorICAgIHsKKyAgICAg ICAgdW5zaWduZWQgaW5kZXggPSBpbmRleFRvU2VhcmNoRnJvbTsKKyAgICAgICAgQVNTRVJUKG1f YmxvY2stPmF0KGluZGV4KS0+b3JpZ2luLmZvckV4aXQgPT0gb3JpZ2luRm9yRXhpdCk7CisgICAg ICAgIHdoaWxlIChpbmRleCkgeworICAgICAgICAgICAgaW5kZXgtLTsKKyAgICAgICAgICAgIGlm IChtX2Jsb2NrLT5hdChpbmRleCktPm9yaWdpbi5mb3JFeGl0ICE9IG9yaWdpbkZvckV4aXQpIHsK KyAgICAgICAgICAgICAgICBpbmRleCsrOworICAgICAgICAgICAgICAgIGJyZWFrOworICAgICAg ICAgICAgfQorICAgICAgICB9CisgICAgICAgIEFTU0VSVChtX2Jsb2NrLT5hdChpbmRleCktPm9y aWdpbi5mb3JFeGl0ID09IG9yaWdpbkZvckV4aXQpOworICAgICAgICByZXR1cm4gaW5kZXg7Cisg ICAgfQorICAgIAogICAgIHZvaWQgZml4dXBOb2RlKE5vZGUqIG5vZGUpCiAgICAgewogICAgICAg ICBOb2RlVHlwZSBvcCA9IG5vZGUtPm9wKCk7CkBAIC05NDMsNyArOTcwLDcgQEAgcHJpdmF0ZToK ICAgICAgICAgICAgIGlmICghbm9kZS0+Y2hpbGQxKCktPmhhc1N0b3JhZ2VSZXN1bHQoKSkKICAg ICAgICAgICAgICAgICBmaXhFZGdlPEtub3duQ2VsbFVzZT4obm9kZS0+Y2hpbGQxKCkpOwogICAg ICAgICAgICAgZml4RWRnZTxLbm93bkNlbGxVc2U+KG5vZGUtPmNoaWxkMigpKTsKLSAgICAgICAg ICAgIGluc2VydFN0b3JlQmFycmllcihtX2luZGV4SW5CbG9jaywgbm9kZS0+Y2hpbGQyKCkpOwor ICAgICAgICAgICAgaW5zZXJ0U3RvcmVCYXJyaWVyKG1faW5kZXhJbkJsb2NrLCBub2RlLT5jaGls ZDIoKSwgbm9kZS0+Y2hpbGQzKCkpOwogICAgICAgICAgICAgYnJlYWs7CiAgICAgICAgIH0KICAg ICAgICAgICAgIApAQCAtMTcxMCw3ICsxNzM3LDIwIEBAIHByaXZhdGU6CiAgICAgdm9pZCBpbnNl cnRDaGVjayh1bnNpZ25lZCBpbmRleEluQmxvY2ssIE5vZGUqIG5vZGUpCiAgICAgewogICAgICAg ICBvYnNlcnZlVXNlS2luZE9uTm9kZTx1c2VLaW5kPihub2RlKTsKLSAgICAgICAgbV9pbnNlcnRp b25TZXQuaW5zZXJ0Tm9kZSgKKyAgICAgICAgQ29kZU9yaWdpbiYgY2hlY2tlZE5vZGVPcmlnaW4g PSBub2RlLT5vcmlnaW4uZm9yRXhpdDsKKyAgICAgICAgQ29kZU9yaWdpbiYgY3VycmVudE5vZGVP cmlnaW4gPSBtX2N1cnJlbnROb2RlLT5vcmlnaW4uZm9yRXhpdDsKKyAgICAgICAgaWYgKGN1cnJl bnROb2RlT3JpZ2luID09IGNoZWNrZWROb2RlT3JpZ2luKSB7CisgICAgICAgICAgICAvLyBUaGUg Y2hlY2tlZCBub2RlIGlzIHdpdGhpbiB0aGUgc2FtZSBieXRlY29kZS4gSGVuY2UsIHRoZSBlYXJs aWVzdAorICAgICAgICAgICAgLy8gcG9zaXRpb24gd2UgY2FuIGluc2VydCB0aGUgY2hlY2sgaXMg cmlnaHQgYWZ0ZXIgdGhlIGNoZWNrZWQgbm9kZS4KKyAgICAgICAgICAgIGluZGV4SW5CbG9jayA9 IGluZGV4T2ZOb2RlKG5vZGUsIGluZGV4SW5CbG9jayk7CisgICAgICAgICAgICBpbmRleEluQmxv Y2srKzsKKyAgICAgICAgfSBlbHNlIHsKKyAgICAgICAgICAgIC8vIFRoZSBjaGVja2VkIG5vZGUg aXMgZnJvbSBhIHByZWNlZGluZyBieXRlY29kZS4gSGVuY2UsIHRoZSBlYXJsaWVzdAorICAgICAg ICAgICAgLy8gcG9zaXRpb24gd2UgY2FuIGluc2VydCB0aGUgY2hlY2sgaXMgYXQgdGhlIHN0YXJ0 IG9mIHRoZSBjdXJyZW50CisgICAgICAgICAgICAvLyBieXRlY29kZS4KKyAgICAgICAgICAgIGlu ZGV4SW5CbG9jayA9IGluZGV4T2ZGaXJzdE5vZGVPZkV4aXRPcmlnaW4oY3VycmVudE5vZGVPcmln aW4sIGluZGV4SW5CbG9jayk7CisgICAgICAgIH0KKyAgICAgICAgbV9pbnNlcnRpb25TZXQuaW5z ZXJ0T3V0T2ZPcmRlck5vZGUoCiAgICAgICAgICAgICBpbmRleEluQmxvY2ssIFNwZWNOb25lLCBD aGVjaywgbV9jdXJyZW50Tm9kZS0+b3JpZ2luLCBFZGdlKG5vZGUsIHVzZUtpbmQpKTsKICAgICB9 CiAKSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHSW5zZXJ0aW9uU2V0LmgKPT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdJbnNlcnRpb25TZXQuaAko cmV2aXNpb24gMTc0Nzk4KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdJbnNlcnRp b25TZXQuaAkod29ya2luZyBjb3B5KQpAQCAtMTE2LDYgKzExNiwzNCBAQCBwdWJsaWM6CiAgICAg ICAgIHJldHVybiBpbnNlcnRDb25zdGFudEZvclVzZShpbmRleCwgTm9kZU9yaWdpbihvcmlnaW4p LCB2YWx1ZSwgdXNlS2luZCk7CiAgICAgfQogCisgICAgTm9kZSogaW5zZXJ0T3V0T2ZPcmRlcihj b25zdCBJbnNlcnRpb24mIGluc2VydGlvbikKKyAgICB7CisgICAgICAgIHNpemVfdCB0YXJnZXRJ bmRleCA9IGluc2VydGlvbi5pbmRleCgpOworICAgICAgICBzaXplX3QgZW50cnkgPSBtX2luc2Vy dGlvbnMuc2l6ZSgpOworICAgICAgICBpZiAoZW50cnkpIHsKKyAgICAgICAgICAgIGRvIHsKKyAg ICAgICAgICAgICAgICBlbnRyeS0tOworICAgICAgICAgICAgICAgIGlmIChtX2luc2VydGlvbnNb ZW50cnldLmluZGV4KCkgPD0gdGFyZ2V0SW5kZXgpIHsKKyAgICAgICAgICAgICAgICAgICAgZW50 cnkrKzsKKyAgICAgICAgICAgICAgICAgICAgYnJlYWs7CisgICAgICAgICAgICAgICAgfQorICAg ICAgICAgICAgfSB3aGlsZSAoZW50cnkpOworICAgICAgICB9CisgICAgICAgIG1faW5zZXJ0aW9u cy5pbnNlcnQoZW50cnksIGluc2VydGlvbik7CisgICAgICAgIHJldHVybiBpbnNlcnRpb24uZWxl bWVudCgpOworICAgIH0KKyAgICAKKyAgICBOb2RlKiBpbnNlcnRPdXRPZk9yZGVyKHNpemVfdCBp bmRleCwgTm9kZSogZWxlbWVudCkKKyAgICB7CisgICAgICAgIHJldHVybiBpbnNlcnRPdXRPZk9y ZGVyKEluc2VydGlvbihpbmRleCwgZWxlbWVudCkpOworICAgIH0KKworICAgIHRlbXBsYXRlPHR5 cGVuYW1lLi4uIFBhcmFtcz4KKyAgICBOb2RlKiBpbnNlcnRPdXRPZk9yZGVyTm9kZShzaXplX3Qg aW5kZXgsIFNwZWN1bGF0ZWRUeXBlIHR5cGUsIFBhcmFtcy4uLiBwYXJhbXMpCisgICAgeworICAg ICAgICByZXR1cm4gaW5zZXJ0T3V0T2ZPcmRlcihpbmRleCwgbV9ncmFwaC5hZGROb2RlKHR5cGUs IHBhcmFtcy4uLikpOworICAgIH0KKwogICAgIHZvaWQgZXhlY3V0ZShCYXNpY0Jsb2NrKiBibG9j aykKICAgICB7CiAgICAgICAgIGV4ZWN1dGVJbnNlcnRpb25zKCpibG9jaywgbV9pbnNlcnRpb25z KTsK 240136 2014-10-20 12:10:42 -0700 2014-10-20 12:11:52 -0700 follow up patch. bug-137340b.patch text/plain 2540 mark.lam SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTc0ODk4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE4IEBA CisyMDE0LTEwLTIwICBNYXJrIExhbSAgPG1hcmsubGFtQGFwcGxlLmNvbT4KKworICAgICAgICBb Rm9sbG93IHVwXSBXZWIgUHJvY2VzcyBjcmFzaCB3aGVuIHN0YXJ0aW5nIHRoZSB3ZWIgaW5zcGVj dG9yIGFmdGVyIHIxNzQwMjUuCisgICAgICAgIDxodHRwczovL3dlYmtpdC5vcmcvYi8xMzczNDA+ CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgQXBwbGll ZCBHZW9mZidzIGZlZWRiYWNrIHRvIGNsZWFuIHVwIHNvbWUgY29kZSBmb3IgYmV0dGVyIGNsYXJp dHkgYWZ0ZXIKKyAgICAgICAgcjE3NDg1Ni4KKworICAgICAgICAqIGRmZy9ERkdGaXh1cFBoYXNl LmNwcDoKKyAgICAgICAgKEpTQzo6REZHOjpGaXh1cFBoYXNlOjppbnNlcnRDaGVjayk6CisgICAg ICAgICogZGZnL0RGR0luc2VydGlvblNldC5oOgorICAgICAgICAoSlNDOjpERkc6Okluc2VydGlv blNldDo6aW5zZXJ0T3V0T2ZPcmRlcik6CisKIDIwMTQtMTAtMjAgIE1hcmsgTGFtICA8bWFyay5s YW1AYXBwbGUuY29tPgogCiAgICAgICAgIEZhY3RvciBvdXQgSklUQ29kZTo6dHlwZU5hbWUoKSBm b3IgZGVidWdnaW5nIHVzZS4KSW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHRml4 dXBQaGFzZS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdG aXh1cFBoYXNlLmNwcAkocmV2aXNpb24gMTc0ODk2KQorKysgU291cmNlL0phdmFTY3JpcHRDb3Jl L2RmZy9ERkdGaXh1cFBoYXNlLmNwcAkod29ya2luZyBjb3B5KQpAQCAtMTc0Miw4ICsxNzQyLDcg QEAgcHJpdmF0ZToKICAgICAgICAgaWYgKGN1cnJlbnROb2RlT3JpZ2luID09IGNoZWNrZWROb2Rl T3JpZ2luKSB7CiAgICAgICAgICAgICAvLyBUaGUgY2hlY2tlZCBub2RlIGlzIHdpdGhpbiB0aGUg c2FtZSBieXRlY29kZS4gSGVuY2UsIHRoZSBlYXJsaWVzdAogICAgICAgICAgICAgLy8gcG9zaXRp b24gd2UgY2FuIGluc2VydCB0aGUgY2hlY2sgaXMgcmlnaHQgYWZ0ZXIgdGhlIGNoZWNrZWQgbm9k ZS4KLSAgICAgICAgICAgIGluZGV4SW5CbG9jayA9IGluZGV4T2ZOb2RlKG5vZGUsIGluZGV4SW5C bG9jayk7Ci0gICAgICAgICAgICBpbmRleEluQmxvY2srKzsKKyAgICAgICAgICAgIGluZGV4SW5C bG9jayA9IGluZGV4T2ZOb2RlKG5vZGUsIGluZGV4SW5CbG9jaykgKyAxOwogICAgICAgICB9IGVs c2UgewogICAgICAgICAgICAgLy8gVGhlIGNoZWNrZWQgbm9kZSBpcyBmcm9tIGEgcHJlY2VkaW5n IGJ5dGVjb2RlLiBIZW5jZSwgdGhlIGVhcmxpZXN0CiAgICAgICAgICAgICAvLyBwb3NpdGlvbiB3 ZSBjYW4gaW5zZXJ0IHRoZSBjaGVjayBpcyBhdCB0aGUgc3RhcnQgb2YgdGhlIGN1cnJlbnQKSW5k ZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHSW5zZXJ0aW9uU2V0LmgKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PQotLS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdJbnNlcnRpb25TZXQuaAkocmV2aXNp b24gMTc0ODk2KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdJbnNlcnRpb25TZXQu aAkod29ya2luZyBjb3B5KQpAQCAtMTIwLDE0ICsxMjAsMTIgQEAgcHVibGljOgogICAgIHsKICAg ICAgICAgc2l6ZV90IHRhcmdldEluZGV4ID0gaW5zZXJ0aW9uLmluZGV4KCk7CiAgICAgICAgIHNp emVfdCBlbnRyeSA9IG1faW5zZXJ0aW9ucy5zaXplKCk7Ci0gICAgICAgIGlmIChlbnRyeSkgewot ICAgICAgICAgICAgZG8gewotICAgICAgICAgICAgICAgIGVudHJ5LS07Ci0gICAgICAgICAgICAg ICAgaWYgKG1faW5zZXJ0aW9uc1tlbnRyeV0uaW5kZXgoKSA8PSB0YXJnZXRJbmRleCkgewotICAg ICAgICAgICAgICAgICAgICBlbnRyeSsrOwotICAgICAgICAgICAgICAgICAgICBicmVhazsKLSAg ICAgICAgICAgICAgICB9Ci0gICAgICAgICAgICB9IHdoaWxlIChlbnRyeSk7CisgICAgICAgIHdo aWxlIChlbnRyeSkgeworICAgICAgICAgICAgZW50cnktLTsKKyAgICAgICAgICAgIGlmIChtX2lu c2VydGlvbnNbZW50cnldLmluZGV4KCkgPD0gdGFyZ2V0SW5kZXgpIHsKKyAgICAgICAgICAgICAg ICBlbnRyeSsrOworICAgICAgICAgICAgICAgIGJyZWFrOworICAgICAgICAgICAgfQogICAgICAg ICB9CiAgICAgICAgIG1faW5zZXJ0aW9ucy5pbnNlcnQoZW50cnksIGluc2VydGlvbik7CiAgICAg ICAgIHJldHVybiBpbnNlcnRpb24uZWxlbWVudCgpOwo=