Bug 117144

Summary: JSC asserting without LLINT with DFG JIT
Product: WebKit Reporter: Gabor Rapcsanyi <rgabor>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: fpizlo, mark.lam, oliver, zherczeg
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 108645    

Description Gabor Rapcsanyi 2013-06-03 06:09:46 PDT
JSC asserting without LLINT on Linux (x86, ARM) and Mac (x86) as well.

The test is:
  var j,k;
  function b(){
      for (var i = 0; i < 1986; ++i) {
          j *= k;

The assert:
/Users/rgabor/gitWebKit/Source/JavaScriptCore/runtime/JSCJSValueInlines.h(491) : JSC::JSCell *JSC::JSValue::asCell() const
1   0x10ac82350 WTFCrash
2   0x10a7fdf95 JSC::JSValue::asCell() const
3   0x10ab07207 JSC::JSScope::resolvePut(JSC::ExecState*, JSC::JSValue, JSC::Identifier const&, JSC::JSValue, JSC::PutToBaseOperation*)
4   0x10aa7e93b cti_op_put_to_base
5   0x10aa84620 jscGeneratedNativeCode
6   0x10aa45a44 JSC::JITCode::execute(JSC::JSStack*, JSC::ExecState*, JSC::VM*)
7   0x10aa422a6 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
8   0x10a8c82df JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
9   0x10a779127 _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0ENS1_15CrashOnOverflowEEEb
10  0x10a77881c jscmain(int, char**)
11  0x10a77867e main
12  0x10a770ce4 start
13  0x2
Segmentation fault: 11

I've made some debugging on this and found that JSC::JSScope::resolveWithBase called by LLINT which changes the instructions[30].u.putToBaseOperation->m_kind (on this test) from Uninitialised to GlobalVariablePut and later the JIT will compile that but without LLINT JIT will compile the bytecode before this change and that will cause the problem after OSRExitCompiler::compileExit().

#0  JSC::JSScope::resolveContainingScopeInternal<(JSC::JSScope::LookupMode)0, (JSC::JSScope::ReturnValues)3> (callFrame=0x7ffeb36f90a0, identifier=..., slot=..., 
    operations=0xf6b9e0, putToBaseOperation=0xf69300) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/JSScope.cpp:262
#1  0x00000000007af832 in JSC::JSScope::resolveContainingScope<(JSC::JSScope::ReturnValues)3> (callFrame=0x7ffeb36f90a0, identifier=..., slot=..., operations=0xf6b9e0, 
    putToBaseOperation=0xf69300, isStrict=false) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/JSScope.cpp:428
#2  0x00000000007ae19f in JSC::JSScope::resolveWithBase (callFrame=0x7ffeb36f90a0, identifier=..., base=0x7ffeb36f90b0, operations=0xf6b9e0, 
    putToBaseOperations=0xf69300) at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/JSScope.cpp:499
#3  0x00000000006ad4e4 in JSC::LLInt::llint_slow_path_resolve_with_base (exec=0x7ffeb36f90a0, pc=0xf696a0)
    at /home/rgabor/WebKit/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:865
#4  0x00000000006b8add in llint_op_resolve_with_base ()
#5  0x00007ffeb36f9058 in ?? ()
#6  0x0000000000f55160 in ?? ()
#7  0x00007fffffffcde0 in ?? ()
#8  0x0000000000661017 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/rgabor/WebKit/Source/JavaScriptCore/interpreter/JSStackInlines.h:213
#9  0x000000000065fd96 in JSC::JITCode::execute (this=0x7ffeb441fe90, stack=0xf55160, callFrame=0x7ffeb36f9058, vm=0xf467b0)
    at /home/rgabor/WebKit/Source/JavaScriptCore/jit/JITCode.h:135
#10 0x000000000065d0d0 in JSC::Interpreter::execute (this=0xf55150, program=0x7ffeb441fe70, callFrame=0x7ffeb434fb78, thisObj=0x7ffeb43cfeb0)
    at /home/rgabor/WebKit/Source/JavaScriptCore/interpreter/Interpreter.cpp:976
#11 0x00000000007471a4 in JSC::evaluate (exec=0x7ffeb434fb78, source=..., thisValue=..., returnedException=0x7fffffffe3e0)
    at /home/rgabor/WebKit/Source/JavaScriptCore/runtime/Completion.cpp:83
#12 0x00000000004111ca in runWithScripts (globalObject=0x7ffeb434f970, scripts=..., dump=false) at /home/rgabor/WebKit/Source/JavaScriptCore/jsc.cpp:578
#13 0x0000000000411ed5 in jscmain (argc=2, argv=0x7fffffffe6a8) at /home/rgabor/WebKit/Source/JavaScriptCore/jsc.cpp:794
#14 0x0000000000410fa6 in main (argc=2, argv=0x7fffffffe6a8) at /home/rgabor/WebKit/Source/JavaScriptCore/jsc.cpp:541

I'm not sure how to fix this problem so if you have any thoughts on this please share with me :)
Comment 1 Gabor Rapcsanyi 2013-06-06 00:29:15 PDT
As I see the JITted code could differ from the stored bytecode in case of no LLInt. DFG deoptimization has a recovery method which set back the values in the memory with the help of the stored bytecode.
The problem is that this bytecode differs from the one which we used to compile the JIT code and we don't have neither the original nor the changes. So it will set back a value which the JIT not expected. In this case it will set back an Undefined JS value while the JIT is expected CellTag.