| Field | Value |
|---|---|
| Summary | REGRESSION(r174025): Web Process crash when starting the web inspector after r174025 |
| Product | WebKit |
| Component | JavaScriptCore |
| Status | RESOLVED FIXED |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Carlos Garcia Campos \<cgarcia\> |
| Assignee | Mark Lam \<mark.lam\> |
| CC | burg, fpizlo, jonowells, mark.lam, mhahnenb, ossy, pnormand, timothy, webkit-bug-importer |
| Keywords | Gtk, InRadar, Regression |
| Bug Depends on | |
| Bug Blocks | 137161 |
| Attachments | |
Description
Carlos Garcia Campos
2014-10-02 03:46:32 PDT
With setting JSC_useDFGJIT=0 environment variable, inspector works again, so it must be a DFG JIT bug.

I'll try to reproduce this bug in debug mode and try to get a crash backtrace to help debugging.

(In reply to comment #1)
> With setting JSC_useDFGJIT=0 environment variable,
> inspector works again, so it must be a DFG JIT bug.
>
> I'll try to reproduce this bug in debug mode and try
> to get a crash backtrace to help debugging.

Careful. The purpose of that DFG change was to not insert obviously unnecessary GC barriers. It could just be revealing missing barriers in the runtime.

Here is the crash log:

```
Core was generated by `/home/ossy/WebKit/WebKitBuild/Debug/bin/WebKitWebProcess 20'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f01d9d0604c in JSC::JSCell::isGetterSetter (this=0x0) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:169
169         return m_type == GetterSetterType;
(gdb) bt
#0  0x00007f01d9d0604c in JSC::JSCell::isGetterSetter (this=0x0) at ../../Source/JavaScriptCore/runtime/JSCellInlines.h:169
#1  0x00007f01d9d060ae in JSC::JSValue::isGetterSetter (this=0x7fff09305740) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:559
#2  0x00007f01d4d9937a in JSC::JSObject::put (cell=0x7f015395ccf0, exec=0x7fff093058e0, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSObject.cpp:376
#3  0x00007f01d4a8188e in JSC::JSValue::put (this=0x7fff09305860, exec=0x7fff093058e0, propertyName=..., value=..., slot=...) at ../../Source/JavaScriptCore/runtime/JSCJSValueInlines.h:729
#4  0x00007f01d4c1e289 in JSC::operationPutByIdNonStrictBuildList (exec=0x7fff093058e0, stubInfo=0x2bde110, encodedValue=139643678252784, encodedBase=139643674021104, uid=0x7f01df0775d0 <WebCore::HTMLNames::dataData>) at ../../Source/JavaScriptCore/jit/JITOperations.cpp:391
#5  0x00007f0181decf8b in ?? ()
#6  0x000000000000000a in ?? ()
#7  0x00007f01802fda30 in ?? ()
#8  0x00007fff09305970 in ?? ()
#9  0x00007f0181ddab36 in ?? ()
#10 0x0000000001b9b4f0 in ?? ()
#11 0x00007f018058f470 in ?? ()
#12 0x00007f01802fda30 in ?? ()
#13 0x0000001b00000004 in ?? ()
#14 0x00007f015395ccf0 in ?? ()
#15 0x00007f01df194950 in ?? ()
#16 0x00007f017063acf0 in ?? ()
#17 0x00007f0153d65ef0 in ?? ()
#18 0x000000000000000a in ?? ()
#19 0x000000000000000a in ?? ()
#20 0x00007f015395cd30 in ?? ()
#21 0x000000000000000a in ?? ()
#22 0x0000000000000000 in ?? ()
```

Any hint on how it is possible to debug this regression?

I'm looking into this.

This issue is not unique to the GTK port. I can reproduce it on OSX.
With the DFG disabled, the issue does not reproduce.
With the DFG enabled and inlining disabled, the issue still reproduces.
With JSC_alwaysDoFullCollection=true, the issue still reproduces.

*** Bug 137629 has been marked as a duplicate of this bug. ***

Here's a debug crash stack trace:

```
(lldb) bt 15
* thread #1: tid = 0xd38ed6, 0x000000010e351aec JavaScriptCore`JSC::JSCell::isGetterSetter(this=0x0000000000000000) const + 12 at JSCellInlines.h:169, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x5)
  * frame #0: 0x000000010e351aec JavaScriptCore`JSC::JSCell::isGetterSetter(this=0x0000000000000000) const + 12 at JSCellInlines.h:169
    frame #1: 0x000000010e34df8c JavaScriptCore`JSC::JSValue::isGetterSetter(this=0x00007fff5b048ad0) const + 60 at JSCJSValueInlines.h:559
    frame #2: 0x000000010e938b28 JavaScriptCore`JSC::JSObject::put(cell=0x000000011c25fcb0, exec=0x00007fff5b048d10, propertyName=PropertyName at 0x00007fff5b048ba8, value=JSValue at 0x00007fff5b048ba0, slot=0x00007fff5b048c70) + 1304 at JSObject.cpp:376
    frame #3: 0x000000010e64fec2 JavaScriptCore`JSC::JSValue::put(this=0x00007fff5b048c98, exec=0x00007fff5b048d10, propertyName=PropertyName at 0x00007fff5b048c18, value=JSValue at 0x00007fff5b048c10, slot=0x00007fff5b048c70) + 210 at JSCJSValueInlines.h:729
    frame #4: 0x000000010e89284f JavaScriptCore`operationPutByIdStrictBuildList(exec=0x00007fff5b048d10, stubInfo=0x00007fef6d078ec0, encodedValue=4698428880, encodedBase=4767218864, uid=0x00007fef63724600) + 239 at JITOperations.cpp:371
    frame #5: 0x00004d326250e4ed
    frame #6: 0x00004d32625125a8
(lldb) up
frame #1: 0x000000010e34df8c JavaScriptCore`JSC::JSValue::isGetterSetter(this=0x00007fff5b048ad0) const + 60 at JSCJSValueInlines.h:559
   556
   557  inline bool JSValue::isGetterSetter() const
   558  {
-> 559      return isCell() && asCell()->isGetterSetter();
   560  }
   561
   562  inline bool JSValue::isCustomGetterSetter() const
(lldb) p isCell()
(bool) $3 = true
(lldb) p this
(JSC::JSValue *) $4 = 0x00007fff5b048ad0
(lldb) p asCell()
(JSC::JSCell *) $5 = 0x0000000000000000
(lldb) p *this
(JSC::JSValue) $6 = {
  u = {
    asInt64 = 0
    ptr = 0x0000000000000000
    asBits = (payload = 0, tag = 0)
  }
}
```

The crash is because we got handed a NULL pointer.

==== Some more debugging notes: ===========================

1. To reiterate, this does not look like a barrier issue because I am able to reproduce the issue with JSC_alwaysDoFullCollection=true.

2. The issue is racy. I need to reload the page while the WebInspector is open, at the right time, in order to reproduce the issue. If I wait too long, the issue seems to go away.

3. When I crash, the crash always appears to be from here:

```
frame #2: 0x0000000111059b28 JavaScriptCore`JSC::JSObject::put(cell=0x000000012020fc30, exec=0x00007fff58924d50, propertyName=PropertyName at 0x00007fff58924be8, value=JSValue at 0x00007fff58924be0, slot=0x00007fff58924cb0) + 1304 at JSObject.cpp:376
   373      }
   374
   375      JSValue gs = obj->getDirect(offset);
-> 376      if (gs.isGetterSetter()) {
   377          callSetter(exec, cell, gs, value, slot.isStrictMode() ? StrictMode : NotStrictMode);
   378          if (!thisObject->structure()->isDictionary())
   379              slot.setCacheableSetter(obj, offset);
```

where gs is a NULL JSValue.

4. The "offset" value is always 4 (from the 2 samples I have so far).

5. Though I turned on zombie mode (JSC_useZombieMode=true), the offending object does not appear to be zombified:

```
(lldb) p obj
(JSC::JSObject *) $17 = 0x000000012020fc30
(lldb) x/20x obj
0x12020fc30: 0x000022a1 0x01001200 0x00000000 0x00000000
0x12020fc40: 0x00000020 0xffff0000 0x0000002b 0xffff0000
0x12020fc50: 0x1a0dfa90 0x00000001 0x2020fd30 0x00000001
0x12020fc60: 0x00000000 0x00000000 0x00000000 0x00000000
0x12020fc70: 0x00000066 0x01302800 0x00000000 0x00000000
```

More debugging notes:

6. The Structure of the offending object says:

```
(lldb) p obj->structure()
(JSC::Structure *) $23 = 0x000000011a8a3500
(lldb) p *obj->structure()
(JSC::Structure) $24 = {
  JSC::JSCell = (m_structureID = 1, m_indexingType = '\0', m_type = CellType, m_flags = '\0', m_gcData = '\x01')
  m_blob = {
    u = {
      fields = {
        structureID = 8865
        indexingType = '\0'
        type = FinalObjectType
        inlineTypeFlags = '\0'
        defaultGCData = NotMarked
      }
      words = (word1 = 8865, word2 = 16781824)
      doubleWord = 72077385247236769
    }
  }
  m_outOfLineTypeFlags = '\0'
  m_globalObject = {
    JSC::WriteBarrierBase<JSC::JSGlobalObject> = {
      m_cell = 0x000000011a27f470
    }
  }
  m_prototype = {
    JSC::WriteBarrierBase<JSC::<anonymous enum> > = (m_value = 4791946544)
  }
  m_cachedPrototypeChain = {
    JSC::WriteBarrierBase<JSC::StructureChain> = {
      m_cell = 0x000000011a36d0c0
    }
  }
  m_previousOrRareData = {
    JSC::WriteBarrierBase<JSC::JSCell> = {
      m_cell = 0x000000011a290cb0
    }
  }
  m_nameInPrevious = {
    m_ptr = 0x00007f9aa453c3b0
  }
  m_classInfo = 0x00000001116554a8
  m_transitionTable = (m_data = 4739840353)
  m_propertyTableUnsafe = {
    JSC::WriteBarrierBase<JSC::PropertyTable> = {
      m_cell = 0x000000011a294d90
    }
  }
  m_transitionWatchpointSet = (m_data = 5)
  m_offset = 4
  m_inlineCapacity = '\x06'
  m_lock = (m_lock = '\0')
  m_bitField = 10485760
}
```

7. The ClassInfo of the offending object says:

```
(lldb) p obj->structure()->classInfo()
(const JSC::ClassInfo *) $25 = 0x00000001116554a8
(lldb) p *obj->structure()->classInfo()
(const JSC::ClassInfo) $26 = {
  className = 0x000000011140d567 "Object"
  parentClass = 0x00000001116553c0
  staticPropHashTable = 0x0000000000000000
  methodTable = {
    destroy = 0x0000000110ffb8d0 (JavaScriptCore`JSC::JSCell::destroy(JSC::JSCell*) at JSCell.cpp:40)
    visitChildren = 0x000000011105c870 (JavaScriptCore`JSC::JSFinalObject::visitChildren(JSC::JSCell*, JSC::SlotVisitor&) at JSObject.cpp:230)
    copyBackingStore = 0x0000000111059480 (JavaScriptCore`JSC::JSObject::copyBackingStore(JSC::JSCell*, JSC::CopyVisitor&, JSC::CopyToken) at JSObject.cpp:217)
    getCallData = 0x0000000110ffbb40 (JavaScriptCore`JSC::JSCell::getCallData(JSC::JSCell*, JSC::CallData&) at JSCell.cpp:82)
    getConstructData = 0x0000000110ffbb80 (JavaScriptCore`JSC::JSCell::getConstructData(JSC::JSCell*, JSC::ConstructData&) at JSCell.cpp:90)
    put = 0x0000000111059610 (JavaScriptCore`JSC::JSObject::put(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName, JSC::JSValue, JSC::PutPropertySlot&) at JSObject.cpp:334)
    putByIndex = 0x0000000111059f70 (JavaScriptCore`JSC::JSObject::putByIndex(JSC::JSCell*, JSC::ExecState*, unsigned int, JSC::JSValue, bool) at JSObject.cpp:412)
    deleteProperty = 0x000000011105a890 (JavaScriptCore`JSC::JSObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) at JSObject.cpp:1270)
    deletePropertyByIndex = 0x000000011105aae0 (JavaScriptCore`JSC::JSObject::deletePropertyByIndex(JSC::JSCell*, JSC::ExecState*, unsigned int) at JSObject.cpp:1315)
    getOwnPropertySlot = 0x0000000110a6c3d0 (JavaScriptCore`JSC::JSObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) at JSObject.h:1246)
    getOwnPropertySlotByIndex = 0x000000011105af70 (JavaScriptCore`JSC::JSObject::getOwnPropertySlotByIndex(JSC::JSObject*, JSC::ExecState*, unsigned int, JSC::PropertySlot&) at JSObject.cpp:261)
    toThis = 0x000000011105b4c0 (JavaScriptCore`JSC::JSObject::toThis(JSC::JSCell*, JSC::ExecState*, JSC::ECMAMode) at JSObject.cpp:1594)
    defaultValue = 0x000000011105b500 (JavaScriptCore`JSC::JSObject::defaultValue(JSC::JSObject const*, JSC::ExecState*, JSC::PreferredPrimitiveType) at JSObject.cpp:1401)
    getOwnPropertyNames = 0x000000011105b840 (JavaScriptCore`JSC::JSObject::getOwnPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:1493)
    getOwnNonIndexPropertyNames = 0x000000011105bec0 (JavaScriptCore`JSC::JSObject::getOwnNonIndexPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:1567)
    getPropertyNames = 0x000000011105bf80 (JavaScriptCore`JSC::JSObject::getPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:1470)
    getEnumerableLength = 0x000000011105c110 (JavaScriptCore`JSC::JSObject::getEnumerableLength(JSC::ExecState*, JSC::JSObject*) at JSObject.cpp:2706)
    getStructurePropertyNames = 0x000000011105c540 (JavaScriptCore`JSC::JSObject::getStructurePropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:2758)
    getGenericPropertyNames = 0x000000011105c590 (JavaScriptCore`JSC::JSObject::getGenericPropertyNames(JSC::JSObject*, JSC::ExecState*, JSC::PropertyNameArray&, JSC::EnumerationMode) at JSObject.cpp:2764)
    className = 0x000000011105c740 (JavaScriptCore`JSC::JSObject::className(JSC::JSObject const*) at JSObject.cpp:254)
    customHasInstance = 0x0000000110ffc470 (JavaScriptCore`JSC::JSCell::customHasInstance(JSC::JSObject*, JSC::ExecState*, JSC::JSValue) at JSCell.cpp:216)
    defineOwnProperty = 0x000000011105c7c0 (JavaScriptCore`JSC::JSObject::defineOwnProperty(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertyDescriptor const&, bool) at JSObject.cpp:2673)
    slowDownAndWasteMemory = 0x0000000110ffc500 (JavaScriptCore`JSC::JSCell::slowDownAndWasteMemory(JSC::JSArrayBufferView*) at JSCell.cpp:228)
    getTypedArrayImpl = 0x0000000110ffc540 (JavaScriptCore`JSC::JSCell::getTypedArrayImpl(JSC::JSArrayBufferView*) at JSCell.cpp:234)
    dumpToStream = 0x0000000110ffb920 (JavaScriptCore`JSC::JSCell::dumpToStream(JSC::JSCell const*, WTF::PrintStream&) at JSCell.cpp:50)
  }
  typedArrayStorageType = NotTypedArray
}
```

More debugging notes:

Michael made the observation that if we made the DFG fix up for PutByOffset always insert a store barrier, the issue will stop manifesting. With that, we did some investigation and showed that the crash only manifests when the store barrier is omitted for a PutByOffset when the written value shouldSpeculateNotCell(). The value's prediction is 0x20200000, which is SpecOther | SpecInt32.

More debugging notes:

```
// Some printfs and logging:
...
mlam [93284] 0x128613480 PutByOffset: prediction = 20200000   // <== The PutByOffset that triggered the insertStoreBarrier of interest.
mlam [93284] 0x128613480 insertStoreBarrier() cb 0x7f8415bb2a20 Baseline 'result': value->shouldSpeculateNotCell() prediction = 20200000 (538968064)   // <== The insertStoreBarrier where we elided the StoreBarrier.
...
// Note: the store barrier was elided from a codeBlock that has a baseline codeBlock (0x7f8415bb2a20 ) with inferredName 'result'.
// And later on, we see this codeBlock OSR exited to baseline CB 0x7f8415bb2a20:
Speculation failure in result#AlZ94h:[0x7f8416919de0->0x7f8415bb2a20->0x12289ee70, %sDFGFunctionCall, 197 (StrictMode)] @ exit #24 (bc#44, BadType) with executeCounter = 0.000000/0.000000, 0, reoptimizationRetryCounter = 0, optimizationDelayCounter = 0, osrExitCounter = 0
GPRs at time of exit: rax:0xffff00000000002b rdx:0x1285b0a70 rcx:0x122ba9d90 rbx:0x12205fa90 rdi:0x2 rsi:0x1285b0b70 r8:0x1259f47b0 r9:0x1285b0a30 r10:0xffff000000000020 r12:0x7f8412937760 r13:0x12226ff30
FPRs at time of exit: xmm0:cdcdcdcdcdcdcdcd:-6277438562204192487878988888393020692503707483087375482269988814848.000000 xmm1:404c800000000000:57.000000 xmm2:7fffffffffffffff:nan xmm3:1285819a0:0.000000 xmm4:2:0.000000 xmm5:2:0.000000
```

From observations so far, it looks like we did the right thing in eliding the store barrier. However, the speculation check has failed (with a BadType) and we OSR exited. All of this is proper. However, we did still put a value that presumably is a Cell, and we speculated it to not be a Cell. Either the spec fail code needs to execute the store barrier or the baseline JIT needs to execute it. Someone has to. Checking ...

Confirmed that the store barrier is only used for Eden collections. Since I'm always running full collections, the store barrier should not be the issue.

More debugging info:

The crash occurred at:

```
(lldb) bt 15
* thread #1: tid = 0xda8e77, 0x00000001189efaec JavaScriptCore`JSC::JSCell::isGetterSetter(this=0x0000000000000000) const + 12 at JSCellInlines.h:169, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x5)
    frame #0: 0x00000001189efaec JavaScriptCore`JSC::JSCell::isGetterSetter(this=0x0000000000000000) const + 12 at JSCellInlines.h:169
    frame #1: 0x00000001189ebf8c JavaScriptCore`JSC::JSValue::isGetterSetter(this=0x00007fff509a6a90) const + 60 at JSCJSValueInlines.h:559
  * frame #2: 0x0000000118fd6b78 JavaScriptCore`JSC::JSObject::put(cell=0x00000001285b0a70, exec=0x00007fff509a6cd0, propertyName=PropertyName at 0x00007fff509a6b68, value=JSValue at 0x00007fff509a6b60, slot=0x00007fff509a6c30) + 1304 at JSObject.cpp:376
    frame #3: 0x0000000118cedec2 JavaScriptCore`JSC::JSValue::put(this=0x00007fff509a6c58, exec=0x00007fff509a6cd0, propertyName=PropertyName at 0x00007fff509a6bd8, value=JSValue at 0x00007fff509a6bd0, slot=0x00007fff509a6c30) + 210 at JSCJSValueInlines.h:729
    frame #4: 0x0000000118f3089f JavaScriptCore`operationPutByIdStrictBuildList(exec=0x00007fff509a6cd0, stubInfo=0x00007f840eb37910, encodedValue=4877622672, encodedBase=4972022384, uid=0x00007f840e944010) + 239 at JITOperations.cpp:371
    frame #5: 0x00003f0ef631464c
    ...
```
The JS stack is:

```
frame 0x7fff509a6cd0 {
   name 'JSLexical'
   sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/External/CodeMirror/javascript.js'
   isInlinedFrame 0
   callee 0x122b04a30
   returnPC 0x3f0ef6318927
   callerFrame 0x7fff509a6d70
   rawLocationBits 45 0x2d
   codeBlock 0x7f8412c172a0
      bytecodeOffset 45 0x2d / 70
      line 224
      column 9
      jitType 3 <BaselineJIT> isOptimizingJIT 0
      hasCodeOrigins 0
}
frame 0x7fff509a6d70 {
   name 'result'
   sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/External/CodeMirror/javascript.js'
   isInlinedFrame 0
   callee 0x1285d92b0
   returnPC 0x3f0ef63cc214
   callerFrame 0x7fff509a6dd0
   rawLocationBits 177 0xb1
   codeBlock 0x7f8415bb2a20
      bytecodeOffset 177 0xb1 / 197
      line 301
      column 36
      jitType 3 <BaselineJIT> isOptimizingJIT 0
      hasCodeOrigins 0
}
frame 0x7fff509a6dd0 {
   name 'parseJS'
   sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/External/CodeMirror/javascript.js'
   isInlinedFrame 0
   callee 0x122b049b0
   returnPC 0x3f0ef6396aac
   callerFrame 0x7fff509a6ea0
   rawLocationBits 329 0x149
   codeBlock 0x7f8415baf210
      bytecodeOffset 329 0x149 / 480
      line 250
      column 19
      jitType 3 <BaselineJIT> isOptimizingJIT 0
      hasCodeOrigins 0
}
frame 0x7fff509a6ea0 {
   name 'token'
   sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/External/CodeMirror/javascript.js'
   isInlinedFrame 0
   callee 0x122b029b0
   returnPC 0x3f0ef63986c9
   callerFrame 0x7fff509a6f80
   rawLocationBits 2147483655 0x80000007
   codeBlock 0x7f8415e5c900
      codeOriginIdex 7 0x7 / 18
      line 610
      column 21
      jitType 4 <DFGJIT> isOptimizingJIT 1
      hasCodeOrigins 1
      jitCode 0x7f8415bf3ae0 start 0x3f0ef6395980 end 0x3f0ef6397560
}
frame 0x7fff509a6f80 {
   name 'extendedToken'
   sourceURL 'file:///Volumes/Data/ws5/OpenSource/WebKitBuild/Debug/WebInspectorUI.framework/Resources/Views/CodeMirrorAdditions.js'
   isInlinedFrame 1
   InlineCallFrame 0x7f840eb8cd20
   callee 0x122864d70
   returnPC 0x3f0ef62fe69b
   callerFrame 0x7fff509a6f80
   rawLocationBits 2147483651 0x80000003
   codeBlock 0x7f8415ba8dc0
...
```

The JS function we crashed in:

```
function JSLexical(indented, column, type, align, prev, info) {
    this.indented = indented;
    this.column = column;
    this.type = type;
    this.prev = prev;
    this.info = info;             // <=========== Crash on this assignment.
    if (align != null) this.align = align;
}
```

Found the root cause of the issue:

PutByID bytecodes used to be emitted as the following DFG nodes:

```
102:<!0:->  StoreBarrier(Check:KnownCell:@19, MustGen, W:SideState, bc#44)
 60:<!0:->  PutStructure(Check:KnownCell:@19, MustGen, %Co:Object -> %De:Object, W:JSCell_structureID,JSCell_indexingType,JSCell_typeInfoFlags,JSCell_typeInfoType, bc#44)
103:<!0:->  StoreBarrier(Check:KnownCell:@19, MustGen, W:SideState, bc#44)
 61:<!0:->  PutByOffset(Check:KnownCell:@19, Check:KnownCell:@19, @54, MustGen, id4{info}, 4, W:NamedProperties(4), bc#44)
```

With the change in 174025, they are now emitted as:

```
102:<!0:->  StoreBarrier(Check:KnownCell:@19, MustGen, W:SideState, bc#44)
 60:<!0:->  PutStructure(Check:KnownCell:@19, MustGen, %Co:Object -> %De:Object, W:JSCell_structureID,JSCell_indexingType,JSCell_typeInfoFlags,JSCell_typeInfoType, bc#44)
103:<!0:->  Check(Check:NotCell:@54, MustGen, bc#44)   // <=== The StoreBarrier has been elided and replaced with a speculation check which can OSR exit.
 61:<!0:->  PutByOffset(Check:KnownCell:@19, Check:KnownCell:@19, @54, MustGen, id4{info}, 4, W:NamedProperties(4), bc#44)
```

As a result, the structure change will get executed even if we end up OSR exiting before the PutByOffset. In the baseline JIT code, the structure now erroneously tells the put operation that there is a value in that property slot when it is actually uninitialized (hence, the crash).

Fix in progress ...

The fix is to insert the Check at the earliest point possible:

1. If the checked node is in the same bytecode as the PutByOffset, then the earliest point where we can insert the Check is right after the checked node.
2. If the checked node is from a preceding bytecode (before the PutByOffset), then the earliest point where we can insert the Check is at the start of the current bytecode.

Also reverted the workaround from r174749: https://webkit.org/b/137758.

Benchmark results appear to be a wash on aggregate:

VMs tested (based on a build of r174798):

Collected 4 samples per benchmark/VM, with 4 VM invocations per benchmark. Emitted a call to gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in milliseconds.

SunSpider:

| Benchmark | base | fix | |
|---|---|---|---|
| 3d-cube | 5.2593+-0.1976 | 5.2314+-0.1170 | |
| 3d-morph | 6.7344+-0.2151 | 6.5827+-0.1344 | might be 1.0231x faster |
| 3d-raytrace | 6.8160+-0.1613 ? | 6.8635+-0.0363 ? | |
| access-binary-trees | 2.2632+-0.1377 | 2.1836+-0.0393 | might be 1.0365x faster |
| access-fannkuch | 6.2303+-0.3647 | 6.1520+-0.1743 | might be 1.0127x faster |
| access-nbody | 3.1624+-0.0567 | 3.0806+-0.0834 | might be 1.0266x faster |
| access-nsieve | 4.3408+-0.4351 | 4.2625+-0.3515 | might be 1.0184x faster |
| bitops-3bit-bits-in-byte | 1.8014+-0.0617 | 1.7908+-0.0612 | |
| bitops-bits-in-byte | 3.7362+-0.2584 | 3.6378+-0.1438 | might be 1.0271x faster |
| bitops-bitwise-and | 2.3635+-0.0983 | 2.2733+-0.1645 | might be 1.0397x faster |
| bitops-nsieve-bits | 4.0065+-0.1090 ? | 4.0109+-0.1858 ? | |
| controlflow-recursive | 2.4164+-0.1066 ? | 2.4298+-0.0759 ? | |
| crypto-aes | 4.5332+-0.3323 | 4.4337+-0.0983 | might be 1.0225x faster |
| crypto-md5 | 2.6685+-0.1413 ? | 2.7255+-0.0798 ? | might be 1.0213x slower |
| crypto-sha1 | 2.8146+-0.0589 | 2.8013+-0.0319 | |
| date-format-tofte | 10.4015+-0.6676 ? | 10.4100+-0.4387 ? | |
| date-format-xparb | 5.8408+-0.8912 | 5.6798+-0.4522 | might be 1.0283x faster |
| math-cordic | 3.4100+-0.1352 ? | 3.4603+-0.2081 ? | might be 1.0147x slower |
| math-partial-sums | 5.5235+-0.1539 ? | 5.5563+-0.3833 ? | |
| math-spectral-norm | 2.1401+-0.0260 ? | 2.1782+-0.0389 ? | might be 1.0178x slower |
| regexp-dna | 7.5696+-0.2302 | 7.5480+-0.2394 | |
| string-base64 | 4.4603+-0.0770 ? | 4.5673+-0.2249 ? | might be 1.0240x slower |
| string-fasta | 6.9024+-0.2143 | 6.8079+-0.2507 | might be 1.0139x faster |
| string-tagcloud | 10.5628+-0.2887 | 10.4528+-0.5586 | might be 1.0105x faster |
| string-unpack-code | 22.1400+-0.3966 | 21.9800+-0.5146 | |
| string-validate-input | 4.9505+-0.3575 ? | 5.1740+-0.4526 ? | might be 1.0451x slower |
| `<arithmetic>` * | 5.5019+-0.0456 | 5.4721+-0.0909 | might be 1.0054x faster |
| `<geometric>` | 4.5889+-0.0313 | 4.5648+-0.0461 | might be 1.0053x faster |
| `<harmonic>` | 3.9687+-0.0148 | 3.9462+-0.0226 | might be 1.0057x faster |

LongSpider:

| Benchmark | base | fix | |
|---|---|---|---|
| 3d-cube | 909.7713+-41.4006 | 891.1771+-1.2888 | might be 1.0209x faster |
| 3d-morph | 1651.4618+-66.8710 | 1623.7175+-7.2305 | might be 1.0171x faster |
| 3d-raytrace | 805.1076+-22.1194 | 794.7255+-6.9251 | might be 1.0131x faster |
| access-binary-trees | 1034.6094+-8.5233 ? | 1035.7241+-8.5454 ? | |
| access-fannkuch | 345.8102+-13.0745 ? | 360.1252+-8.0894 ? | might be 1.0414x slower |
| access-nbody | 679.1992+-2.5817 ^ | 657.0374+-3.3638 ^ | definitely 1.0337x faster |
| access-nsieve | 910.9268+-5.2692 | 908.7668+-9.1563 | |
| bitops-3bit-bits-in-byte | 49.9352+-1.4126 ? | 50.1774+-1.1747 ? | |
| bitops-bits-in-byte | 109.7780+-5.0817 ? | 110.0837+-3.4510 ? | |
| bitops-nsieve-bits | 775.5458+-19.3485 | 769.1240+-7.5889 | |
| controlflow-recursive | 535.8005+-1.5741 ? | 537.5239+-4.0549 ? | |
| crypto-aes | 714.8853+-1.5094 | 714.6979+-1.6753 | |
| crypto-md5 | 651.8590+-6.0930 | 651.6053+-7.4265 | |
| crypto-sha1 | 713.9590+-22.1801 ? | 735.7139+-0.9615 ? | might be 1.0305x slower |
| date-format-tofte | 843.5130+-5.2038 ! | 887.3766+-37.1911 ! | definitely 1.0520x slower |
| date-format-xparb | 777.2550+-80.9931 ? | 795.1168+-34.4671 ? | might be 1.0230x slower |
| math-cordic | 634.6334+-1.1157 | 633.9984+-2.4558 | |
| math-partial-sums | 570.4352+-2.1086 ? | 573.6301+-9.6903 ? | |
| math-spectral-norm | 606.3718+-1.4960 ! | 623.8643+-4.7735 ! | definitely 1.0288x slower |
| string-base64 | 366.2111+-3.9877 | 362.7953+-6.4375 | |
| string-fasta | 455.9738+-7.3909 ? | 456.9239+-3.3807 ? | |
| string-tagcloud | 230.6552+-4.2497 | 229.1937+-2.5320 | |
| `<arithmetic>` | 653.3499+-5.4655 ? | 654.6863+-2.2650 ? | might be 1.0020x slower |
| `<geometric>` * | 536.4561+-4.0018 ? | 538.4663+-1.6117 ? | might be 1.0037x slower |
| `<harmonic>` | 350.7402+-4.5187 ? | 352.2773+-3.3702 ? | might be 1.0044x slower |

V8Spider:

| Benchmark | base | fix | |
|---|---|---|---|
| crypto | 60.1417+-0.7537 ? | 60.5637+-1.1530 ? | |
| deltablue | 95.9276+-1.0828 | 95.5020+-1.2122 | |
| earley-boyer | 46.8889+-1.0808 ? | 47.6956+-1.3054 ? | might be 1.0172x slower |
| raytrace | 35.9495+-0.6895 ^ | 33.5833+-1.0869 ^ | definitely 1.0705x faster |
| regexp | 66.7947+-2.0093 ? | 67.3785+-2.8641 ? | |
| richards | 110.1313+-4.4633 ^ | 98.2770+-2.4137 ^ | definitely 1.1206x faster |
| splay | 31.9075+-1.3643 ? | 33.3975+-1.8585 ? | might be 1.0467x slower |
| `<arithmetic>` | 63.9630+-0.7525 | 62.3425+-1.0254 | might be 1.0260x faster |
| `<geometric>` * | 58.2699+-0.5575 | 57.3772+-1.1025 | might be 1.0156x faster |
| `<harmonic>` | 53.1858+-0.6933 | 52.7439+-1.2236 | might be 1.0084x faster |

Octane:

| Benchmark | base | fix | |
|---|---|---|---|
| encrypt | 0.23572+-0.00035 ? | 0.24109+-0.00966 ? | might be 1.0228x slower |
| decrypt | 4.21976+-0.01098 | 4.19839+-0.01405 | |
| deltablue x2 | 0.21375+-0.00175 | 0.21151+-0.00344 | might be 1.0106x faster |
| earley | 0.73949+-0.00789 ? | 0.74414+-0.01053 ? | |
| boyer | 5.33969+-0.02036 | 5.32947+-0.02097 | |
| navier-stokes x2 | 5.52504+-0.00786 ? | 5.53581+-0.02912 ? | |
| raytrace x2 | 1.20483+-0.02214 | 1.20422+-0.01432 | |
| richards x2 | 0.13560+-0.00171 ^ | 0.12807+-0.00403 ^ | definitely 1.0588x faster |
| splay x2 | 0.40295+-0.00587 | 0.40194+-0.00135 | |
| regexp x2 | 34.72269+-0.30720 ? | 34.86035+-0.33212 ? | |
| pdfjs x2 | 54.23336+-0.35151 ? | 54.34708+-1.07715 ? | |
| mandreel x2 | 58.23105+-0.73499 ? | 58.59521+-1.56389 ? | |
| gbemu x2 | 50.53446+-0.64863 ^ | 48.46445+-0.40203 ^ | definitely 1.0427x faster |
| closure | 0.63866+-0.00562 | 0.63605+-0.00386 | |
| jquery | 8.10849+-0.03983 | 8.08814+-0.04950 | |
| box2d x2 | 15.66741+-0.05539 ^ | 15.16280+-0.37548 ^ | definitely 1.0333x faster |
| zlib x2 | 504.66252+-2.94226 | 495.74579+-29.64051 | might be 1.0180x faster |
| typescript x2 | 903.66840+-3.09708 | 895.61450+-9.65144 | |
| `<arithmetic>` | 109.25620+-0.21744 | 107.99269+-2.11240 | might be 1.0117x faster |
| `<geometric>` * | 7.51899+-0.01624 | 7.44370+-0.07130 | might be 1.0101x faster |
| `<harmonic>` | 0.76721+-0.00358 ^ | 0.75009+-0.01260 ^ | definitely 1.0228x faster |

Kraken:

| Benchmark | base | fix | |
|---|---|---|---|
| ai-astar | 366.416+-2.064 | 361.698+-9.844 | might be 1.0130x faster |
| audio-beat-detection | 121.866+-1.506 | 120.170+-0.884 | might be 1.0141x faster |
| audio-dft | 157.122+-3.536 ? | 158.341+-1.750 ? | |
| audio-fft | 83.179+-0.468 | 83.062+-0.582 | |
| audio-oscillator | 252.475+-1.676 ! | 257.377+-1.232 ! | definitely 1.0194x slower |
| imaging-darkroom | 189.649+-0.771 ? | 194.979+-16.588 ? | might be 1.0281x slower |
| imaging-desaturate | 68.949+-0.923 ! | 71.450+-0.255 ! | definitely 1.0363x slower |
| imaging-gaussian-blur | 118.534+-1.245 ! | 120.870+-1.046 ! | definitely 1.0197x slower |
| json-parse-financial | 49.126+-2.077 | 47.670+-1.320 | might be 1.0306x faster |
| json-stringify-tinderbox | 62.843+-1.533 ? | 63.490+-1.384 ? | might be 1.0103x slower |
| stanford-crypto-aes | 62.040+-0.919 ? | 62.417+-0.530 ? | |
| stanford-crypto-ccm | 58.082+-11.275 ? | 58.444+-9.093 ? | |
| stanford-crypto-pbkdf2 | 181.050+-1.043 | 180.335+-0.917 | |
| stanford-crypto-sha256-iterative | 58.486+-1.842 | 57.111+-2.300 | might be 1.0241x faster |
| `<arithmetic>` * | 130.701+-1.054 ? | 131.244+-2.203 ? | might be 1.0042x slower |
| `<geometric>` | 107.280+-1.643 ? | 107.644+-2.054 ? | might be 1.0034x slower |
| `<harmonic>` | 90.961+-2.089 ? | 91.047+-2.152 ? | might be 1.0010x slower |

JSRegress:

| Benchmark | base | fix | |
|---|---|---|---|
| abs-boolean | 2.9046+-0.0695 | 2.8672+-0.0866 | might be 1.0130x faster |
| adapt-to-double-divide | 17.9116+-0.6985 | 17.7980+-0.3300 | |
| aliased-arguments-getbyval | 1.1300+-0.3348 | 1.0265+-0.0485 | might be 1.1008x faster |
| allocate-big-object | 2.3820+-0.1372 | 2.3240+-0.1205 | might be 1.0250x faster |
| arity-mismatch-inlining | 0.9664+-0.0426 ? | 0.9718+-0.0427 ? | |
| array-access-polymorphic-structure | 6.2885+-0.0629 ? | 6.8120+-0.6350 ? | might be 1.0832x slower |
| array-nonarray-polymorhpic-access | 37.6785+-1.5426 | 37.6713+-1.2623 | |
| array-prototype-every | 80.0132+-2.1330 ? | 80.3256+-2.0835 ? | |
| array-prototype-forEach | 78.4815+-1.7680 | 78.2956+-1.6721 | |
| array-prototype-map | 101.1068+-1.4184 | 99.5477+-2.2147 | might be 1.0157x faster |
| array-prototype-some | 80.6202+-1.8335 | 79.9163+-2.2101 | |
| array-splice-contiguous | 44.1169+-2.2618 ? | 45.2592+-3.6247 ? | might be 1.0259x slower |
| array-with-double-add | 4.3777+-0.2191 ? | 4.4830+-0.2119 ? | might be 1.0241x slower |
| array-with-double-increment | 3.5120+-0.1636 ? | 3.5171+-0.1583 ? | |
| array-with-double-mul-add | 5.3145+-0.2154 ? | 5.4254+-0.2675 ? | might be 1.0209x slower |
| array-with-double-sum | 3.4752+-0.1590 ? | 3.5688+-0.1051 ? | might be 1.0269x slower |
| array-with-int32-add-sub | 7.2640+-0.3553 | 7.2554+-0.2061 | |
| array-with-int32-or-double-sum | 3.5073+-0.0504 ? | 3.5676+-0.2214 ? | might be 1.0172x slower |
| ArrayBuffer-DataView-alloc-large-long-lived | 34.3277+-1.9830 | 34.0013+-1.3292 | |
| ArrayBuffer-DataView-alloc-long-lived | 13.6130+-0.3740 ? | 13.8604+-0.2785 ? | might be 1.0182x slower |
| ArrayBuffer-Int32Array-byteOffset | 3.6931+-0.1287 ? | 3.7339+-0.1771 ? | might be 1.0111x slower |
| ArrayBuffer-Int8Array-alloc-large-long-lived | 34.8677+-0.8045 ? | 35.5499+-1.7389 ? | might be 1.0196x slower |
| ArrayBuffer-Int8Array-alloc-long-lived-buffer | 22.4033+-0.7799 ? | 22.8447+-1.2871 ? | might be 1.0197x slower |
| ArrayBuffer-Int8Array-alloc-long-lived | 12.9410+-0.8804 ? | 12.9647+-0.8913 ? | |
| ArrayBuffer-Int8Array-alloc | 11.4065+-1.2382 ? | 11.4803+-1.1937 ? | |
| asmjs_bool_bug | 7.8690+-0.2078 ? | 7.9124+-0.5612 ? | |
| assign-custom-setter-polymorphic | 3.3134+-0.1468 ? | 3.3469+-0.1063 ? | might be 1.0101x slower |
| assign-custom-setter | 4.6303+-0.0623 ? | 4.9530+-0.6775 ? | might be 1.0697x slower |
| basic-set | 11.1368+-0.6165 ? | 11.2755+-0.4035 ? | might be 1.0125x slower |
| big-int-mul | 4.5146+-0.2625 | 4.3066+-0.1982 | might be 1.0483x faster |
| boolean-test | 3.2029+-0.0816 | 3.1763+-0.0948 | |
| branch-fold | 4.0502+-0.2089 | 4.0031+-0.0925 | might be 1.0118x faster |
| by-val-generic | 8.4173+-0.2524 ? | 8.8862+-0.2277 ? | might be 1.0557x slower |
| call-spread-apply | 14.6721+-0.3858 | 14.5281+-0.3228 | |
| call-spread-call | 6.5933+-0.0562 | 6.4957+-0.1395 | might be 1.0150x faster |
| captured-assignments | 0.5887+-0.0040 ? | 0.6013+-0.0159 ? | might be 1.0214x slower |
| cast-int-to-double | 5.7539+-0.1441 | 5.7111+-0.1125 | |
| cell-argument | 8.8278+-0.3712 ? | 8.8533+-0.2045 ? | |
| cfg-simplify | 3.1241+-0.0963 ? | 3.2176+-0.1925 ? | might be 1.0299x slower |
| chain-getter-access | 10.6481+-0.2345 ? | 10.8033+-0.4484 ? | might be 1.0146x slower |
| cmpeq-obj-to-obj-other | 10.6615+-0.1393 | 10.6274+-0.0699 | |
| constant-test | 5.3439+-0.1259 | 5.2516+-0.0882 | might be 1.0176x faster |
| DataView-custom-properties | 38.8737+-2.1980 | 38.2969+-0.7704 | might be 1.0151x faster |
| delay-tear-off-arguments-strictmode | 2.8297+-0.0572 ? | 2.8743+-0.1886 ? | might be 1.0157x slower |
| destructuring-arguments | 5.6000+-0.0434 | 5.5751+-0.0234 | |
| destructuring-swap | 5.6008+-0.2248 | 5.5471+-0.1283 | |
| direct-arguments-getbyval | 1.0400+-0.0949 ? | 1.0966+-0.0575 ? | might be 1.0544x slower |
| div-boolean-double | 5.6016+-0.2371 | 5.5225+-0.0997 | might be 1.0143x faster |
| div-boolean | 8.4629+-0.3260 | 8.4599+-0.3059 | |
| double-get-by-val-out-of-bounds | 4.6229+-0.4102 | 4.4782+-0.1949 | might be 1.0323x faster |
| double-pollution-getbyval | 9.5883+-0.3201 | 9.5860+-0.2409 | |
| double-pollution-putbyoffset | 4.2971+-0.1304 ? | 4.4042+-0.0762 ? | might be 1.0249x slower |
| double-to-int32-typed-array-no-inline | 2.5237+-0.1215 | 2.4988+-0.1032 | |
| double-to-int32-typed-array | 2.0917+-0.0636 ? | 2.1592+-0.0865 ? | might be 1.0323x slower |
| double-to-uint32-typed-array-no-inline | 2.4888+-0.1098 ? | 2.5784+-0.1548 ? | might be 1.0360x slower |
| double-to-uint32-typed-array | 2.1835+-0.1216 ? | 2.2172+-0.1098 ? | might be 1.0154x slower |
| elidable-new-object-dag | 41.5396+-2.2017 ? | 41.5440+-1.3863 ? | |
| elidable-new-object-roflcopter | 156.1923+-0.8386 | 155.7128+-0.6746 | |
| elidable-new-object-then-call | 38.1965+-4.7559 ? | 39.3387+-2.2750 ? | might be 1.0299x slower |
| elidable-new-object-tree | 43.4537+-0.9756 ? | 43.8480+-0.8359 ? | |
| empty-string-plus-int | 5.3450+-0.1984 ? | 5.4205+-0.2977 ? | might be 1.0141x slower |
| emscripten-cube2hash | 38.8495+-0.7183 | 38.5560+-2.2071 | |
| external-arguments-getbyval | 1.5338+-0.1284 ? | 1.5651+-0.1114 ? | might be 1.0205x slower |
| external-arguments-putbyval | 2.2229+-0.0549 ? | 2.2557+-0.1608 ? | might be 1.0148x slower |
| fixed-typed-array-storage-var-index | 1.4821+-0.1122 | 1.4611+-0.0372 | might be 1.0144x faster |
| fixed-typed-array-storage | 1.0651+-0.0971 ? | 1.0850+-0.0978 ? | might be 1.0186x slower |
| Float32Array-matrix-mult | 4.8337+-0.6079 | 4.6607+-0.1049 | might be 1.0371x faster |
| Float32Array-to-Float64Array-set | 59.5255+-1.9354 | 59.0356+-1.4275 | |
| Float64Array-alloc-long-lived | 66.8747+-0.5658 | 66.5723+-0.9233 | |
| Float64Array-to-Int16Array-set | 76.0088+-2.6403 ? | 77.5179+-1.3650 ? | might be 1.0199x slower |
| fold-double-to-int | 13.9878+-0.6072 ? | 14.3707+-0.3376 ? | might be 1.0274x slower |
| fold-get-by-id-to-multi-get-by-offset-rare-int | 19.5161+-1.2434 ? | 19.9683+-0.9491 ? | might be 1.0232x slower |
| fold-get-by-id-to-multi-get-by-offset | 20.2629+-1.4064 | 20.1324+-0.7541 | |
| fold-multi-get-by-offset-to-get-by-offset | 14.7375+-0.3091 | 14.5597+-0.3599 | might be 1.0122x faster |
| fold-multi-get-by-offset-to-poly-get-by-offset | 15.0290+-0.2751 | 14.8520+-0.2005 | might be 1.0119x faster |
| fold-multi-put-by-offset-to-poly-put-by-offset | 14.9886+-0.2002 ^ | 14.5475+-0.1781 ^ | definitely 1.0303x faster |
| fold-multi-put-by-offset-to-put-by-offset | 12.8365+-0.1518 | 12.6541+-0.3505 | might be 1.0144x faster |
| fold-multi-put-by-offset-to-replace-or-transition-put-by-offset | 16.2608+-0.7615 ? | 16.2891+-0.6325 ? | |
| fold-put-by-id-to-multi-put-by-offset | 20.7757+-0.6432 | 20.6923+-1.3228 | |
| fold-put-structure | 12.9673+-0.1412 ? | 12.9897+-0.1496 ? | |
| for-of-iterate-array-entries | 5.9905+-0.2533 ? | 6.1683+-0.3910 ? | might be 1.0297x slower |
| for-of-iterate-array-keys | 3.2300+-0.1607 | 3.1245+-0.1365 | might be 1.0338x faster |
| for-of-iterate-array-values | 2.7481+-0.0990 ^ | 2.5673+-0.0428 ^ | definitely 1.0704x faster |
| fround | 20.9366+-0.7398 ^ | 19.5784+-0.4955 ^ | definitely 1.0694x faster |
| ftl-library-inlining-dataview | 74.8863+-0.8824 ? | 75.1863+-3.4794 ? | |
| ftl-library-inlining | 99.5927+-46.9881 ? | 102.0276+-52.9366 ? | might be 1.0244x slower |
| function-dot-apply | 1.6519+-0.0526 ? | 1.6742+-0.0573 ? | might be 1.0135x slower |
| function-test | 3.5430+-0.2045 | 3.5167+-0.1284 | |
| function-with-eval | 120.8934+-5.5986 ? | 120.9648+-5.8090 ? | |
| gcse-poly-get-less-obvious | 22.0850+-4.0193 | 20.4798+-1.9696 | might be 1.0784x faster |
| gcse-poly-get | 25.4014+-6.9070 | 24.8161+-3.2729 | might be 1.0236x faster |
| gcse | 4.5822+-0.3231 ? | 5.0309+-0.3751 ? | might be 1.0979x slower |
| get-by-id-bimorphic-check-structure-elimination-simple | 2.9103+-0.1541 ? | 3.2197+-0.2073 ? | might be 1.1063x slower |
| get-by-id-bimorphic-check-structure-elimination | 6.5918+-0.2796 ? | 6.8137+-0.5745 ? | might be 1.0337x slower |
| get-by-id-chain-from-try-block | 9.6505+-0.4071 | 9.2244+-0.0989 | might be 1.0462x faster |
| get-by-id-check-structure-elimination | 5.3303+-0.1032 ? | 5.3651+-0.0838 ? | |
| get-by-id-proto-or-self | 18.2578+-0.8305 | 18.0987+-1.5031 | |
| get-by-id-quadmorphic-check-structure-elimination-simple | 3.3719+-0.1125 ? | 3.4268+-0.1772 ? | might be 1.0163x slower |
| get-by-id-self-or-proto | 19.0322+-1.1925 | 18.6492+-0.3646 | might be 1.0205x faster |
| get-by-val-out-of-bounds | 4.4182+-0.5876 | 4.3723+-0.2746 | might be 1.0105x faster |
| get_callee_monomorphic | 3.8092+-0.0548 ? | 3.8649+-0.8966 ? | might be 1.0146x slower |
| get_callee_polymorphic | 3.6069+-0.3501 ? | 3.6873+-0.5975 ? | might be 1.0223x slower |
| getter-no-activation | 5.5087+-0.0284 ? | 5.5539+-0.1525 ? | |
| getter-richards | 143.4024+-3.4165 | 134.5381+-5.8983 | might be 1.0659x faster |
| getter | 5.6376+-0.4906 | 5.5776+-0.3866 | might be 1.0107x faster |
| global-var-const-infer-fire-from-opt | 1.1368+-0.2958 | 1.1025+-0.1825 | might be 1.0311x faster |
| global-var-const-infer | 1.2357+-0.2881 | 1.1119+-0.0646 | might be 1.1113x faster |
| HashMap-put-get-iterate-keys | 27.8543+-0.3644 ? | 27.8900+-1.0916 ? | |
| HashMap-put-get-iterate | 28.8660+-1.2289 | 28.2205+-0.4301 | might be 1.0229x faster |
| HashMap-string-put-get-iterate | 26.9251+-0.2626 ? | 27.4424+-1.1430 ? | might be 1.0192x slower |
| hoist-make-rope | 11.1230+-0.5568 ? | 11.7859+-0.8235 ? | might be 1.0596x slower |
| hoist-poly-check-structure-effectful-loop | 5.3917+-0.1689 ? | 5.4487+-0.1748 ? | might be 1.0106x slower |
| hoist-poly-check-structure | 4.0930+-0.0719 ? | 4.1097+-0.1453 ? | |
| imul-double-only | 8.6276+-2.4438 | 7.6853+-0.7394 | might be 1.1226x faster |
| imul-int-only | 9.9036+-0.8605 | 9.7900+-0.5837 | might be 1.0116x faster |
| imul-mixed | 7.7981+-0.2088 ? | 8.0478+-0.7758 ? | might be 1.0320x slower |
| in-four-cases | 20.7560+-0.6594 | 20.4482+-0.3098 | might be 1.0151x faster |
| in-one-case-false | 10.8998+-0.2533 ? | 10.9473+-0.1537 ? | |
| in-one-case-true | 10.7655+-0.2068 ? | 10.8900+-0.2737 ? | might be 1.0116x slower |
| in-two-cases | 11.2731+-0.2297 ? | 11.3483+-0.0917 ? | |
| indexed-properties-in-objects | 3.3524+-0.0693 ^ | 3.1743+-0.1027 ^ | definitely 1.0561x faster |
| infer-closure-const-then-mov-no-inline | 3.9322+-0.0540 ? | 3.9429+-0.0850 ? | |
| infer-closure-const-then-mov | 21.3298+-1.5117 | 21.0990+-1.1821 | might be 1.0109x faster |
| infer-closure-const-then-put-to-scope-no-inline | 11.6750+-0.4476 ? | 11.8330+-0.4868 ? | might be 1.0135x slower |
| infer-closure-const-then-put-to-scope | 23.1090+-0.6700 | 23.0232+-1.1283 | |
| infer-closure-const-then-reenter-no-inline | 51.8533+-0.9239 ? | 52.4043+-1.1039 ? | |
might be 1.0106x slower infer-closure-const-then-reenter 23.0754+-1.2916 22.9355+-1.0139 infer-constant-global-property 3.7462+-0.0765 3.7457+-0.0346 infer-constant-property 2.8824+-0.1339 2.8339+-0.0309 might be 1.0171x faster infer-one-time-closure-ten-vars 12.7078+-0.1522 ? 12.9315+-0.3147 ? might be 1.0176x slower infer-one-time-closure-two-vars 12.7789+-0.0380 12.5913+-0.5429 might be 1.0149x faster infer-one-time-closure 12.6867+-0.3456 12.3888+-0.3981 might be 1.0240x faster infer-one-time-deep-closure 21.9045+-1.1867 21.6550+-1.0125 might be 1.0115x faster inline-arguments-access 1.5640+-0.0120 ? 1.5988+-0.0312 ? might be 1.0222x slower inline-arguments-aliased-access 1.8273+-0.0392 ? 1.8313+-0.0736 ? inline-arguments-local-escape 11.5682+-0.3473 11.5118+-0.4805 inline-get-scoped-var 4.9287+-0.2751 ? 5.0033+-0.3203 ? might be 1.0151x slower inlined-put-by-id-transition 9.2396+-0.5791 ? 9.2911+-0.9566 ? int-or-other-abs-then-get-by-val 5.4005+-0.0369 5.3276+-0.0531 might be 1.0137x faster int-or-other-abs-zero-then-get-by-val 18.6232+-1.7053 18.1973+-0.6462 might be 1.0234x faster int-or-other-add-then-get-by-val 4.4914+-0.0882 ? 4.7622+-0.4629 ? might be 1.0603x slower int-or-other-add 5.6931+-0.0636 ? 5.7339+-0.2811 ? int-or-other-div-then-get-by-val 4.6726+-0.1458 4.6234+-0.1698 might be 1.0106x faster int-or-other-max-then-get-by-val 4.8451+-0.1773 4.8084+-0.2252 int-or-other-min-then-get-by-val 4.8564+-0.2569 ? 4.9720+-0.5102 ? might be 1.0238x slower int-or-other-mod-then-get-by-val 4.2228+-0.1085 4.2192+-0.1290 int-or-other-mul-then-get-by-val 4.2392+-0.1110 4.1382+-0.0515 might be 1.0244x faster int-or-other-neg-then-get-by-val 5.2563+-0.1194 ? 5.3315+-0.2843 ? 
might be 1.0143x slower int-or-other-neg-zero-then-get-by-val 18.3541+-0.4172 18.2219+-0.3889 int-or-other-sub-then-get-by-val 4.6967+-0.2798 4.6279+-0.2128 might be 1.0149x faster int-or-other-sub 3.8687+-0.0717 3.8431+-0.1884 int-overflow-local 4.7060+-0.1726 4.6503+-0.0618 might be 1.0120x faster Int16Array-alloc-long-lived 48.8392+-1.0708 ? 49.7770+-1.4597 ? might be 1.0192x slower Int16Array-bubble-sort-with-byteLength 22.3328+-1.1916 ? 22.4177+-1.0566 ? Int16Array-bubble-sort 22.3277+-0.8133 ? 22.7411+-0.9208 ? might be 1.0185x slower Int16Array-load-int-mul 1.6884+-0.0623 ? 1.6915+-0.0769 ? Int16Array-to-Int32Array-set 55.1708+-1.1861 ? 55.2273+-1.8713 ? Int32Array-alloc-large 23.1280+-1.4205 23.0352+-1.3000 Int32Array-alloc-long-lived 54.5508+-1.0548 53.5994+-0.6963 might be 1.0177x faster Int32Array-alloc 2.4751+-0.1042 ? 2.5237+-0.1768 ? might be 1.0197x slower Int32Array-Int8Array-view-alloc 6.4507+-0.5487 ? 6.5375+-0.3576 ? might be 1.0135x slower int52-spill 7.0376+-0.2627 6.7969+-0.1778 might be 1.0354x faster Int8Array-alloc-long-lived 44.9936+-1.9103 ? 45.9047+-0.5472 ? might be 1.0203x slower Int8Array-load-with-byteLength 3.7342+-0.0677 3.6810+-0.1111 might be 1.0145x faster Int8Array-load 3.6348+-0.0804 3.5729+-0.0988 might be 1.0173x faster integer-divide 12.7755+-0.1487 12.5762+-0.5208 might be 1.0158x faster integer-modulo 2.4581+-0.0845 ? 2.4783+-0.1347 ? large-int-captured 6.4824+-0.1809 ? 6.6360+-0.5753 ? might be 1.0237x slower large-int-neg 17.2869+-0.7769 ? 17.3543+-0.6073 ? large-int 16.4446+-0.8811 16.1585+-0.6484 might be 1.0177x faster logical-not 5.0000+-0.1147 4.8985+-0.0465 might be 1.0207x faster lots-of-fields 9.6356+-0.2344 9.5302+-0.3939 might be 1.0111x faster make-indexed-storage 3.2197+-0.2027 2.9215+-0.2639 might be 1.1021x faster make-rope-cse 3.3561+-0.1926 ? 3.5200+-0.5297 ? might be 1.0488x slower marsaglia-larger-ints 41.3053+-1.9882 ? 41.4108+-1.5906 ? marsaglia-osr-entry 23.5760+-0.3970 ? 23.9681+-1.2116 ? 
might be 1.0166x slower max-boolean 2.8080+-0.1429 2.8065+-0.0173 method-on-number 18.7023+-0.4895 18.6547+-0.5054 min-boolean 2.7753+-0.0666 ? 2.8679+-0.2109 ? might be 1.0333x slower minus-boolean-double 3.3260+-0.0354 ? 3.4402+-0.1315 ? might be 1.0343x slower minus-boolean 2.7300+-0.1385 ? 2.8983+-0.8639 ? might be 1.0616x slower misc-strict-eq 40.6079+-0.7685 39.8469+-1.1326 might be 1.0191x faster mod-boolean-double 11.7131+-0.1989 ? 11.7495+-0.2576 ? mod-boolean 8.3757+-0.3269 8.3592+-0.1476 mul-boolean-double 3.9610+-0.1584 ? 4.0312+-0.2221 ? might be 1.0177x slower mul-boolean 3.0738+-0.1343 ? 3.1016+-0.1468 ? neg-boolean 3.3363+-0.0583 ? 3.3535+-0.0891 ? negative-zero-divide 0.4205+-0.0184 ? 0.4387+-0.0321 ? might be 1.0434x slower negative-zero-modulo 0.4285+-0.0210 0.4278+-0.0086 negative-zero-negate 0.4011+-0.0325 ? 0.4029+-0.0293 ? nested-function-parsing 22.8452+-0.9366 22.3411+-0.3169 might be 1.0226x faster new-array-buffer-dead 2.9957+-0.0847 2.9596+-0.1943 might be 1.0122x faster new-array-buffer-push 6.7879+-0.2935 ? 7.0552+-0.5045 ? might be 1.0394x slower new-array-dead 13.0152+-0.8124 ? 13.2318+-0.4783 ? might be 1.0166x slower new-array-push 5.2183+-0.4647 5.2147+-0.2540 number-test 3.3240+-0.5339 3.2236+-0.1270 might be 1.0312x faster object-closure-call 6.2962+-0.1356 ? 6.2972+-0.2087 ? object-test 3.3969+-0.2575 3.2592+-0.1410 might be 1.0423x faster obvious-sink-pathology-taken 132.1270+-1.5420 131.7426+-0.6623 obvious-sink-pathology 127.5347+-1.7843 126.3380+-1.6179 obviously-elidable-new-object 35.0526+-1.2462 ? 35.3226+-1.9271 ? plus-boolean-arith 2.6434+-0.0461 ? 2.7526+-0.1684 ? might be 1.0413x slower plus-boolean-double 3.4545+-0.1323 3.3889+-0.0817 might be 1.0193x faster plus-boolean 2.7292+-0.1344 2.6693+-0.0435 might be 1.0225x faster poly-chain-access-different-prototypes-simple 3.4988+-0.1129 ? 3.5765+-0.2169 ? might be 1.0222x slower poly-chain-access-different-prototypes 2.7062+-0.2216 ? 2.8676+-0.4643 ? 
might be 1.0596x slower poly-chain-access-simpler 3.6563+-0.2365 3.5656+-0.1999 might be 1.0255x faster poly-chain-access 3.0215+-0.1105 2.9425+-0.0894 might be 1.0269x faster poly-stricteq 60.6795+-1.6419 60.5393+-1.2972 polymorphic-array-call 1.8705+-0.1201 ? 1.9048+-0.1652 ? might be 1.0184x slower polymorphic-get-by-id 3.3312+-0.1041 ! 3.6921+-0.0733 ! definitely 1.1083x slower polymorphic-put-by-id 40.9852+-10.0612 ? 41.9191+-18.9945 ? might be 1.0228x slower polymorphic-structure 16.4787+-0.3948 ? 16.6736+-0.5978 ? might be 1.0118x slower polyvariant-monomorphic-get-by-id 9.1137+-0.1854 ? 9.2126+-0.1504 ? might be 1.0109x slower proto-getter-access 10.9146+-0.3937 10.7380+-0.5948 might be 1.0164x faster put-by-id-replace-and-transition 8.7263+-0.5306 8.5543+-0.1700 might be 1.0201x faster put-by-id-slightly-polymorphic 3.1579+-0.1625 ? 4.9968+-3.3247 ? might be 1.5823x slower put-by-id 13.2108+-1.9621 12.8184+-0.5394 might be 1.0306x faster put-by-val-direct 0.6732+-0.0593 ? 0.6746+-0.0392 ? put-by-val-large-index-blank-indexing-type 5.5708+-0.3755 ? 5.6179+-0.5759 ? put-by-val-machine-int 2.5605+-0.1386 2.5135+-0.1362 might be 1.0187x faster rare-osr-exit-on-local 16.6575+-0.9041 ? 16.6742+-0.2586 ? register-pressure-from-osr 22.8373+-0.4640 ? 22.8668+-0.8697 ? setter 5.8544+-0.0626 5.7621+-0.0817 might be 1.0160x faster simple-activation-demo 27.2723+-3.3950 26.6450+-0.6693 might be 1.0235x faster simple-getter-access 13.6547+-0.3664 ? 13.9150+-0.3314 ? might be 1.0191x slower simple-poly-call-nested 17.5310+-0.9157 17.4284+-0.8523 simple-poly-call 1.4891+-0.0608 1.4786+-0.0719 sin-boolean 21.2623+-2.1690 ? 23.2950+-1.3898 ? might be 1.0956x slower sinkable-new-object-dag 69.7457+-1.3466 69.0088+-1.6926 might be 1.0107x faster sinkable-new-object-taken 55.2547+-1.6721 ? 55.6985+-3.7662 ? sinkable-new-object 39.0153+-0.7447 38.7482+-1.2489 slow-array-profile-convergence 3.0556+-0.4349 ? 3.1131+-0.3507 ? 
might be 1.0188x slower slow-convergence 3.5975+-0.2365 3.5290+-0.1546 might be 1.0194x faster sparse-conditional 1.3140+-0.0586 1.2889+-0.0574 might be 1.0194x faster splice-to-remove 17.5563+-2.1044 17.1227+-0.5562 might be 1.0253x faster string-char-code-at 17.6280+-0.4940 ? 17.8255+-0.3266 ? might be 1.0112x slower string-concat-object 1.9670+-0.1882 1.9067+-0.0773 might be 1.0316x faster string-concat-pair-object 1.8524+-0.0554 ? 1.9092+-0.1388 ? might be 1.0307x slower string-concat-pair-simple 10.7057+-1.0407 10.6650+-0.1522 string-concat-simple 11.0443+-0.5514 ? 11.2291+-0.3702 ? might be 1.0167x slower string-cons-repeat 6.6663+-0.2498 6.4638+-0.2870 might be 1.0313x faster string-cons-tower 6.7377+-0.2266 6.6749+-0.1900 string-equality 18.9377+-1.6938 ? 19.1188+-1.9058 ? string-get-by-val-big-char 7.2045+-0.6313 7.0311+-0.1724 might be 1.0247x faster string-get-by-val-out-of-bounds-insane 4.0765+-0.2665 4.0157+-0.2706 might be 1.0152x faster string-get-by-val-out-of-bounds 5.7547+-0.2031 5.6697+-0.0364 might be 1.0150x faster string-get-by-val 3.5560+-0.1122 ? 3.5980+-0.3200 ? might be 1.0118x slower string-hash 2.3260+-0.0960 ? 2.4189+-0.3042 ? might be 1.0399x slower string-long-ident-equality 16.0438+-2.3755 14.9013+-0.0477 might be 1.0767x faster string-repeat-arith 32.9057+-1.5360 ? 33.1635+-0.6092 ? string-sub 68.6195+-1.1315 67.6229+-1.6259 might be 1.0147x faster string-test 3.0511+-0.0702 ? 3.1158+-0.1486 ? might be 1.0212x slower string-var-equality 32.3486+-0.7601 ? 33.5818+-1.3528 ? might be 1.0381x slower structure-hoist-over-transitions 2.7442+-0.0418 2.7245+-0.1242 substring-concat-weird 39.7516+-1.4391 39.4760+-0.4716 substring-concat 41.8594+-2.1350 ? 43.2908+-2.9467 ? might be 1.0342x slower substring 47.2927+-1.8238 ? 47.7930+-1.3508 ? might be 1.0106x slower switch-char-constant 2.9688+-0.1617 ? 2.9728+-0.0638 ? 
switch-char 13.4796+-0.2901 11.5527+-5.5299 might be 1.1668x faster switch-constant 11.3817+-0.7346 10.7595+-0.7788 might be 1.0578x faster switch-string-basic-big-var 15.6378+-0.2980 ? 15.6542+-0.3542 ? switch-string-basic-big 14.9979+-0.6051 ? 15.1595+-0.3014 ? might be 1.0108x slower switch-string-basic-var 15.5262+-0.5789 15.2145+-0.4149 might be 1.0205x faster switch-string-basic 14.2929+-0.9775 14.0867+-0.4165 might be 1.0146x faster switch-string-big-length-tower-var 20.9203+-0.3194 20.6750+-0.3369 might be 1.0119x faster switch-string-length-tower-var 15.8997+-0.5153 15.7520+-0.8635 switch-string-length-tower 13.2418+-0.3586 ? 13.3759+-0.2054 ? might be 1.0101x slower switch-string-short 13.3831+-0.2766 13.3092+-0.6589 switch 13.8519+-4.3005 ? 15.2289+-4.0833 ? might be 1.0994x slower tear-off-arguments-simple 2.1027+-0.0485 2.0491+-0.0889 might be 1.0262x faster tear-off-arguments 3.0452+-0.0446 2.9985+-0.0553 might be 1.0156x faster temporal-structure 12.8038+-0.5904 ? 12.9175+-0.3895 ? to-int32-boolean 14.5430+-0.5053 ? 14.7172+-0.7637 ? might be 1.0120x slower undefined-test 3.2595+-0.0738 ? 3.2726+-0.1242 ? unprofiled-licm 23.6030+-0.3281 ? 23.9576+-1.4163 ? might be 1.0150x slower weird-inlining-const-prop 2.1795+-0.0588 2.1210+-0.0249 might be 1.0276x faster <arithmetic> 16.8887+-0.2113 16.8645+-0.1685 might be 1.0014x faster <geometric> * 8.4742+-0.0282 ? 8.4859+-0.0595 ? might be 1.0014x slower <harmonic> 4.4956+-0.0284 ? 4.5113+-0.0356 ? might be 1.0035x slower base fix AsmBench: bigfib.cpp 533.4073+-3.0655 532.3923+-0.9612 cray.c 503.7513+-8.4280 498.1687+-3.5308 might be 1.0112x faster dry.c 518.4955+-20.7390 ? 529.7170+-3.7838 ? might be 1.0216x slower FloatMM.c 765.4122+-11.4284 761.0376+-2.3075 gcc-loops.cpp 4462.3986+-7.7219 ^ 4441.4378+-12.0300 ^ definitely 1.0047x faster n-body.c 1050.7624+-6.6327 1048.5807+-5.3052 Quicksort.c 458.6291+-3.1832 457.4203+-1.4507 stepanov_container.cpp 3969.3329+-16.9815 ? 3988.5981+-17.0262 ? 
Towers.c 288.5518+-1.3067 ? 288.7067+-1.9518 ? <arithmetic> 1394.5268+-3.0460 1394.0066+-1.3892 might be 1.0004x faster <geometric> * 861.9305+-2.4758 861.8230+-1.0032 might be 1.0001x faster <harmonic> 635.1505+-2.7647 ? 635.2793+-1.5375 ? might be 1.0002x slower base fix CompressionBench: huffman 553.4583+-3.3923 550.9216+-10.1246 arithmetic-simple 466.3145+-5.2362 464.8027+-1.4589 arithmetic-precise 341.8471+-7.9353 339.0234+-2.7158 arithmetic-complex-precise 335.5697+-2.6719 ? 338.6898+-7.2366 ? arithmetic-precise-order-0 490.8795+-5.5174 ? 493.7288+-5.2155 ? arithmetic-precise-order-1 388.4553+-9.0729 388.1159+-5.2576 arithmetic-precise-order-2 444.5966+-7.3008 444.1433+-7.9692 arithmetic-simple-order-1 503.1815+-4.2983 502.7408+-3.0549 arithmetic-simple-order-2 568.2326+-6.7428 ? 568.9690+-6.0862 ? lz-string 325.3126+-6.2124 324.6113+-7.4354 <arithmetic> 441.7848+-1.0351 441.5747+-2.8920 might be 1.0005x faster <geometric> * 433.3183+-1.1144 433.1168+-2.9291 might be 1.0005x faster <harmonic> 424.8067+-1.1740 424.6139+-2.9992 might be 1.0005x faster base fix All benchmarks: <arithmetic> 105.6171+-0.2074 105.5500+-0.1722 might be 1.0006x faster <geometric> 14.1207+-0.0248 14.1193+-0.0568 might be 1.0001x faster <harmonic> 3.6691+-0.0171 3.6448+-0.0347 might be 1.0067x faster base fix Geomean of preferred means: <scaled-result> 69.3482+-0.0567 69.1548+-0.2837 might be 1.0028x faster Created attachment 240054 [details]
the patch.
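When reviewing a perf run like the one pasted above, the rows worth a second look are the ones the tool flags with "definitely" (for example polymorphic-get-by-id at 1.1083x slower), and it is easy to miss them in a dump of several hundred rows. The following parser is an added example, not part of this bug or of the WebKit tree: it reads rows in the "name base+-err [flag] fix+-err [flag] [verdict]" shape the dump uses, recomputes the ratio the way the tool prints it (larger mean over smaller mean, four decimals), checks it against the stated one, and lists the definite regressions. The sample rows are copied from the dump above; the meaning assigned to the "?", "^" and "!" markers is inferred from the dump itself, not taken from run-jsc-benchmarks documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: four rows copied from the JSRegress section of the dump
# above. Marker meanings are an inference from the dump, not documented behaviour:
# "?" = difference within noise, "^" = definite speedup, "!" = definite slowdown.
SAMPLE = """\
fround 20.9366+-0.7398 ^ 19.5784+-0.4955 ^ definitely 1.0694x faster
polymorphic-get-by-id 3.3312+-0.1041 ! 3.6921+-0.0733 ! definitely 1.1083x slower
boolean-test 3.2029+-0.0816 3.1763+-0.0948
<geometric> * 8.4742+-0.0282 ? 8.4859+-0.0595 ? might be 1.0014x slower
"""

# One row: name, optional "*" (the preferred aggregate), base mean+-err with an
# optional marker, fix mean+-err with an optional marker, optional verdict.
ROW_RE = re.compile(
    r"^(?P<name>\S+)(?:\s+\*)?\s+"
    r"(?P<base>\d+\.\d+)\+-(?P<base_err>\d+\.\d+)(?:\s+(?P<base_flag>[?!^]))?\s+"
    r"(?P<fix>\d+\.\d+)\+-(?P<fix_err>\d+\.\d+)(?:\s+(?P<fix_flag>[?!^]))?"
    r"(?:\s+(?P<confidence>definitely|might be)\s+(?P<ratio>\d+\.\d+)x\s+(?P<direction>faster|slower))?\s*$"
)


@dataclass
class Row:
    name: str
    base: float
    base_err: float
    fix: float
    fix_err: float
    base_flag: Optional[str]
    fix_flag: Optional[str]
    confidence: Optional[str]      # "definitely", "might be" or None
    stated_ratio: Optional[float]  # the "1.0694x" value, when the tool printed one
    direction: Optional[str]       # "faster", "slower" or None

    def computed_ratio(self) -> float:
        """Ratio as the dump expresses it: the larger mean divided by the smaller."""
        return max(self.base, self.fix) / min(self.base, self.fix)

    def computed_direction(self) -> str:
        return "faster" if self.fix < self.base else "slower"

    def intervals_overlap(self) -> bool:
        """True when the two mean+-err intervals overlap, i.e. the difference is noise."""
        return abs(self.base - self.fix) <= self.base_err + self.fix_err

    def ratio_matches_stated(self) -> bool:
        """Recomputed ratio agrees with the printed one at the dump's four decimals."""
        if self.stated_ratio is None:
            return True
        return f"{self.computed_ratio():.4f}" == f"{self.stated_ratio:.4f}"

    def verdict(self) -> str:
        if self.confidence == "definitely":
            return f"definitely {self.direction}"
        if self.intervals_overlap():
            return "noise"
        return f"probably {self.computed_direction()}"


def parse_row(line: str) -> Optional[Row]:
    """Parse one benchmark row; returns None for headers such as 'AsmBench:' or 'base fix'."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Row(
        name=g["name"],
        base=float(g["base"]), base_err=float(g["base_err"]),
        fix=float(g["fix"]), fix_err=float(g["fix_err"]),
        base_flag=g["base_flag"], fix_flag=g["fix_flag"],
        confidence=g["confidence"],
        stated_ratio=float(g["ratio"]) if g["ratio"] else None,
        direction=g["direction"],
    )


def parse_report(text: str) -> List[Row]:
    return [row for row in map(parse_row, text.splitlines()) if row is not None]


def definite_regressions(rows: List[Row]) -> List[str]:
    """Names the tool marked as definitely slower: the rows a reviewer must explain."""
    return [r.name for r in rows if r.confidence == "definitely" and r.direction == "slower"]


if __name__ == "__main__":
    rows = parse_report(SAMPLE)
    for r in rows:
        mark = "" if r.ratio_matches_stated() else "  (stated ratio does not match)"
        print(f"{r.name:28} {r.computed_ratio():.4f}x {r.verdict()}{mark}")
    print("definite regressions:", definite_regressions(rows))
```

Pipe the full run-jsc-benchmarks output through parse_report to get the same classification over every row; aggregate rows such as <geometric> parse like any other and can be filtered out by their leading "<" if only per-benchmark rows are wanted.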
Thanks for the review. Landed in r174856: <http://trac.webkit.org/r174856>.

*** Bug 137268 has been marked as a duplicate of this bug. ***

Confirmed fixed for me (OS X 10.9). Thanks Mark!

Confirmed fixed in OS X 10.10 as well.

Comment on attachment 240054 [details]
the patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=240054&action=review

> Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:1746
> + indexInBlock = indexOfNode(node, indexInBlock);
> + indexInBlock++;

FWIW, I think this would be slightly clearer as one line: "indexInBlock = indexOfNode(...) + 1;".

> Source/JavaScriptCore/dfg/DFGInsertionSet.h:124
> + if (entry) {
> + do {

I think this can be just "while (entry) {" rather than if/do/while.

Comment on attachment 240054 [details]
the patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=240054&action=review

>> Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:1746
>> + indexInBlock++;
>
> FWIW, I think this would be slightly clearer as one line: "indexInBlock = indexOfNode(...) + 1;".

Agreed.

>> Source/JavaScriptCore/dfg/DFGInsertionSet.h:124
>> + do {
>
> I think this can be just "while (entry) {" rather than if/do/while.

You are correct. Previously, before I had figured out the true solution and was still probing to understand how the insertion implementation works, I was exploring implementations that perform the insertion in different ways (e.g. insert after previous bytecode, or insert after current bytecode). Some of that implementation necessitated this if/do/while setup. This is now unnecessary. I will clean this up in a follow up patch.

Created attachment 240136 [details]
follow up patch.
Comment on attachment 240136 [details]
follow up patch.
r=me
Thanks for the review. Follow up patch landed in r174899: <http://trac.webkit.org/r174899>.