Bug 143104

Summary:

REGRESSION: js/regress/inline-arguments-local-escape.html is flaky

Product:

WebKit

Reporter:

Alexey Proskuryakov <ap>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, benjamin, commit-queue, fpizlo, ggaren, mark.lam, mhahnenb, mmirman, msaboff, nrotem, oliver, saam, sam, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

528+ (Nightly build)

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
hopefully the patch	none

Alexey Proskuryakov

Reported 2015-03-26 10:10:28 PDT

This test has started to flakily fail on multiple bots, presumably due to http://trac.webkit.org/changeset/181993 https://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=js%2Fregress%2Finline-arguments-local-escape.html

Attachments
hopefully the patch (12.84 KB, patch) 2015-03-30 09:36 PDT, Filip Pizlo	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2015-03-26 10:11:04 PDT

<rdar://problem/20310708>

Alexey Proskuryakov

Comment 2 2015-03-28 22:36:40 PDT

This test is still flakily failing.

Filip Pizlo

Comment 3 2015-03-30 08:30:59 PDT

(In reply to comment #2) > This test is still flakily failing. OK, looking at it now.

Filip Pizlo

Comment 4 2015-03-30 08:51:44 PDT

Turns out to be a pretty bad bug. PreciseLocalClobberize's readTop() method is totally wrong for accesses to "escaped" arguments. There are a handful of ways to fix this and I'll investigate. Here's a version of the test that crashes every time: function foo() { return arguments; } function bar(a, b, c, i) { var a = foo(b, c, 42); return a[i]; } noInline(bar); var expected = [2, 3, 42]; for (var i = 0; i < 10000; ++i) { var result = bar(1, 2, 3, i % 3); if (result != expected[i % 3]) throw "Error: bad result: " + result; }

Filip Pizlo

Comment 5 2015-03-30 08:57:56 PDT

Same bug, involving ForwardVarargs: function foo() { return arguments; } function baz(a, b, c) { return a + b + c; } function bar(a, b, c) { var args = foo(b, c, 42); return baz.apply(void 0, args); } noInline(bar); for (var i = 0; i < 10000; ++i) { var result = bar(1, 2, 3); if (result != 47) throw "Error: bad result: " + result; }

Filip Pizlo

Comment 6 2015-03-30 09:36:17 PDT

Created attachment 249738 [details] hopefully the patch Not yet ready for review. I'm still running tests.

Filip Pizlo

Comment 7 2015-03-30 09:58:40 PDT

Comment on attachment 249738 [details] hopefully the patch Looks like it works!

Geoffrey Garen

Comment 8 2015-03-30 10:50:44 PDT

Comment on attachment 249738 [details] hopefully the patch r=me

WebKit Commit Bot

Comment 9 2015-03-30 11:36:55 PDT

Comment on attachment 249738 [details] hopefully the patch Clearing flags on attachment: 249738 Committed r182148: <http://trac.webkit.org/changeset/182148>

WebKit Commit Bot

Comment 10 2015-03-30 11:37:00 PDT

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.