Bug 156034

Summary:

DFG JIT bug in typeof constant folding where the input to typeof is an object or function

Product:

WebKit

Reporter:

Ryosuke Niwa <rniwa>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

benjamin, commit-queue, fpizlo, ggaren, john.david.dalton, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer, ysuzuki

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
patch	none

Ryosuke Niwa

Reported 2016-03-30 12:36:07 PDT

Reported on https://github.com/gaearon/normalizr/pull/82#issuecomment-203589131 Repro steps: 1. Open https://jsbin.com/coquxaduhu/1/edit?html,js,output 2. Wait for a few iterations until "looks okay" turns "missing entities.tweets". There's a smaller js file reported to reproduce the same issue at: https://github.com/gaearon/normalizr/pull/82#issuecomment-203590718 I'm sorry but I don't understand what this bug is about since the comments in the Github issue is super vague :(

Attachments
patch (2.82 KB, patch) 2016-03-30 18:03 PDT, Saam Barati	no flags	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Ryosuke Niwa

Comment 1 2016-03-30 12:36:57 PDT

This is the function that's exhibiting non-deterministic behavior as far as I can tell: https://github.com/lodash/lodash/blob/55c3299d5c04ee8b035ee86f034ec222f4570167/lodash.js#L12308

Ryosuke Niwa

Comment 2 2016-03-30 12:39:05 PDT

This is currently affecting Safari users on Twitter until they push the workaround to the production.

Radar WebKit Bug Importer

Comment 3 2016-03-30 12:39:29 PDT

<rdar://problem/25446785>

Ryosuke Niwa

Comment 4 2016-03-30 14:36:46 PDT

React Proxy is claimed to be hitting the same issue: https://github.com/gaearon/react-proxy/issues/55 So it seems that problem here that we mistakenly return "object" for typeof of a function in some JITed code.

Ryosuke Niwa

Comment 5 2016-03-30 16:56:00 PDT

It looks like disabling DFG fixes this bug.

Ryosuke Niwa

Comment 6 2016-03-30 17:24:58 PDT

Saam pinpointed the bug to http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h?rev=198865#L1173

Ryosuke Niwa

Comment 7 2016-03-30 17:32:52 PDT

Minimum reproduction (credit: Saam): https://gist.github.com/anonymous/49715c82e834f8e2c184d35a821ec468

Saam Barati

Comment 8 2016-03-30 18:03:20 PDT

Created attachment 275249 [details] patch

WebKit Commit Bot

Comment 9 2016-03-31 11:28:45 PDT

Comment on attachment 275249 [details] patch Clearing flags on attachment: 275249 Committed r198902: <http://trac.webkit.org/changeset/198902>

WebKit Commit Bot

Comment 10 2016-03-31 11:28:51 PDT

All reviewed patches have been landed. Closing bug.

John-David Dalton

Comment 11 2016-08-11 15:58:48 PDT

Do you all know which updates this fix is in? I'm looking for an idea of when to pull the workaround in my code.

Benjamin Poulain

Comment 12 2016-08-11 16:18:26 PDT

(In reply to comment #11) > Do you all know which updates this fix is in? I'm looking for an idea of > when to pull the workaround in my code. The patch should be in Safari 10 and iOS 10.

Ryosuke Niwa

Comment 13 2016-08-11 18:47:39 PDT

(In reply to comment #11) > Do you all know which updates this fix is in? I'm looking for an idea of > when to pull the workaround in my code. You should be able to work around the bug in old versions of Safari by wrapping the code in try {} catch {}. e.g. try { return typdeof(obj) == 'array'; } catch (e) { } typeof would never throw but this will disable DFG JIT, which had this bug, from compiling the code in iOS 9 / Safari 9.

Note You need to log in before you can comment on or make changes to this bug.