Bug 156034

Summary: DFG JIT bug in typeof constant folding where the input to typeof is an object or function
Product: WebKit Reporter: Ryosuke Niwa <rniwa>
Component: JavaScriptCore Assignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, john.david.dalton, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments: patch (flags: none)

Description Ryosuke Niwa 2016-03-30 12:36:07 PDT
Reported on https://github.com/gaearon/normalizr/pull/82#issuecomment-203589131

Repro steps:
1. Open https://jsbin.com/coquxaduhu/1/edit?html,js,output
2. Wait for a few iterations until "looks okay" turns into "missing entities.tweets".

There's a smaller js file reported to reproduce the same issue at:
https://github.com/gaearon/normalizr/pull/82#issuecomment-203590718

I'm sorry but I don't understand what this bug is about since the comments in the Github issue are super vague :(
Comment 1 Ryosuke Niwa 2016-03-30 12:36:57 PDT
This is the function that's exhibiting non-deterministic behavior as far as I can tell:
https://github.com/lodash/lodash/blob/55c3299d5c04ee8b035ee86f034ec222f4570167/lodash.js#L12308
Comment 2 Ryosuke Niwa 2016-03-30 12:39:05 PDT
This is currently affecting Safari users on Twitter until they push the workaround to production.
Comment 3 Radar WebKit Bug Importer 2016-03-30 12:39:29 PDT
<rdar://problem/25446785>
Comment 4 Ryosuke Niwa 2016-03-30 14:36:46 PDT
React Proxy is claimed to be hitting the same issue:
https://github.com/gaearon/react-proxy/issues/55

So it seems that the problem here is that we mistakenly return "object" for typeof of a function in some JITed code.
Comment 5 Ryosuke Niwa 2016-03-30 16:56:00 PDT
It looks like disabling DFG fixes this bug.
Comment 7 Ryosuke Niwa 2016-03-30 17:32:52 PDT
Minimum reproduction (credit: Saam): https://gist.github.com/anonymous/49715c82e834f8e2c184d35a821ec468
Comment 8 Saam Barati 2016-03-30 18:03:20 PDT
Created attachment 275249 [details]
patch
Comment 9 WebKit Commit Bot 2016-03-31 11:28:45 PDT
Comment on attachment 275249 [details]
patch

Clearing flags on attachment: 275249

Committed r198902: <http://trac.webkit.org/changeset/198902>
Comment 10 WebKit Commit Bot 2016-03-31 11:28:51 PDT
All reviewed patches have been landed.  Closing bug.
Comment 11 John-David Dalton 2016-08-11 15:58:48 PDT
Do you all know which updates this fix is in? I'm looking for an idea of when to pull the workaround in my code.
Comment 12 Benjamin Poulain 2016-08-11 16:18:26 PDT
(In reply to comment #11)
> Do you all know which updates this fix is in? I'm looking for an idea of
> when to pull the workaround in my code.

The patch should be in Safari 10 and iOS 10.
Comment 13 Ryosuke Niwa 2016-08-11 18:47:39 PDT
(In reply to comment #11)
> Do you all know which updates this fix is in? I'm looking for an idea of
> when to pull the workaround in my code.

You should be able to work around the bug in old versions of Safari by wrapping the code in try {} catch {}. e.g.

try {
    // typeof never throws; the try/catch is only there to keep the DFG JIT away from this code.
    return typeof(obj) == 'array';
} catch (e) { }

typeof would never throw, but this will prevent the DFG JIT, which had this bug, from compiling the code in iOS 9 / Safari 9.
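The following is an added example, not code from the bug report, lodash or WebKit. It shows the two things this thread is about from a defender's side: a self-check that runs typeof on functions and objects inside a hot loop (so the code tiers up to the optimizing JIT, where the constant-folding bug lived) and counts any answer that disagrees with the interpreter's, and a try/catch wrapper of the kind comment 13 describes. The function names, the sample set and the iteration count are assumptions; on an engine without the bug the mismatch count is 0.

```javascript
// Added example (assumed names); none of this is the bug report's own code.

// Kept as its own function so that the JIT compiles it separately and the
// call site feeds it a mix of types, which is where typeof constant folding
// on the input's speculated type goes wrong in the affected DFG builds.
function typeofProbe(value) {
  return typeof value;
}

// Runs typeofProbe over a fixed sample set for many iterations and returns
// how many results differ from the ECMAScript-mandated typeof string.
// The expected values are the language's, not engine-specific.
function runTypeofSelfCheck(iterations) {
  var samples = [
    { value: function () {}, expected: 'function' },
    { value: {}, expected: 'object' },
    { value: [], expected: 'object' },
    { value: null, expected: 'object' },
    { value: 'x', expected: 'string' },
    { value: 1, expected: 'number' }
  ];
  var mismatches = 0;
  for (var i = 0; i < iterations; i++) {
    var s = samples[i % samples.length];
    if (typeofProbe(s.value) !== s.expected) {
      mismatches++;
    }
  }
  return mismatches;
}

// The workaround pattern from comment 13: wrapping the check in try/catch kept
// the iOS 9 / Safari 9 DFG JIT from compiling the function. typeof itself never
// throws, so the catch branch is never taken and the result is unchanged.
function isFunctionWithWorkaround(obj) {
  try {
    return typeof obj == 'function';
  } catch (e) {
    return false;
  }
}

// Usage (constructed): report whether this engine misreports typeof.
var mismatchCount = runTypeofSelfCheck(200000);
console.log('typeof mismatches after warm-up loop: ' + mismatchCount);
console.log('isFunctionWithWorkaround(function(){}) -> ' + isFunctionWithWorkaround(function () {}));
```

A non-zero mismatch count from runTypeofSelfCheck is the signal to keep a workaround like isFunctionWithWorkaround in place for that engine; a zero count on the engines you ship to is the evidence for pulling it, which is the question asked in comment 11.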