Bug 175812

Summary: We are using valueProfileForBytecodeOffset when there may not be a value profile
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCore
Assignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, rmorisset, ticaiolima, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: Safari Technology Preview   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch msaboff: review+

Saam Barati
Reported 2017-08-21 22:31:16 PDT
Currently, switching to this crashes on stress/inlined-tail-call-in-inlined-setter-should-not-crash-when-getting-value-profile.js

ValueProfile* CodeBlock::valueProfileForBytecodeOffset(int bytecodeOffset)
{
    OpcodeID opcodeID = Interpreter::getOpcodeID(instructions()[bytecodeOffset]);
    unsigned length = opcodeLength(opcodeID);
    ValueProfile* result = instructions()[bytecodeOffset + length - 1].u.profile;
#if !ASSERT_DISABLED
    bool found = false;
    for (unsigned i = 0; i < numberOfValueProfiles(); ++i) {
        ValueProfile* profile = valueProfile(i);
        if (profile->m_bytecodeOffset == bytecodeOffset) {
            ASSERT(profile == result);
            found = true;
            break;
        }
    }
    ASSERT(found);
#endif
    return result;
}

I'll fix and land this change
Attachments
patch (15.34 KB, patch)
2017-08-21 23:40 PDT, Saam Barati
msaboff: review+
Saam Barati
Comment 1 2017-08-21 23:09:27 PDT
I'm moving to two functions:
ValueProfile& valueProfileForBytecodeOffset(int);
ValueProfile* tryGetValueProfileForBytecodeOffset(int);
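The split described in Comment 1, as an added example that is not WebKit's code: ValueProfile, Instruction, OpcodeID and CodeBlock below are a constructed toy model (the real JSC types differ), and the lookup by m_bytecodeOffset mirrors the debug loop in the description rather than trusting the instruction's last slot.

```cpp
#include <cassert>
#include <vector>
// Constructed model of the report's situation, not JSC code: a profiled opcode
// ends with a ValueProfile* slot, an unprofiled one ends with a plain operand.
struct ValueProfile { int m_bytecodeOffset; };
union Instruction {
    int operand;            // opcode id or register number
    ValueProfile* profile;  // only valid as the last slot of a profiled opcode
};
enum OpcodeID { op_get_by_id = 0, op_mov = 1 };
// op_get_by_id: opcode, dst, base, profile (4 slots); op_mov: opcode, dst, src (3 slots)
unsigned opcodeLength(OpcodeID id) { return id == op_get_by_id ? 4 : 3; }

struct CodeBlock {
    std::vector<Instruction> instructions;
    std::vector<ValueProfile> valueProfiles;

    // Pre-fix shape: for op_mov this reinterprets the src register as a pointer.
    ValueProfile* uncheckedValueProfileForBytecodeOffset(int bytecodeOffset) {
        OpcodeID id = OpcodeID(instructions[bytecodeOffset].operand);
        return instructions[bytecodeOffset + opcodeLength(id) - 1].profile;
    }

    // Look the profile up by its recorded bytecode offset, the relation the
    // description's debug loop checks; nullptr means "no profile here".
    ValueProfile* tryGetValueProfileForBytecodeOffset(int bytecodeOffset) {
        for (ValueProfile& profile : valueProfiles) {
            if (profile.m_bytecodeOffset == bytecodeOffset)
                return &profile;
        }
        return nullptr;
    }

    // For callers that know the opcode is profiled: a missing profile is a
    // debug assertion failure instead of a bogus pointer.
    ValueProfile& valueProfileForBytecodeOffset(int bytecodeOffset) {
        ValueProfile* profile = tryGetValueProfileForBytecodeOffset(bytecodeOffset);
        assert(profile);
        return *profile;
    }
};
// Two instructions: a profiled op_get_by_id at offset 0, an unprofiled op_mov at 4.
CodeBlock makeCodeBlock() {
    CodeBlock block;
    block.valueProfiles.push_back(ValueProfile{0});
    Instruction stream[7] = {{op_get_by_id}, {1}, {2}, {}, {op_mov}, {1}, {7}};
    stream[3].profile = &block.valueProfiles[0];
    block.instructions.assign(stream, stream + 7);
    return block;
}
```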
Saam Barati
Comment 2 2017-08-21 23:40:42 PDT
Michael Saboff
Comment 3 2017-08-22 07:26:19 PDT
Comment on attachment 318740 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=318740&action=review

r=me with the suggested build fix.

> Source/JavaScriptCore/jit/JITInlines.h:974
> ASSERT(valueProfile);

Looks like this line needs to be removed to fix the Debug build.
Saam Barati
Comment 4 2017-08-22 09:28:33 PDT
Radar WebKit Bug Importer
Comment 5 2017-08-22 09:29:04 PDT