| Summary: | [JSC] linkPolymorphicCall now does GC | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Yusuke Suzuki <ysuzuki> | ||||
| Component: | New Bugs | Assignee: | Yusuke Suzuki <ysuzuki> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
|
Description
Yusuke Suzuki
2019-04-25 22:22:03 PDT
Created attachment 368305 [details]
Patch
Comment on attachment 368305 [details] Patch Attachment 368305 [details] did not pass jsc-ews (mac): Output: https://webkit-queues.webkit.org/results/12002939 New failing tests: stress/proxy-set-prototype-of.js.dfg-eager stress/super-property-access-tdz.js.ftl-eager stress/const-semantics.js.ftl-eager stress/string-to-string-error.js.dfg-eager-no-cjit-validate stress/lexical-let-loop-semantics.js.dfg-eager stress/proxy-get-prototype-of.js.ftl-eager stress/finally-for-in.js.ftl-eager stress/dfg-object-prototype-of.js.dfg-eager stress/proxy-set-prototype-of.js.ftl-eager-no-cjit stress/proxy-revoke.js.ftl-eager-no-cjit stress/dataview-jit-bounds-checks.js.ftl-eager stress/proxy-get-prototype-of.js.ftl-eager-no-cjit stress/const-tdz.js.ftl-eager-no-cjit stress/typedarray-access-neutered.js.dfg-eager-no-cjit-validate stress/import-syntax.js.ftl-eager stress/async-await-mozilla.js.dfg-eager-no-cjit-validate stress/arrow-functions-as-default-parameter-values.js.ftl-eager stress/lexical-let-tdz.js.dfg-eager-no-cjit-validate stress/string-to-string-error.js.ftl-eager stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-eager-no-cjit stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js.dfg-eager-no-cjit-validate stress/eval-func-decl-block-with-var-sinthesize.js.ftl-eager stress/super-property-access-tdz.js.ftl-eager-no-cjit stress/inline-call-to-recursive-tail-call.js.dfg-eager-no-cjit-validate stress/dfg-reflect-get-prototype-of.js.dfg-eager stress/typedarray-access-neutered.js.ftl-eager-no-cjit stress/typedarray-access-neutered.js.dfg-eager stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-eager stress/const-tdz.js.dfg-eager-no-cjit-validate stress/string-to-string-error.js.ftl-eager-no-cjit stress/typedarray-access-neutered.js.no-cjit-collect-continuously stress/es6-default-parameters.js.dfg-eager stress/const-tdz.js.ftl-eager stress/string-value-of-error.js.dfg-eager-no-cjit-validate stress/tail-call-recognize.js.ftl-eager-no-cjit stress/const-loop-semantics.js.dfg-eager stress/proxy-get-prototype-of.js.dfg-eager-no-cjit-validate stress/tail-call-host-call-throw.js.ftl-eager stress/dfg-object-proto-getter.js.dfg-eager stress/dfg-object-proto-accessor.js.dfg-eager stress/to-object-intrinsic.js.dfg-eager-no-cjit-validate stress/global-import-function-should-return-a-promise-when-clearing-exceptions.js.ftl-eager-no-cjit stress/string-value-of-error.js.ftl-eager stress/async-iteration-yield-star.js.ftl-eager-no-cjit stress/lexical-let-tdz.js.dfg-eager stress/typedarray-access-neutered.js.ftl-eager stress/lexical-let-tdz.js.ftl-eager stress/const-semantics.js.dfg-eager stress/const-tdz.js.dfg-eager stress/arrow-functions-as-default-parameter-values.js.ftl-eager-no-cjit stress/super-property-access-tdz.js.dfg-eager-no-cjit-validate stress/proxy-revoke.js.dfg-eager-no-cjit-validate stress/es6-default-parameters.js.ftl-eager stress/string-to-string-error.js.dfg-eager stress/dataview-typedarray-toindex.js.dfg-eager-no-cjit-validate stress/tail-call-recognize.js.dfg-eager stress/proxy-revoke.js.ftl-eager stress/arrowfunction-lexical-bind-superproperty.js.dfg-eager stress/arrowfunction-lexical-bind-this-8.js.dfg-eager stress/string-value-of-error.js.ftl-eager-no-cjit stress/lexical-let-tdz.js.ftl-eager-no-cjit stress/string-value-of-error.js.dfg-eager stress/eval-func-decl-block-with-var-sinthesize.js.ftl-eager-no-cjit stress/es6-default-parameters.js.dfg-eager-no-cjit-validate stress/super-property-access.js.dfg-eager stress/constant-folding-osr-exit.js.ftl-eager stress/super-property-access-tdz.js.dfg-eager stress/proxy-get-prototype-of.js.dfg-eager stress/arrowfunction-lexical-bind-superproperty.js.dfg-eager-no-cjit-validate stress/object-create-define.js.ftl-eager-no-cjit stress/arrowfunction-tdz-3.js.ftl-eager stress/arrow-functions-as-default-parameter-values.js.dfg-eager stress/async-await-mozilla.js.ftl-eager stress/eval-func-decl-block-with-var-sinthesize.js.dfg-eager-no-cjit-validate stress/tail-call-recognize.js.ftl-eager stress/lexical-let-loop-semantics.js.ftl-eager-no-cjit stress/to-object-intrinsic.js.dfg-eager stress/array-species-create-should-handle-masquerader.js.dfg-eager Comment on attachment 368305 [details]
Patch
Looking into the test failures.
Comment on attachment 368305 [details]
Patch
Nice find.
(In reply to Build Bot from comment #3) > Comment on attachment 368305 [details] > Patch > > Attachment 368305 [details] did not pass jsc-ews (mac): > Output: https://webkit-queues.webkit.org/results/12002939 > > New failing tests: > stress/proxy-set-prototype-of.js.dfg-eager > stress/super-property-access-tdz.js.ftl-eager > stress/const-semantics.js.ftl-eager > stress/string-to-string-error.js.dfg-eager-no-cjit-validate > stress/lexical-let-loop-semantics.js.dfg-eager > stress/proxy-get-prototype-of.js.ftl-eager > stress/finally-for-in.js.ftl-eager > stress/dfg-object-prototype-of.js.dfg-eager > stress/proxy-set-prototype-of.js.ftl-eager-no-cjit > stress/proxy-revoke.js.ftl-eager-no-cjit > stress/dataview-jit-bounds-checks.js.ftl-eager > stress/proxy-get-prototype-of.js.ftl-eager-no-cjit > stress/const-tdz.js.ftl-eager-no-cjit > stress/typedarray-access-neutered.js.dfg-eager-no-cjit-validate > stress/import-syntax.js.ftl-eager > stress/async-await-mozilla.js.dfg-eager-no-cjit-validate > stress/arrow-functions-as-default-parameter-values.js.ftl-eager > stress/lexical-let-tdz.js.dfg-eager-no-cjit-validate > stress/string-to-string-error.js.ftl-eager > stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-eager-no-cjit > stress/global-import-function-should-return-a-promise-when-clearing- > exceptions.js.dfg-eager-no-cjit-validate > stress/eval-func-decl-block-with-var-sinthesize.js.ftl-eager > stress/super-property-access-tdz.js.ftl-eager-no-cjit > stress/inline-call-to-recursive-tail-call.js.dfg-eager-no-cjit-validate > stress/dfg-reflect-get-prototype-of.js.dfg-eager > stress/typedarray-access-neutered.js.ftl-eager-no-cjit > stress/typedarray-access-neutered.js.dfg-eager > stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-eager > stress/const-tdz.js.dfg-eager-no-cjit-validate > stress/string-to-string-error.js.ftl-eager-no-cjit > stress/typedarray-access-neutered.js.no-cjit-collect-continuously > stress/es6-default-parameters.js.dfg-eager > stress/const-tdz.js.ftl-eager > stress/string-value-of-error.js.dfg-eager-no-cjit-validate > stress/tail-call-recognize.js.ftl-eager-no-cjit > stress/const-loop-semantics.js.dfg-eager > stress/proxy-get-prototype-of.js.dfg-eager-no-cjit-validate > stress/tail-call-host-call-throw.js.ftl-eager > stress/dfg-object-proto-getter.js.dfg-eager > stress/dfg-object-proto-accessor.js.dfg-eager > stress/to-object-intrinsic.js.dfg-eager-no-cjit-validate > stress/global-import-function-should-return-a-promise-when-clearing- > exceptions.js.ftl-eager-no-cjit > stress/string-value-of-error.js.ftl-eager > stress/async-iteration-yield-star.js.ftl-eager-no-cjit > stress/lexical-let-tdz.js.dfg-eager > stress/typedarray-access-neutered.js.ftl-eager > stress/lexical-let-tdz.js.ftl-eager > stress/const-semantics.js.dfg-eager > stress/const-tdz.js.dfg-eager > stress/arrow-functions-as-default-parameter-values.js.ftl-eager-no-cjit > stress/super-property-access-tdz.js.dfg-eager-no-cjit-validate > stress/proxy-revoke.js.dfg-eager-no-cjit-validate > stress/es6-default-parameters.js.ftl-eager > stress/string-to-string-error.js.dfg-eager > stress/dataview-typedarray-toindex.js.dfg-eager-no-cjit-validate > stress/tail-call-recognize.js.dfg-eager > stress/proxy-revoke.js.ftl-eager > stress/arrowfunction-lexical-bind-superproperty.js.dfg-eager > stress/arrowfunction-lexical-bind-this-8.js.dfg-eager > stress/string-value-of-error.js.ftl-eager-no-cjit > stress/lexical-let-tdz.js.ftl-eager-no-cjit > stress/string-value-of-error.js.dfg-eager > stress/eval-func-decl-block-with-var-sinthesize.js.ftl-eager-no-cjit > stress/es6-default-parameters.js.dfg-eager-no-cjit-validate > stress/super-property-access.js.dfg-eager > stress/constant-folding-osr-exit.js.ftl-eager > stress/super-property-access-tdz.js.dfg-eager > stress/proxy-get-prototype-of.js.dfg-eager > stress/arrowfunction-lexical-bind-superproperty.js.dfg-eager-no-cjit-validate > stress/object-create-define.js.ftl-eager-no-cjit > stress/arrowfunction-tdz-3.js.ftl-eager > stress/arrow-functions-as-default-parameter-values.js.dfg-eager > stress/async-await-mozilla.js.ftl-eager > stress/eval-func-decl-block-with-var-sinthesize.js.dfg-eager-no-cjit-validate > stress/tail-call-recognize.js.ftl-eager > stress/lexical-let-loop-semantics.js.ftl-eager-no-cjit > stress/to-object-intrinsic.js.dfg-eager > stress/array-species-create-should-handle-masquerader.js.dfg-eager Are these real? Maybe we want DeferGCForAWhile? (In reply to Saam Barati from comment #6) > (In reply to Build Bot from comment #3) > > Comment on attachment 368305 [details] > > Patch > > > > Attachment 368305 [details] did not pass jsc-ews (mac): > > Output: https://webkit-queues.webkit.org/results/12002939 > > > > New failing tests: > > stress/proxy-set-prototype-of.js.dfg-eager > > stress/super-property-access-tdz.js.ftl-eager > > stress/const-semantics.js.ftl-eager > > stress/string-to-string-error.js.dfg-eager-no-cjit-validate > > stress/lexical-let-loop-semantics.js.dfg-eager > > stress/proxy-get-prototype-of.js.ftl-eager > > stress/finally-for-in.js.ftl-eager > > stress/dfg-object-prototype-of.js.dfg-eager > > stress/proxy-set-prototype-of.js.ftl-eager-no-cjit > > stress/proxy-revoke.js.ftl-eager-no-cjit > > stress/dataview-jit-bounds-checks.js.ftl-eager > > stress/proxy-get-prototype-of.js.ftl-eager-no-cjit > > stress/const-tdz.js.ftl-eager-no-cjit > > stress/typedarray-access-neutered.js.dfg-eager-no-cjit-validate > > stress/import-syntax.js.ftl-eager > > stress/async-await-mozilla.js.dfg-eager-no-cjit-validate > > stress/arrow-functions-as-default-parameter-values.js.ftl-eager > > stress/lexical-let-tdz.js.dfg-eager-no-cjit-validate > > stress/string-to-string-error.js.ftl-eager > > stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-eager-no-cjit > > stress/global-import-function-should-return-a-promise-when-clearing- > > exceptions.js.dfg-eager-no-cjit-validate > > stress/eval-func-decl-block-with-var-sinthesize.js.ftl-eager > > stress/super-property-access-tdz.js.ftl-eager-no-cjit > > stress/inline-call-to-recursive-tail-call.js.dfg-eager-no-cjit-validate > > stress/dfg-reflect-get-prototype-of.js.dfg-eager > > stress/typedarray-access-neutered.js.ftl-eager-no-cjit > > stress/typedarray-access-neutered.js.dfg-eager > > stress/arrowfunction-lexical-bind-arguments-non-strict-1.js.ftl-eager > > stress/const-tdz.js.dfg-eager-no-cjit-validate > > stress/string-to-string-error.js.ftl-eager-no-cjit > > stress/typedarray-access-neutered.js.no-cjit-collect-continuously > > stress/es6-default-parameters.js.dfg-eager > > stress/const-tdz.js.ftl-eager > > stress/string-value-of-error.js.dfg-eager-no-cjit-validate > > stress/tail-call-recognize.js.ftl-eager-no-cjit > > stress/const-loop-semantics.js.dfg-eager > > stress/proxy-get-prototype-of.js.dfg-eager-no-cjit-validate > > stress/tail-call-host-call-throw.js.ftl-eager > > stress/dfg-object-proto-getter.js.dfg-eager > > stress/dfg-object-proto-accessor.js.dfg-eager > > stress/to-object-intrinsic.js.dfg-eager-no-cjit-validate > > stress/global-import-function-should-return-a-promise-when-clearing- > > exceptions.js.ftl-eager-no-cjit > > stress/string-value-of-error.js.ftl-eager > > stress/async-iteration-yield-star.js.ftl-eager-no-cjit > > stress/lexical-let-tdz.js.dfg-eager > > stress/typedarray-access-neutered.js.ftl-eager > > stress/lexical-let-tdz.js.ftl-eager > > stress/const-semantics.js.dfg-eager > > stress/const-tdz.js.dfg-eager > > stress/arrow-functions-as-default-parameter-values.js.ftl-eager-no-cjit > > stress/super-property-access-tdz.js.dfg-eager-no-cjit-validate > > stress/proxy-revoke.js.dfg-eager-no-cjit-validate > > stress/es6-default-parameters.js.ftl-eager > > stress/string-to-string-error.js.dfg-eager > > stress/dataview-typedarray-toindex.js.dfg-eager-no-cjit-validate > > stress/tail-call-recognize.js.dfg-eager > > stress/proxy-revoke.js.ftl-eager > > stress/arrowfunction-lexical-bind-superproperty.js.dfg-eager > > stress/arrowfunction-lexical-bind-this-8.js.dfg-eager > > stress/string-value-of-error.js.ftl-eager-no-cjit > > stress/lexical-let-tdz.js.ftl-eager-no-cjit > > stress/string-value-of-error.js.dfg-eager > > stress/eval-func-decl-block-with-var-sinthesize.js.ftl-eager-no-cjit > > stress/es6-default-parameters.js.dfg-eager-no-cjit-validate > > stress/super-property-access.js.dfg-eager > > stress/constant-folding-osr-exit.js.ftl-eager > > stress/super-property-access-tdz.js.dfg-eager > > stress/proxy-get-prototype-of.js.dfg-eager > > stress/arrowfunction-lexical-bind-superproperty.js.dfg-eager-no-cjit-validate > > stress/object-create-define.js.ftl-eager-no-cjit > > stress/arrowfunction-tdz-3.js.ftl-eager > > stress/arrow-functions-as-default-parameter-values.js.dfg-eager > > stress/async-await-mozilla.js.ftl-eager > > stress/eval-func-decl-block-with-var-sinthesize.js.dfg-eager-no-cjit-validate > > stress/tail-call-recognize.js.ftl-eager > > stress/lexical-let-loop-semantics.js.ftl-eager-no-cjit > > stress/to-object-intrinsic.js.dfg-eager > > stress/array-species-create-should-handle-masquerader.js.dfg-eager > > Are these real? Maybe we want DeferGCForAWhile? Yes, I tested it on my home machine yesterday and it was real. It seems that JITCode is changing and operationOptimize see unexpected JITType for the CodeBlock (rough investigation I did yesterday). And my impression is that we should use DeferGCForAWhile. After I figured out what is happening, and if it is fixed with DeferGCForAWhile, I'll land this with DeferGCForAWhile and comment about the behavior. (In reply to Yusuke Suzuki from comment #7) > (In reply to Saam Barati from comment #6) > > Are these real? Maybe we want DeferGCForAWhile? > > Yes, I tested it on my home machine yesterday and it was real. > It seems that JITCode is changing and operationOptimize see unexpected > JITType for the CodeBlock (rough investigation I did yesterday). > And my impression is that we should use DeferGCForAWhile. After I figured > out what is happening, and if it is fixed with DeferGCForAWhile, I'll land > this with DeferGCForAWhile and comment about the behavior. When GC happens, it may jettison CodeBlock, and it makes operationLinkPolymorphicCall's SlowPathReturnType result broken. We should not perform GC in linkPolymorphicCall. So, DeferGCForAWhile is the correct fix. Committed r244711: <https://trac.webkit.org/changeset/244711> |