Bug 197855

Summary:

Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled

Product:

WebKit

Reporter:

Tadeu Zagallo <tzagallo>

Component:

JavaScriptCore

Assignee:

Saam Barati <saam>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
maybe patch	none
Archive of layout-test-results from ews210 for win-future	none
patch	msaboff: review+

Tadeu Zagallo

Reported 2019-05-13 15:36:53 PDT

...

Attachments
Patch (32.69 KB, patch) 2019-05-13 15:47 PDT, Tadeu Zagallo	no flags	Details Formatted Diff Diff
maybe patch (1.66 KB, patch) 2019-05-13 16:35 PDT, Saam Barati	no flags	Details Formatted Diff Diff
Archive of layout-test-results from ews210 for win-future (13.53 MB, application/zip) 2019-05-14 00:09 PDT, EWS Watchlist	no flags	Details
patch (4.39 KB, patch) 2019-05-14 15:18 PDT, Saam Barati	msaboff: review+	Details Formatted Diff Diff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.

Tadeu Zagallo

Comment 1 2019-05-13 15:47:49 PDT

Created attachment 369794 [details] Patch

Tadeu Zagallo

Comment 2 2019-05-13 15:48:10 PDT

<rdar://problem/50236506>

Saam Barati

Comment 3 2019-05-13 16:35:31 PDT

I thought about this a bit, and I'd be sad for this to go. It's helped us find a lot of bugs. Posting an alternative patch here that fixes the crash in radar

Saam Barati

Comment 4 2019-05-13 16:35:50 PDT

Created attachment 369802 [details] maybe patch

EWS Watchlist

Comment 5 2019-05-14 00:09:36 PDT

Comment on attachment 369794 [details] Patch Attachment 369794 [details] did not pass win-ews (win): Output: https://webkit-queues.webkit.org/results/12185088 New failing tests: fast/shadow-dom/svg-use-href-change-in-shadow-tree.html

EWS Watchlist

Comment 6 2019-05-14 00:09:40 PDT

Created attachment 369823 [details] Archive of layout-test-results from ews210 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews210 Port: win-future Platform: CYGWIN_NT-10.0-17763-3.0.5-338.x86_64-x86_64-64bit

Tadeu Zagallo

Comment 7 2019-05-14 02:03:17 PDT

(In reply to Saam Barati from comment #3) > I thought about this a bit, and I'd be sad for this to go. It's helped us > find a lot of bugs. Posting an alternative patch here that fixes the crash > in radar I think it's a bit unfortunate having to special case it to make it work, but it's a pretty simple patch, so sounds good to me. If ever run into this again we can reconsider. Do you want to go ahead and take the bug?

Saam Barati

Comment 8 2019-05-14 15:18:47 PDT

Created attachment 369898 [details] patch

Saam Barati

Comment 9 2019-05-14 18:32:37 PDT

Here is another test I'll check in that crashes with: --useMaximalFlushInsertionPhase=1 --jitPolicyScale=0 --useConcurrentJIT=0 ``` function f0() { } function bar() { f0(...arguments); } const a = new Uint8Array(1); function foo() { bar(0, 0); a.find(()=>{}); } for (let i=0; i<3; i++) { foo(); } ```

Michael Saboff

Comment 10 2019-05-15 13:23:17 PDT

Comment on attachment 369898 [details] patch r=me

Saam Barati

Comment 11 2019-05-15 13:30:32 PDT

landed in: https://trac.webkit.org/changeset/245341/webkit

Note You need to log in before you can comment on or make changes to this bug.