Bug 203290

Summary:

REGRESSION(r251468): Build, test failures in 32-bit JSC after BytecodeIndex refactoring

Product:

WebKit

Reporter:

Pablo Saavedra <psaavedra>

Component:

JavaScriptCore

Assignee:

Pablo Saavedra <psaavedra>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, ggaren, keith_miller, mark.lam, msaboff, pmatos, saam, tzagallo, webkit-bug-importer, ysuzuki, zan

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

202392, 203285, 203358

Bug Blocks:

203040

Attachments:

Description	Flags
patch	none
patch	none
WIP fixes	none
WIP fixes	none
patch	none
Pending fixes	none
Patch	none

Pablo Saavedra

Reported 2019-10-23 02:03:11 PDT

Error: ``` FAILED: Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-bfc896e1-11.cpp.o /home/buildbot/buildroot/buildroot/output.rpi3/host/usr/ccache/arm-buildroot-linux-gnueabihf-g++ --sysroot=/home/buildbot/buildroot/buildroot/output.rpi3/host/usr/arm-buildroot-linux-gnueabihf/sysroot -DBUILDING_JSCONLY__ -DBUILDING_JavaScriptCore -DBUILDING_WITH_CMAKE=1 -DHAVE_CONFIG_H=1 -DJavaScriptCore_EXPORTS -DSTATICALLY_LINKED_WITH_WTF -IDerivedSources/ForwardingHeaders -I. -I../../Source/JavaScriptCore -I../../Source/JavaScriptCore/API -I../../Source/JavaScriptCore/assembler -I../../Source/JavaScriptCore/b3 -I../../Source/JavaScriptCore/b3/air -I../../Source/JavaScriptCore/bindings -I../../Source/JavaScriptCore/builtins -I../../Source/JavaScriptCore/bytecode -I../../Source/JavaScriptCore/bytecompiler -I../../Source/JavaScriptCore/dfg -I../../Source/JavaScriptCore/disassembler -I../../Source/JavaScriptCore/disassembler/ARM64 -I../../Source/JavaScriptCore/disassembler/udis86 -I../../Source/JavaScriptCore/domjit -I../../Source/JavaScriptCore/ftl -I../../Source/JavaScriptCore/heap -I../../Source/JavaScriptCore/debugger -I../../Source/JavaScriptCore/inspector -I../../Source/JavaScriptCore/inspector/agents -I../../Source/JavaScriptCore/inspector/augmentable -I../../Source/JavaScriptCore/inspector/remote -I../../Source/JavaScriptCore/interpreter -I../../Source/JavaScriptCore/jit -I../../Source/JavaScriptCore/llint -I../../Source/JavaScriptCore/parser -I../../Source/JavaScriptCore/profiler -I../../Source/JavaScriptCore/runtime -I../../Source/JavaScriptCore/tools -I../../Source/JavaScriptCore/wasm -I../../Source/JavaScriptCore/wasm/js -I../../Source/JavaScriptCore/yarr -IDerivedSources/JavaScriptCore -IDerivedSources/JavaScriptCore/inspector -IDerivedSources/JavaScriptCore/runtime -IDerivedSources/JavaScriptCore/yarr -I../../Source/ThirdParty/capstone/Source/include -IDerivedSources -I../../Source/ThirdParty -fdiagnostics-color=always -Wextra -Wall -Wno-expansion-to-defined -Wno-psabi -Wno-noexcept-type -Wno-maybe-uninitialized -Wwrite-strings -Wundef -Wpointer-arith -Wmissing-format-attribute -Wformat-security -Wcast-align -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -O3 -fno-strict-aliasing -fno-exceptions -fno-rtti -DNDEBUG -fPIC -ffp-contract=off -std=c++17 -MD -MT Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-bfc896e1-11.cpp.o -MF Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-bfc896e1-11.cpp.o.d -o Source/JavaScriptCore/CMakeFiles/JavaScriptCore.dir/__/__/DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-bfc896e1-11.cpp.o -c DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-bfc896e1-11.cpp In file included from DerivedSources/JavaScriptCore/unified-sources/UnifiedSource-bfc896e1-11.cpp:5: ../../Source/JavaScriptCore/dfg/DFGOSRExit.cpp: In function ‘void JSC::DFG::reifyInlinedCallFrames(JSC::DFG::Context&, JSC::CodeBlock*, const JSC::DFG::OSRExitBase&)’: ../../Source/JavaScriptCore/dfg/DFGOSRExit.cpp:828:58: error: no matching function for call to ‘JSC::CallSiteIndex::CallSiteIndex(const JSC::Instruction*&)’ uint32_t locationBits = CallSiteIndex(instruction).bits(); ``` it is related with JIT code because WPE still builds with `-DENABLE_JIT=OFF` the fail was introduced in `BytecodeIndex should be a proper C++ class` https://trac.webkit.org/changeset/251468

Attachments
patch (9.57 KB, patch) 2019-10-23 03:23 PDT, Pablo Saavedra	no flags	Details Formatted Diff Diff
patch (9.57 KB, patch) 2019-10-23 03:25 PDT, Pablo Saavedra	no flags	Details Formatted Diff Diff
WIP fixes (11.34 KB, patch) 2019-10-23 14:32 PDT, Zan Dobersek	no flags	Details Formatted Diff Diff
WIP fixes (11.84 KB, patch) 2019-10-23 14:54 PDT, Zan Dobersek	no flags	Details Formatted Diff Diff
patch (9.52 KB, patch) 2019-10-23 23:46 PDT, Pablo Saavedra	no flags	Details Formatted Diff Diff
Pending fixes (3.21 KB, patch) 2019-10-24 02:02 PDT, Zan Dobersek	no flags	Details Formatted Diff Diff
Patch (3.95 KB, patch) 2019-10-24 03:55 PDT, Zan Dobersek	no flags	Details Formatted Diff Diff
Show Obsolete (6) View All Add attachment proposed patch, testcase, etc.

Pablo Saavedra

Comment 1 2019-10-23 03:23:09 PDT

Created attachment 381671 [details] patch

Pablo Saavedra

Comment 2 2019-10-23 03:25:26 PDT

Created attachment 381672 [details] patch

Pablo Saavedra

Comment 3 2019-10-23 03:32:17 PDT

This https://trac.webkit.org/changeset/251468/webkit#file83 is still needed. I just uploaded a patch adapting the code to the changes done in r251468.

Mark Lam

Comment 4 2019-10-23 03:37:10 PDT

Does this patch pass JSC tests on 32-bit targets? I think the i386 EWS bit is broken. So, we can’t rely on it to tell us.

Pablo Saavedra

Comment 5 2019-10-23 03:42:41 PDT

(In reply to Mark Lam from comment #4) > Does this patch pass JSC tests on 32-bit targets? I think the i386 EWS bit > is broken. So, we can’t rely on it to tell us. I just tested in ARMv7 boards right now.

Pablo Saavedra

Comment 6 2019-10-23 03:48:12 PDT

(In reply to Pablo Saavedra from comment #5) > (In reply to Mark Lam from comment #4) > > Does this patch pass JSC tests on 32-bit targets? I think the i386 EWS bit > > is broken. So, we can’t rely on it to tell us. > > I just tested in ARMv7 boards right now. Sorry, I mean, I tested build step ... not the JSC tests.

Pablo Saavedra

Comment 7 2019-10-23 04:41:17 PDT

(In reply to Pablo Saavedra from comment #6) > (In reply to Pablo Saavedra from comment #5) > > (In reply to Mark Lam from comment #4) > > > Does this patch pass JSC tests on 32-bit targets? I think the i386 EWS bit > > > is broken. So, we can’t rely on it to tell us. > > > > I just tested in ARMv7 boards right now. > > > Sorry, I mean, I tested build step ... not the JSC tests. It is being a bit complicated to ensure anything because the r251425 (https://bugs.webkit.org/show_bug.cgi?id=202392#c41) was introduced so many failures the tests JSC tests

Zan Dobersek

Comment 8 2019-10-23 14:32:51 PDT

Created attachment 381729 [details] WIP fixes This one contains both compile-time fixes as well as a few runtime fixes that temporarily cover work in #203285 or bring back 32-bit specifics from r251468. This still leaves a good handful of tests failing, seemingly due to something in the DFG layer.

Zan Dobersek

Comment 9 2019-10-23 14:54:22 PDT

Created attachment 381734 [details] WIP fixes Another fix in CodeOrigin::isHashTableDeletedValue().

Yusuke Suzuki

Comment 10 2019-10-23 16:51:44 PDT

Comment on attachment 381672 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=381672&action=review > Source/JavaScriptCore/interpreter/CallFrame.h:55 > +#if USE(JSVALUE32_64) > + explicit CallSiteIndex(const Instruction* instruction) > + : m_bytecodeIndex(bitwise_cast<uint32_t>(instruction)) > + { } > +#endif I would like to get the refactoring that removes 32 / 64bit difference here: Use 64bit's logic and remove USE(JSVALUE32_64) around CallSiteIndex. Can you do that? Soon, we will introduce another change and that change could make this 32bit logic not working.

Pablo Saavedra

Comment 11 2019-10-23 23:46:15 PDT

Created attachment 381779 [details] patch

Zan Dobersek

Comment 12 2019-10-24 00:00:16 PDT

(In reply to Yusuke Suzuki from comment #10) > Comment on attachment 381672 [details] > patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=381672&action=review > > > Source/JavaScriptCore/interpreter/CallFrame.h:55 > > +#if USE(JSVALUE32_64) > > + explicit CallSiteIndex(const Instruction* instruction) > > + : m_bytecodeIndex(bitwise_cast<uint32_t>(instruction)) > > + { } > > +#endif > > I would like to get the refactoring that removes 32 / 64bit difference here: > Use 64bit's logic and remove USE(JSVALUE32_64) around CallSiteIndex. > Can you do that? > Soon, we will introduce another change and that change could make this 32bit > logic not working. We can do manual casting to BytecodeIndex where required.

Zan Dobersek

Comment 13 2019-10-24 02:02:18 PDT

Created attachment 381789 [details] Pending fixes This is a list of logic fixes that fix the remaining test failures (all but one). I'll polish this into a patch in a bit.

Zan Dobersek

Comment 14 2019-10-24 03:55:13 PDT

Created attachment 381796 [details] Patch

Zan Dobersek

Comment 15 2019-10-24 03:59:35 PDT

Comment on attachment 381796 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=381796&action=review > Source/JavaScriptCore/bytecode/BytecodeIndex.h:42 > + BytecodeIndex(WTF::HashTableDeletedValueType) > + : m_offset(deletedValue().asBits()) > + { > + } This missing constructor was the main problem of the remaining issues. Without it, the BytecodeIndex(WTF::HashTableDeletedValue) construction defaulted to the uin32_t constructor. With WTF::HashTableDeletedValue being effectively 0, this ended up constructing zero-valued BytecodeIndex objects that on their own are completely valid, non-empty and non-deleted.

Zan Dobersek

Comment 16 2019-10-24 03:59:42 PDT

View in context: https://bugs.webkit.org/attachment.cgi?id=381796&action=review > Source/JavaScriptCore/bytecode/BytecodeIndex.h:42 > + BytecodeIndex(WTF::HashTableDeletedValueType) > + : m_offset(deletedValue().asBits()) > + { > + } This missing constructor was the main problem of the remaining issues. Without it, the BytecodeIndex(WTF::HashTableDeletedValue) construction defaulted to the uin32_t constructor. With WTF::HashTableDeletedValue being effectively 0, this ended up constructing zero-valued BytecodeIndex objects that on their own are completely valid, non-empty and non-deleted.

Zan Dobersek

Comment 17 2019-10-24 04:17:38 PDT

On 32-bit ARMv7, the patch puts into working order all the tests except one ChakraCore test. That failure is due to the BytecodeIndex rework, and apparently originates from the DFG layer, but it's still unclear why it occurs.

Keith Miller

Comment 18 2019-10-24 10:13:22 PDT

Comment on attachment 381796 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=381796&action=review r=me weird that this worked on 64 bit... since I would have guessed this would break a lot of things... >> Source/JavaScriptCore/bytecode/BytecodeIndex.h:42 >> + } > > This missing constructor was the main problem of the remaining issues. Without it, the BytecodeIndex(WTF::HashTableDeletedValue) construction defaulted to the uin32_t constructor. With WTF::HashTableDeletedValue being effectively 0, this ended up constructing zero-valued BytecodeIndex objects that on their own are completely valid, non-empty and non-deleted. Ugh, we should make WTF::HashTableDeletedValueType be a enum class...

Zan Dobersek

Comment 19 2019-10-24 22:45:06 PDT

Comment on attachment 381796 [details] Patch Clearing flags on attachment: 381796 Committed r251583: <https://trac.webkit.org/changeset/251583>

Zan Dobersek

Comment 20 2019-10-24 22:45:10 PDT

All reviewed patches have been landed. Closing bug.

Radar WebKit Bug Importer

Comment 21 2019-10-24 22:47:44 PDT

<rdar://problem/56608497>

Note You need to log in before you can comment on or make changes to this bug.