Bug 70094

Summary: REGRESSION (r97030): Cannot log in to progressive.com
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, fpizlo, maccinema, mmcneil, oliver
Priority: P1 Keywords: InRadar, Regression
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch oliver: review+

Alexey Proskuryakov
Reported 2011-10-14 00:28:24 PDT
Steps to reproduce: 1. Open www.progressive.com 2. Enter credentials (valid or not) 3. Click Log In. Results: a new page loads, which has a yellow bubble saying "You must have JavaScript enabled to log in". Expected results: successful login, or indication that credentials are incorrect.
Attachments
the patch (4.90 KB, patch)
2011-10-26 13:50 PDT, Filip Pizlo 		oliver: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Alexey Proskuryakov
Comment 1 2011-10-14 00:29:10 PDT
This still happens as of r97440.
Gavin Barraclough
Comment 2 2011-10-20 15:01:28 PDT
rdar://problem/10320207
Filip Pizlo
Comment 3 2011-10-26 12:43:54 PDT
I can still reproduce in r98510. Investigating...
Filip Pizlo
Comment 4 2011-10-26 13:22:36 PDT
Looks like this was caused by DFG intrinsic support not keeping the callee alive in the case of the function speculation being done with CheckFunction instead of CheckMethod. As a result, OSR thought that if the intrinsic body had a speculation failure, then the callee was no longer needed and could be set to Undefined. The old JIT would then fail to make the (non-intrinsic) call because the callee was Undefined. Patch on the way.
Oliver Hunt
Comment 5 2011-10-26 13:50:25 PDT
ah ha, this sounds like what i was seeing with search on apple.com -- (some String _object_).charAt(0) was failing due to function being undefined
Filip Pizlo
Comment 6 2011-10-26 13:50:33 PDT
Created attachment 112590 [details] the patch
Filip Pizlo
Comment 7 2011-10-26 14:05:42 PDT
This appears to be neutral enough. Benchmark report for SunSpider, V8, and Kraken. VMs tested: "TipOfTree" at /Volumes/Data/pizlo/tertiary/OpenSource/WebKitBuild/Release/jsc "FixIntrinsic" at /Volumes/Data/pizlo/secondary/OpenSource/WebKitBuild/Release/jsc Collected 30 samples per benchmark/VM, with 10 VM invocations per benchmark. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in milliseconds. TipOfTree FixIntrinsic SunSpider: 3d-cube 7.9076+-0.0279 ? 7.9364+-0.0283 ? 3d-morph 8.5858+-0.0787 ^ 8.4033+-0.0224 ^ definitely 1.0217x faster 3d-raytrace 8.2665+-0.0779 8.2392+-0.0530 access-binary-trees 1.6938+-0.0080 ? 1.7000+-0.0120 ? access-fannkuch 7.7814+-0.0293 ? 7.7880+-0.0421 ? access-nbody 4.5360+-0.0089 ? 4.5428+-0.0133 ? access-nsieve 3.1823+-0.0085 ? 3.2028+-0.0157 ? bitops-3bit-bits-in-byte 1.3132+-0.0051 ? 1.3253+-0.0098 ? bitops-bits-in-byte 5.2879+-0.0174 5.2765+-0.0131 bitops-bitwise-and 3.4455+-0.0338 3.4255+-0.0367 bitops-nsieve-bits 5.6557+-0.0220 ? 5.6672+-0.0289 ? controlflow-recursive 2.3333+-0.0080 ? 2.3408+-0.0110 ? crypto-aes 7.6466+-0.0657 ? 7.6529+-0.0503 ? crypto-md5 2.8665+-0.0088 ? 2.8719+-0.0139 ? crypto-sha1 2.6365+-0.0068 ? 2.6395+-0.0061 ? date-format-tofte 10.6221+-0.0892 10.6129+-0.0828 date-format-xparb 10.0401+-0.1399 ? 10.2030+-0.1278 ? might be 1.0162x slower math-cordic 7.8692+-0.1607 7.7656+-0.1735 might be 1.0133x faster math-partial-sums 10.6119+-0.0382 10.5947+-0.0216 math-spectral-norm 2.8884+-0.0094 2.8831+-0.0035 regexp-dna 13.4098+-0.1236 13.3586+-0.0969 string-base64 4.4306+-0.0160 ? 4.4345+-0.0180 ? string-fasta 7.1237+-0.0313 ? 7.1520+-0.0327 ? string-tagcloud 13.3123+-0.1002 13.2537+-0.0978 string-unpack-code 22.7898+-0.1135 22.7579+-0.1608 string-validate-input 5.6190+-0.0312 ? 5.6246+-0.0251 ? <arithmetic> * 6.9944+-0.0186 6.9866+-0.0160 <geometric> 5.6515+-0.0115 5.6507+-0.0108 <harmonic> 4.4652+-0.0076 ? 4.4720+-0.0094 ? TipOfTree FixIntrinsic V8: crypto 81.3615+-0.1320 81.2786+-0.1237 deltablue 198.7770+-1.1554 ? 198.8303+-0.8179 ? earley-boyer 112.6656+-0.4977 112.2430+-0.3937 raytrace 69.7731+-0.2614 ? 69.8014+-0.2044 ? regexp 123.2958+-0.2316 ! 123.9037+-0.2628 ! definitely 1.0049x slower richards 145.2994+-0.3315 ? 145.3566+-0.3675 ? splay 125.6378+-0.2950 ^ 125.0238+-0.2855 ^ definitely 1.0049x faster <arithmetic> 122.4015+-0.2623 122.3482+-0.1259 <geometric> * 116.2024+-0.2088 116.1417+-0.1064 <harmonic> 110.2616+-0.1835 110.2013+-0.1079 TipOfTree FixIntrinsic Kraken: ai-astar 820.2246+-6.7082 ! 835.1766+-0.7111 ! definitely 1.0182x slower audio-beat-detection 213.4186+-1.0287 213.0322+-0.8044 audio-dft 262.7048+-1.5377 ? 262.7931+-2.2951 ? audio-fft 132.9054+-0.2444 ? 133.2153+-0.3970 ? audio-oscillator 291.0922+-0.6166 ? 291.3314+-0.6625 ? imaging-darkroom 449.3549+-3.0024 ? 465.5893+-16.4302 ? might be 1.0361x slower imaging-desaturate 245.1788+-0.0914 ? 245.2064+-0.1010 ? imaging-gaussian-blur 621.4067+-0.4518 ? 622.2380+-1.1309 ? json-parse-financial 70.0677+-0.1335 ^ 69.6918+-0.1879 ^ definitely 1.0054x faster json-stringify-tinderbox 79.9185+-0.1917 ? 80.3397+-0.5611 ? stanford-crypto-aes 153.2659+-0.8925 ? 154.5920+-1.1308 ? stanford-crypto-ccm 116.0096+-0.4305 115.9553+-0.3849 stanford-crypto-pbkdf2 238.1033+-1.5732 236.7514+-1.7106 stanford-crypto-sha256-iterative 85.2398+-0.1548 ? 85.3327+-0.1286 ? <arithmetic> * 269.9208+-0.4461 ! 272.2318+-1.1298 ! definitely 1.0086x slower <geometric> 205.8856+-0.1998 ! 206.7182+-0.4525 ! definitely 1.0040x slower <harmonic> 161.9389+-0.1452 ? 162.1738+-0.2282 ? TipOfTree FixIntrinsic All benchmarks: <arithmetic> 102.5012+-0.1587 ! 103.1773+-0.3432 ! definitely 1.0066x slower <geometric> 25.8726+-0.0371 ? 25.8995+-0.0350 ? <harmonic> 7.8690+-0.0132 ? 7.8808+-0.0162 ? TipOfTree FixIntrinsic Geomean of preferred means: <scaled-result> 60.3113+-0.0906 ? 60.4493+-0.1033 ?
Geoffrey Garen
Comment 8 2011-10-26 15:41:57 PDT
*** Bug 70682 has been marked as a duplicate of this bug. ***
Oliver Hunt
Comment 9 2011-10-26 15:54:45 PDT
http://trac.webkit.org/changeset/98517
Joe Strzemp
Comment 10 2011-10-30 14:00:25 PDT
*** Bug 69793 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.