Bug 97088

Summary: DFG should not assume that a ByVal access is generic just because it was unprofiled
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, fpizlo, ggaren, mark.lam, mhahnenberg, msaboff, oliver
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Attachments:
Description Flags
the patch ggaren: review+

Filip Pizlo
Reported 2012-09-19 02:20:05 PDT
This is a rare situation, but we may have a ByVal access where: 1) Value profiling has live information for the operands to the ByVal access, because for each operand there is at least one executed operation that has a data flow arc to the operand. 2) Array profiling has no live profiling, because it never executed. 3) The ByVal access was to some manner of array storage. In that case, we currently assume Generic rather than using ForceExit.
Attachments
the patch (5.45 KB, patch)
2012-09-19 02:32 PDT, Filip Pizlo 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2012-09-19 02:32:13 PDT
Created attachment 164694 [details] the patch
Geoffrey Garen
Comment 2 2012-09-19 08:41:12 PDT
Comment on attachment 164694 [details] the patch r=me
Filip Pizlo
Comment 3 2012-09-19 15:47:38 PDT
Landed in http://trac.webkit.org/changeset/129053
Geoffrey Garen
Comment 5 2012-09-19 21:37:31 PDT
15.4.4.4-1 Array.prototype.reverse()<br> ASSERTION FAILED: !array->canSetIndexQuickly(index)<br> /Volumes/Data/slave/lion-leaks/build/Source/JavaScriptCore/dfg/DFGOperations.cpp(577) : void operationPutByValBeyondArrayBoundsNonStrict(JSC::ExecState *, JSC::JSObject *, int32_t, EncodedJSValue)<br> 1 0x105d8be28 operationPutByValBeyondArrayBoundsNonStrict<br> 2 0x4edf7d804cd2<br> 3 0x105e49510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)<br> 4 0x105e4540e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)<br> 5 0x105d0c821 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)<br> 6 0x105be038c _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb<br> 7 0x105bdf9d2 jscmain(int, char**)<br> 8 0x105bdf87e main<br> 9 0x105bd7704 start<br> 10 0x6<br> </tt><br> <a name='failure2'></a><dd><b>Testcase <a target='other_window' href='./ecma/ExecutionContexts/10.2.2-1.js'>ecma/ExecutionContexts/10.2.2-1.js</a> failed</b> <br> [ <a href='#failure1'>Previous Failure</a> | <a href='#failure3'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br> <tt>Expected exit code 0, got 11<br> Testcase terminated with signal 0<br> Complete testcase output was:<br> 10.2.2-1 Eval Code<br> ASSERTION FAILED: isSet()<br> /Volumes/Data/slave/lion-leaks/build/Source/JavaScriptCore/dfg/DFGEdge.h(59) : NodeIndex JSC::DFG::Edge::index() const<br> 1 0x1041ba7f3 JSC::DFG::Edge::index() const<br> 2 0x104265cce JSC::DFG::StorageOperand::StorageOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge)<br> 3 0x104256133 JSC::DFG::StorageOperand::StorageOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge)<br> 4 0x104245e22 JSC::DFG::SpeculativeJIT::compileGetByValOnString(JSC::DFG::Node&)<br> 5 0x10427d0fc JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&)<br> 6 0x104244942 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)<br> 7 0x104245405 JSC::DFG::SpeculativeJIT::compile()<br> 8 0x10420e8e9 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)<br> 9 0x10420f9cb JSC::DFG::JITCompiler::compile(JSC::JITCode&)<br> 10 0x1041ff4b2 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)<br> 11 0x1041fecdd JSC::DFG::tryCompile(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, unsigned int)<br> 12 0x1042ac167 bool JSC::jitCompileIfAppropriate<JSC::EvalCodeBlock>(JSC::ExecState*, WTF::OwnPtr<JSC::EvalCodeBlock>&, JSC::JITCode&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)<br> 13 0x1042acf06 bool JSC::prepareForExecution<JSC::EvalCodeBlock>(JSC::ExecState*, WTF::OwnPtr<JSC::EvalCodeBlock>&, JSC::JITCode&, JSC::JITCode::JITType, unsigned int)<br> 14 0x1042a7ff4 JSC::EvalExecutable::compileInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)<br> 15 0x1042a7515 JSC::EvalExecutable::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)<br> 16 0x104175c4d JSC::EvalCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)<br> 17 0x1043124ff cti_optimize<br> 18 0x10431aad0 jscGeneratedNativeCode<br> 19 0x1042d8510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)<br> 20 0x1042cf596 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*, int)<br> 21 0x1042ceb7f JSC::eval(JSC::ExecState*)<br> 22 0x104317bea cti_op_call_eval<br> 23 0x10431aad0 jscGeneratedNativeCode<br> 24 0x1042d8510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)<br> 25 0x1042d440e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)<br> 26 0x10419b821 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)<br> 27 0x10407238c _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb<br> 28 0x1040719d2 jscmain(int, char**)<br> 29 0x10407187e main<br> 30 0x104069704 start<br> </tt><br> <a name='failure3'></a><dd><b>Testcase <a target='other_window' href='./ecma/Expressions/11.4.8.js'>ecma/Expressions/11.4.8.js</a> failed</b> <br> [ <a href='#failure2'>Previous Failure</a> | <a href='#failure4'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br> <tt>Expected exit code 0, got 11<br> Testcase terminated with signal 0<br> Complete testcase output was:<br> ASSERTION FAILED: descriptor<br> /Volumes/Data/slave/lion-leaks/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(3238) : void JSC::DFG::SpeculativeJIT::compileGetArrayLength(JSC::DFG::Node &)<br> 1 0x106166fc3 JSC::DFG::SpeculativeJIT::compileGetArrayLength(JSC::DFG::Node&)<br> 2 0x106199a60 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&)<br> 3 0x10615a942 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)<br> 4 0x10615b405 JSC::DFG::SpeculativeJIT::compile()<br> 5 0x1061248e9 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)<br> 6 0x106125e91 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)<br> 7 0x1061153de JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)<br> 8 0x106114d2c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)<br> 9 0x1061c3dba JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)<br> 10 0x1061c4854 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)<br> 11 0x1061bfeee JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)<br> 12 0x1061bfa55 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int)<br> 13 0x10609336f JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)<br> 14 0x10608bd11 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)<br> 15 0x1062284ff cti_optimize<br> 16 0x106230ad0 jscGeneratedNativeCode<br> 17 0x1061ee510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)<br> 18 0x1061ea40e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)<br> 19 0x1060b1821 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)<br> 20 0x105f8b38c _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb<br> 21 0x105f8a9d2 jscmain(int, char**)<br> 22 0x105f8a87e main<br> 23 0x105f82704 start<br> 24 0x6<br> </tt><br>
Filip Pizlo
Comment 6 2012-09-20 00:39:08 PDT
(In reply to comment #5) > 15.4.4.4-1 Array.prototype.reverse()<br> > ASSERTION FAILED: !array->canSetIndexQuickly(index)<br> > /Volumes/Data/slave/lion-leaks/build/Source/JavaScriptCore/dfg/DFGOperations.cpp(577) : void operationPutByValBeyondArrayBoundsNonStrict(JSC::ExecState *, JSC::JSObject *, int32_t, EncodedJSValue)<br> > 1 0x105d8be28 operationPutByValBeyondArrayBoundsNonStrict<br> > 2 0x4edf7d804cd2<br> > 3 0x105e49510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)<br> > 4 0x105e4540e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)<br> > 5 0x105d0c821 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)<br> > 6 0x105be038c _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb<br> > 7 0x105bdf9d2 jscmain(int, char**)<br> > 8 0x105bdf87e main<br> > 9 0x105bd7704 start<br> > 10 0x6<br> > </tt><br> > <a name='failure2'></a><dd><b>Testcase <a target='other_window' href='./ecma/ExecutionContexts/10.2.2-1.js'>ecma/ExecutionContexts/10.2.2-1.js</a> failed</b> <br> > [ <a href='#failure1'>Previous Failure</a> | <a href='#failure3'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br> > <tt>Expected exit code 0, got 11<br> > Testcase terminated with signal 0<br> > Complete testcase output was:<br> > 10.2.2-1 Eval Code<br> > ASSERTION FAILED: isSet()<br> > /Volumes/Data/slave/lion-leaks/build/Source/JavaScriptCore/dfg/DFGEdge.h(59) : NodeIndex JSC::DFG::Edge::index() const<br> > 1 0x1041ba7f3 JSC::DFG::Edge::index() const<br> > 2 0x104265cce JSC::DFG::StorageOperand::StorageOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge)<br> > 3 0x104256133 JSC::DFG::StorageOperand::StorageOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge)<br> > 4 0x104245e22 JSC::DFG::SpeculativeJIT::compileGetByValOnString(JSC::DFG::Node&)<br> > 5 0x10427d0fc JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&)<br> > 6 0x104244942 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)<br> > 7 0x104245405 JSC::DFG::SpeculativeJIT::compile()<br> > 8 0x10420e8e9 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)<br> > 9 0x10420f9cb JSC::DFG::JITCompiler::compile(JSC::JITCode&)<br> > 10 0x1041ff4b2 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)<br> > 11 0x1041fecdd JSC::DFG::tryCompile(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, unsigned int)<br> > 12 0x1042ac167 bool JSC::jitCompileIfAppropriate<JSC::EvalCodeBlock>(JSC::ExecState*, WTF::OwnPtr<JSC::EvalCodeBlock>&, JSC::JITCode&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)<br> > 13 0x1042acf06 bool JSC::prepareForExecution<JSC::EvalCodeBlock>(JSC::ExecState*, WTF::OwnPtr<JSC::EvalCodeBlock>&, JSC::JITCode&, JSC::JITCode::JITType, unsigned int)<br> > 14 0x1042a7ff4 JSC::EvalExecutable::compileInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)<br> > 15 0x1042a7515 JSC::EvalExecutable::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)<br> > 16 0x104175c4d JSC::EvalCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)<br> > 17 0x1043124ff cti_optimize<br> > 18 0x10431aad0 jscGeneratedNativeCode<br> > 19 0x1042d8510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)<br> > 20 0x1042cf596 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*, int)<br> > 21 0x1042ceb7f JSC::eval(JSC::ExecState*)<br> > 22 0x104317bea cti_op_call_eval<br> > 23 0x10431aad0 jscGeneratedNativeCode<br> > 24 0x1042d8510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)<br> > 25 0x1042d440e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)<br> > 26 0x10419b821 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)<br> > 27 0x10407238c _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb<br> > 28 0x1040719d2 jscmain(int, char**)<br> > 29 0x10407187e main<br> > 30 0x104069704 start<br> > </tt><br> > <a name='failure3'></a><dd><b>Testcase <a target='other_window' href='./ecma/Expressions/11.4.8.js'>ecma/Expressions/11.4.8.js</a> failed</b> <br> > [ <a href='#failure2'>Previous Failure</a> | <a href='#failure4'>Next Failure</a> | <a href='#tippy_top'>Top of Page</a> ]<br> > <tt>Expected exit code 0, got 11<br> > Testcase terminated with signal 0<br> > Complete testcase output was:<br> > ASSERTION FAILED: descriptor<br> > /Volumes/Data/slave/lion-leaks/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(3238) : void JSC::DFG::SpeculativeJIT::compileGetArrayLength(JSC::DFG::Node &)<br> > 1 0x106166fc3 JSC::DFG::SpeculativeJIT::compileGetArrayLength(JSC::DFG::Node&)<br> > 2 0x106199a60 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&)<br> > 3 0x10615a942 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)<br> > 4 0x10615b405 JSC::DFG::SpeculativeJIT::compile()<br> > 5 0x1061248e9 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)<br> > 6 0x106125e91 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)<br> > 7 0x1061153de JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)<br> > 8 0x106114d2c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)<br> > 9 0x1061c3dba JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)<br> > 10 0x1061c4854 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)<br> > 11 0x1061bfeee JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)<br> > 12 0x1061bfa55 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int)<br> > 13 0x10609336f JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)<br> > 14 0x10608bd11 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)<br> > 15 0x1062284ff cti_optimize<br> > 16 0x106230ad0 jscGeneratedNativeCode<br> > 17 0x1061ee510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)<br> > 18 0x1061ea40e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)<br> > 19 0x1060b1821 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)<br> > 20 0x105f8b38c _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb<br> > 21 0x105f8a9d2 jscmain(int, char**)<br> > 22 0x105f8a87e main<br> > 23 0x105f82704 start<br> > 24 0x6<br> > </tt><br> That's bizarre! I didn't get these before committing, but then again, I made the mistake of not testing before rebasing against https://bugs.webkit.org/show_bug.cgi?id=97080
Geoffrey Garen
Comment 7 2012-09-20 11:05:58 PDT
I don't see these failures on other bots or locally. But they are reproducible on the Lion leaks bot. I'm not sure what's unique about that bot.
Note You need to log in before you can comment on or make changes to this bug.