Bug 97088

Summary: DFG should not assume that a ByVal access is generic just because it was unprofiled
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, fpizlo, ggaren, mark.lam, mhahnenberg, msaboff, oliver
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Attachments (Description | Flags):
the patch | ggaren: review+

Description Filip Pizlo 2012-09-19 02:20:05 PDT
This is a rare situation, but we may have a ByVal access where:

1) Value profiling has live information for the operands to the ByVal access, because for each operand there is at least one executed operation that has a data flow arc to the operand.

2) Array profiling has no live profiling, because it never executed.

3) The ByVal access was to some manner of array storage.

In that case, we currently assume Generic rather than using ForceExit.
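A toy model of the decision this report is about, added here as an illustration and not WebKit's own code: the three conditions are encoded as profile state, and the pre-fix rule the description implies (an empty array profile combined with live value profiles folds to Generic) sits beside the rule the summary asks for (an empty array profile always means ForceExit). Every name in it (ByValSite, ArrayProfile, ValueProfile, ObservedModes, chooseModeBuggy, chooseModeFixed) is hypothetical; the real DFG tracks many more storage shapes and derives the mode in its own way.

```cpp
// Added example, not WebKit's code: a toy model of how a speculative JIT picks
// an array mode for a by-value access from its profiles. All names here are
// hypothetical reconstructions of the decision the bug description sketches.
#include <cstdint>
#include <cstdio>

// Shapes of array storage an access site has been observed to touch
// (constructed bitmask; a real engine tracks many more).
enum ObservedModes : uint32_t {
    NoneObserved     = 0,        // the access itself never executed
    ContiguousMode   = 1u << 0,
    ArrayStorageMode = 1u << 1,
    StringMode       = 1u << 2,
};

struct ArrayProfile { uint32_t observed = NoneObserved; };

// A value profile is "live" when at least one executed operation has a
// data-flow arc to the operand (condition 1 in the description).
struct ValueProfile { bool live = false; };

// What the compiler will speculate for the access.
enum class ArrayMode { ForceExit, Generic, Contiguous, ArrayStorage, String };

struct ByValSite {
    ValueProfile base;
    ValueProfile index;
    ArrayProfile arrayProfile;
};

// Record one execution of the site touching the given storage shape.
void recordAccess(ByValSite& s, ObservedModes shape) {
    s.base.live = s.index.live = true;
    s.arrayProfile.observed |= shape;
}

// Map a non-empty observation set to a mode; polymorphic sites go Generic.
ArrayMode fromObserved(uint32_t observed) {
    switch (observed) {
    case ContiguousMode:   return ArrayMode::Contiguous;
    case ArrayStorageMode: return ArrayMode::ArrayStorage;
    case StringMode:       return ArrayMode::String;
    default:               return ArrayMode::Generic;
    }
}

// Pre-fix rule as the description implies it: an empty array profile is
// treated as Generic whenever the operands' value profiles are live.
ArrayMode chooseModeBuggy(const ByValSite& s) {
    if (s.arrayProfile.observed == NoneObserved)
        return (s.base.live || s.index.live) ? ArrayMode::Generic : ArrayMode::ForceExit;
    return fromObserved(s.arrayProfile.observed);
}

// Corrected rule: "never executed" is absence of evidence, not evidence of
// polymorphism, so the site exits to the baseline tier and re-profiles.
ArrayMode chooseModeFixed(const ByValSite& s) {
    if (s.arrayProfile.observed == NoneObserved)
        return ArrayMode::ForceExit;
    return fromObserved(s.arrayProfile.observed);
}

// The situation from the bug: the operands were produced by code that ran, so
// their value profiles are live, but the access itself sat on a path that was
// never taken, so its array profile is empty.
ByValSite unprofiledSite() {
    ByValSite s;
    s.base.live = true;
    s.index.live = true;
    return s; // arrayProfile.observed stays NoneObserved
}

// A site that executed against array storage every time it ran.
ByValSite arrayStorageSite() {
    ByValSite s;
    recordAccess(s, ArrayStorageMode);
    return s;
}

const char* modeName(ArrayMode m) {
    switch (m) {
    case ArrayMode::ForceExit:    return "ForceExit";
    case ArrayMode::Generic:      return "Generic";
    case ArrayMode::Contiguous:   return "Contiguous";
    case ArrayMode::ArrayStorage: return "ArrayStorage";
    case ArrayMode::String:       return "String";
    }
    return "?";
}

int main() {
    ByValSite u = unprofiledSite();
    std::printf("unprofiled site: buggy=%s fixed=%s\n",
                modeName(chooseModeBuggy(u)), modeName(chooseModeFixed(u)));
    ByValSite p = arrayStorageSite();
    std::printf("profiled site:   buggy=%s fixed=%s\n",
                modeName(chooseModeBuggy(p)), modeName(chooseModeFixed(p)));
    return 0;
}
```

The point the model makes is the one a reviewer of speculative compilers watches for: an unprofiled site carries no evidence at all, and compiling it as Generic quietly commits the code generator to assumptions the profiles never justified, which is the kind of mismatch that surfaces as assertion failures in debug builds and as unsound code in release builds. ForceExit instead hands control to the baseline tier, which executes the access once with full profiling and lets the next optimizing compile speculate on real observations.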
Comment 1 Filip Pizlo 2012-09-19 02:32:13 PDT
Created attachment 164694 [details]
the patch
Comment 2 Geoffrey Garen 2012-09-19 08:41:12 PDT
Comment on attachment 164694 [details]
the patch

r=me
Comment 3 Filip Pizlo 2012-09-19 15:47:38 PDT
Landed in http://trac.webkit.org/changeset/129053
Comment 5 Geoffrey Garen 2012-09-19 21:37:31 PDT
15.4.4.4-1 Array.prototype.reverse()
ASSERTION FAILED: !array->canSetIndexQuickly(index)
/Volumes/Data/slave/lion-leaks/build/Source/JavaScriptCore/dfg/DFGOperations.cpp(577) : void operationPutByValBeyondArrayBoundsNonStrict(JSC::ExecState *, JSC::JSObject *, int32_t, EncodedJSValue)
1   0x105d8be28 operationPutByValBeyondArrayBoundsNonStrict
2   0x4edf7d804cd2
3   0x105e49510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
4   0x105e4540e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
5   0x105d0c821 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
6   0x105be038c _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb
7   0x105bdf9d2 jscmain(int, char**)
8   0x105bdf87e main
9   0x105bd7704 start
10  0x6

Testcase ecma/ExecutionContexts/10.2.2-1.js failed
Expected exit code 0, got 11
Testcase terminated with signal 0
Complete testcase output was:
10.2.2-1 Eval Code
ASSERTION FAILED: isSet()
/Volumes/Data/slave/lion-leaks/build/Source/JavaScriptCore/dfg/DFGEdge.h(59) : NodeIndex JSC::DFG::Edge::index() const
1   0x1041ba7f3 JSC::DFG::Edge::index() const
2   0x104265cce JSC::DFG::StorageOperand::StorageOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge)
3   0x104256133 JSC::DFG::StorageOperand::StorageOperand(JSC::DFG::SpeculativeJIT*, JSC::DFG::Edge)
4   0x104245e22 JSC::DFG::SpeculativeJIT::compileGetByValOnString(JSC::DFG::Node&)
5   0x10427d0fc JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&)
6   0x104244942 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
7   0x104245405 JSC::DFG::SpeculativeJIT::compile()
8   0x10420e8e9 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
9   0x10420f9cb JSC::DFG::JITCompiler::compile(JSC::JITCode&)
10  0x1041ff4b2 JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
11  0x1041fecdd JSC::DFG::tryCompile(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, unsigned int)
12  0x1042ac167 bool JSC::jitCompileIfAppropriate<JSC::EvalCodeBlock>(JSC::ExecState*, WTF::OwnPtr<JSC::EvalCodeBlock>&, JSC::JITCode&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
13  0x1042acf06 bool JSC::prepareForExecution<JSC::EvalCodeBlock>(JSC::ExecState*, WTF::OwnPtr<JSC::EvalCodeBlock>&, JSC::JITCode&, JSC::JITCode::JITType, unsigned int)
14  0x1042a7ff4 JSC::EvalExecutable::compileInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
15  0x1042a7515 JSC::EvalExecutable::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
16  0x104175c4d JSC::EvalCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
17  0x1043124ff cti_optimize
18  0x10431aad0 jscGeneratedNativeCode
19  0x1042d8510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
20  0x1042cf596 JSC::Interpreter::execute(JSC::EvalExecutable*, JSC::ExecState*, JSC::JSValue, JSC::JSScope*, int)
21  0x1042ceb7f JSC::eval(JSC::ExecState*)
22  0x104317bea cti_op_call_eval
23  0x10431aad0 jscGeneratedNativeCode
24  0x1042d8510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
25  0x1042d440e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
26  0x10419b821 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
27  0x10407238c _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb
28  0x1040719d2 jscmain(int, char**)
29  0x10407187e main
30  0x104069704 start

Testcase ecma/Expressions/11.4.8.js failed
Expected exit code 0, got 11
Testcase terminated with signal 0
Complete testcase output was:
ASSERTION FAILED: descriptor
/Volumes/Data/slave/lion-leaks/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(3238) : void JSC::DFG::SpeculativeJIT::compileGetArrayLength(JSC::DFG::Node &)
1   0x106166fc3 JSC::DFG::SpeculativeJIT::compileGetArrayLength(JSC::DFG::Node&)
2   0x106199a60 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&)
3   0x10615a942 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&)
4   0x10615b405 JSC::DFG::SpeculativeJIT::compile()
5   0x1061248e9 JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&)
6   0x106125e91 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&)
7   0x1061153de JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int)
8   0x106114d2c JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int)
9   0x1061c3dba JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort)
10  0x1061c4854 JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind)
11  0x1061bfeee JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int)
12  0x1061bfa55 JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int)
13  0x10609336f JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind)
14  0x10608bd11 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int)
15  0x1062284ff cti_optimize
16  0x106230ad0 jscGeneratedNativeCode
17  0x1061ee510 JSC::JITCode::execute(JSC::RegisterFile*, JSC::ExecState*, JSC::JSGlobalData*)
18  0x1061ea40e JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*)
19  0x1060b1821 JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, JSC::JSValue*)
20  0x105f8b38c _ZL14runWithScriptsP12GlobalObjectRKN3WTF6VectorI6ScriptLm0EEEb
21  0x105f8a9d2 jscmain(int, char**)
22  0x105f8a87e main
23  0x105f82704 start
24  0x6
Comment 6 Filip Pizlo 2012-09-20 00:39:08 PDT
(In reply to comment #5)

That's bizarre!  I didn't get these before committing, but then again, I made the mistake of not testing before rebasing against https://bugs.webkit.org/show_bug.cgi?id=97080
Comment 7 Geoffrey Garen 2012-09-20 11:05:58 PDT
I don't see these failures on other bots or locally. But they are reproducible on the Lion leaks bot. I'm not sure what's unique about that bot.