The following test crashes on the assertion above:

function toFuzz() { if (PriorityQueue.prototype.doSort() instanceof (this ^= function() { })) return 2; }
toFuzz();

Tested on: Linux 13.04, PC, x86_64.

Backtrace:
==========
Program received signal SIGSEGV, Segmentation fault.
0x0000000000435185 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:339
339         *(int *)(uintptr_t)0xbbadbeef = 0;
(gdb) bt
#0  0x0000000000435185 in WTFCrash () at /home/reni/Data/REPOS/webkitnix/Source/WTF/wtf/Assertions.cpp:339
#1  0x000000000073ec02 in JSC::ASTBuilder::setExceptionLocation (node=0xeed7b0, start=28, divot=72, end=100, divotLine=3, divotLineStart=94) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/ASTBuilder.h:656
#2  0x00000000007353a4 in JSC::ASTBuilder::makeBinaryNode (this=0x7fffffffba00, location=..., token=30605, lhs=<incomplete type>, rhs=<incomplete type>) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/ASTBuilder.h:902
#3  0x000000000073e6a4 in JSC::ASTBuilder::appendBinaryOperation (this=0x7fffffffba00, location=..., operandStackDepth=@0x7fffffffb400: 1, lhs=..., rhs=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/ASTBuilder.h:575
#4  0x000000000075a6bf in JSC::Parser<JSC::Lexer<unsigned char> >::parseBinaryExpression<JSC::ASTBuilder> (this=0x7fffffffc000, context=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:1286
#5  0x000000000075934b in JSC::Parser<JSC::Lexer<unsigned char> >::parseConditionalExpression<JSC::ASTBuilder> (this=0x7fffffffc000, context=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:1218
#6  0x0000000000757101 in JSC::Parser<JSC::Lexer<unsigned char> >::parseAssignmentExpression<JSC::ASTBuilder> (this=0x7fffffffc000, context=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:1157
#7  0x00000000007547f4 in JSC::Parser<JSC::Lexer<unsigned char> >::parseExpression<JSC::ASTBuilder> (this=0x7fffffffc000, context=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:1128
#8  0x000000000074bb42 in JSC::Parser<JSC::Lexer<unsigned char> >::parseIfStatement<JSC::ASTBuilder> (this=0x7fffffffc000, context=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:1048
#9  0x0000000000749907 in JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder> (this=0x7fffffffc000, context=..., directive=@0x7fffffffb818: 0x0, directiveLiteralLength=0x7fffffffb800) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:755
#10 0x0000000000753756 in JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<(JSC::SourceElementsMode)1, JSC::ASTBuilder> (this=0x7fffffffc000, context=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:172
#11 0x000000000074b4fd in JSC::Parser<JSC::Lexer<unsigned char> >::parseBlockStatement<JSC::ASTBuilder> (this=0x7fffffffc000, context=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:724
#12 0x00000000007497f2 in JSC::Parser<JSC::Lexer<unsigned char> >::parseStatement<JSC::ASTBuilder> (this=0x7fffffffc000, context=..., directive=@0x7fffffffb948: 0x0, directiveLiteralLength=0x7fffffffb930) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:741
#13 0x0000000000747a53 in JSC::Parser<JSC::Lexer<unsigned char> >::parseSourceElements<(JSC::SourceElementsMode)0, JSC::ASTBuilder> (this=0x7fffffffc000, context=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:172
#14 0x0000000000740a91 in JSC::Parser<JSC::Lexer<unsigned char> >::parseInner (this=0x7fffffffc000) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.cpp:118
#15 0x0000000000624de8 in JSC::Parser<JSC::Lexer<unsigned char> >::parse<JSC::FunctionBodyNode> (this=0x7fffffffc000, error=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.h:1023
#16 0x000000000062426b in JSC::parse<JSC::FunctionBodyNode> (vm=0xecfb60, source=..., parameters=0xedd1f0, name=..., strictness=JSC::JSParseNormal, parserMode=JSC::JSParseFunctionCode, error=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/parser/Parser.h:1091
#17 0x0000000000621fc9 in JSC::generateFunctionCodeBlock (vm=..., scope=0x7ffff7f5f870, executable=0x7fffb437ff90, source=..., kind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:52
#18 0x0000000000622ade in JSC::UnlinkedFunctionExecutable::codeBlockFor (this=0x7fffb437ff90, vm=..., scope=0x7ffff7f5f870, source=..., specializationKind=JSC::CodeForCall, debuggerMode=JSC::DebuggerOff, profilerMode=JSC::ProfilerOff, error=...) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/bytecode/UnlinkedCodeBlock.cpp:161
#19 0x00000000004eda7e in JSC::FunctionExecutable::produceCodeBlockFor (this=0x7fffb43bfd70, scope=0x7ffff7f5f870, specializationKind=JSC::CodeForCall, exception=@0x7fffffffcb98: 0x0) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/Executable.cpp:503
#20 0x00000000004eddcd in JSC::FunctionExecutable::compileForCallInternal (this=0x7fffb43bfd70, exec=0x7fffb44020a0, scope=0x7ffff7f5f870, jitType=JSC::JITCode::BaselineJIT, bytecodeIndex=4294967295) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/Executable.cpp:533
#21 0x0000000000498b08 in JSC::FunctionExecutable::compileForCall (this=0x7fffb43bfd70, exec=0x7fffb44020a0, scope=0x7ffff7f5f870) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/Executable.h:612
#22 0x00000000004b4ad2 in JSC::FunctionExecutable::compileFor (this=0x7fffb43bfd70, exec=0x7fffb44020a0, scope=0x7ffff7f5f870, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/Executable.h:670
#23 0x00000000007abff4 in JSC::LLInt::setUpCall (execCallee=0x7fffb44020a0, pc=0xeed4b8, kind=JSC::CodeForCall, calleeAsValue=<incomplete type>, callLinkInfo=0xef04d0) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1392
#24 0x00000000007ac391 in JSC::LLInt::genericCall (exec=0x7fffb4402058, pc=0xeed4b8, kind=JSC::CodeForCall) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1434
#25 0x00000000007a9667 in JSC::LLInt::llint_slow_path_call (exec=0x7fffb4402058, pc=0xeed4b8) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1440
#26 0x00000000005d4185 in llint_op_call ()
#27 0x00007fffb4402058 in ?? ()
#28 0x0000000000edf610 in ?? ()
#29 0x00007fffffffce00 in ?? ()
#30 0x000000000049aa77 in JSC::JSStack::installTrapsAfterFrame (this=0x0, frame=0x0) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/interpreter/JSStackInlines.h:212
#31 0x0000000000497fec in JSC::JITCode::execute (this=0x7fffb43bfe90, stack=0xedf610, callFrame=0x7fffb4402058, vm=0xecfb60) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/jit/JITCode.h:135
#32 0x000000000049405c in JSC::Interpreter::execute (this=0xedf600, program=0x7fffb43bfe70, callFrame=0x7ffff7f5f8d8, thisObj=0x7ffff7e6feb0) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/interpreter/Interpreter.cpp:948
#33 0x00000000004e9785 in JSC::evaluate (exec=0x7ffff7f5f8d8, source=..., thisValue=<incomplete type>, returnedException=0x7fffffffd970) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/runtime/Completion.cpp:83
#34 0x000000000041f710 in runWithScripts (globalObject=0x7ffff7f5f870, scripts=..., dump=false) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/jsc.cpp:600
#35 0x00000000004205b6 in jscmain (argc=2, argv=0x7fffffffdc38) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/jsc.cpp:816
#36 0x000000000041f50d in main (argc=2, argv=0x7fffffffdc38) at /home/reni/Data/REPOS/webkitnix/Source/JavaScriptCore/jsc.cpp:558
Created attachment 206647 [details] Test case
This assertion failure was introduced in the fix for <https://bugs.webkit.org/show_bug.cgi?id=118481>. The solution for https://bugs.webkit.org/show_bug.cgi?id=118481 (r152494) aimed to ensure that line and column numbers are captured for the divot position in the ExpressionRangeInfo. There were many assertions added to ensure that we have sane lineStart values for computing column numbers. However, some of these assertions are failing now because the presumed captured divot position isn't always used as the divot when emitting the ExpressionRangeInfo. There is also a startOffset and an endOffset that can be used to compute an adjusted divot position relative to the passed-in divot value. Unfortunately, this does not yield us the correct line and lineStart info for the adjustedDivot. This issue is the source of the assertion failures.

The solution is to introduce a new JSTokenPosition that captures a line number, source offset, and source line start offset. Together, these 3 pieces of info define a coherent position in the source string.

When emitting an ExpressionRangeInfo, we emitted 3 values:
1. a divot position,
2. a startOffset relative to the divot position, and
3. an endOffset relative to the divot position.

Previously, the fix in r152494 also added the line and lineStartOffset of the passed-in divot position. When the NodesCodegen tries to use the start or end position as the divot instead of the passed-in divot position, the passed-in line and lineStart values become invalid.

Now, with the current fix, we're going to pass the divot, start, and end positions all as JSTokenPositions, i.e. all 3 will have their line and lineStartOffset detail captured. This way, no matter which position (divot, start, or end) the NodesCodegen chooses as the divot position to emit, we'll have the appropriate line and lineStart values to go with it.

Preliminary layout test results of the current fix show no new test failures.
Perf benchmark results also show no regression (differences are in the noise). Here are the detailed results (ws7 is a baseline build of r152583, ws5 is r152583 + the current fix):

=== BEGIN =====================================
Generating benchmark report at /Volumes/Source/ws5/OpenSource/SunSpiderV8SpiderOctaneKrakenJSBenchJSRegressDSP_Eon_20130716_0130_report.txt
And raw data at /Volumes/Source/ws5/OpenSource/SunSpiderV8SpiderOctaneKrakenJSBenchJSRegressDSP_Eon_20130716_0130.json

Benchmark report for SunSpider, V8Spider, Octane, Kraken, JSBench, JSRegress, and DSP on Eon (MacBookAir5,1).

VMs tested:
"Conf#1" at /Volumes/Source/ws7/OpenSource/WebKitBuild/Release/DumpRenderTree (r152583)
"Conf#2" at /Volumes/Source/ws5/OpenSource/WebKitBuild/Release/DumpRenderTree (r152583)

Collected 12 samples per benchmark/VM, with 4 VM invocations per benchmark. Emitted a call to gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in milliseconds.

                                        Conf#1                  Conf#2
SunSpider:
   3d-cube                      9.3223+-0.3498    ?     9.3627+-0.3299    ?
   3d-morph                     7.8883+-0.0655    ?     8.3416+-0.8772    ?   might be 1.0575x slower
   3d-raytrace                 10.4790+-0.2261    ?    11.0784+-0.9571    ?   might be 1.0572x slower
   access-binary-trees          2.3254+-0.2986    ?     2.4112+-0.3274    ?   might be 1.0369x slower
   access-fannkuch              8.0938+-1.2990          7.0423+-0.0774        might be 1.1493x faster
   access-nbody                 4.7696+-0.7781          4.1717+-0.0465        might be 1.1433x faster
   access-nsieve                4.3107+-0.1454    ?     4.3573+-0.0638    ?   might be 1.0108x slower
   bitops-3bit-bits-in-byte     1.9830+-0.0288    ?     2.0419+-0.1008    ?   might be 1.0297x slower
   bitops-bits-in-byte          2.7566+-0.0351          2.7322+-0.0514
   bitops-bitwise-and           2.6184+-0.0593          2.5968+-0.0300
   bitops-nsieve-bits           4.9445+-0.6688          4.3322+-0.0762        might be 1.1413x faster
   controlflow-recursive        2.6797+-0.2018    ?     3.0085+-0.6940    ?   might be 1.1227x slower
   crypto-aes                   7.6999+-0.2748    ?     8.8789+-1.8346    ?   might be 1.1531x slower
   crypto-md5                   4.1596+-0.0759          4.1591+-0.1091
   crypto-sha1                  3.4380+-0.2775          3.3485+-0.0557        might be 1.0268x faster
   date-format-tofte           12.3159+-0.7845    ?    12.7705+-0.8415    ?   might be 1.0369x slower
   date-format-xparb            9.7883+-0.6157    ?     9.7965+-0.5808    ?
   math-cordic                  3.8725+-0.0234    ?     3.8969+-0.0246    ?
   math-partial-sums            9.7911+-1.8169          9.1072+-0.5437        might be 1.0751x faster
   math-spectral-norm           2.9363+-0.2395          2.7892+-0.0329        might be 1.0527x faster
   regexp-dna                  10.7449+-0.5993         10.7233+-0.5056
   string-base64                5.1336+-0.4824    ?     5.2396+-0.5379    ?   might be 1.0207x slower
   string-fasta                10.4737+-0.0847    ?    11.0207+-0.9473    ?   might be 1.0522x slower
   string-tagcloud             12.6691+-0.1835    ?    13.0441+-0.2545    ?   might be 1.0296x slower
   string-unpack-code          27.7667+-0.3169    ?    27.8846+-0.3285    ?
   string-validate-input        9.2620+-1.5414          8.4467+-0.2292        might be 1.0965x faster

   <arithmetic> *               7.3932+-0.1852    ?     7.4070+-0.2115    ?   might be 1.0019x slower
   <geometric>                  5.9427+-0.1369          5.9343+-0.1561        might be 1.0014x faster
   <harmonic>                   4.8480+-0.0969          4.8436+-0.1208        might be 1.0009x faster

                                        Conf#1                  Conf#2
V8Spider:
   crypto                      75.3191+-0.7948    ?    76.0389+-0.8876    ?
   deltablue                  113.2428+-1.7175    ?   114.0694+-2.2094    ?
   earley-boyer                66.0507+-0.4138    ?    67.4076+-2.9583    ?   might be 1.0205x slower
   raytrace                    57.3419+-2.2467         56.0001+-0.9102        might be 1.0240x faster
   regexp                      91.9139+-1.5549         89.5532+-1.0246        might be 1.0264x faster
   richards                   100.1643+-1.8618         98.9682+-0.7084        might be 1.0121x faster
   splay                       55.9167+-3.0460    ?    57.9345+-3.7159    ?   might be 1.0361x slower

   <arithmetic>                79.9928+-0.9648    ?    79.9960+-0.9711    ?   might be 1.0000x slower
   <geometric> *               77.3439+-1.1045    ?    77.4490+-1.1613    ?   might be 1.0014x slower
   <harmonic>                  74.8133+-1.2810    ?    75.0205+-1.3679    ?   might be 1.0028x slower

                                        Conf#1                  Conf#2
Octane and V8v7:
   encrypt                     0.40724+-0.00449   ?    0.40839+-0.00726   ?
   decrypt                     7.40209+-0.06643        7.38687+-0.12881
   deltablue x2                0.52602+-0.00990        0.51906+-0.00514       might be 1.0134x faster
   earley                      0.73706+-0.01503        0.73237+-0.01211
   boyer                       9.36106+-0.10371   ?    9.47685+-0.11086   ?   might be 1.0124x slower
   raytrace x2                 4.26678+-0.06591        4.25450+-0.06255
   regexp x2                  30.03634+-0.27958       29.73955+-0.38836
   richards x2                 0.25599+-0.00255   ?    0.25764+-0.00367   ?
   splay x2                    0.62450+-0.01826   ?    0.64846+-0.02139   ?   might be 1.0384x slower
   navier-stokes x2           10.02076+-0.10268       10.00299+-0.06790
   closure                     0.33169+-0.00720   ?    0.33815+-0.00978   ?   might be 1.0195x slower
   jquery                      4.21293+-0.53721   ?    4.26116+-0.55448   ?   might be 1.0114x slower
   gbemu x2                  123.66946+-1.05245   ?  123.90472+-1.02352   ?
   mandreel x2               164.13769+-1.29417   ?  164.35895+-1.36208   ?
   pdfjs x2                   90.53668+-0.78162   ?   91.21170+-3.01742   ?
   box2d x2                   31.41203+-0.31192       31.32483+-0.34317

V8v7:
   <arithmetic>                6.83551+-0.03068        6.80306+-0.05007       might be 1.0048x faster
   <geometric> *               2.16990+-0.01151   ?    2.17510+-0.00864   ?   might be 1.0024x slower
   <harmonic>                  0.81561+-0.00580   ?    0.82034+-0.00636   ?   might be 1.0058x slower

Octane including V8v7:
   <arithmetic>               35.90094+-0.15290   ?   35.96341+-0.31824   ?   might be 1.0017x slower
   <geometric> *               6.44702+-0.04996   ?    6.46727+-0.04800   ?   might be 1.0031x slower
   <harmonic>                  1.13070+-0.00867   ?    1.13921+-0.01082   ?   might be 1.0075x slower

                                        Conf#1                  Conf#2
Kraken:
   ai-astar                    337.764+-9.097          335.027+-4.946
   audio-beat-detection        214.936+-3.447     ?    216.139+-3.956     ?
   audio-dft                   368.201+-11.933         363.961+-11.362        might be 1.0117x faster
   audio-fft                   124.559+-2.176     ?    128.364+-3.981     ?   might be 1.0305x slower
   audio-oscillator            224.054+-6.780     ?    224.403+-2.553     ?
   imaging-darkroom            272.669+-8.842          272.243+-4.116
   imaging-desaturate          134.929+-10.162    ?    135.242+-7.073     ?
   imaging-gaussian-blur       435.109+-11.139         429.545+-5.707         might be 1.0130x faster
   json-parse-financial         65.548+-0.836           64.649+-0.292         might be 1.0139x faster
   json-stringify-tinderbox     90.412+-1.146     ?     91.090+-2.671     ?
   stanford-crypto-aes         103.536+-4.300          100.444+-2.362         might be 1.0308x faster
   stanford-crypto-ccm         101.851+-2.428     ?    109.620+-11.114    ?   might be 1.0763x slower
   stanford-crypto-pbkdf2      227.351+-5.124     ?    232.381+-7.821     ?   might be 1.0221x slower
   stanford-crypto-sha256-iterative   112.346+-3.080  ?  115.008+-5.232   ?   might be 1.0237x slower

   <arithmetic> *              200.948+-1.875     ?    201.294+-1.965     ?   might be 1.0017x slower
   <geometric>                 171.342+-1.339     ?    172.347+-1.829     ?   might be 1.0059x slower
   <harmonic>                  146.649+-1.118     ?    147.637+-1.612     ?   might be 1.0067x slower

                                        Conf#1                  Conf#2
JSBench:
   amazon                       7.0833+-0.1834    ?     7.1667+-0.2473    ?   might be 1.0118x slower
   facebook                    33.9167+-1.0302    ?    37.0000+-4.2579    ?   might be 1.0909x slower
   google                      71.1667+-2.4806         70.6667+-2.5027
   twitter                      9.0833+-0.5038    ?     9.1667+-0.4560    ?
   yahoo                        3.1667+-0.3668          3.0833+-0.1834        might be 1.0270x faster

   <arithmetic> *              24.8833+-0.6928    ?    25.4167+-0.8694    ?   might be 1.0214x slower
   <geometric>                 13.7106+-0.5019    ?    13.9141+-0.4369    ?   might be 1.0148x slower
   <harmonic>                   8.1266+-0.5605          8.1232+-0.3503        might be 1.0004x faster

                                        Conf#1                  Conf#2
JSRegress:
   adapt-to-double-divide      24.4981+-0.3042         24.3621+-0.0820
   aliased-arguments-getbyval   0.9802+-0.0158    ?     0.9812+-0.0154    ?
   allocate-big-object          3.6635+-1.3319          3.5941+-1.2134        might be 1.0193x faster
   arity-mismatch-inlining      0.8205+-0.0186    ?     0.8574+-0.0579    ?   might be 1.0450x slower
   array-access-polymorphic-structure   7.5493+-2.0394  7.3364+-1.6780        might be 1.0290x faster
   array-nonarray-polymorhpic-access   50.8719+-1.7204  49.8353+-0.4917       might be 1.0208x faster
   array-with-double-add        5.3352+-0.5350          5.1005+-0.0788        might be 1.0460x faster
   array-with-double-increment  3.9475+-0.0510    ?     4.2140+-0.3713    ?   might be 1.0675x slower
   array-with-double-mul-add    6.0992+-0.4574          6.0166+-0.3651        might be 1.0137x faster
   array-with-double-sum        5.5015+-0.3060          5.3799+-0.1932        might be 1.0226x faster
   array-with-int32-add-sub     9.5186+-2.0535          8.1338+-0.0553        might be 1.1703x faster
   array-with-int32-or-double-sum   5.3892+-0.0347  ?   5.3901+-0.0285    ?
   big-int-mul                  4.6950+-0.0352    ?     4.8064+-0.1827    ?   might be 1.0237x slower
   boolean-test                 4.0313+-0.1196          4.0025+-0.1121
   branch-fold                  4.8506+-0.0424    ?     4.8877+-0.1009    ?
   cast-int-to-double          13.6058+-0.6921         13.3530+-0.2281        might be 1.0189x faster
   cell-argument               14.2385+-0.0767    ?    14.4229+-0.2273    ?   might be 1.0129x slower
   cfg-simplify                 3.5932+-0.1929          3.4482+-0.0562        might be 1.0420x faster
   cmpeq-obj-to-obj-other      10.7661+-0.0708         10.5953+-0.2454        might be 1.0161x faster
   constant-test                6.0606+-0.0282    ?     6.0701+-0.0352    ?
   direct-arguments-getbyval    0.9072+-0.0187    ?     0.9329+-0.0328    ?   might be 1.0283x slower
   double-pollution-getbyval   11.4829+-0.0643    ?    11.5830+-0.1525    ?
   double-pollution-putbyoffset 5.0162+-0.5214          5.0051+-0.5427
   empty-string-plus-int       12.1300+-0.9039    ?    12.3086+-1.0509    ?   might be 1.0147x slower
   external-arguments-getbyval  2.5260+-0.1473    ?     2.7104+-0.4792    ?   might be 1.0730x slower
   external-arguments-putbyval  3.8178+-0.1935    ?     3.9242+-0.2326    ?   might be 1.0279x slower
   Float32Array-matrix-mult    15.6663+-1.5915    ?    18.6121+-3.3202    ?   might be 1.1880x slower
   fold-double-to-int          18.1065+-0.1877         18.0424+-0.1236
   function-dot-apply           2.9837+-0.0239    ?     3.0100+-0.0298    ?
   function-test                4.2928+-0.2268          4.2319+-0.0461        might be 1.0144x faster
   get-by-id-chain-from-try-block   5.8949+-0.0477  ?   6.2228+-0.5979    ?   might be 1.0556x slower
   HashMap-put-get-iterate-keys   55.5120+-1.5699  ?   55.9433+-1.5649    ?
   HashMap-put-get-iterate     62.8880+-0.4815    ?    65.8149+-4.6556    ?   might be 1.0465x slower
   HashMap-string-put-get-iterate   64.7048+-2.3368    64.2691+-1.5881
   imul-double-only            15.9353+-1.1570         15.7084+-0.6294        might be 1.0144x faster
   imul-int-only               14.7803+-0.0878         14.7587+-0.0515
   imul-mixed                  19.4359+-0.2574    ?    20.1313+-1.0006    ?   might be 1.0358x slower
   indexed-properties-in-objects   4.1231+-0.2960      3.9514+-0.0195        might be 1.0435x faster
   inline-arguments-access      1.2902+-0.0321          1.2703+-0.0235        might be 1.0157x faster
   inline-arguments-local-escape   22.0919+-1.0350     21.7939+-0.0939        might be 1.0137x faster
   inline-get-scoped-var        5.9597+-0.0342    ?     6.0010+-0.0360    ?
   inlined-put-by-id-transition   12.0790+-0.7788      11.7384+-0.1028        might be 1.0290x faster
   int-or-other-abs-then-get-by-val   8.1689+-0.3647    8.0608+-0.0552        might be 1.0134x faster
   int-or-other-abs-zero-then-get-by-val   29.9719+-1.1963   29.0644+-0.1136  might be 1.0312x faster
   int-or-other-add-then-get-by-val   10.1874+-0.1153  ?  10.5899+-0.9634  ?  might be 1.0395x slower
   int-or-other-add             9.4850+-0.8575          9.4107+-0.5230
   int-or-other-div-then-get-by-val   6.9176+-0.0707  ?   7.1647+-0.4997  ?   might be 1.0357x slower
   int-or-other-max-then-get-by-val   8.4815+-0.2117  ?   8.4913+-0.2887  ?
   int-or-other-min-then-get-by-val   9.1959+-1.4464      8.5348+-0.6516      might be 1.0775x faster
   int-or-other-mod-then-get-by-val   6.8114+-0.4811      6.4590+-0.0353      might be 1.0546x faster
   int-or-other-mul-then-get-by-val   7.0799+-0.1255  ?   7.1302+-0.2599  ?
   int-or-other-neg-then-get-by-val   7.5015+-0.6654      7.2540+-0.0776      might be 1.0341x faster
   int-or-other-neg-zero-then-get-by-val   29.5982+-1.4961   28.4331+-0.4035  might be 1.0410x faster
   int-or-other-sub-then-get-by-val   11.5071+-1.8923     10.5830+-0.9673     might be 1.0873x faster
   int-or-other-sub             6.8960+-0.4853          6.6636+-0.0437        might be 1.0349x faster
   int-overflow-local          10.0614+-0.0387    ?    10.0870+-0.0467    ?
   Int16Array-bubble-sort      64.0267+-1.7348    ?    64.0355+-1.6873    ?
   Int16Array-load-int-mul      1.9159+-0.0303    ?     1.9714+-0.0422    ?   might be 1.0289x slower
   Int8Array-load               5.3784+-0.4325          5.1928+-0.0490        might be 1.0357x faster
   integer-divide              13.7137+-0.0474    ?    13.9176+-0.4366    ?   might be 1.0149x slower
   integer-modulo               2.0260+-0.0226    ?     2.0731+-0.0587    ?   might be 1.0233x slower
   make-indexed-storage         4.0773+-0.8530          3.9300+-0.5219        might be 1.0375x faster
   method-on-number            22.0968+-1.7866         21.3596+-0.1724        might be 1.0345x faster
   negative-zero-divide         0.5120+-0.0481          0.4863+-0.0240        might be 1.0528x faster
   negative-zero-modulo         0.4487+-0.0139    ?     0.4637+-0.0112    ?   might be 1.0334x slower
   negative-zero-negate         0.4389+-0.0144    ?     0.4688+-0.0480    ?   might be 1.0680x slower
   nested-function-parsing-random   355.5492+-15.9494  354.5327+-17.1234
   nested-function-parsing     46.3173+-4.9236         44.3146+-3.9065        might be 1.0452x faster
   new-array-buffer-dead        3.8880+-0.1301    ?     3.9833+-0.1497    ?   might be 1.0245x slower
   new-array-buffer-push       11.5474+-2.3144    ?    13.3346+-3.2970    ?   might be 1.1548x slower
   new-array-dead              29.6316+-0.5554    ?    29.6685+-0.0552    ?
   new-array-push              10.1692+-1.7894    ?    10.4871+-1.7946    ?   might be 1.0313x slower
   number-test                  3.9517+-0.1138          3.9458+-0.1358
   object-closure-call          7.2565+-0.1904    ?     7.2631+-0.1900    ?
   object-test                  4.2993+-0.1309    ?     4.3260+-0.1457    ?
   poly-stricteq               93.0709+-5.3986         91.4283+-2.3041        might be 1.0180x faster
   polymorphic-structure       18.5463+-1.0348         18.5009+-1.1176
   polyvariant-monomorphic-get-by-id   10.0098+-0.0810  ?  10.0269+-0.0793  ?
   rare-osr-exit-on-local      19.1975+-0.0708    ?    19.8140+-1.2345    ?   might be 1.0321x slower
   register-pressure-from-osr  30.4913+-2.7568         30.3046+-1.4490
   simple-activation-demo      37.0251+-3.5050         34.0520+-0.3040        might be 1.0873x faster
   slow-array-profile-convergence   4.2671+-0.1819  ?   4.2978+-0.2148    ?
   slow-convergence             3.2819+-0.0640    ?     3.3907+-0.1368    ?   might be 1.0332x slower
   sparse-conditional           1.3012+-0.1137          1.2396+-0.0321        might be 1.0497x faster
   splice-to-remove            37.6768+-1.3087         37.5877+-1.3138
   string-concat-object         2.7921+-0.1007          2.7823+-0.0382
   string-concat-pair-object    2.8962+-0.3174          2.7608+-0.0660        might be 1.0490x faster
   string-concat-pair-simple   13.9999+-0.3431         13.9579+-0.3585
   string-concat-simple        15.4469+-1.5193         15.0863+-1.6582        might be 1.0239x faster
   string-cons-repeat          11.9592+-0.6915    ?    12.0810+-0.8834    ?   might be 1.0102x slower
   string-cons-tower           33.1878+-20.2314        32.1794+-19.6571       might be 1.0313x faster
   string-equality             44.6222+-0.1467    ?    47.2120+-3.2083    ?   might be 1.0580x slower
   string-hash                  2.7266+-0.1967    ?     2.7935+-0.1490    ?   might be 1.0245x slower
   string-repeat-arith         43.0047+-5.4157         41.0725+-1.3655        might be 1.0470x faster
   string-sub                  84.7998+-6.9775         84.6552+-4.0052
   string-test                  3.6161+-0.0614    ?     3.7535+-0.1796    ?   might be 1.0380x slower
   structure-hoist-over-transitions   3.4519+-0.5379  ?   3.5229+-0.5868  ?   might be 1.0206x slower
   tear-off-arguments-simple    1.7267+-0.0272          1.7046+-0.0285        might be 1.0129x faster
   tear-off-arguments           3.1773+-0.2768          3.0225+-0.0249        might be 1.0512x faster
   temporal-structure          19.1003+-0.7587         18.8324+-0.2254        might be 1.0142x faster
   to-int32-boolean            24.9396+-1.7310         23.8502+-0.8773        might be 1.0457x faster
   undefined-test               3.9230+-0.1039          3.9185+-0.1083

   <arithmetic>                18.3038+-0.4438         18.2182+-0.3072        might be 1.0047x faster
   <geometric> *                8.3319+-0.1258          8.3222+-0.1035        might be 1.0012x faster
   <harmonic>                   4.0112+-0.0335    ?     4.0370+-0.0337    ?   might be 1.0064x slower

                                        Conf#1                  Conf#2
DSP:
   filtrr-posterize-tint       46.0693+-0.9292    ?    47.6643+-1.9318    ?   might be 1.0346x slower
   filtrr-tint-contrast-sat-bright   65.6808+-1.9887  ?  66.9988+-3.1196  ?   might be 1.0201x slower
   filtrr-tint-sat-adj-contr-mult   77.7575+-3.2348     74.7756+-2.0677       might be 1.0399x faster
   filtrr-blur-overlay-sat-contr   193.0435+-3.7883    192.0557+-1.8926
   filtrr-sat-blur-mult-sharpen-contr   224.4384+-5.0942  ?  232.8045+-12.2815  ?  might be 1.0373x slower
   filtrr-sepia-bias           35.0078+-3.8666         33.2419+-1.3235        might be 1.0531x faster
   route9-vp8 x5             1005.5667+-6.9765    ?  1018.4940+-13.9018   ?   might be 1.0129x slower
   starfield x5              1174.4776+-5.5371       1168.9744+-5.1948
   bellard-jslinux x5        3039.2500+-28.2983      3024.0000+-15.6925
   zynaps-quake3 x5          1136.2288+-11.8573   ?  1139.0970+-11.1175   ?
   zynaps-mandelbrot x5      1028.6639+-6.8603    ?  1031.6522+-7.2681    ?
   ammojs-asm-js x5           250.7458+-18.2217        245.5918+-12.5175      might be 1.0210x faster
   ammojs-regular-js x5       255.2495+-13.0212        253.1553+-13.0909

   <arithmetic>               977.8758+-4.2110        976.8870+-4.2980        might be 1.0010x faster
   <geometric> *              592.3372+-9.4488        591.0040+-7.4361        might be 1.0023x faster
   <harmonic>                 276.4239+-9.7169        274.4566+-6.8077        might be 1.0072x faster

                                        Conf#1                  Conf#2
All benchmarks:
   <arithmetic>               210.7836+-0.8557        210.6037+-0.9630        might be 1.0009x faster
   <geometric>                 22.5198+-0.2050    ?    22.5206+-0.2023    ?   might be 1.0000x slower
   <harmonic>                   4.0362+-0.0222    ?     4.0606+-0.0202    ?   might be 1.0060x slower

                                        Conf#1                  Conf#2
Geomean of preferred means:
   <scaled-result>             36.7644+-0.2487    ?    36.8982+-0.2608    ?   might be 1.0036x slower
=== END =====================================

Once again, the above results are preliminary. I still need to clean up and refactor the fix a bit before it's ready for review.
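To make the position bookkeeping in the comment above concrete, here is a small self-contained C++ model written for this page; it is not WebKit's JSTextPosition, ExpressionRangeInfo or NodesCodegen code, and the struct layout, the LineTable helper, the isCoherent() check and the multi-line variant of the test case are all assumptions. It shows why pairing the divot's line/lineStart with a start offset on a different line yields an impossible column, and how carrying a (line, offset, lineStartOffset) triple for each of divot, start and end avoids that.

```cpp
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not WebKit code: a text position as the fix describes it,
// i.e. line number, absolute source offset, and the offset where that line begins.
struct JSTextPosition {
    int line;             // 1-based line number
    int offset;           // absolute offset into the source string
    int lineStartOffset;  // absolute offset at which `line` starts

    int column() const { return offset - lineStartOffset; }
    // Stand-in for the sanity checks the bug comment mentions (assumption: the
    // real assertion text is not on the page). An offset that precedes its own
    // line start cannot describe a real location.
    bool isCoherent() const { return line >= 1 && offset >= lineStartOffset; }
};

// Line table over a source string so any offset maps to a coherent position.
struct LineTable {
    std::vector<int> lineStarts;  // lineStarts[i] = offset where line i+1 begins

    explicit LineTable(const std::string& src) {
        lineStarts.push_back(0);
        for (size_t i = 0; i < src.size(); ++i)
            if (src[i] == '\n')
                lineStarts.push_back(static_cast<int>(i) + 1);
    }

    JSTextPosition positionAt(int offset) const {
        int line = 1;
        for (size_t i = 1; i < lineStarts.size(); ++i)
            if (lineStarts[i] <= offset)
                line = static_cast<int>(i) + 1;
        return { line, offset, lineStarts[line - 1] };
    }
};

// Pre-fix shape: a divot plus start/end offsets relative to it, with line and
// lineStart captured for the divot only.
struct OldRangeInfo {
    int divot;
    unsigned startOffset;   // divot - start
    unsigned endOffset;     // end - divot
    int divotLine;
    int divotLineStart;
};

// Pre-fix failure mode: if codegen picks the start offset as the divot, the only
// line/lineStart it has belong to the original divot, which may be on another line.
JSTextPosition oldStartPosition(const OldRangeInfo& r) {
    int start = r.divot - static_cast<int>(r.startOffset);
    return { r.divotLine, start, r.divotLineStart };
}

// Post-fix shape: divot, start and end each carry their own triple.
struct NewRangeInfo {
    JSTextPosition divot, start, end;
};

NewRangeInfo emitRangeInfo(const LineTable& table, int start, int divot, int end) {
    return { table.positionAt(divot), table.positionAt(start), table.positionAt(end) };
}

// Constructed multi-line variant of the bug's test case: the left operand starts
// on line 2 while the `instanceof` operator (the divot) sits on line 3.
static const std::string kSource =
    "function toFuzz() {\n"
    "    if (PriorityQueue.prototype.doSort()\n"
    "        instanceof (this ^= function() { })) return 2;\n"
    "}\n";

static int lhsStart()      { return static_cast<int>(kSource.find("PriorityQueue")); }
static int operatorDivot() { return static_cast<int>(kSource.find("instanceof")); }
static int exprEnd()       { return static_cast<int>(kSource.find("))")) + 1; }

// Old emission, then codegen choosing the start offset as the divot.
JSTextPosition demoOldStart() {
    LineTable table(kSource);
    JSTextPosition divot = table.positionAt(operatorDivot());
    OldRangeInfo old = { divot.offset,
                         static_cast<unsigned>(divot.offset - lhsStart()),
                         static_cast<unsigned>(exprEnd() - divot.offset),
                         divot.line, divot.lineStartOffset };
    return oldStartPosition(old);
}

// New emission: every position is resolved against the line table up front.
NewRangeInfo demoNew() {
    LineTable table(kSource);
    return emitRangeInfo(table, lhsStart(), operatorDivot(), exprEnd());
}

int main() {
    JSTextPosition bad = demoOldStart();
    std::printf("old: offset %d paired with line %d (lineStart %d) -> column %d, coherent=%d\n",
                bad.offset, bad.line, bad.lineStartOffset, bad.column(), bad.isCoherent());
    NewRangeInfo ok = demoNew();
    std::printf("new: start L%d:%d  divot L%d:%d  end L%d:%d\n",
                ok.start.line, ok.start.column(), ok.divot.line, ok.divot.column(),
                ok.end.line, ok.end.column());
    return 0;
}
```

With the constructed source, the old path reports the start at offset 28 against line 3's lineStart of 61, a column of -33, which is the kind of value the added assertions reject; the new path resolves the same offset to line 2, column 8.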
<rdar://problem/14423494>
*** Bug 118664 has been marked as a duplicate of this bug. ***
Created attachment 207266 [details] the patch
Created attachment 207283 [details] Perf results of the patch.
The patch has passed all javascriptcore and layout tests without any new regressions.
(In reply to comment #7)
> The patch has passed all javascriptcore and layout tests without any new regressions.

I meant "without any new failures", i.e. there are no regressions.
Created attachment 207289 [details] patch 2: renamed JSTokenPosition to JSTextPosition, deleted some empty lines, and added JSTextPosition::operator+(unsigned) (needed for Windows).
Created attachment 207290 [details] patch 3: removed an unused function in the new JSTextPosition.
Created attachment 207327 [details] patch 4: added some static casts to make the Windows build happy. Brent tells me that the Windows build is still unhappy and not able to decide whether to cast the uint16_t m_subexpressionStartOffset into an int or unsigned in ThrowableSubExpressionData and ThrowablePrefixedSubExpressionData. This patch adds explicit casts where needed to disambiguate that for the VS compiler.
Created attachment 207398 [details] patch 5: svn up'ed to r153074 to resolve conflicts with some recent parser changes
Comment on attachment 207398 [details] patch 5: svn up'ed to r153074 to resolve conflicts with some recent parser changes

Tests are showing some regressions after the big merge. Will upload a new patch after these are resolved.
Created attachment 207743 [details] patch 6: updated (and tested) after the big merge. Patch 6 has been tested on the javascriptcore and layout tests and shows no new failures.
Thanks for the review. Landed in r153477: <http://trac.webkit.org/changeset/153477>.