118798 – DFG assumes that NewFunction will never pass its input through

Bug 118798 - DFG assumes that NewFunction will never pass its input through

Summary: DFG assumes that NewFunction will never pass its input through

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:	InRadar

Depends on:
Blocks:	116980 118811
	Show dependency tree / graph

Reported:	2013-07-17 04:59 PDT by Gabor Rapcsanyi
Modified:	2013-07-17 16:42 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
proposed fix (16.55 KB, patch) 2013-07-17 05:12 PDT, Gabor Rapcsanyi	fpizlo: review- fpizlo: commit-queue-	Details \| Formatted Diff \| Diff
the patch (16.91 KB, patch) 2013-07-17 14:57 PDT, Filip Pizlo	oliver: review+	Details \| Formatted Diff \| Diff
the patch (16.90 KB, patch) 2013-07-17 15:20 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
the patch (18.49 KB, patch) 2013-07-17 15:35 PDT, Filip Pizlo	sam: review+	Details \| Formatted Diff \| Diff
patch for landing (63.99 KB, patch) 2013-07-17 16:02 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (4) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gabor Rapcsanyi 2013-07-17 04:59:06 PDT

32 bit systems are segfaulting with the following test:

function run_tests() {
    function x() {
      return 3;
    }  

    var x = 13;
    return x + x;
}

for(var i=0; i<100; ++i)
    run_tests();


The problem is that SpeculativeJIT::fillJSValue() set the jsvalue tag to cell after a NewFunction node.

Comment 1 Gabor Rapcsanyi 2013-07-17 05:12:14 PDT

Created attachment 206885 [details]
proposed fix

Comment 2 Gabor Rapcsanyi 2013-07-17 05:19:23 PDT

(In reply to comment #0)
> 32 bit systems are segfaulting with the following test:
> 
> function run_tests() {
>     function x() {
>       return 3;
>     }  
> 
>     var x = 13;
>     return x + x;
> }
> 
> for(var i=0; i<100; ++i)
>     run_tests();
> 
> 
> The problem is that SpeculativeJIT::fillJSValue() set the jsvalue tag to cell after a NewFunction node.

On 64 bit systems fillJSValue() doesn't set the jsvalue tag but we should fix that as well.

Comment 3 Filip Pizlo 2013-07-17 08:41:21 PDT

(In reply to comment #2)
> (In reply to comment #0)
> > 32 bit systems are segfaulting with the following test:
> > 
> > function run_tests() {
> >     function x() {
> >       return 3;
> >     }  
> > 
> >     var x = 13;
> >     return x + x;
> > }
> > 
> > for(var i=0; i<100; ++i)
> >     run_tests();
> > 
> > 
> > The problem is that SpeculativeJIT::fillJSValue() set the jsvalue tag to cell after a NewFunction node.
> 
> On 64 bit systems fillJSValue() doesn't set the jsvalue tag but we should fix that as well.

It seems like your fix is all wrong.

- NewFunction should set the data format to cell, and that's not the big. 

- On 64-bit systems there is no such thing as a cell tag.

Comment 4 Filip Pizlo 2013-07-17 08:42:17 PDT

(In reply to comment #3)
> (In reply to comment #2)
> > (In reply to comment #0)
> > > 32 bit systems are segfaulting with the following test:
> > > 
> > > function run_tests() {
> > >     function x() {
> > >       return 3;
> > >     }  
> > > 
> > >     var x = 13;
> > >     return x + x;
> > > }
> > > 
> > > for(var i=0; i<100; ++i)
> > >     run_tests();
> > > 
> > > 
> > > The problem is that SpeculativeJIT::fillJSValue() set the jsvalue tag to cell after a NewFunction node.
> > 
> > On 64 bit systems fillJSValue() doesn't set the jsvalue tag but we should fix that as well.
> 
> It seems like your fix is all wrong.
> 
> - NewFunction should set the data format to cell, and that's not the big. 

*bug. 

> 
> - On 64-bit systems there is no such thing as a cell tag.

Comment 5 Gabor Rapcsanyi 2013-07-17 10:28:52 PDT

So what do you suggest then because the DFG graph has this NewFunction node which will always set the registerFormat to cell in cellResult() ?(In reply to comment #4)
> (In reply to comment #3)
> > (In reply to comment #2)
> > > (In reply to comment #0)
> > > > 32 bit systems are segfaulting with the following test:
> > > > 
> > > > function run_tests() {
> > > >     function x() {
> > > >       return 3;
> > > >     }  
> > > > 
> > > >     var x = 13;
> > > >     return x + x;
> > > > }
> > > > 
> > > > for(var i=0; i<100; ++i)
> > > >     run_tests();
> > > > 
> > > > 
> > > > The problem is that SpeculativeJIT::fillJSValue() set the jsvalue tag to cell after a NewFunction node.
> > > 
> > > On 64 bit systems fillJSValue() doesn't set the jsvalue tag but we should fix that as well.
> > 
> > It seems like your fix is all wrong.
> > 
> > - NewFunction should set the data format to cell, and that's not the big. 
> 
> *bug. 
> 
> > 
> > - On 64-bit systems there is no such thing as a cell tag.

So what do you suggest then because the DFG graph has this NewFunction node which will always set the registerFormat to cell in cellResult() ?

Comment 6 Filip Pizlo 2013-07-17 14:03:38 PDT

(In reply to comment #5)
> So what do you suggest then because the DFG graph has this NewFunction node which will always set the registerFormat to cell in cellResult() ?(In reply to comment #4)
> > (In reply to comment #3)
> > > (In reply to comment #2)
> > > > (In reply to comment #0)
> > > > > 32 bit systems are segfaulting with the following test:
> > > > > 
> > > > > function run_tests() {
> > > > >     function x() {
> > > > >       return 3;
> > > > >     }  
> > > > > 
> > > > >     var x = 13;
> > > > >     return x + x;
> > > > > }
> > > > > 
> > > > > for(var i=0; i<100; ++i)
> > > > >     run_tests();
> > > > > 
> > > > > 
> > > > > The problem is that SpeculativeJIT::fillJSValue() set the jsvalue tag to cell after a NewFunction node.
> > > > 
> > > > On 64 bit systems fillJSValue() doesn't set the jsvalue tag but we should fix that as well.
> > > 
> > > It seems like your fix is all wrong.
> > > 
> > > - NewFunction should set the data format to cell, and that's not the big. 
> > 
> > *bug. 
> > 
> > > 
> > > - On 64-bit systems there is no such thing as a cell tag.
> 
> So what do you suggest then because the DFG graph has this NewFunction node which will always set the registerFormat to cell in cellResult() ?

It's is correct for NewFunction to set the registerFormat to cell in cellResult().  NewFunction returns a cell.  cellResult() is what you call when you want to return a cell.  The type of a function is a cell.

That's not the bug here.

I will investigate what the bug is.

Comment 7 Filip Pizlo 2013-07-17 14:11:52 PDT

(In reply to comment #6)
> (In reply to comment #5)
> > So what do you suggest then because the DFG graph has this NewFunction node which will always set the registerFormat to cell in cellResult() ?(In reply to comment #4)
> > > (In reply to comment #3)
> > > > (In reply to comment #2)
> > > > > (In reply to comment #0)
> > > > > > 32 bit systems are segfaulting with the following test:
> > > > > > 
> > > > > > function run_tests() {
> > > > > >     function x() {
> > > > > >       return 3;
> > > > > >     }  
> > > > > > 
> > > > > >     var x = 13;
> > > > > >     return x + x;
> > > > > > }
> > > > > > 
> > > > > > for(var i=0; i<100; ++i)
> > > > > >     run_tests();
> > > > > > 
> > > > > > 
> > > > > > The problem is that SpeculativeJIT::fillJSValue() set the jsvalue tag to cell after a NewFunction node.
> > > > > 
> > > > > On 64 bit systems fillJSValue() doesn't set the jsvalue tag but we should fix that as well.
> > > > 
> > > > It seems like your fix is all wrong.
> > > > 
> > > > - NewFunction should set the data format to cell, and that's not the big. 
> > > 
> > > *bug. 
> > > 
> > > > 
> > > > - On 64-bit systems there is no such thing as a cell tag.
> > 
> > So what do you suggest then because the DFG graph has this NewFunction node which will always set the registerFormat to cell in cellResult() ?
> 
> It's is correct for NewFunction to set the registerFormat to cell in cellResult().  NewFunction returns a cell.  cellResult() is what you call when you want to return a cell.  The type of a function is a cell.
> 
> That's not the bug here.
> 
> I will investigate what the bug is.

Argh.  You're half right, and I'm full wrong.  The NewFunction node flows its input through like this:

if (input & SpecEmpty)
    result = (input & ~SpecEmpty) | SpecFunction
else
    result = input

The problem can either be fixed by making NewFunction explicitly behave this way in the prediction propagator, abstract state, and backend; or by changing how we parse op_new_function.  Not sure, yet, which is the lesser evil.

Comment 8 Filip Pizlo 2013-07-17 14:50:33 PDT

<rdar://problem/14473897>

Comment 9 Filip Pizlo 2013-07-17 14:57:00 PDT

Created attachment 206920 [details]
the patch

Comment 10 Filip Pizlo 2013-07-17 15:20:57 PDT

Created attachment 206922 [details]
the patch

Comment 11 Filip Pizlo 2013-07-17 15:35:01 PDT

Created attachment 206925 [details]
the patch

Comment 12 Filip Pizlo 2013-07-17 16:02:41 PDT

Created attachment 206926 [details]
patch for landing

Still running some more tests.

Comment 13 Filip Pizlo 2013-07-17 16:26:28 PDT

Landed in http://trac.webkit.org/changeset/152813

Comment 14 Filip Pizlo 2013-07-17 16:42:42 PDT

Fixed 32-bit after http://trac.webkit.org/changeset/152818.