RESOLVED FIXED 120080
REGRESSION (r153222, 32-bit): NULL JSValue() seen when running peacekeeper benchmark 
https://bugs.webkit.org/show_bug.cgi?id=120080
Summary REGRESSION (r153222, 32-bit): NULL JSValue() seen when running peacekeeper be...
Chris Curtis
Reported 2013-08-20 12:57:17 PDT
This is a follow up error coming from https://bugs.webkit.org/show_bug.cgi?id=119812. The JSValue that is passed into errorDescriptionForValue should never be isEmpty().
Attachments
Revert changes introduced by r153222 in emitSlow_op_get_argument_by_val for 32-bit (1.44 KB, patch)
2013-08-28 02:25 PDT, Julien Brianceau 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Julien Brianceau
Comment 1 2013-08-23 02:42:54 PDT
After bisseting a lot, I think this empty JSValue in errorDescriptionForValue() regression appeared in r153222 (in the middle of the FTL). The test page I use to stimulate the issue: http://peacekeeper.futuremark.com/ (no need to launch the benchmark, just loading the front page). My environment: sh4 32-bit with LLINT and baseline JIT, without DFG JIT, using Qt port. The different tests I made: - with r153221: no problem, page is loaded correctly and errorDescriptionForValue() is never called with empty JSValue() - with r153222: errorDescriptionForValue() IS called with empty JSValue() - with r153222 with JIT disabled (through JSC_useJIT=false): no problem, page is loaded correctly and errorDescriptionForValue() is never called with empty JSValue() If this could help, with latest revision (r154475) with the same environment + DFG JIT enabled, I get this: - with r154475: errorDescriptionForValue() IS called with empty JSValue() - with r154475 with DFG JIT disabled (through JSC_useDFGJIT=false): errorDescriptionForValue() IS called with empty JSValue() - with r154475 with JIT disabled (through JSC_useJIT=false): no problem, page is loaded correctly Oliver, could you please take a quick look to your modifications related to 32-bit JIT made in r153222 that could lead to this ? Thanks,
Geoffrey Garen
Comment 2 2013-08-23 11:18:15 PDT
<rdar://problem/14820996>
Julien Brianceau
Comment 3 2013-08-26 15:08:03 PDT
I tested with a configuration which is more common: X86 32-bit with LLINT, baseline JIT and DFG_JIT enabled, using Qt port. I get the same results with http://peacekeeper.futuremark.com/ on r154475: - with r154475: errorDescriptionForValue() IS called with empty JSValue() - with r154475 with DFG JIT disabled (through JSC_useDFGJIT=false): errorDescriptionForValue() IS called with empty JSValue() - with r154475 with JIT disabled (through JSC_useJIT=false): no problem, page is loaded correctly
Alexey Proskuryakov
Comment 4 2013-08-27 15:51:34 PDT
See also: bug 119395.
Julien Brianceau
Comment 5 2013-08-28 02:25:35 PDT
Created attachment 209859 [details] Revert changes introduced by r153222 in emitSlow_op_get_argument_by_val for 32-bit I didn't get this NULL JSValue when reverting the change introduced by r153222 in emitSlow_op_get_argument_by_val for 32-bit (JITOpcodes32_64.cpp). It doesn't create regressions for me (sh4 32-bit, Qt port, LLINT+baseline JIT+DFG) with: - Tools/Scripts/run-javascriptcore-tests - Tools/Scripts/run-fast-jsc - SunSpider 1.0 - v8-v4 test suite
Oliver Hunt
Comment 6 2013-08-28 08:50:26 PDT
Comment on attachment 209859 [details] Revert changes introduced by r153222 in emitSlow_op_get_argument_by_val for 32-bit Weird, this looks fine as the 64bit path doesn't use the slow path machinery, but i'm curious as the LLINT does, and we use the SlowPathCall type for numerous other sites. I wonder if JITSlowPathCall::call isn't getting the windows calling convention right?
Julien Brianceau
Comment 7 2013-08-28 08:56:52 PDT
(In reply to comment #6) > (From update of attachment 209859 [details]) > Weird, this looks fine as the 64bit path doesn't use the slow path machinery, but i'm curious as the LLINT does, and we use the SlowPathCall type for numerous other sites. I wonder if JITSlowPathCall::call isn't getting the windows calling convention right? To be honest, this is an empirical fix, based on the diff between r153221 and 153222 + diff between 32-bit and 64-bit. It turns out that this fixes the issue and doesn't create regressions for me (sh4 32-bit Linux, Qt, LLINT+baseline JIT+DFG), but I won't be able to explain why it fixes it yet :/
Oliver Hunt
Comment 8 2013-08-28 09:02:15 PDT
(In reply to comment #7) > (In reply to comment #6) > > (From update of attachment 209859 [details] [details]) > > Weird, this looks fine as the 64bit path doesn't use the slow path machinery, but i'm curious as the LLINT does, and we use the SlowPathCall type for numerous other sites. I wonder if JITSlowPathCall::call isn't getting the windows calling convention right? > To be honest, this is an empirical fix, based on the diff between r153221 and 153222 + diff between 32-bit and 64-bit. > It turns out that this fixes the issue and doesn't create regressions for me (sh4 32-bit Linux, Qt, LLINT+baseline JIT+DFG), but I won't be able to explain why it fixes it yet :/ Okay, I _believe_ that the SlowPathCall is incorrectly reloading the call frame register from topCallFrame, should be writing the callFrameRegister to topCallFrame instead as topCallFrame is no longer guaranteed to be a reasonable call frame after we've returned to the hit - it's only valid while in host code.
Darin Adler
Comment 9 2013-08-28 09:42:48 PDT
Comment on attachment 209859 [details] Revert changes introduced by r153222 in emitSlow_op_get_argument_by_val for 32-bit All WebKit bug fixes need a to come with test that shows the bug and prevents future regression. This fix looks OK but we need a test.
Michael Saboff
Comment 10 2013-08-29 13:10:30 PDT
Comment on attachment 209859 [details] Revert changes introduced by r153222 in emitSlow_op_get_argument_by_val for 32-bit After some sleuthing as to what was going on, this is the right fix. The reason is due to where the results from the create_arguments call end up. slow_path_create_arguments will put the results in the virtual register specified by currentInstruction[1].u.operand as it is intended to be the used for processing op_create_arguments. When using cgi_op_create_arguments, the result is left in regT0 and regT1, and we need to explicitly emit the stores as this patch does. Notice that we actually want the result in currentInstruction[2].u.operand instead of the operand at index 1. That is because when processing op_get_argument_by_value we only call create_arguments when the arguments virtual register contains the EmptyValueTag, effectively materializing the arguments as needed.
Darin Adler
Comment 11 2013-08-29 13:12:57 PDT
Comment on attachment 209859 [details] Revert changes introduced by r153222 in emitSlow_op_get_argument_by_val for 32-bit Michael, what about a test case?
WebKit Commit Bot
Comment 12 2013-08-29 13:34:30 PDT
Comment on attachment 209859 [details] Revert changes introduced by r153222 in emitSlow_op_get_argument_by_val for 32-bit Clearing flags on attachment: 209859 Committed r154839: <http://trac.webkit.org/changeset/154839>
WebKit Commit Bot
Comment 13 2013-08-29 13:34:33 PDT
All reviewed patches have been landed. Closing bug.
Michael Saboff
Comment 14 2013-08-29 13:42:11 PDT
(In reply to comment #11) > (From update of attachment 209859 [details]) > Michael, what about a test case? I'll work on one.
Michael Saboff
Comment 15 2013-08-29 15:47:39 PDT
(In reply to comment #14) > (In reply to comment #11) > > (From update of attachment 209859 [details] [details]) > > Michael, what about a test case? > > I'll work on one. Test landed in change set r154846 <http://trac.webkit.org/changeset/154846>
peavo
Comment 16 2013-09-05 06:35:26 PDT
*** Bug 119395 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.