RESOLVED FIXED 122418
ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit
https://bugs.webkit.org/show_bug.cgi?id=122418
Filip Pizlo
Reported 2013-10-06 11:50:45 PDT
...
Attachments
the patch (10.50 KB, patch)
2013-10-06 13:21 PDT, Filip Pizlo
oliver: review+
more correcter patch (13.30 KB, patch)
2013-10-06 13:51 PDT, Filip Pizlo
no flags
the patch (14.55 KB, patch)
2013-10-06 19:22 PDT, Filip Pizlo
no flags
the patch (14.41 KB, patch)
2013-10-06 19:23 PDT, Filip Pizlo
no flags
the patch (16.38 KB, patch)
2013-10-06 20:43 PDT, Filip Pizlo
oliver: review+
Filip Pizlo
Comment 1 2013-10-06 13:14:10 PDT
This is pretty awesome. With stack compression, Arguments created in the DFG will point their m_registers pointers into a different slab of stack than they would have in byte code. Hence OSR exit must repoint any Arguments objects' m_registers pointers. It neglects to do so.
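As an added example (not code from the patch or from WebKit), a toy C++ model of the invariant the assertion enforces: an Arguments object created while the frame lives in the compressed DFG slab must have its m_registers repointed when OSR exit rebuilds the frame in the baseline slab. The CallFrame, Arguments, osrExit and repointArguments names are constructed for illustration only.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for one register slot; the real engine uses
// WriteBarrier<Unknown>. Not WebKit's type.
using Register = uint64_t;

struct CallFrame {
    std::vector<Register> slab;               // this frame's register slab
    Register* registers() { return slab.data(); }
};

struct Arguments {
    Register* m_registers;                    // points into some frame's slab
    size_t count;
};

// Models: ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers
bool registersConsistent(const Arguments& args, CallFrame& frame) {
    return args.m_registers == frame.registers();
}

// The DFG creates the Arguments while the frame lives in the compressed slab.
Arguments createArgumentsInDFG(CallFrame& dfgFrame) {
    return Arguments{ dfgFrame.registers(), dfgFrame.slab.size() };
}

// OSR exit copies the compressed frame into the baseline layout, which is a
// different slab. With repointArguments == false the Arguments keep pointing
// into the DFG slab, which is the state the assertion catches.
void osrExit(CallFrame& dfgFrame, CallFrame& baselineFrame,
             Arguments& args, bool repointArguments) {
    baselineFrame.slab.assign(dfgFrame.slab.begin(), dfgFrame.slab.end());
    if (repointArguments)
        args.m_registers = baselineFrame.registers();
}

// Runs the whole scenario and reports whether the invariant survives exit.
bool invariantHoldsAfterOsrExit(bool repointArguments) {
    CallFrame dfgFrame;
    dfgFrame.slab = { 1, 2, 3 };              // constructed sample registers
    Arguments args = createArgumentsInDFG(dfgFrame);
    if (!registersConsistent(args, dfgFrame))
        return false;                         // should hold before exit
    CallFrame baselineFrame;
    osrExit(dfgFrame, baselineFrame, args, repointArguments);
    return registersConsistent(args, baselineFrame);
}
```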
Filip Pizlo
Comment 2 2013-10-06 13:21:14 PDT
Created attachment 213524 [details] the patch
Geoffrey Garen
Comment 3 2013-10-06 13:35:06 PDT
Comment on attachment 213524 [details] the patch
If DFG function A calls non-DFG function B, and B throws, what prevents B from unwinding A's stack frame and tearing off the arguments object incorrectly?
Filip Pizlo
Comment 4 2013-10-06 13:42:45 PDT
(In reply to comment #3)
> (From update of attachment 213524 [details])
> If DFG function A calls non-DFG function B, and B throws, what prevents B from unwinding A's stack frame and tearing off the arguments object incorrectly?

The code in Interpreter.cpp handles this directly and this has nothing to do with this bug. See unwindCallFrame(). It calls StackVisitor::existingArguments(). This gets the right Arguments object. It then tears off the Arguments correctly depending on the kind of Arguments that we have.

Note that there is no such thing as non-DFG function B doing unwinding any differently than it would have, if function B was a DFG function. Everyone calls into the same unwinding machinery and that machinery decides what to do on a per-call-frame basis and it takes into account inlining. Also it just so happens that for non-inlined code, DFG Arguments look the same as non-DFG Arguments. That could change and if it did, we would edit the code in unwindCallFrame().
Filip Pizlo
Comment 5 2013-10-06 13:51:06 PDT
Created attachment 213526 [details] more correcter patch
Filip Pizlo
Comment 6 2013-10-06 19:22:43 PDT
Created attachment 213551 [details] the patch
Fixed some more bugs - this needs rereview.
Filip Pizlo
Comment 7 2013-10-06 19:23:56 PDT
Created attachment 213552 [details] the patch
Fix changelog.
Filip Pizlo
Comment 8 2013-10-06 20:26:40 PDT
*** Bug 122436 has been marked as a duplicate of this bug. ***
Filip Pizlo
Comment 9 2013-10-06 20:43:28 PDT
Created attachment 213559 [details] the patch
Rebased. Now unskipping more tests than ever!
Filip Pizlo
Comment 10 2013-10-07 07:35:42 PDT