Yup I'll take a look.

Errr, I'll pass it along to MarkH.

I can't repro this on ToT (r166932) in debug on release on Mavericks.

(In reply to comment #3) > I can't repro this on ToT (r166932) in debug on release on Mavericks. As I said it is a flakey crash on the Mountain Lion and EFL performance bots. I haven't seen this crash on Mavericks before. And it is flakey, so it doesn't crash always, see http://build.webkit.org/builders/Apple%20MountainLion%20Release%20%28Perf%29?numbuilds=200 for details.

Here is a crash on Mavericks too - http://build.webkit.org/builders/Apple%20Mavericks%20Release%20%28Perf%29/builds/1101

Is there any plan to fix this serious DFG JIT bug? Or is this crash a feature not a bug? :) Apple Mountain Lion bot: (53 crashes / 200 builds) http://build.webkit.org/builders/Apple%20MountainLion%20Release%20%28Perf%29?numbuilds=200 Apple Mavericks bot: (6 crashes / 200 builds) http://build.webkit.org/builders/Apple%20Mavericks%20Release%20%28Perf%29?numbuilds=200 EFL bot: (12 crashes / 200 builds) http://build.webkit.org/builders/EFL%20Linux%2064-bit%20Release%20WK2%20%28Perf%29?numbuilds=200

<rdar://problem/16712772>

I was able to reproduce this with a release build of r167815 by running the Dromaeo/cssquery-dojo.html benchmark only via run-perf-tests in a loop on the command line. Out of 100 runs, it only reproduced once. It's not very easily reproducible. Here are some data that I've collected from that one crash: Crashed Thread: 10 JSC Compilation Thread Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x00000001a1693c80 Thread 0:: Dispatch queue: com.apple.main-thread 0 ??? 0x000041d7c0634885 0 + 72394901506181 1 ??? 0x000041d7c06976b0 0 + 72394901911216 2 ??? 0x000041d800600dba 0 + 72395975036346 3 ??? 0x000041d7c0698705 0 + 72394901915397 4 ??? 0x000041d800600dba 0 + 72395975036346 5 ??? 0x000041d7c0693dd8 0 + 72394901896664 6 com.apple.JavaScriptCore 0x0000000109d0663d callToJavaScript + 321 7 com.apple.JavaScriptCore 0x0000000109c25773 JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) + 35 (VM.h:376) 8 com.apple.JavaScriptCore 0x0000000109c0b9a8 JSC::Interpreter::executeCall(JSC::ExecState*, JSC::JSObject*, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&) + 440 (Interpreter.cpp:994) 9 com.apple.JavaScriptCore 0x0000000109a9cfaf JSC::call(JSC::ExecState*, JSC::JSValue, JSC::CallType, JSC::CallData const&, JSC::JSValue, JSC::ArgList const&, JSC::JSValue*) + 63 (Register.h:118) 10 com.apple.WebCore 0x000000010afd6489 WebCore::ScheduledAction::executeFunctionInContext(JSC::JSGlobalObject*, JSC::JSValue, WebCore::ScriptExecutionContext*) + 537 (JSMainThreadExecState.h:89) 11 com.apple.WebCore 0x000000010afd60f0 WebCore::ScheduledAction::execute(WebCore::Document*) + 144 (ScheduledAction.cpp:125) 12 com.apple.WebCore 0x000000010a6c7d80 WebCore::DOMTimer::fired() + 304 (InspectorInstrumentation.h:290) 13 com.apple.WebCore 0x000000010b18050f WebCore::ThreadTimers::sharedTimerFiredInternal() + 175 (ThreadTimers.cpp:135) 14 com.apple.WebCore 0x000000010b03582a WebCore::timerFired(__CFRunLoopTimer*, void*) + 58 (SharedTimerMac.mm:134) ... Thread 10 Crashed:: JSC Compilation Thread 0 com.apple.JavaScriptCore 0x0000000109dd2d6e JSC::speculationFromCell(JSC::JSCell*) + 46 (StructureIDTable.h:86) 1 com.apple.JavaScriptCore 0x0000000109b5ede3 JSC::DFG::PredictionPropagationPhase::propagate(JSC::DFG::Node*) + 1795 (DFGPredictionPropagationPhase.cpp:140) 2 com.apple.JavaScriptCore 0x0000000109b5d5ca JSC::DFG::PredictionPropagationPhase::run() + 106 (DFGPredictionPropagationPhase.cpp:623) 3 com.apple.JavaScriptCore 0x0000000109b5d4fc JSC::DFG::performPredictionPropagation(JSC::DFG::Graph&) + 44 (DFGCommon.h:68) 4 com.apple.JavaScriptCore 0x0000000109b5c57b JSC::DFG::Plan::compileInThreadImpl(JSC::DFG::LongLivedState&) + 427 (DFGPlan.cpp:228) 5 com.apple.JavaScriptCore 0x0000000109b5c1eb JSC::DFG::Plan::compileInThread(JSC::DFG::LongLivedState&, JSC::DFG::ThreadData*) + 299 (DFGPlan.cpp:155) 6 com.apple.JavaScriptCore 0x0000000109bc98b6 JSC::DFG::Worklist::runThread(JSC::DFG::ThreadData*) + 566 (Locker.h:43) 7 com.apple.JavaScriptCore 0x0000000109e648cf WTF::wtfThreadEntryPoint(void*) + 15 (ThreadingPthreads.cpp:168) 8 libsystem_pthread.dylib 0x00007fff863fe899 _pthread_body + 138 9 libsystem_pthread.dylib 0x00007fff863fe72a _pthread_start + 137 10 libsystem_pthread.dylib 0x00007fff86402fc9 thread_start + 13 The crashing site: inline Structure* StructureIDTable::get(StructureID structureID) { #if USE(JSVALUE64) return table()[structureID].structure; // <======= CRASHED here. #else return structureID; #endif } Probably called from: SpeculatedType speculationFromCell(JSCell* cell) { if (JSString* string = jsDynamicCast<JSString*>(cell)) { if (const StringImpl* impl = string->tryGetValueImpl()) { if (impl->isAtomic()) return SpecStringIdent; } return SpecStringVar; } return speculationFromStructure(cell->structure()); // <========== here } Probably called from: SpeculatedType speculationFromValue(JSValue value) { ... if (value.isCell()) return speculationFromCell(value.asCell()); // <============= here ... } Called from: void propagate(Node* node) // in DFGPredictionPropagationPhase.cpp { NodeType op = node->op(); bool changed = false; switch (op) { case JSConstant: case WeakJSConstant: { SpeculatedType type = speculationFromValue(m_graph.valueOfJSConstant(node)); // <============ here ... }

Created attachment 230950 [details] the patch. Still running perf numbers and regression tests.

Comment on attachment 230950 [details] the patch. View in context: https://bugs.webkit.org/attachment.cgi?id=230950&action=review r=me > Source/JavaScriptCore/bytecode/VariableWatchpointSet.h:82 > + SymbolTable* m_symbolTable; Since this pointer is never null, and available at initialization time, it should be a reference.

Perf numbers for patch 1: Benchmark report for SunSpider, LongSpider, V8Spider, Octane, Kraken, JSRegress, and AsmBench on albion (MacPro5,1). VMs tested: "Conf#1" at /Volumes/Data-HD/ws6/OpenSource/WebKitBuild/Release/jsc (r168386) "Conf#2" at /Volumes/Data-HD/ws4/OpenSource/WebKitBuild/Release/jsc (r168386) Collected 4 samples per benchmark/VM, with 4 VM invocations per benchmark. Emitted a call to gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in milliseconds. Conf#1 Conf#2 SunSpider: 3d-cube 7.5020+-0.3457 ? 7.6741+-0.1966 ? might be 1.0230x slower 3d-morph 8.9777+-0.2195 ? 9.1365+-0.1589 ? might be 1.0177x slower 3d-raytrace 9.9604+-1.2744 9.8354+-0.3609 might be 1.0127x faster access-binary-trees 2.6372+-0.1254 ? 2.6925+-0.1240 ? might be 1.0210x slower access-fannkuch 8.8266+-0.1354 ? 8.8583+-0.1746 ? access-nbody 4.6670+-0.3378 4.6115+-0.2552 might be 1.0120x faster access-nsieve 5.5468+-0.2812 ? 5.5538+-0.5039 ? bitops-3bit-bits-in-byte 1.9026+-0.1427 1.8727+-0.1043 might be 1.0160x faster bitops-bits-in-byte 6.2463+-0.1104 ? 6.2834+-0.1303 ? bitops-bitwise-and 3.1055+-0.0812 3.0975+-0.1251 bitops-nsieve-bits 5.7509+-0.1477 5.5876+-0.0329 might be 1.0292x faster controlflow-recursive 2.7903+-0.1143 2.7787+-0.0587 crypto-aes 6.2498+-0.1735 6.1704+-0.2012 might be 1.0129x faster crypto-md5 3.7258+-0.0680 3.5211+-0.2136 might be 1.0582x faster crypto-sha1 3.4042+-0.1573 3.3726+-0.1576 date-format-tofte 12.7582+-0.3804 ? 13.0303+-0.3998 ? might be 1.0213x slower date-format-xparb 9.5333+-0.7105 ? 9.5780+-0.2291 ? math-cordic 4.6667+-0.0856 ^ 4.5335+-0.0272 ^ definitely 1.0294x faster math-partial-sums 10.1859+-0.1437 10.1238+-0.1186 math-spectral-norm 3.0679+-0.1119 3.0208+-0.1398 might be 1.0156x faster regexp-dna 11.3718+-0.6948 ? 11.5696+-0.2171 ? might be 1.0174x slower string-base64 6.0460+-0.1047 ? 6.1927+-0.2134 ? might be 1.0243x slower string-fasta 10.9633+-0.6559 ? 11.1175+-0.2064 ? might be 1.0141x slower string-tagcloud 15.3752+-0.4550 ? 15.4942+-0.5573 ? string-unpack-code 32.1638+-0.4690 31.4360+-0.8297 might be 1.0231x faster string-validate-input 7.7933+-0.2166 7.4625+-0.1963 might be 1.0443x faster <arithmetic> * 7.8930+-0.0717 7.8694+-0.0887 might be 1.0030x faster <geometric> 6.4147+-0.0583 6.3882+-0.0726 might be 1.0041x faster <harmonic> 5.3190+-0.0463 5.2823+-0.0695 might be 1.0070x faster Conf#1 Conf#2 LongSpider: 3d-cube 1306.7593+-30.8449 1301.7043+-7.7947 3d-morph 2131.5762+-4.3162 ? 2133.9419+-4.1465 ? 3d-raytrace 1400.3865+-10.0884 ? 1419.3524+-21.1943 ? might be 1.0135x slower access-binary-trees 1583.6116+-11.4021 ? 1595.5197+-18.9801 ? access-fannkuch 509.2729+-36.8005 ? 517.9512+-53.0950 ? might be 1.0170x slower access-nbody 1196.0980+-2.1604 1195.0439+-3.4533 access-nsieve 1558.3048+-17.3619 ? 1559.8978+-12.0591 ? bitops-3bit-bits-in-byte 57.0106+-1.0040 56.9750+-0.2721 bitops-bits-in-byte 372.7449+-8.3813 ? 376.0921+-9.1419 ? bitops-nsieve-bits 1130.4653+-4.6447 ? 1134.6368+-4.2862 ? controlflow-recursive 820.6756+-3.6188 819.9839+-2.9866 crypto-aes 1072.2081+-4.8776 ? 1075.9193+-7.8548 ? crypto-md5 1004.2381+-5.0437 ? 1005.9482+-8.6468 ? crypto-sha1 1103.2324+-7.2710 1099.3356+-3.6492 date-format-tofte 1118.8730+-5.9827 1118.3395+-20.3861 date-format-xparb 1554.7705+-80.6755 1535.5633+-19.8170 might be 1.0125x faster math-cordic 796.9058+-4.1443 795.8225+-1.0869 math-partial-sums 1202.4246+-8.1326 ? 1203.5470+-5.7826 ? math-spectral-norm 1232.6562+-6.2700 1232.4922+-3.3570 string-base64 562.1345+-3.5402 ? 562.1895+-5.6353 ? string-fasta 1054.0327+-22.7715 ? 1061.7597+-44.8150 ? string-tagcloud 381.4352+-5.5794 377.6240+-1.3713 might be 1.0101x faster <arithmetic> 1052.2644+-3.9071 ? 1053.6200+-3.4267 ? might be 1.0013x slower <geometric> * 882.3355+-1.9511 ? 883.5952+-5.4870 ? might be 1.0014x slower <harmonic> 536.9439+-2.2391 ? 537.3549+-3.8173 ? might be 1.0008x slower Conf#1 Conf#2 V8Spider: crypto 81.4258+-0.5603 ? 82.2731+-1.6852 ? might be 1.0104x slower deltablue 96.7683+-0.6843 ? 96.9927+-1.4237 ? earley-boyer 70.6422+-4.5454 68.6530+-0.6976 might be 1.0290x faster raytrace 43.5614+-2.7385 ? 43.6927+-1.9978 ? regexp 98.3039+-1.1022 98.2133+-1.2584 richards 100.3709+-1.7948 99.7380+-1.5467 splay 48.5545+-1.8844 ? 48.9492+-0.5514 ? <arithmetic> 77.0896+-1.0485 76.9303+-0.1635 might be 1.0021x faster <geometric> * 73.5127+-1.1436 73.3941+-0.1314 might be 1.0016x faster <harmonic> 69.6499+-1.2213 69.6013+-0.4017 might be 1.0007x faster Conf#1 Conf#2 Octane: encrypt 0.42437+-0.00096 ? 0.42522+-0.00368 ? decrypt 7.62092+-0.09164 7.60890+-0.02973 deltablue x2 0.41989+-0.00764 0.41638+-0.00490 earley 0.86726+-0.00893 0.86707+-0.01210 boyer 10.01611+-0.15971 9.96110+-0.10657 navier-stokes x2 7.37602+-0.00657 ? 7.38887+-0.05396 ? raytrace x2 2.65929+-0.03940 ? 2.67111+-0.07180 ? richards x2 0.21856+-0.01310 0.21790+-0.00899 splay x2 0.62119+-0.00973 ? 0.62205+-0.00364 ? regexp x2 69.05898+-0.81065 ? 69.55539+-0.93254 ? pdfjs x2 89.00096+-0.83621 88.68435+-0.18454 mandreel x2 95.14173+-0.93153 ? 95.74943+-0.85892 ? gbemu x2 81.61711+-2.28011 81.61419+-2.13115 closure 0.85617+-0.00257 ? 0.86326+-0.00551 ? jquery 10.67687+-0.03728 ? 10.68303+-0.03524 ? box2d x2 26.77140+-0.57604 ? 27.39102+-0.30221 ? might be 1.0231x slower zlib x2 708.64376+-1.13046 ? 708.65562+-4.65431 ? typescript x2 1213.06030+-7.00925 1206.13574+-19.91231 <arithmetic> 153.98800+-0.27380 153.62042+-0.81797 might be 1.0024x faster <geometric> * 12.19685+-0.08789 ? 12.21739+-0.05858 ? might be 1.0017x slower <harmonic> 1.28522+-0.02761 1.28302+-0.02412 might be 1.0017x faster Conf#1 Conf#2 Kraken: ai-astar 539.379+-3.134 538.202+-2.085 audio-beat-detection 201.835+-2.726 ? 201.948+-2.245 ? audio-dft 243.632+-2.064 242.710+-1.045 audio-fft 119.940+-1.410 ? 119.995+-1.552 ? audio-oscillator 370.830+-12.870 366.160+-1.065 might be 1.0128x faster imaging-darkroom 278.854+-2.486 ? 279.016+-3.180 ? imaging-desaturate 121.060+-0.754 ? 121.103+-0.350 ? imaging-gaussian-blur 196.742+-16.141 186.156+-5.808 might be 1.0569x faster json-parse-financial 78.521+-1.465 78.117+-1.172 json-stringify-tinderbox 96.878+-1.198 ? 98.124+-2.207 ? might be 1.0129x slower stanford-crypto-aes 88.125+-2.671 ? 88.692+-0.933 ? stanford-crypto-ccm 82.606+-17.958 ? 84.737+-18.074 ? might be 1.0258x slower stanford-crypto-pbkdf2 230.726+-1.730 ? 231.858+-2.054 ? stanford-crypto-sha256-iterative 82.694+-1.192 82.323+-0.754 <arithmetic> * 195.130+-1.460 194.224+-1.077 might be 1.0047x faster <geometric> 161.505+-1.887 161.151+-2.464 might be 1.0022x faster <harmonic> 137.291+-2.520 ? 137.429+-3.492 ? might be 1.0010x slower Conf#1 Conf#2 JSRegress: adapt-to-double-divide 19.3823+-0.3939 19.2555+-0.8093 aliased-arguments-getbyval 1.2377+-0.0878 1.1640+-0.1028 might be 1.0633x faster allocate-big-object 3.1382+-0.2345 3.0658+-0.1090 might be 1.0236x faster arity-mismatch-inlining 1.1234+-0.1589 ! 1.7153+-0.1010 ! definitely 1.5268x slower array-access-polymorphic-structure 10.1132+-0.3152 ? 10.2735+-0.3003 ? might be 1.0158x slower array-nonarray-polymorhpic-access 60.2507+-0.5758 ? 60.3549+-0.7711 ? array-prototype-every 120.0062+-2.0865 116.9751+-1.2256 might be 1.0259x faster array-prototype-forEach 120.0565+-6.1395 116.6153+-2.1500 might be 1.0295x faster array-prototype-map 141.9522+-2.7209 140.7390+-3.3697 array-prototype-some 117.5760+-2.8921 115.9459+-1.3198 might be 1.0141x faster array-with-double-add 6.5134+-0.0329 6.5027+-0.1355 array-with-double-increment 4.6032+-0.1133 ? 4.6806+-0.3251 ? might be 1.0168x slower array-with-double-mul-add 7.4723+-0.1126 ? 7.4760+-0.1574 ? array-with-double-sum 4.8367+-0.0530 4.8276+-0.1263 array-with-int32-add-sub 11.4795+-0.1953 11.4257+-0.2075 array-with-int32-or-double-sum 4.9638+-0.0705 4.9572+-0.1424 ArrayBuffer-DataView-alloc-large-long-lived 108.9470+-0.8627 ? 109.0035+-0.5219 ? ArrayBuffer-DataView-alloc-long-lived 30.1442+-1.2520 29.9838+-1.0545 ArrayBuffer-Int32Array-byteOffset 5.3387+-0.2559 5.2867+-0.3213 ArrayBuffer-Int8Array-alloc-large-long-lived 112.6555+-0.7892 ? 112.9815+-1.4206 ? ArrayBuffer-Int8Array-alloc-long-lived-buffer 48.6693+-1.8182 47.4923+-0.0536 might be 1.0248x faster ArrayBuffer-Int8Array-alloc-long-lived 28.9188+-0.3647 ? 29.0355+-0.7111 ? ArrayBuffer-Int8Array-alloc 25.8433+-0.2106 25.4814+-0.4668 might be 1.0142x faster asmjs_bool_bug 10.4194+-0.0922 ^ 9.9984+-0.1024 ^ definitely 1.0421x faster assign-custom-setter-polymorphic 4.6334+-0.1595 ? 4.7307+-0.1954 ? might be 1.0210x slower assign-custom-setter 6.3411+-0.3211 ? 6.6371+-0.5912 ? might be 1.0467x slower basic-set 15.2784+-0.3250 14.8600+-0.4539 might be 1.0282x faster big-int-mul 6.0945+-0.1050 ! 6.5878+-0.1656 ! definitely 1.0809x slower boolean-test 4.6658+-0.1611 4.5993+-0.0821 might be 1.0145x faster branch-fold 5.0358+-0.0318 ? 5.1298+-0.1303 ? might be 1.0187x slower by-val-generic 13.9811+-0.2287 ? 14.4480+-0.6815 ? might be 1.0334x slower call-spread-apply 20.7062+-1.1787 ! 23.0069+-0.7499 ! definitely 1.1111x slower call-spread-call 8.8101+-0.2262 ! 10.3087+-0.2654 ! definitely 1.1701x slower captured-assignments 0.6540+-0.1084 0.6019+-0.1159 might be 1.0866x faster cast-int-to-double 12.3420+-0.2716 ? 12.3703+-0.3096 ? cell-argument 10.2212+-0.2965 ? 10.6597+-0.3101 ? might be 1.0429x slower cfg-simplify 4.0591+-0.1470 ? 4.0654+-0.0620 ? chain-getter-access 31.6298+-0.4345 31.4977+-0.0531 cmpeq-obj-to-obj-other 12.9720+-0.8726 12.8372+-0.2440 might be 1.0105x faster constant-test 8.5061+-0.1255 ? 8.5336+-0.1530 ? DataView-custom-properties 115.7548+-0.9234 ? 116.0894+-0.7314 ? delay-tear-off-arguments-strictmode 3.6532+-0.2058 ? 3.6577+-0.1987 ? destructuring-arguments 8.7505+-0.1566 ? 8.7685+-0.1106 ? destructuring-swap 8.6813+-0.1708 8.6613+-0.1179 direct-arguments-getbyval 1.1725+-0.1974 ? 1.2007+-0.0928 ? might be 1.0240x slower double-get-by-val-out-of-bounds 6.2817+-0.2793 ? 7.0935+-0.5770 ? might be 1.1292x slower double-pollution-getbyval 10.9280+-0.3017 ? 10.9594+-0.5057 ? double-pollution-putbyoffset 6.0344+-0.0436 ? 6.0815+-0.1072 ? double-to-int32-typed-array-no-inline 2.9221+-0.0444 ! 2.9996+-0.0137 ! definitely 1.0265x slower double-to-int32-typed-array 2.5560+-0.1584 2.5122+-0.1667 might be 1.0174x faster double-to-uint32-typed-array-no-inline 3.1728+-0.4634 3.0807+-0.0865 might be 1.0299x faster double-to-uint32-typed-array 2.6215+-0.0639 ? 2.6749+-0.1762 ? might be 1.0203x slower empty-string-plus-int 10.1248+-0.3834 10.1120+-0.5861 emscripten-cube2hash 54.2736+-2.0553 54.0609+-1.8173 external-arguments-getbyval 2.1030+-0.1480 2.0673+-0.1490 might be 1.0173x faster external-arguments-putbyval 2.9559+-0.1257 2.9467+-0.1664 fixed-typed-array-storage-var-index 1.5853+-0.0614 1.5678+-0.1016 might be 1.0111x faster fixed-typed-array-storage 1.2318+-0.1155 ? 1.2537+-0.1154 ? might be 1.0178x slower Float32Array-matrix-mult 7.7467+-0.8357 7.6463+-0.6649 might be 1.0131x faster Float32Array-to-Float64Array-set 84.9412+-1.7735 84.4825+-5.3767 Float64Array-alloc-long-lived 96.1516+-1.6012 ? 97.9599+-0.2985 ? might be 1.0188x slower Float64Array-to-Int16Array-set 111.0578+-1.3882 ^ 107.4605+-0.8315 ^ definitely 1.0335x faster fold-double-to-int 19.5593+-0.5384 19.5067+-0.4763 for-of-iterate-array-entries 9.3673+-0.2768 9.1719+-0.2327 might be 1.0213x faster for-of-iterate-array-keys 3.7280+-0.3013 3.6992+-0.2171 for-of-iterate-array-values 3.3132+-0.1696 3.3084+-0.0421 fround 23.6090+-1.1921 ? 23.9722+-1.0781 ? might be 1.0154x slower function-dot-apply 2.2555+-0.1627 ! 3.1720+-0.1455 ! definitely 1.4063x slower function-test 4.8428+-0.1145 ? 4.8855+-0.1230 ? function-with-eval 40.6710+-1.3718 ? 40.8978+-3.1424 ? get-by-id-chain-from-try-block 8.1341+-0.2648 8.0179+-0.2204 might be 1.0145x faster get-by-id-proto-or-self 24.9310+-3.7626 23.5518+-1.1237 might be 1.0586x faster get-by-id-self-or-proto 23.7039+-0.6931 ? 24.4880+-1.1776 ? might be 1.0331x slower get-by-val-out-of-bounds 6.2044+-0.0915 ! 6.7446+-0.1829 ! definitely 1.0871x slower get_callee_monomorphic 4.8813+-0.2770 ? 4.9739+-0.3232 ? might be 1.0190x slower get_callee_polymorphic 4.5435+-0.1689 ? 4.6422+-0.0845 ? might be 1.0217x slower getter 17.5087+-0.2166 17.4517+-0.3705 global-var-const-infer-fire-from-opt 1.3479+-0.1977 1.3403+-0.1451 global-var-const-infer 1.2115+-0.0864 1.1614+-0.0854 might be 1.0431x faster HashMap-put-get-iterate-keys 37.9347+-0.6169 ? 38.4453+-0.8741 ? might be 1.0135x slower HashMap-put-get-iterate 37.3751+-0.2714 ? 37.4517+-0.5478 ? HashMap-string-put-get-iterate 43.5165+-0.5064 ? 44.0725+-2.5793 ? might be 1.0128x slower imul-double-only 10.5715+-0.3007 10.0162+-0.5781 might be 1.0554x faster imul-int-only 13.6553+-0.6768 13.0123+-0.5731 might be 1.0494x faster imul-mixed 9.7104+-0.7421 ? 9.7382+-1.0968 ? in-four-cases 21.7359+-0.3586 ? 22.0422+-0.6527 ? might be 1.0141x slower in-one-case-false 12.3218+-0.1957 ? 12.3860+-0.3081 ? in-one-case-true 12.2938+-0.3299 ? 12.3043+-0.1348 ? in-two-cases 12.5948+-0.1735 ? 12.7687+-0.3027 ? might be 1.0138x slower indexed-properties-in-objects 4.3516+-0.1297 4.2625+-0.0941 might be 1.0209x faster infer-closure-const-then-mov-no-inline 4.8930+-0.1366 ? 4.9390+-0.1165 ? infer-closure-const-then-mov 28.1350+-0.8154 28.0074+-0.4876 infer-closure-const-then-put-to-scope-no-inline 18.4719+-0.3630 ! 26.4289+-0.3116 ! definitely 1.4308x slower infer-closure-const-then-put-to-scope 29.4982+-1.0813 ! 89.3005+-1.5944 ! definitely 3.0273x slower infer-closure-const-then-reenter-no-inline 85.5662+-1.0545 ! 127.3098+-0.4809 ! definitely 1.4879x slower infer-closure-const-then-reenter 31.0850+-1.8716 ! 98.4985+-24.6073 ! definitely 3.1687x slower infer-one-time-closure-ten-vars 15.7407+-0.2197 ? 16.1625+-0.5016 ? might be 1.0268x slower infer-one-time-closure-two-vars 14.8059+-0.5081 ? 15.3876+-0.5063 ? might be 1.0393x slower infer-one-time-closure 14.8836+-0.5601 ? 15.4051+-0.4167 ? might be 1.0350x slower infer-one-time-deep-closure 27.4865+-0.7895 27.4781+-0.6207 inline-arguments-access 1.6883+-0.0781 ! 2.9946+-0.0814 ! definitely 1.7738x slower inline-arguments-aliased-access 1.8993+-0.1518 ! 3.0562+-0.0818 ! definitely 1.6091x slower inline-arguments-local-escape 19.3694+-0.3772 ! 20.3154+-0.3566 ! definitely 1.0488x slower inline-get-scoped-var 7.3472+-0.2319 7.1227+-0.4824 might be 1.0315x faster inlined-put-by-id-transition 14.6092+-0.7833 14.1965+-0.1479 might be 1.0291x faster int-or-other-abs-then-get-by-val 9.7665+-1.0413 9.4841+-0.3206 might be 1.0298x faster int-or-other-abs-zero-then-get-by-val 34.7211+-1.2687 33.7867+-0.2441 might be 1.0277x faster int-or-other-add-then-get-by-val 10.9286+-0.5552 10.7180+-0.1996 might be 1.0196x faster int-or-other-add 10.7108+-0.2702 ? 10.7727+-0.1778 ? int-or-other-div-then-get-by-val 6.5704+-0.2491 ? 6.5750+-0.0827 ? int-or-other-max-then-get-by-val 8.7711+-0.1016 ^ 7.4525+-0.1130 ^ definitely 1.1769x faster int-or-other-min-then-get-by-val 7.5591+-0.1270 ? 7.5663+-0.0983 ? int-or-other-mod-then-get-by-val 6.3017+-0.1431 6.2855+-0.1877 int-or-other-mul-then-get-by-val 6.7657+-0.2217 ? 6.8494+-0.1130 ? might be 1.0124x slower int-or-other-neg-then-get-by-val 8.3448+-0.1337 8.2550+-0.1230 might be 1.0109x faster int-or-other-neg-zero-then-get-by-val 33.7281+-0.2009 ? 33.7520+-0.6384 ? int-or-other-sub-then-get-by-val 10.4709+-0.2668 ? 10.7724+-0.2315 ? might be 1.0288x slower int-or-other-sub 8.7563+-0.2447 ! 9.5318+-0.2344 ! definitely 1.0886x slower int-overflow-local 6.5071+-0.1196 ? 6.5228+-0.2053 ? Int16Array-alloc-long-lived 71.0291+-0.3624 ^ 69.9531+-0.3434 ^ definitely 1.0154x faster Int16Array-bubble-sort-with-byteLength 46.3291+-0.3777 46.0616+-0.9958 Int16Array-bubble-sort 45.8340+-1.7248 45.2162+-0.2817 might be 1.0137x faster Int16Array-load-int-mul 2.0620+-0.0766 ? 2.0980+-0.0935 ? might be 1.0175x slower Int16Array-to-Int32Array-set 83.9869+-1.5614 ? 84.9869+-1.1963 ? might be 1.0119x slower Int32Array-alloc-large 39.4028+-1.3381 38.5523+-2.0809 might be 1.0221x faster Int32Array-alloc-long-lived 78.8344+-0.5081 78.2657+-1.0937 Int32Array-alloc 4.3915+-0.0894 4.2836+-0.1381 might be 1.0252x faster Int32Array-Int8Array-view-alloc 14.0590+-0.7414 14.0288+-0.7440 int52-spill 11.3666+-0.7363 ! 12.5745+-0.2370 ! definitely 1.1063x slower Int8Array-alloc-long-lived 65.2097+-1.6101 64.6270+-0.9344 Int8Array-load-with-byteLength 5.3398+-0.1131 ? 5.3465+-0.1375 ? Int8Array-load 5.2583+-0.1037 ? 5.3652+-0.1025 ? might be 1.0203x slower integer-divide 16.2384+-0.2150 ? 16.4371+-0.4478 ? might be 1.0122x slower integer-modulo 2.8860+-0.1730 ? 2.9111+-0.0535 ? large-int-captured 10.3930+-1.1162 9.6619+-0.4606 might be 1.0757x faster large-int-neg 23.4220+-0.4590 ? 23.4911+-0.3417 ? large-int 21.4116+-0.9013 20.6468+-0.6232 might be 1.0370x faster logical-not 6.6633+-0.1766 ? 6.7620+-0.1777 ? might be 1.0148x slower lots-of-fields 13.6047+-0.1900 13.6019+-0.3541 make-indexed-storage 4.3539+-0.2230 4.2212+-0.4442 might be 1.0314x faster make-rope-cse 6.1815+-0.4589 6.1226+-0.2378 marsaglia-larger-ints 56.3451+-0.1905 ? 56.3763+-0.2843 ? marsaglia-osr-entry 30.4260+-0.9625 29.9277+-0.5548 might be 1.0167x faster method-on-number 30.0623+-1.2206 ? 30.2355+-0.8895 ? misc-strict-eq 55.8140+-0.7836 ? 56.1756+-1.1390 ? negative-zero-divide 0.4725+-0.0636 0.4645+-0.0601 might be 1.0173x faster negative-zero-modulo 0.4910+-0.1098 ? 0.5593+-0.0418 ? might be 1.1391x slower negative-zero-negate 0.5325+-0.1382 0.5151+-0.0857 might be 1.0338x faster nested-function-parsing 47.0928+-0.5043 47.0864+-0.2452 new-array-buffer-dead 4.0881+-0.1327 4.0793+-0.1021 new-array-buffer-push 10.4794+-0.1332 10.2825+-0.1708 might be 1.0192x faster new-array-dead 14.2155+-1.0692 13.5248+-0.3305 might be 1.0511x faster new-array-push 7.1294+-0.5348 6.9947+-0.3798 might be 1.0193x faster number-test 4.5419+-0.1416 4.5120+-0.0660 object-closure-call 8.4897+-0.1777 8.4897+-0.1441 object-test 4.7555+-0.1333 ? 4.8018+-0.1179 ? poly-stricteq 79.7697+-1.8223 ? 81.5659+-3.2448 ? might be 1.0225x slower polymorphic-array-call 2.3983+-0.1807 2.3513+-0.1907 might be 1.0200x faster polymorphic-get-by-id 4.6652+-0.2317 4.6365+-0.0828 polymorphic-put-by-id 85.4098+-50.4230 ? 93.7911+-59.1560 ? might be 1.0981x slower polymorphic-structure 29.4047+-0.8182 ? 29.4144+-0.6672 ? polyvariant-monomorphic-get-by-id 12.8087+-0.1850 ? 12.8325+-0.2743 ? proto-getter-access 31.5098+-0.2835 ? 31.7770+-0.4131 ? put-by-id 19.4623+-0.5660 19.4533+-0.4429 put-by-val-large-index-blank-indexing-type 10.2538+-0.3554 ? 10.4426+-0.2774 ? might be 1.0184x slower put-by-val-machine-int 3.5144+-0.0547 3.4102+-0.3020 might be 1.0306x faster rare-osr-exit-on-local 21.1505+-1.0930 20.8011+-0.1631 might be 1.0168x faster register-pressure-from-osr 30.1984+-0.7296 30.0203+-0.4136 setter 19.8678+-0.8121 19.6318+-0.1786 might be 1.0120x faster simple-activation-demo 33.8174+-0.4198 33.6327+-0.6298 simple-getter-access 49.1508+-0.2161 ! 51.5257+-1.0152 ! definitely 1.0483x slower slow-array-profile-convergence 4.4039+-0.3819 ? 4.4262+-0.1934 ? slow-convergence 4.7617+-0.1606 ? 4.9006+-0.1496 ? might be 1.0292x slower sparse-conditional 1.5641+-0.1049 ? 1.5737+-0.0673 ? splice-to-remove 74.6746+-0.6093 ? 75.2182+-1.5301 ? string-char-code-at 24.9584+-0.4459 ! 30.3880+-1.1227 ! definitely 1.2175x slower string-concat-object 2.9935+-0.4033 2.7235+-0.0316 might be 1.0991x faster string-concat-pair-object 2.6059+-0.0499 ? 2.7677+-0.1952 ? might be 1.0621x slower string-concat-pair-simple 17.4865+-0.3764 17.4315+-0.3144 string-concat-simple 17.7873+-0.4523 17.6387+-0.2793 string-cons-repeat 11.6436+-0.3814 ? 11.6874+-0.5462 ? string-cons-tower 10.6057+-0.4757 ? 10.9050+-0.5503 ? might be 1.0282x slower string-equality 42.2438+-0.5343 ? 43.5516+-0.9038 ? might be 1.0310x slower string-get-by-val-big-char 13.4163+-1.2326 13.3007+-0.6375 string-get-by-val-out-of-bounds-insane 6.4545+-0.7393 6.0129+-0.0955 might be 1.0734x faster string-get-by-val-out-of-bounds 6.9185+-0.0931 6.8848+-0.1355 string-get-by-val 5.3950+-0.0481 5.3910+-0.0920 string-hash 3.0168+-0.0589 ! 3.1777+-0.0996 ! definitely 1.0533x slower string-long-ident-equality 37.7850+-1.2317 ? 38.5128+-0.5557 ? might be 1.0193x slower string-repeat-arith 45.1643+-0.8823 ? 45.2589+-0.5554 ? string-sub 90.6378+-1.3037 89.8120+-0.5183 string-test 4.4271+-0.0965 ? 4.5472+-0.0834 ? might be 1.0271x slower string-var-equality 69.2932+-0.7696 69.2572+-1.5123 structure-hoist-over-transitions 3.7723+-0.2092 3.7150+-0.2729 might be 1.0154x faster switch-char-constant 3.5953+-0.0594 3.5768+-0.1251 switch-char 8.9301+-0.0849 ? 8.9450+-0.1050 ? switch-constant 11.2811+-0.1307 11.2540+-0.0809 switch-string-basic-big-var 25.4135+-1.5465 24.3307+-3.8757 might be 1.0445x faster switch-string-basic-big 25.1330+-6.1588 ? 28.5273+-8.7980 ? might be 1.1351x slower switch-string-basic-var 31.1096+-0.6092 30.4557+-1.6280 might be 1.0215x faster switch-string-basic 24.4887+-5.4891 ? 26.2252+-1.9563 ? might be 1.0709x slower switch-string-big-length-tower-var 28.6133+-0.5711 ? 29.0167+-0.5769 ? might be 1.0141x slower switch-string-length-tower-var 23.0243+-0.4811 22.8272+-0.8279 switch-string-length-tower 17.6232+-1.1742 17.4654+-0.4167 switch-string-short 17.2228+-0.4194 ? 17.6193+-0.3109 ? might be 1.0230x slower switch 15.4624+-0.3256 ? 15.5522+-0.2288 ? tear-off-arguments-simple 2.6891+-0.0871 2.6056+-0.1840 might be 1.0320x faster tear-off-arguments 3.8938+-0.0190 ? 3.9322+-0.0477 ? temporal-structure 14.9877+-0.4561 ! 16.8427+-0.5870 ! definitely 1.1238x slower to-int32-boolean 23.2543+-0.5554 ? 23.3248+-0.2048 ? undefined-test 4.9802+-0.7755 4.6913+-0.1375 might be 1.0616x faster unprofiled-licm 30.1825+-1.5997 30.0535+-1.1346 weird-inlining-const-prop 2.5686+-0.1604 ? 2.5983+-0.1234 ? might be 1.0115x slower <arithmetic> 22.1623+-0.1351 ! 23.0766+-0.4006 ! definitely 1.0413x slower <geometric> * 11.4755+-0.0256 ! 11.7756+-0.0769 ! definitely 1.0261x slower <harmonic> 5.5595+-0.0437 ! 5.7096+-0.0911 ! definitely 1.0270x slower Conf#1 Conf#2 AsmBench: bigfib.cpp 799.3931+-7.6966 ? 804.1427+-10.7156 ? cray.c 818.7056+-4.7348 816.1562+-5.9460 dry.c 752.0370+-72.1259 ? 769.0327+-59.8027 ? might be 1.0226x slower FloatMM.c 1057.0609+-6.6257 1054.4727+-0.6323 gcc-loops.cpp 7167.2107+-161.9924 7123.6832+-37.3784 n-body.c 1924.8619+-5.4875 ? 1925.8546+-2.6077 ? Quicksort.c 646.6255+-1.1430 642.5638+-12.0471 stepanov_container.cpp 5680.4355+-138.4362 5657.7018+-22.0248 Towers.c 472.5874+-2.3284 471.6799+-1.5571 <arithmetic> 2146.5464+-21.7027 2140.5875+-4.7127 might be 1.0028x faster <geometric> * 1323.2878+-14.6436 ? 1324.0766+-11.4450 ? might be 1.0006x slower <harmonic> 973.0885+-14.0741 ? 974.8129+-11.5385 ? might be 1.0018x slower Conf#1 Conf#2 All benchmarks: <arithmetic> 172.2293+-0.4821 ? 172.6826+-0.4129 ? might be 1.0026x slower <geometric> 19.7934+-0.0156 ! 20.1314+-0.0800 ! definitely 1.0171x slower <harmonic> 4.8054+-0.0271 ? 4.8736+-0.0576 ? might be 1.0142x slower Conf#1 Conf#2 Geomean of preferred means: <scaled-result> 78.5806+-0.2743 ? 78.8087+-0.2640 ? might be 1.0029x slower

Comment on attachment 230950 [details] the patch. r=me to fwiw

too* :-/

These look like a real regression -- as if the VariableWatchpointSet is failing to infer a constant where it used to succeed: infer-closure-const-then-put-to-scope-no-inline 18.4719+-0.3630 ! 26.4289+-0.3116 ! definitely 1.4308x slower infer-closure-const-then-put-to-scope 29.4982+-1.0813 ! 89.3005+-1.5944 ! definitely 3.0273x slower infer-closure-const-then-reenter-no-inline 85.5662+-1.0545 ! 127.3098+-0.4809 ! definitely 1.4879x slower infer-closure-const-then-reenter 31.0850+-1.8716 ! 98.4985+-24.6073 ! definitely 3.1687x slower

(In reply to comment #14) > These look like a real regression -- as if the VariableWatchpointSet is failing to infer a constant where it used to succeed: > > infer-closure-const-then-put-to-scope-no-inline 18.4719+-0.3630 ! 26.4289+-0.3116 ! definitely 1.4308x slower > infer-closure-const-then-put-to-scope 29.4982+-1.0813 ! 89.3005+-1.5944 ! definitely 3.0273x slower > infer-closure-const-then-reenter-no-inline 85.5662+-1.0545 ! 127.3098+-0.4809 ! definitely 1.4879x slower > infer-closure-const-then-reenter 31.0850+-1.8716 ! 98.4985+-24.6073 ! definitely 3.1687x slower It’s not failing to infer constants. The regression is because we took out the optimization that checks for writing the same value. Adding a counter to track how many times the DFG slow path is called, shows that infer-closure-const-then-put-to-scope was calling the slow path like 3 million times per run of the benchmark. Presumably, the other benchmarks behaved similarly. I did a quick test change to add back that value equivalence check optimization in the DFG generated code, and with that, the regression went away. I’ll implement a more rigorous fix tomorrow and redo the tests.

Created attachment 231012 [details] patch 2: don't call the This patch has passed the jsc tests and layout tests on x86_64. It has also passed the jsc tests on 32-bit x86. Performance results are a wash in aggregate though some individual test components did seem to show some consistent differences across 3 runs of the perf test. I will upload perf results shortly after this. Note: I need to rerun this updated test against the original dromaeo crash issue in this bug to ensure that the fix is still effective.

Created attachment 231013 [details] perf-run 1

Created attachment 231014 [details] perf-run 2

Created attachment 231015 [details] perf-run 3

In the 3 set of perf results that I've just uploaded, the results show no significant perf difference in aggregate. However, all 3 set of results consistently show the following differences (in approximately the same amount of difference in perf results): asmjs_bool_bug 10.4389+-0.3607 ^ 9.5516+-0.2003 ^ definitely 1.0929x faster Float32Array-to-Float64Array-set 83.1491+-1.1323 ! 88.9993+-2.8888 ! definitely 1.0704x slower function-dot-apply 2.1975+-0.0733 ^ 1.8278+-0.0814 ^ definitely 1.2023x faster infer-closure-const-then-put-to-scope-no-inline 18.5222+-0.7751 ^ 16.8975+-0.3315 ^ definitely 1.0961x faster infer-closure-const-then-reenter-no-inline 85.2867+-1.0562 ^ 73.9457+-0.5822 ^ definitely 1.1534x faster int-or-other-max-then-get-by-val 8.8130+-0.0650 ^ 7.5538+-0.1662 ^ definitely 1.1667x faster int-or-other-sub-then-get-by-val 10.5041+-0.1474 ! 11.0717+-0.1680 ! definitely 1.0540x slower int-or-other-sub 8.8774+-0.1046 ! 9.4892+-0.1166 ! definitely 1.0689x slower Int16Array-alloc-long-lived 71.8928+-1.5212 ^ 69.3307+-0.3483 ^ definitely 1.0370x faster temporal-structure 15.2799+-0.5182 ! 18.5397+-0.3622 ! definitely 1.2133x slower

Comment on attachment 231012 [details] patch 2: don't call the r=me

Thanks. I've run 10 iterations of the Dromaeo/cssquery-dojo.html test so far and have not seen a crash. Without the fix, I would normally have seen crash by now. The patch is landed in r168443: <http://trac.webkit.org/r168443>

FYI, I've completed 100 runs of Dromaeo/cssquery-dojo.html with no crashes.