Bug 156034 - DFG JIT bug in typeof constant folding where the input to typeof is an object or function
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified (OS: Unspecified)
Importance: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2016-03-30 12:36 PDT by Ryosuke Niwa
Modified: 2016-08-11 18:47 PDT
CC: 11 users
Attachments
patch (2.82 KB, patch), 2016-03-30 18:03 PDT, Saam Barati, no flags
Description Ryosuke Niwa 2016-03-30 12:36:07 PDT
Reported on https://github.com/gaearon/normalizr/pull/82#issuecomment-203589131

Repro steps:
1. Open https://jsbin.com/coquxaduhu/1/edit?html,js,output
2. Wait for a few iterations until "looks okay" turns "missing entities.tweets".

There's a smaller js file reported to reproduce the same issue at:
https://github.com/gaearon/normalizr/pull/82#issuecomment-203590718

I'm sorry but I don't understand what this bug is about since the comments in the Github issue are super vague :(
Comment 1 Ryosuke Niwa 2016-03-30 12:36:57 PDT
This is the function that's exhibiting non-deterministic behavior as far as I can tell:
https://github.com/lodash/lodash/blob/55c3299d5c04ee8b035ee86f034ec222f4570167/lodash.js#L12308
Comment 2 Ryosuke Niwa 2016-03-30 12:39:05 PDT
This is currently affecting Safari users on Twitter until they push the workaround to production.
Comment 3 Radar WebKit Bug Importer 2016-03-30 12:39:29 PDT
<rdar://problem/25446785>
Comment 4 Ryosuke Niwa 2016-03-30 14:36:46 PDT
React Proxy is claimed to be hitting the same issue:
https://github.com/gaearon/react-proxy/issues/55

So it seems that the problem here is that we mistakenly return "object" for typeof of a function in some JITed code.
Comment 5 Ryosuke Niwa 2016-03-30 16:56:00 PDT
It looks like disabling DFG fixes this bug.
Comment 7 Ryosuke Niwa 2016-03-30 17:32:52 PDT
Minimum reproduction (credit: Saam): https://gist.github.com/anonymous/49715c82e834f8e2c184d35a821ec468
Comment 8 Saam Barati 2016-03-30 18:03:20 PDT
Created attachment 275249 [details]
patch
Comment 9 WebKit Commit Bot 2016-03-31 11:28:45 PDT
Comment on attachment 275249 [details]
patch

Clearing flags on attachment: 275249

Committed r198902: <http://trac.webkit.org/changeset/198902>
Comment 10 WebKit Commit Bot 2016-03-31 11:28:51 PDT
All reviewed patches have been landed.  Closing bug.
Comment 11 John-David Dalton 2016-08-11 15:58:48 PDT
Do you all know which updates this fix is in? I'm looking for an idea of when to pull the workaround in my code.
Comment 12 Benjamin Poulain 2016-08-11 16:18:26 PDT
(In reply to comment #11)
> Do you all know which updates this fix is in? I'm looking for an idea of
> when to pull the workaround in my code.

The patch should be in Safari 10 and iOS 10.
Comment 13 Ryosuke Niwa 2016-08-11 18:47:39 PDT
(In reply to comment #11)
> Do you all know which updates this fix is in? I'm looking for an idea of
> when to pull the workaround in my code.

You should be able to work around the bug in old versions of Safari by wrapping the code in try {} catch {}. e.g.

function isFunction(obj) {
    // The try/catch is only there to keep the DFG from compiling this function.
    try {
        return typeof obj == 'function';
    } catch (e) { }
}

typeof would never throw, but this will prevent the DFG JIT, which had this bug, from compiling the code in iOS 9 / Safari 9.
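The miscompile described in comment 4 and the try/catch workaround from comment 13, as an added example that is not part of this bug report or of WebKit: a small Node-style harness (makePredicate, runHot, checkTypeofConsistency and totalMismatches are names this example introduces) that runs a typeof-based isFunction check hot enough to reach the optimizing tier under three call-site type profiles (functions only, non-function objects only, and a mix) and counts answers that disagree with the expected value. On an engine with this bug the plain predicate would start answering wrongly once the DFG took over; on a fixed engine both the plain and the guarded report come back with zero mismatches. Building each predicate with new Function rather than reusing one literal is an assumption made so each run has its own code object and type profile. The input values and iteration counts are constructed for the example.

```javascript
'use strict';

// Build a fresh predicate from source so that each hot run gets its own code
// object and therefore its own type profile. Assumption: closures of one
// function literal may share profiling data (JSC attaches it to the shared
// code block), which would blur the per-profile comparison below.
function makePredicate(guarded) {
  // The guarded shape mirrors the workaround in comment 13: typeof never
  // throws; the try/catch only exists to keep the Safari 9-era DFG from
  // compiling the function at all.
  const body = guarded
    ? 'try { return typeof value === "function"; } catch (e) { return false; }'
    : 'return typeof value === "function";';
  return new Function('value', body);
}

// Constructed inputs. typeof reports "function" for every callable (plain
// functions, arrows, classes); every other object-like value, null included,
// reports "object", and primitives report their own tags.
const FUNCTION_VALUES = [function named() {}, () => 1, class C {}];
const OBJECT_VALUES = [{}, [], new Date(0), /re/, null];
const PRIMITIVE_VALUES = [undefined, 42, 'str', true, Symbol('s')];

// Call the predicate on every [value, expected] pair for many iterations,
// counting answers that disagree with the expected one and remembering the
// iteration at which the first disagreement appeared (-1 if none).
function runHot(predicate, cases, iterations) {
  let mismatches = 0;
  let firstBadIteration = -1;
  for (let i = 0; i < iterations; i++) {
    for (let j = 0; j < cases.length; j++) {
      if (predicate(cases[j][0]) !== cases[j][1]) {
        mismatches++;
        if (firstBadIteration < 0) firstBadIteration = i;
      }
    }
  }
  return { mismatches, firstBadIteration };
}

// Three profiles for the same check. The report is about the optimizer
// proving the input is an object and folding typeof from that proof, so the
// monomorphic profiles and the object/function mix are the ones to exercise.
function checkTypeofConsistency(iterations, guarded) {
  const fnCases = FUNCTION_VALUES.map((v) => [v, true]);
  const objCases = OBJECT_VALUES.map((v) => [v, false]);
  const mixedCases = fnCases.concat(objCases, PRIMITIVE_VALUES.map((v) => [v, false]));
  return {
    functionsOnly: runHot(makePredicate(guarded), fnCases, iterations),
    objectsOnly: runHot(makePredicate(guarded), objCases, iterations),
    mixed: runHot(makePredicate(guarded), mixedCases, iterations),
  };
}

// Sum the mismatches across all three profiles; 0 means the engine answered
// consistently before and after tier-up.
function totalMismatches(report) {
  return Object.values(report).reduce((n, r) => n + r.mismatches, 0);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('plain  :', JSON.stringify(checkTypeofConsistency(200000, false)));
  console.log('guarded:', JSON.stringify(checkTypeofConsistency(200000, true)));
}
```

Run it with node; a nonzero mismatches count together with a firstBadIteration well above zero is the signature of a tier-up miscompile rather than a logic error, since the early (interpreted) iterations answered correctly. The iteration count is only a constructed default; raise it if the engine under test tiers up late.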