RESOLVED FIXED 156034
DFG JIT bug in typeof constant folding where the input to typeof is an object or function
https://bugs.webkit.org/show_bug.cgi?id=156034
Ryosuke Niwa
Reported 2016-03-30 12:36:07 PDT
Reported on https://github.com/gaearon/normalizr/pull/82#issuecomment-203589131

Repro steps:
1. Open https://jsbin.com/coquxaduhu/1/edit?html,js,output
2. Wait for a few iterations until "looks okay" turns into "missing entities.tweets".

There's a smaller js file reported to reproduce the same issue at: https://github.com/gaearon/normalizr/pull/82#issuecomment-203590718

I'm sorry but I don't understand what this bug is about since the comments in the Github issue are super vague :(
Attachments
patch (2.82 KB, patch)
2016-03-30 18:03 PDT, Saam Barati
no flags
Ryosuke Niwa
Comment 1 2016-03-30 12:36:57 PDT
This is the function that's exhibiting non-deterministic behavior as far as I can tell: https://github.com/lodash/lodash/blob/55c3299d5c04ee8b035ee86f034ec222f4570167/lodash.js#L12308
Ryosuke Niwa
Comment 2 2016-03-30 12:39:05 PDT
This is currently affecting Safari users on Twitter until they push the workaround to production.
Radar WebKit Bug Importer
Comment 3 2016-03-30 12:39:29 PDT
Ryosuke Niwa
Comment 4 2016-03-30 14:36:46 PDT
React Proxy is claimed to be hitting the same issue: https://github.com/gaearon/react-proxy/issues/55

So it seems that the problem here is that we mistakenly return "object" for typeof of a function in some JITed code.
Ryosuke Niwa
Comment 5 2016-03-30 16:56:00 PDT
It looks like disabling DFG fixes this bug.
Ryosuke Niwa
Comment 7 2016-03-30 17:32:52 PDT
Saam Barati
Comment 8 2016-03-30 18:03:20 PDT
WebKit Commit Bot
Comment 9 2016-03-31 11:28:45 PDT
Comment on attachment 275249 [details]
patch

Clearing flags on attachment: 275249

Committed r198902: <http://trac.webkit.org/changeset/198902>
WebKit Commit Bot
Comment 10 2016-03-31 11:28:51 PDT
All reviewed patches have been landed. Closing bug.
John-David Dalton
Comment 11 2016-08-11 15:58:48 PDT
Do you all know which updates this fix is in? I'm looking for an idea of when to pull the workaround in my code.
Benjamin Poulain
Comment 12 2016-08-11 16:18:26 PDT
(In reply to comment #11)
> Do you all know which updates this fix is in? I'm looking for an idea of
> when to pull the workaround in my code.

The patch should be in Safari 10 and iOS 10.
Ryosuke Niwa
Comment 13 2016-08-11 18:47:39 PDT
(In reply to comment #11)
> Do you all know which updates this fix is in? I'm looking for an idea of
> when to pull the workaround in my code.

You should be able to work around the bug in old versions of Safari by wrapping the code in try {} catch {}. e.g.

try {
    return typeof(obj) == 'array';
} catch (e) { }

typeof would never throw but this will disable DFG JIT, which had this bug, from compiling the code in iOS 9 / Safari 9.
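The workaround in comment 13 and the symptom in comment 4 (typeof of a function coming back as "object" once the DFG tier has compiled the code), put together as an added example that is not part of this bug report, of lodash, or of WebKit. The function names (tagOf, isFunctionWorkaround, checkTypeofStability) and the sample inputs are assumptions made for this example; the check compares the typeof result against the Object.prototype.toString tag on every iteration, so an engine that misfolds typeof after warm-up shows up as a non-empty mismatch list rather than as a silent wrong answer.

```javascript
// Added example (not code from the bug report, lodash, or WebKit): a small
// self-check for the typeof misfolding described in this bug, plus the
// try/catch workaround from comment 13. All names below are assumptions.

// Classification that does not depend on `typeof` at all, so it can serve
// as the reference value. Returns e.g. "[object Function]" or "[object Array]".
function tagOf(value) {
  return Object.prototype.toString.call(value);
}

// The typeof-based check written the way comment 13 suggests. typeof never
// throws, so the catch is never reached; the try/catch is there only because
// it kept the DFG tier of Safari 9 / iOS 9 from compiling this function, which
// is what sidestepped the constant-folding bug.
function isFunctionWorkaround(value) {
  try {
    return typeof value == 'function';
  } catch (e) {
    return false;
  }
}

// Run the typeof-based check many times over a mixed set of values, the way
// the jsbin repro loops until the result flips, and compare each result with
// the toString tag. Returns one record per disagreement; an empty array means
// typeof stayed consistent for every iteration.
function checkTypeofStability(iterations) {
  // Constructed sample inputs: several kinds of function plus non-functions.
  const samples = [
    function named() {},
    () => {},
    Math.max,
    class K {},
    {},
    [],
    new Map(),
    null,
  ];
  const mismatches = [];
  for (let i = 0; i < iterations; i++) {
    for (const v of samples) {
      const viaTypeof = isFunctionWorkaround(v);
      const viaTag = tagOf(v) === '[object Function]';
      if (viaTypeof !== viaTag) {
        mismatches.push({ iteration: i, tag: tagOf(v), typeofResult: typeof v });
      }
    }
  }
  return mismatches;
}

// Stand-alone run: report whether typeof and the toString tag ever disagreed.
if (typeof require !== 'undefined' && require.main === module) {
  const bad = checkTypeofStability(10000);
  console.log(bad.length === 0 ? 'typeof stable' : 'typeof mismatches:', bad.slice(0, 5));
}
```

On a fixed engine the mismatch list stays empty however many iterations are run; the iteration count matters because the original bug only appeared once the function had been hot enough to reach the DFG tier.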