RESOLVED FIXED 157138
Assertion failure for direct eval in non-class method
https://bugs.webkit.org/show_bug.cgi?id=157138
André Bargull
Reported 2016-04-28 07:49:24 PDT
SVN: rev200124
Build with: perl Tools/Scripts/build-jsc --gtk --debug

The following test case triggers this assertion error:
---
ASSERTION FAILED: derivedContextType is always None because class methods and class constructors are always evaluated as the strict code.
derivedContextType == DerivedContextType::None
---

Test case:
---
({ m() { (eval("")) } }).m();
---

Stack trace:
---
#0 0x00007ffff6e289ac in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:322
#1 0x00007ffff699b477 in JSC::EvalCodeCache::getSlow (this=0x7ffff0dba140, exec=0x7fffffffca70, owner=0x7fffaed9ba60, inStrictContext=false, thisTDZMode=<incomplete type>, derivedContextType=JSC::DerivedContextType::DerivedMethodContext, isArrowFunctionContext=false, evalContextType=JSC::EvalContextType::FunctionEvalContext, evalSource=..., scope=0x7fffaeddbf00) at ../../Source/JavaScriptCore/bytecode/EvalCodeCache.h:112
#2 0x00007ffff6995385 in JSC::eval (callFrame=0x7fffffffca70) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:200
#3 0x00007ffff6a29fd7 in JSC::(anonymous namespace)::llint_slow_path_call_eval (exec=0x7fffffffcb00, pc=0x7ffff0df0e98) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1354
#4 0x00007ffff6a33ea2 in llint_entry () at ../../Source/WTF/wtf/RefPtr.h:75
#5 0x00007ffff6a33818 in llint_entry () at ../../Source/WTF/wtf/RefPtr.h:75
#6 0x00007ffff6a2d895 in vmEntryToJavaScript () at ../../Source/WTF/wtf/RefPtr.h:75
#7 0x00007ffff69d46d2 in JSC::JITCode::execute (this=0x7ffff0d9c618, vm=0x7fffb09f1000, protoCallFrame=0x7fffffffcd30) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80
#8 0x00007ffff6997f4f in JSC::Interpreter::execute (this=0x7ffff0def058, program=0x7fffaedfbf70, callFrame=0x7fffaede7940, thisObj=0x7fffaedba360) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:960
#9 0x00007ffff6b849ad in JSC::evaluate (exec=0x7fffaede7940, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:106
#10 0x000000000043a120 in runInteractive (globalObject=0x7fffaede7900) at ../../Source/JavaScriptCore/jsc.cpp:2083
#11 0x000000000043abcb in runJSC (vm=0x7fffb09f1000, options=...) at ../../Source/JavaScriptCore/jsc.cpp:2244
#12 0x000000000043b0a1 in jscmain (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:2293
#13 0x000000000043967f in main (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:1947
---
Attachments
Patch (8.56 KB, patch)
2016-05-12 11:37 PDT, Yusuke Suzuki
no flags
Yusuke Suzuki
Comment 1 2016-04-30 12:55:40 PDT
isClassContext becomes true in generateUnlinkedFunctionExecutable incorrectly.
Saam Barati
Comment 2 2016-05-01 16:04:00 PDT
Is this because of caching?
Yusuke Suzuki
Comment 3 2016-05-06 12:04:04 PDT
(In reply to comment #2)
> Is this because of caching?

After investigating, I think I asserted wrongly. The method definitions in the object literal can use super.
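The language behaviour behind comment 3, as an added example (not code from the WebKit patch or from any commenter): strictness and `super` availability are independent properties of a function, so a sloppy-mode object-literal method is a method context for direct eval, which is the combination the reported stack trace shows (`inStrictContext=false` with `DerivedMethodContext`). `PROBE` and `classify` are names made up for this illustration.

```javascript
// Added illustration; PROBE and classify() are hypothetical names.
// PROBE is a function body that reports two independent properties of its caller.
const PROBE = `
  // Sloppy code: a direct eval's "var" lands in the enclosing function scope.
  // Strict code: the eval gets its own variable environment, so nothing leaks.
  eval("var leaked = 1");
  const strict = typeof leaked === "undefined";

  // "super.x" inside a direct eval is an early SyntaxError unless the
  // calling function is a method, that is, it has a home object.
  let superAllowed = true;
  try { eval("super.x"); }
  catch (e) { if (!(e instanceof SyntaxError)) throw e; superAllowed = false; }
  return { strict, superAllowed };
`;

function classify() {
  // The Function constructor always compiles its body as sloppy global-scope
  // code, so the result does not depend on whether this file is a module.
  return new Function(`
    return {
      objectLiteralMethod: ({ m() { ${PROBE} } }).m(),
      classMethod: new (class { m() { ${PROBE} } })().m(),
      plainFunction: (function () { ${PROBE} })(),
    };
  `)();
}

// Prints the (strict, superAllowed) pair for each of the three function kinds.
console.log(classify());
```

Only the class method is strict, yet both the class method and the object-literal method accept `super` in a direct eval; an invariant that ties "method context" to "strict code" therefore fails on the test case from the report.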
Yusuke Suzuki
Comment 4 2016-05-12 11:37:47 PDT
Yusuke Suzuki
Comment 5 2016-05-12 11:39:51 PDT
Performance evaluation results. "eval" is important for date-format-tofte.

Benchmark report for SunSpider on hanayamata.

VMs tested:
"baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/eval-master/Release/bin/jsc
"patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/eval/Release/bin/jsc

Collected 40 samples per benchmark/VM, with 40 VM invocations per benchmark. Emitted a call to gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in milliseconds.

                              baseline               patched

3d-cube                     5.7819+-0.0120    ?    5.7905+-0.0114    ?
3d-morph                   25.7286+-0.0827        25.7249+-0.0529
3d-raytrace                 6.6194+-0.2154    ?    6.6919+-0.2636    ? might be 1.0110x slower
access-binary-trees         2.2649+-0.0647    ?    2.3094+-0.0770    ? might be 1.0196x slower
access-fannkuch             6.9386+-0.2573         6.8916+-0.2746
access-nbody                2.7712+-0.0425         2.7645+-0.0102
access-nsieve               3.0841+-0.0153    ?    3.0880+-0.0250    ?
bitops-3bit-bits-in-byte    1.1529+-0.0307    ?    1.1606+-0.0319    ?
bitops-bits-in-byte         2.9837+-0.0729         2.9500+-0.0606      might be 1.0114x faster
bitops-bitwise-and          1.9498+-0.0044    ?    1.9554+-0.0088    ?
bitops-nsieve-bits          3.1277+-0.1237         3.1037+-0.1040
controlflow-recursive       2.6841+-0.0881         2.6583+-0.1017
crypto-aes                  4.8931+-0.1151         4.8647+-0.0179
crypto-md5                  2.5592+-0.0280         2.5401+-0.0356
crypto-sha1                 2.4266+-0.0358         2.4176+-0.0313
date-format-tofte           9.6971+-0.1016    ?    9.7514+-0.1176    ?
date-format-xparb           5.7347+-0.0229         5.7123+-0.0200
math-cordic                 3.0679+-0.1248         3.0662+-0.1938
math-partial-sums          10.3352+-0.0166        10.3208+-0.0126
math-spectral-norm          2.2134+-0.1135         2.1648+-0.0405      might be 1.0225x faster
regexp-dna                  7.1371+-0.0194         7.1265+-0.0211
string-base64               3.9876+-0.0399    ?    4.0364+-0.0262    ? might be 1.0122x slower
string-fasta                6.2163+-0.1391    ?    6.3027+-0.1861    ? might be 1.0139x slower
string-tagcloud             9.3792+-0.1377         9.3678+-0.1345
string-unpack-code         19.3083+-0.2220        19.0486+-0.2156      might be 1.0136x faster
string-validate-input       4.2233+-0.1062         4.1945+-0.0705

<arithmetic>                6.0102+-0.0241         6.0001+-0.0200      might be 1.0017x faster
Saam Barati
Comment 6 2016-05-13 00:40:09 PDT
Comment on attachment 278740
Patch

r=me
Yusuke Suzuki
Comment 7 2016-05-13 07:06:40 PDT
Comment on attachment 278740
Patch

Thanks!
WebKit Commit Bot
Comment 8 2016-05-13 07:27:38 PDT
Comment on attachment 278740
Patch

Clearing flags on attachment: 278740

Committed r200856: <http://trac.webkit.org/changeset/200856>
WebKit Commit Bot
Comment 9 2016-05-13 07:27:42 PDT
All reviewed patches have been landed. Closing bug.