Bug 157138 - Assertion failure for direct eval in non-class method
Summary: Assertion failure for direct eval in non-class method
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-28 07:49 PDT by André Bargull
Modified: 2016-05-13 07:27 PDT

See Also:


Attachments
Patch (8.56 KB, patch)
2016-05-12 11:37 PDT, Yusuke Suzuki

Description André Bargull 2016-04-28 07:49:24 PDT
SVN: rev200124
Build with: perl Tools/Scripts/build-jsc --gtk --debug


The following test case triggers this assertion error:
---
ASSERTION FAILED: derivedContextType is always None because class methods and class constructors are always evaluated as the strict code.
derivedContextType == DerivedContextType::None
---


Test case:
---
({ m() { (eval("")) } }).m();
---


Stack trace:
---
#0  0x00007ffff6e289ac in WTFCrash () at ../../Source/WTF/wtf/Assertions.cpp:322
#1  0x00007ffff699b477 in JSC::EvalCodeCache::getSlow (this=0x7ffff0dba140, exec=0x7fffffffca70, owner=0x7fffaed9ba60, inStrictContext=false, thisTDZMode=<incomplete type>, 
    derivedContextType=JSC::DerivedContextType::DerivedMethodContext, isArrowFunctionContext=false, evalContextType=JSC::EvalContextType::FunctionEvalContext, evalSource=..., scope=0x7fffaeddbf00)
    at ../../Source/JavaScriptCore/bytecode/EvalCodeCache.h:112
#2  0x00007ffff6995385 in JSC::eval (callFrame=0x7fffffffca70) at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:200
#3  0x00007ffff6a29fd7 in JSC::(anonymous namespace)::llint_slow_path_call_eval (exec=0x7fffffffcb00, pc=0x7ffff0df0e98) at ../../Source/JavaScriptCore/llint/LLIntSlowPaths.cpp:1354
#4  0x00007ffff6a33ea2 in llint_entry () at ../../Source/WTF/wtf/RefPtr.h:75
#5  0x00007ffff6a33818 in llint_entry () at ../../Source/WTF/wtf/RefPtr.h:75
#6  0x00007ffff6a2d895 in vmEntryToJavaScript () at ../../Source/WTF/wtf/RefPtr.h:75
#7  0x00007ffff69d46d2 in JSC::JITCode::execute (this=0x7ffff0d9c618, vm=0x7fffb09f1000, protoCallFrame=0x7fffffffcd30) at ../../Source/JavaScriptCore/jit/JITCode.cpp:80
#8  0x00007ffff6997f4f in JSC::Interpreter::execute (this=0x7ffff0def058, program=0x7fffaedfbf70, callFrame=0x7fffaede7940, thisObj=0x7fffaedba360)
    at ../../Source/JavaScriptCore/interpreter/Interpreter.cpp:960
#9  0x00007ffff6b849ad in JSC::evaluate (exec=0x7fffaede7940, source=..., thisValue=..., returnedException=...) at ../../Source/JavaScriptCore/runtime/Completion.cpp:106
#10 0x000000000043a120 in runInteractive (globalObject=0x7fffaede7900) at ../../Source/JavaScriptCore/jsc.cpp:2083
#11 0x000000000043abcb in runJSC (vm=0x7fffb09f1000, options=...) at ../../Source/JavaScriptCore/jsc.cpp:2244
#12 0x000000000043b0a1 in jscmain (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:2293
#13 0x000000000043967f in main (argc=1, argv=0x7fffffffdbb8) at ../../Source/JavaScriptCore/jsc.cpp:1947
---
Comment 1 Yusuke Suzuki 2016-04-30 12:55:40 PDT
isClassContext becomes true in generateUnlinkedFunctionExecutable incorrectly.
Comment 2 Saam Barati 2016-05-01 16:04:00 PDT
Is this because of caching?
Comment 3 Yusuke Suzuki 2016-05-06 12:04:04 PDT
(In reply to comment #2)
> Is this because of caching?

After investigating, I think I asserted wrongly.
The method definitions in an object literal can use super.
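Added example (not part of the bug thread or the WebKit patch): the assertion fired because it assumed that any code with a derived-method context is class-method code, and therefore strict. Object-literal methods break that assumption: they have a home object, so `super` works in them, yet they remain sloppy-mode code unless they opt into strict mode. The snippet below runs the report's exact test case, shows `super` from an object-literal method, and contrasts how a direct eval behaves in a sloppy object-literal method versus an always-strict class method. The object literal in the sloppy case is built with `Function()` so it stays sloppy even if the file is loaded as a strict ES module; all names here are the example's own.

```javascript
// Added example, not code from the bug report or from WebKit. It illustrates
// why "class methods are always strict" does not cover object-literal methods.

// The exact test case from the report: a direct eval inside an object-literal
// method. It should simply return undefined, not crash the engine.
function reportTestCase() {
  return ({ m() { (eval("")) } }).m();
}

// Object-literal methods can use `super`: the method's home object is
// `derived`, and `super.greet` is looked up on derived's prototype.
function superFromObjectLiteral() {
  const base = { greet() { return "base"; } };
  const derived = {
    m() { return super.greet() + ":derived"; }
  };
  Object.setPrototypeOf(derived, base);
  return derived.m();   // "base:derived"
}

// A sloppy-mode direct eval declares its `var` into the calling function's
// scope. Function() always produces sloppy code, so the literal inside it is
// sloppy regardless of how this file itself is loaded.
function sloppyMethodEval() {
  const make = new Function(
    'return { m() { eval("var leaked = 1"); return typeof leaked; } };'
  );
  return make().m();    // "number": the var escaped the eval
}

// Class bodies are always strict code, so the same eval gets its own variable
// environment and `leaked` is not visible after it.
function classMethodEval() {
  class C {
    m() { eval("var leaked = 1"); return typeof leaked; }
  }
  return new C().m();   // "undefined"
}
```

The two eval helpers return different results from identical source text, which is the distinction the original assertion conflated: having a home object (and thus a derived-method context) says nothing about whether the enclosing method is strict.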
Comment 4 Yusuke Suzuki 2016-05-12 11:37:47 PDT
Created attachment 278740 [details]
Patch
Comment 5 Yusuke Suzuki 2016-05-12 11:39:51 PDT
Performance evaluation results. "eval" is important for date-format-tofte.

Benchmark report for SunSpider on hanayamata.

VMs tested:
"baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/eval-master/Release/bin/jsc
"patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/eval/Release/bin/jsc

Collected 40 samples per benchmark/VM, with 40 VM invocations per benchmark. Emitted a call to gc()
between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the
jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times
with 95% confidence intervals in milliseconds.

                                   baseline                  patched                                      

3d-cube                         5.7819+-0.0120     ?      5.7905+-0.0114        ?
3d-morph                       25.7286+-0.0827           25.7249+-0.0529        
3d-raytrace                     6.6194+-0.2154     ?      6.6919+-0.2636        ? might be 1.0110x slower
access-binary-trees             2.2649+-0.0647     ?      2.3094+-0.0770        ? might be 1.0196x slower
access-fannkuch                 6.9386+-0.2573            6.8916+-0.2746        
access-nbody                    2.7712+-0.0425            2.7645+-0.0102        
access-nsieve                   3.0841+-0.0153     ?      3.0880+-0.0250        ?
bitops-3bit-bits-in-byte        1.1529+-0.0307     ?      1.1606+-0.0319        ?
bitops-bits-in-byte             2.9837+-0.0729            2.9500+-0.0606          might be 1.0114x faster
bitops-bitwise-and              1.9498+-0.0044     ?      1.9554+-0.0088        ?
bitops-nsieve-bits              3.1277+-0.1237            3.1037+-0.1040        
controlflow-recursive           2.6841+-0.0881            2.6583+-0.1017        
crypto-aes                      4.8931+-0.1151            4.8647+-0.0179        
crypto-md5                      2.5592+-0.0280            2.5401+-0.0356        
crypto-sha1                     2.4266+-0.0358            2.4176+-0.0313        
date-format-tofte               9.6971+-0.1016     ?      9.7514+-0.1176        ?
date-format-xparb               5.7347+-0.0229            5.7123+-0.0200        
math-cordic                     3.0679+-0.1248            3.0662+-0.1938        
math-partial-sums              10.3352+-0.0166           10.3208+-0.0126        
math-spectral-norm              2.2134+-0.1135            2.1648+-0.0405          might be 1.0225x faster
regexp-dna                      7.1371+-0.0194            7.1265+-0.0211        
string-base64                   3.9876+-0.0399     ?      4.0364+-0.0262        ? might be 1.0122x slower
string-fasta                    6.2163+-0.1391     ?      6.3027+-0.1861        ? might be 1.0139x slower
string-tagcloud                 9.3792+-0.1377            9.3678+-0.1345        
string-unpack-code             19.3083+-0.2220           19.0486+-0.2156          might be 1.0136x faster
string-validate-input           4.2233+-0.1062            4.1945+-0.0705        

<arithmetic>                    6.0102+-0.0241            6.0001+-0.0200          might be 1.0017x faster
Comment 6 Saam Barati 2016-05-13 00:40:09 PDT
Comment on attachment 278740 [details]
Patch

r=me
Comment 7 Yusuke Suzuki 2016-05-13 07:06:40 PDT
Comment on attachment 278740 [details]
Patch

Thanks!
Comment 8 WebKit Commit Bot 2016-05-13 07:27:38 PDT
Comment on attachment 278740 [details]
Patch

Clearing flags on attachment: 278740

Committed r200856: <http://trac.webkit.org/changeset/200856>
Comment 9 WebKit Commit Bot 2016-05-13 07:27:42 PDT
All reviewed patches have been landed.  Closing bug.