Bug 159279 - Generators violate bytecode liveness validation
Summary: Generators violate bytecode liveness validation
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: All All
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-29 15:01 PDT by Filip Pizlo
Modified: 2016-06-30 11:14 PDT (History)
8 users (show)

See Also:

Attachments
the patch (15.13 KB, patch)
2016-06-29 16:25 PDT, Filip Pizlo 		ysuzuki: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2016-06-29 15:01:54 PDT 
[filip@hodor OpenSource] cd PerformanceTests/ES6SampleBench/Basic/
[filip@hodor Basic] DYLD_FRAMEWORK_PATH=../../../WebKitBuild/Release/ ../../../WebKitBuild/Release/jsc test.js --validateBytecode=true
Validation failure in #BxvGBu:[0x103794330->0x1037905d0, NoneFunctionCall, 2046 (StrictMode)]:

    Variable loc9 is expected to be dead.
    Result: -------1-1----------------------

#BxvGBu:[0x103794330->0x1037905d0, NoneFunctionCall, 2046 (StrictMode)]: 2046 m_instructions; 16368 bytes; 5 parameter(s); 32 callee register(s); 6 variable(s)
[   0] enter             
[   1] get_scope         loc3
[   3] mov               loc4, loc3
[   6] switch_imm        0, 2038(->2044), arg2
[  10] mov               loc5, Undefined(const0)
[  13] create_lexical_environment loc6, loc3, Cell: 0x1037a1720 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18(const1), <JSValue()>(const2)
[  18] mov               loc3, loc6
[  21] stricteq          loc7, arg4, Int32: 0(const3)
[  25] jtrue             loc7, 14(->39)
[  28] stricteq          loc7, arg4, Int32: 2(const4)
[  32] jtrue             loc7, 5(->37)
[  35] ret               arg3
[  37] throw             arg3
[  39] put_to_scope      loc6, sourceLineNumber(@id0), Int32: 0(const5), 4<ThrowIfNotFound|LocalClosureVar|Initialization>, <structure>, 0
[  46] create_lexical_environment loc7, loc3, Cell: 0x1037a16c0 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18(const6), <JSValue()>(const2)
[  51] mov               loc3, loc7
[  54] resolve_scope     loc12, loc3, string(@id1), <ClosureVar>, 2, 0x1037a2560
[  61] get_from_scope    loc12, loc12, string(@id1), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[  69] get_by_id         loc8, loc12, split(@id2)    predicting None
[  78] mov               loc11, String (atomic) (identifier): 
, ID: 4(const7)
[  81] call              loc8, loc8, 2, 18 status(Could Take Slow Path)    Original; predicting None
[  90] get_by_id         loc9, loc8, Symbol.iterator(@id3)    predicting None
[  99] mov               loc10, loc8
[ 102] call              loc9, loc9, 1, 16 status(Could Take Slow Path)    Original; predicting None
[ 111] mov               loc10, Undefined(const0)
[ 114] jmp               1806(->1920)
[ 116] loop_hint         
[ 117] put_to_scope      loc7, line(@id4), loc10, 4<ThrowIfNotFound|LocalClosureVar|Initialization>, <structure>, 0
[ 124] create_lexical_environment loc19, loc3, Cell: 0x1037a1660 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18(const8), <JSValue()>(const2)
[ 129] mov               loc3, loc19
[ 132] mov               loc11, <JSValue()>(const2)
[ 135] mov               loc12, <JSValue()>(const2)
[ 138] mov               loc14, <JSValue()>(const2)
[ 141] mov               loc15, <JSValue()>(const2)
[ 144] mov               loc17, <JSValue()>(const2)
[ 147] mov               loc18, <JSValue()>(const2)
[ 150] new_func_exp      loc20, loc3, f0
[ 154] mov               loc16, loc20
[ 157] new_func_exp      loc20, loc3, f1
[ 161] mov               loc13, loc20
[ 164] get_from_scope    loc20, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 172] inc               loc20
[ 174] put_to_scope      loc6, sourceLineNumber(@id0), loc20, 2052<ThrowIfNotFound|LocalClosureVar|NotInitialization>, <structure>, 0
[ 181] new_regexp        loc18, bad_regexp(0)
[ 184] new_regexp        loc17, bad_regexp(1)
[ 187] new_regexp        loc14, bad_regexp(2)
[ 190] new_regexp        loc11, bad_regexp(3)
[ 193] new_regexp        loc15, bad_regexp(4)
[ 196] new_regexp        loc12, bad_regexp(5)
[ 199] mov               loc20, loc16
[ 202] mov               loc22, Undefined(const0)
[ 205] call              loc20, loc20, 1, 28 status(Could Take Slow Path)    Original; predicting None
[ 214] new_regexp        loc24, bad_regexp(6)
[ 217] get_by_id         loc20, loc24, test(@id5)    predicting None
[ 226] get_from_scope    loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 234] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[ 243] jtrue             loc20, 64(->307)
[ 246] resolve_scope     loc20, loc3, Error(@id6), <GlobalProperty>, 5, 0x1037e3900
[ 253] get_from_scope    loc21, loc20, Error(@id6), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 112    predicting None
[ 261] mov               loc24, loc21
[ 264] mov               loc25, String (atomic) (identifier): At line , ID: 4(const9)
[ 267] get_from_scope    loc26, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 275] to_primitive      loc26, loc26
[ 278] mov               loc27, String (atomic) (identifier): : Expect line number: , ID: 4(const10)
[ 281] get_from_scope    loc28, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 289] to_primitive      loc28, loc28
[ 292] strcat            loc23, loc25, 4
[ 296] construct         loc21, loc21, 2, 30 status(Could Take Slow Path)    predicting None
[ 305] throw             loc21
[ 307] resolve_scope     loc20, loc3, RegExp(@id7), <GlobalProperty>, 5, 0x1037e3900
[ 314] get_from_scope    loc21, loc20, RegExp(@id7), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 104    predicting None
[ 322] get_by_id         loc22, loc21, lastMatch(@id8)    predicting None
[ 331] to_number         loc23, loc22
[ 334] put_to_scope      loc19, userLineNumber(@id9), loc23, 4<ThrowIfNotFound|LocalClosureVar|Initialization>, <structure>, 0
[ 341] resolve_scope     loc20, loc3, RegExp(@id7), <GlobalProperty>, 5, 0x1037e3900
[ 348] get_from_scope    loc21, loc20, RegExp(@id7), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 104    predicting None
[ 356] get_by_id         loc22, loc21, rightContext(@id10)    predicting None
[ 365] put_to_scope      loc7, line(@id4), loc22, 2052<ThrowIfNotFound|LocalClosureVar|NotInitialization>, <structure>, 0
[ 372] new_object        loc20, 4
[ 376] put_by_id         loc20, kind(@id11), String (atomic) (identifier): userLineNumber, ID: 4(const11), IsDirect|Bottom
[ 385] resolve_scope     loc21, loc3, RegExp(@id7), <GlobalProperty>, 5, 0x1037e3900
[ 392] get_from_scope    loc22, loc21, RegExp(@id7), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 104    predicting None
[ 400] get_by_id         loc23, loc22, lastMatch(@id8)    predicting None
[ 409] put_by_id         loc20, string(@id1), loc23, IsDirect|Bottom
[ 418] get_from_scope    loc21, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 426] put_by_id         loc20, sourceLineNumber(@id0), loc21, IsDirect|Bottom
[ 435] get_from_scope    loc21, loc19, userLineNumber(@id9), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 443] put_by_id         loc20, userLineNumber(@id9), loc21, IsDirect|Bottom
[ 452] put_by_id         arg1, PrivateSymbol.generatorState(@id12), Int32: 1(const12), Bottom
[ 461] save              arg1, ---1--11-1-111111111------------(@live0), 9(->470)
[ 465] ret               loc20
[ 467] resume            arg1, ---1--11-1-111111111------------(@live0)
[ 470] stricteq          loc21, arg4, Int32: 0(const3)
[ 474] jtrue             loc21, 71(->545)
[ 477] stricteq          loc21, arg4, Int32: 2(const4)
[ 481] jtrue             loc21, 62(->543)
[ 484] mov               loc22, arg3
[ 487] get_parent_scope  loc23, loc3
[ 490] mov               loc3, loc23
[ 493] get_by_id         loc23, loc9, return(@id13)    predicting None
[ 502] is_undefined      loc24, loc23
[ 505] jtrue             loc24, 24(->529)
[ 508] mov               loc26, loc9
[ 511] call              loc24, loc23, 1, 32 status(Could Take Slow Path)    Original; predicting None
[ 520] is_object         loc27, loc24
[ 523] jtrue             loc27, 6(->529)
[ 526] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[ 529] get_parent_scope  loc23, loc3
[ 532] mov               loc3, loc23
[ 535] get_parent_scope  loc23, loc3
[ 538] mov               loc3, loc23
[ 541] ret               loc22
[ 543] throw             arg3
[ 545] mov               loc20, loc16
[ 548] mov               loc22, Undefined(const0)
[ 551] call              loc20, loc20, 1, 28 status(Could Take Slow Path)    Original; predicting None
[ 560] get_from_scope    loc20, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 568] get_by_id         loc21, loc20, length(@id14)    predicting None
[ 577] jfalse            loc21, 1143(->1720)
[ 580] loop_hint         
[ 581] mov               loc24, loc11
[ 584] get_by_id         loc20, loc24, test(@id5)    predicting None
[ 593] get_from_scope    loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 601] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[ 610] jfalse            loc20, 116(->726)
[ 613] mov               loc20, loc13
[ 616] mov               loc24, Undefined(const0)
[ 619] mov               loc23, String (atomic) (identifier): keyword, ID: 4(const14)
[ 622] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[ 631] put_by_id         arg1, PrivateSymbol.generatorState(@id12), Int32: 2(const4), Bottom
[ 640] save              arg1, ---1--11-1-111111111------------(@live1), 9(->649)
[ 644] ret               loc20
[ 646] resume            arg1, ---1--11-1-111111111------------(@live1)
[ 649] stricteq          loc21, arg4, Int32: 0(const3)
[ 653] jtrue             loc21, 71(->724)
[ 656] stricteq          loc21, arg4, Int32: 2(const4)
[ 660] jtrue             loc21, 62(->722)
[ 663] mov               loc22, arg3
[ 666] get_parent_scope  loc23, loc3
[ 669] mov               loc3, loc23
[ 672] get_by_id         loc23, loc9, return(@id13)    predicting None
[ 681] is_undefined      loc24, loc23
[ 684] jtrue             loc24, 24(->708)
[ 687] mov               loc26, loc9
[ 690] call              loc24, loc23, 1, 32 status(Could Take Slow Path)    Original; predicting None
[ 699] is_object         loc27, loc24
[ 702] jtrue             loc27, 6(->708)
[ 705] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[ 708] get_parent_scope  loc23, loc3
[ 711] mov               loc3, loc23
[ 714] get_parent_scope  loc23, loc3
[ 717] mov               loc3, loc23
[ 720] ret               loc22
[ 722] throw             arg3
[ 724] jmp               961(->1685)
[ 726] mov               loc24, loc18
[ 729] get_by_id         loc20, loc24, test(@id5)    predicting None
[ 738] get_from_scope    loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 746] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[ 755] jfalse            loc20, 116(->871)
[ 758] mov               loc20, loc13
[ 761] mov               loc24, Undefined(const0)
[ 764] mov               loc23, String (atomic) (identifier): identifier, ID: 4(const15)
[ 767] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[ 776] put_by_id         arg1, PrivateSymbol.generatorState(@id12), Int32: 3(const16), Bottom
[ 785] save              arg1, ---1--11-1-111111111------------(@live2), 9(->794)
[ 789] ret               loc20
[ 791] resume            arg1, ---1--11-1-111111111------------(@live2)
[ 794] stricteq          loc21, arg4, Int32: 0(const3)
[ 798] jtrue             loc21, 71(->869)
[ 801] stricteq          loc21, arg4, Int32: 2(const4)
[ 805] jtrue             loc21, 62(->867)
[ 808] mov               loc22, arg3
[ 811] get_parent_scope  loc23, loc3
[ 814] mov               loc3, loc23
[ 817] get_by_id         loc23, loc9, return(@id13)    predicting None
[ 826] is_undefined      loc24, loc23
[ 829] jtrue             loc24, 24(->853)
[ 832] mov               loc26, loc9
[ 835] call              loc24, loc23, 1, 32 status(Could Take Slow Path)    Original; predicting None
[ 844] is_object         loc27, loc24
[ 847] jtrue             loc27, 6(->853)
[ 850] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[ 853] get_parent_scope  loc23, loc3
[ 856] mov               loc3, loc23
[ 859] get_parent_scope  loc23, loc3
[ 862] mov               loc3, loc23
[ 865] ret               loc22
[ 867] throw             arg3
[ 869] jmp               816(->1685)
[ 871] mov               loc24, loc17
[ 874] get_by_id         loc20, loc24, test(@id5)    predicting None
[ 883] get_from_scope    loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[ 891] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[ 900] jfalse            loc20, 146(->1046)
[ 903] mov               loc20, <JSValue()>(const2)
[ 906] mov               loc21, loc13
[ 909] mov               loc24, Undefined(const0)
[ 912] mov               loc23, String (atomic) (identifier): number, ID: 4(const17)
[ 915] call              loc20, loc21, 2, 30 status(Could Take Slow Path)    Original; predicting None
[ 924] mov               loc21, loc20
[ 927] get_by_id         loc22, loc20, string(@id1)    predicting None
[ 936] to_number         loc23, loc22
[ 939] put_by_id         loc21, value(@id15), loc23, Bottom
[ 948] mov               loc21, loc20
[ 951] put_by_id         arg1, PrivateSymbol.generatorState(@id12), Int32: 4(const18), Bottom
[ 960] save              arg1, ---1--11-1-111111111------------(@live3), 9(->969)
[ 964] ret               loc21
[ 966] resume            arg1, ---1--11-1-111111111------------(@live3)
[ 969] stricteq          loc22, arg4, Int32: 0(const3)
[ 973] jtrue             loc22, 71(->1044)
[ 976] stricteq          loc22, arg4, Int32: 2(const4)
[ 980] jtrue             loc22, 62(->1042)
[ 983] mov               loc23, arg3
[ 986] get_parent_scope  loc24, loc3
[ 989] mov               loc3, loc24
[ 992] get_by_id         loc24, loc9, return(@id13)    predicting None
[1001] is_undefined      loc25, loc24
[1004] jtrue             loc25, 24(->1028)
[1007] mov               loc26, loc9
[1010] call              loc25, loc24, 1, 32 status(Could Take Slow Path)    Original; predicting None
[1019] is_object         loc27, loc25
[1022] jtrue             loc27, 6(->1028)
[1025] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[1028] get_parent_scope  loc24, loc3
[1031] mov               loc3, loc24
[1034] get_parent_scope  loc24, loc3
[1037] mov               loc3, loc24
[1040] ret               loc23
[1042] throw             arg3
[1044] jmp               641(->1685)
[1046] mov               loc24, loc14
[1049] get_by_id         loc20, loc24, test(@id5)    predicting None
[1058] get_from_scope    loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[1066] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[1075] jfalse            loc20, 259(->1334)
[1078] mov               loc20, <JSValue()>(const2)
[1081] mov               loc21, loc13
[1084] mov               loc24, Undefined(const0)
[1087] mov               loc23, String (atomic) (identifier): string, ID: 4(const19)
[1090] call              loc20, loc21, 2, 30 status(Could Take Slow Path)    Original; predicting None
[1099] put_by_id         loc20, value(@id15), String (atomic) (identifier): , ID: 4(const20), Bottom
[1108] mov               loc21, <JSValue()>(const2)
[1111] mov               loc21, Int32: 1(const21)
[1114] get_by_id         loc22, loc20, string(@id1)    predicting None
[1123] get_by_id         loc23, loc22, length(@id14)    predicting None
[1132] sub               loc23, loc23, Int32: 1(const21)
[1137] jnless            loc21, loc23, 99(->1236)
[1141] loop_hint         
[1142] mov               loc22, <JSValue()>(const2)
[1145] get_by_id         loc26, loc20, string(@id1)    predicting None
[1154] get_by_id         loc23, loc26, charAt(@id16)    predicting None
[1163] mov               loc25, loc21
[1166] call              loc22, loc23, 2, 32 status(Could Take Slow Path)    Original; predicting None
[1175] eq                loc23, loc22, String (atomic) (identifier): ", ID: 4(const22)
[1179] jfalse            loc23, 5(->1184)
[1182] inc               loc21
[1184] get_by_id         loc23, loc20, value(@id15)    predicting None
[1193] add               loc23, loc23, loc22
[1198] put_by_id         loc20, value(@id15), loc23, Bottom
[1207] inc               loc21
[1209] get_by_id         loc22, loc20, string(@id1)    predicting None
[1218] get_by_id         loc23, loc22, length(@id14)    predicting None
[1227] sub               loc23, loc23, Int32: 1(const21)
[1232] jless             loc21, loc23, -91(->1141)
[1236] mov               loc21, loc20
[1239] put_by_id         arg1, PrivateSymbol.generatorState(@id12), Int32: 5(const23), Bottom
[1248] save              arg1, ---1--11-1-111111111------------(@live4), 9(->1257)
[1252] ret               loc21
[1254] resume            arg1, ---1--11-1-111111111------------(@live4)
[1257] stricteq          loc22, arg4, Int32: 0(const3)
[1261] jtrue             loc22, 71(->1332)
[1264] stricteq          loc22, arg4, Int32: 2(const4)
[1268] jtrue             loc22, 62(->1330)
[1271] mov               loc23, arg3
[1274] get_parent_scope  loc24, loc3
[1277] mov               loc3, loc24
[1280] get_by_id         loc24, loc9, return(@id13)    predicting None
[1289] is_undefined      loc25, loc24
[1292] jtrue             loc25, 24(->1316)
[1295] mov               loc26, loc9
[1298] call              loc25, loc24, 1, 32 status(Could Take Slow Path)    Original; predicting None
[1307] is_object         loc27, loc25
[1310] jtrue             loc27, 6(->1316)
[1313] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[1316] get_parent_scope  loc24, loc3
[1319] mov               loc3, loc24
[1322] get_parent_scope  loc24, loc3
[1325] mov               loc3, loc24
[1328] ret               loc23
[1330] throw             arg3
[1332] jmp               353(->1685)
[1334] mov               loc24, loc15
[1337] get_by_id         loc20, loc24, test(@id5)    predicting None
[1346] get_from_scope    loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[1354] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[1363] jfalse            loc20, 116(->1479)
[1366] mov               loc20, loc13
[1369] mov               loc24, Undefined(const0)
[1372] mov               loc23, String (atomic) (identifier): operator, ID: 4(const24)
[1375] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[1384] put_by_id         arg1, PrivateSymbol.generatorState(@id12), Int32: 6(const25), Bottom
[1393] save              arg1, ---1--11-1-111111111------------(@live5), 9(->1402)
[1397] ret               loc20
[1399] resume            arg1, ---1--11-1-111111111------------(@live5)
[1402] stricteq          loc21, arg4, Int32: 0(const3)
[1406] jtrue             loc21, 71(->1477)
[1409] stricteq          loc21, arg4, Int32: 2(const4)
[1413] jtrue             loc21, 62(->1475)
[1416] mov               loc22, arg3
[1419] get_parent_scope  loc23, loc3
[1422] mov               loc3, loc23
[1425] get_by_id         loc23, loc9, return(@id13)    predicting None
[1434] is_undefined      loc24, loc23
[1437] jtrue             loc24, 24(->1461)
[1440] mov               loc26, loc9
[1443] call              loc24, loc23, 1, 32 status(Could Take Slow Path)    Original; predicting None
[1452] is_object         loc27, loc24
[1455] jtrue             loc27, 6(->1461)
[1458] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[1461] get_parent_scope  loc23, loc3
[1464] mov               loc3, loc23
[1467] get_parent_scope  loc23, loc3
[1470] mov               loc3, loc23
[1473] ret               loc22
[1475] throw             arg3
[1477] jmp               208(->1685)
[1479] mov               loc24, loc12
[1482] get_by_id         loc20, loc24, test(@id5)    predicting None
[1491] get_from_scope    loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[1499] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[1508] jfalse            loc20, 116(->1624)
[1511] mov               loc20, loc13
[1514] mov               loc24, Undefined(const0)
[1517] mov               loc23, String (atomic) (identifier): remark, ID: 4(const26)
[1520] call              loc20, loc20, 2, 30 status(Could Take Slow Path)    Original; predicting None
[1529] put_by_id         arg1, PrivateSymbol.generatorState(@id12), Int32: 7(const27), Bottom
[1538] save              arg1, ---1--11-1-111111111------------(@live6), 9(->1547)
[1542] ret               loc20
[1544] resume            arg1, ---1--11-1-111111111------------(@live6)
[1547] stricteq          loc21, arg4, Int32: 0(const3)
[1551] jtrue             loc21, 71(->1622)
[1554] stricteq          loc21, arg4, Int32: 2(const4)
[1558] jtrue             loc21, 62(->1620)
[1561] mov               loc22, arg3
[1564] get_parent_scope  loc23, loc3
[1567] mov               loc3, loc23
[1570] get_by_id         loc23, loc9, return(@id13)    predicting None
[1579] is_undefined      loc24, loc23
[1582] jtrue             loc24, 24(->1606)
[1585] mov               loc26, loc9
[1588] call              loc24, loc23, 1, 32 status(Could Take Slow Path)    Original; predicting None
[1597] is_object         loc27, loc24
[1600] jtrue             loc27, 6(->1606)
[1603] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[1606] get_parent_scope  loc23, loc3
[1609] mov               loc3, loc23
[1612] get_parent_scope  loc23, loc3
[1615] mov               loc3, loc23
[1618] ret               loc22
[1620] throw             arg3
[1622] jmp               63(->1685)
[1624] resolve_scope     loc20, loc3, Error(@id6), <GlobalProperty>, 5, 0x1037e3900
[1631] get_from_scope    loc21, loc20, Error(@id6), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 112    predicting None
[1639] mov               loc24, loc21
[1642] mov               loc25, String (atomic) (identifier): At line , ID: 4(const9)
[1645] get_from_scope    loc26, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[1653] to_primitive      loc26, loc26
[1656] mov               loc27, String (atomic) (identifier): : Cannot lex token: , ID: 4(const28)
[1659] get_from_scope    loc28, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[1667] to_primitive      loc28, loc28
[1670] strcat            loc23, loc25, 4
[1674] construct         loc21, loc21, 2, 30 status(Could Take Slow Path)    predicting None
[1683] throw             loc21
[1685] mov               loc20, loc16
[1688] mov               loc22, Undefined(const0)
[1691] call              loc20, loc20, 1, 28 status(Could Take Slow Path)    Original; predicting None
[1700] get_from_scope    loc20, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[1708] get_by_id         loc21, loc20, length(@id14)    predicting None
[1717] jtrue             loc21, -1137(->580)
[1720] new_object        loc20, 4
[1724] put_by_id         loc20, kind(@id11), String (atomic) (identifier): newLine, ID: 4(const29), IsDirect|Bottom
[1733] put_by_id         loc20, string(@id1), String (atomic) (identifier): 
, ID: 4(const7), IsDirect|Bottom
[1742] get_from_scope    loc21, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[1750] put_by_id         loc20, sourceLineNumber(@id0), loc21, IsDirect|Bottom
[1759] get_from_scope    loc21, loc19, userLineNumber(@id9), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[1767] put_by_id         loc20, userLineNumber(@id9), loc21, IsDirect|Bottom
[1776] put_by_id         arg1, PrivateSymbol.generatorState(@id12), Int32: 8(const30), Bottom
[1785] save              arg1, ---1--11-1---------1------------(@live7), 9(->1794)
[1789] ret               loc20
[1791] resume            arg1, ---1--11-1---------1------------(@live7)
[1794] stricteq          loc21, arg4, Int32: 0(const3)
[1798] jtrue             loc21, 71(->1869)
[1801] stricteq          loc21, arg4, Int32: 2(const4)
[1805] jtrue             loc21, 62(->1867)
[1808] mov               loc22, arg3
[1811] get_parent_scope  loc23, loc3
[1814] mov               loc3, loc23
[1817] get_by_id         loc23, loc9, return(@id13)    predicting None
[1826] is_undefined      loc24, loc23
[1829] jtrue             loc24, 24(->1853)
[1832] mov               loc26, loc9
[1835] call              loc24, loc23, 1, 32 status(Could Take Slow Path)    Original; predicting None
[1844] is_object         loc27, loc24
[1847] jtrue             loc27, 6(->1853)
[1850] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[1853] get_parent_scope  loc23, loc3
[1856] mov               loc3, loc23
[1859] get_parent_scope  loc23, loc3
[1862] mov               loc3, loc23
[1865] ret               loc22
[1867] throw             arg3
[1869] get_parent_scope  loc20, loc19
[1872] mov               loc3, loc20
[1875] jmp               45(->1920)
[1877] catch             loc11, loc12
[1880] mov               loc3, loc7
[1883] get_by_id         loc13, loc9, return(@id13)    predicting None
[1892] is_undefined      loc14, loc13
[1895] jtrue             loc14, 15(->1910)
[1898] mov               loc14, loc9
[1901] call              loc10, loc13, 1, 20 status(Could Take Slow Path)    Original; predicting None
[1910] throw             loc11
[1912] catch             loc15, loc15
[1915] mov               loc3, loc7
[1918] throw             loc11
[1920] get_from_scope    loc11, loc7, line(@id4), 1050627<DoNotThrowIfNotFound|ClosureVar|NotInitialization>, 0    predicting None
[1928] get_parent_scope  loc12, loc7
[1931] mov               loc3, loc12
[1934] create_lexical_environment loc7, loc3, Cell: 0x1037a16c0 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18(const6), <JSValue()>(const2)
[1939] mov               loc3, loc7
[1942] put_to_scope      loc7, line(@id4), loc11, 1050628<DoNotThrowIfNotFound|LocalClosureVar|NotInitialization>, <structure>, 0
[1949] get_by_id         loc11, loc9, next(@id17)    predicting None
[1958] mov               loc12, loc9
[1961] call              loc10, loc11, 1, 18 status(Could Take Slow Path)    Original; predicting None
[1970] is_object         loc11, loc10
[1973] jtrue             loc11, 6(->1979)
[1976] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[1979] get_by_id         loc11, loc10, done(@id18)    predicting None
[1988] jtrue             loc11, 50(->2038)
[1991] get_by_id         loc10, loc10, value(@id15)    predicting None
[2000] jmp               -1884(->116)
[2002] get_by_id         loc10, loc9, return(@id13)    predicting None
[2011] is_undefined      loc11, loc10
[2014] jtrue             loc11, 24(->2038)
[2017] mov               loc12, loc9
[2020] call              loc11, loc10, 1, 18 status(Could Take Slow Path)    Original; predicting None
[2029] is_object         loc13, loc11
[2032] jtrue             loc13, 6(->2038)
[2035] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false
[2038] get_parent_scope  loc8, loc7
[2041] mov               loc3, loc8
[2044] ret               Undefined(const0)

Identifiers:
  id0 = sourceLineNumber
  id1 = string
  id2 = split
  id3 = Symbol.iterator
  id4 = line
  id5 = test
  id6 = Error
  id7 = RegExp
  id8 = lastMatch
  id9 = userLineNumber
  id10 = rightContext
  id11 = kind
  id12 = PrivateSymbol.generatorState
  id13 = return
  id14 = length
  id15 = value
  id16 = charAt
  id17 = next
  id18 = done

Constants:
   k0 = Undefined
   k1 = Cell: 0x1037a1720 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18
   k2 = <JSValue()>
   k3 = Int32: 0
   k4 = Int32: 2
   k5 = Int32: 0: in source as integer
   k6 = Cell: 0x1037a16c0 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18
   k7 = String (atomic) (identifier): 
, ID: 4
   k8 = Cell: 0x1037a1660 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18
   k9 = String (atomic) (identifier): At line , ID: 4
   k10 = String (atomic) (identifier): : Expect line number: , ID: 4
   k11 = String (atomic) (identifier): userLineNumber, ID: 4
   k12 = Int32: 1
   k13 = String (atomic) (identifier): Iterator result interface is not an object., ID: 4
   k14 = String (atomic) (identifier): keyword, ID: 4
   k15 = String (atomic) (identifier): identifier, ID: 4
   k16 = Int32: 3
   k17 = String (atomic) (identifier): number, ID: 4
   k18 = Int32: 4
   k19 = String (atomic) (identifier): string, ID: 4
   k20 = String (atomic) (identifier): , ID: 4
   k21 = Int32: 1: in source as integer
   k22 = String (atomic) (identifier): ", ID: 4
   k23 = Int32: 5
   k24 = String (atomic) (identifier): operator, ID: 4
   k25 = Int32: 6
   k26 = String (atomic) (identifier): remark, ID: 4
   k27 = Int32: 7
   k28 = String (atomic) (identifier): : Cannot lex token: , ID: 4
   k29 = String (atomic) (identifier): newLine, ID: 4
   k30 = Int32: 8

m_regexps:
  re0 = /^[a-z_]([a-z0-9_]*)/i
  re1 = /^(([0-9]+(\.([0-9]*))?)|(\.[0-9]+)(e([+-]?)([0-9]+))?)/i
  re2 = /^\"([^\"]|(\"\"))*\"/
  re3 = /^((base)|(data)|(def)|(dim)|(end)|(for)|(go)|(gosub)|(goto)|(if)|(input)|(let)|(next)|(on)|(option)|(print)|(randomize)|(read)|(restore)|(return)|(step)|(stop)|(sub)|(then)|(to))/i
  re4 = /^(-|\+|\*|\/|\^|\(|\)|(<[>=]?)|(>=?)|=|,|\$|;)/
  re5 = /^rem\s.*/
  re6 = /^[0-9]+/

Exception Handlers:
	 1: { start: [ 117] end: [ 493] target: [1877] } synthesized finally
	 2: { start: [ 529] end: [ 672] target: [1877] } synthesized finally
	 3: { start: [ 708] end: [ 817] target: [1877] } synthesized finally
	 4: { start: [ 853] end: [ 992] target: [1877] } synthesized finally
	 5: { start: [1028] end: [1280] target: [1877] } synthesized finally
	 6: { start: [1316] end: [1425] target: [1877] } synthesized finally
	 7: { start: [1461] end: [1570] target: [1877] } synthesized finally
	 8: { start: [1606] end: [1817] target: [1877] } synthesized finally
	 9: { start: [1853] end: [1877] target: [1877] } synthesized finally
	 10: { start: [1898] end: [1910] target: [1912] } synthesized finally
Switch Jump Tables:
  0 = {
		   0 => 0004
		   1 => 0461
		   2 => 0640
		   3 => 0785
		   4 => 0960
		   5 => 1248
		   6 => 1393
		   7 => 1538
		   8 => 1785
      }

Live Callee Locals:
  live0 = ---1--11-1-111111111------------
  live1 = ---1--11-1-111111111------------
  live2 = ---1--11-1-111111111------------
  live3 = ---1--11-1-111111111------------
  live4 = ---1--11-1-111111111------------
  live5 = ---1--11-1-111111111------------
  live6 = ---1--11-1-111111111------------
  live7 = ---1--11-1---------1------------


Validation failure.
Comment 1 Filip Pizlo 2016-06-29 15:12:04 PDT 
I'm going to try to fix this.
Comment 2 Filip Pizlo 2016-06-29 16:08:47 PDT 
Looks like this is because the liveness analysis for generators is unsound with respect to try/catch/finally.

I think this is more proof that we should not use a single liveness analysis for both pre-generator-converstion and post-generator-conversion bytecode.  It's too confusing!  

For example, resume must preserve the invariant that it defines everything and only uses its token argument.  But that's not what happens if it's inside a try block.  In order to support try, we assume that any bytecode inside a try uses anything that the catch uses.

I think that the best way to go is:

1) Write a custom liveness analysis just for the generator conversion.  This custom analysis could reuse BytecodeUseDef.h and the basic block analysis, but otherwise it will be a new thing.  This allows it to play games with save/resume.  For example, it allows it to implement these rules easily: (a) the live-in at resume is always just the token argument and nothing else, and (b) whatever was live-out at the resume is used by the corresponding save.

2) Write a transformation that gets rid of save/resume and makes the control and data flow explicit.

3) Remove any "generator" modes or tricks from the bytecode liveness analysis that the rest of the engine uses.

I think that for now, I'll implement a hack that says that resume is exempted from catch liveness.  That's sort of insane and hacky, but I think it will fix this bug for now.
Comment 3 Filip Pizlo 2016-06-29 16:25:50 PDT 
Created attachment 282390 [details]
the patch
Comment 4 Yusuke Suzuki 2016-06-29 16:27:12 PDT 
(In reply to comment #2)
> Looks like this is because the liveness analysis for generators is unsound
> with respect to try/catch/finally.

Oops!

> 
> I think this is more proof that we should not use a single liveness analysis
> for both pre-generator-converstion and post-generator-conversion bytecode. 
> It's too confusing! 

Right.

> 
> For example, resume must preserve the invariant that it defines everything
> and only uses its token argument.  But that's not what happens if it's
> inside a try block.  In order to support try, we assume that any bytecode
> inside a try uses anything that the catch uses.
> 
> I think that the best way to go is:
> 
> 1) Write a custom liveness analysis just for the generator conversion.  This
> custom analysis could reuse BytecodeUseDef.h and the basic block analysis,
> but otherwise it will be a new thing.  This allows it to play games with
> save/resume.  For example, it allows it to implement these rules easily: (a)
> the live-in at resume is always just the token argument and nothing else,
> and (b) whatever was live-out at the resume is used by the corresponding
> save.
> 
> 2) Write a transformation that gets rid of save/resume and makes the control
> and data flow explicit.
> 
> 3) Remove any "generator" modes or tricks from the bytecode liveness
> analysis that the rest of the engine uses.
> 
> I think that for now, I'll implement a hack that says that resume is
> exempted from catch liveness.  That's sort of insane and hacky, but I think
> it will fix this bug for now.

sounds nice. generatorification should remove these resume / save and the usual liveness analysis should not care about them.
after landing isNaN / isFinite patch, go to the generator patch, it is now introducing bytecode analysis.
Comment 5 Yusuke Suzuki 2016-06-29 16:50:03 PDT 
Comment on attachment 282390 [details]
the patch

r+
Comment 6 Yusuke Suzuki 2016-06-29 16:56:43 PDT 
(In reply to comment #4)
> sounds nice. generatorification should remove these resume / save and the
> usual liveness analysis should not care about them.
> after landing isNaN / isFinite patch, go to the generator patch, it is now
> introducing bytecode analysis.

oops, bad syntax. (sorry, now typing from my phone)
After landing the isNaN / isFinite patch, I'll go to the generatorification patch, which should include the separated generatorification analysis from the usual bytecode liveness analysis.
Comment 7 Filip Pizlo 2016-06-30 11:14:18 PDT 
Landed in https://trac.webkit.org/changeset/202689