RESOLVED FIXED Bug 159279
Generators violate bytecode liveness validation 
https://bugs.webkit.org/show_bug.cgi?id=159279
Summary Generators violate bytecode liveness validation
Filip Pizlo
Reported 2016-06-29 15:01:54 PDT
[filip@hodor OpenSource] cd PerformanceTests/ES6SampleBench/Basic/ [filip@hodor Basic] DYLD_FRAMEWORK_PATH=../../../WebKitBuild/Release/ ../../../WebKitBuild/Release/jsc test.js --validateBytecode=true Validation failure in #BxvGBu:[0x103794330->0x1037905d0, NoneFunctionCall, 2046 (StrictMode)]: Variable loc9 is expected to be dead. Result: -------1-1---------------------- #BxvGBu:[0x103794330->0x1037905d0, NoneFunctionCall, 2046 (StrictMode)]: 2046 m_instructions; 16368 bytes; 5 parameter(s); 32 callee register(s); 6 variable(s) [ 0] enter [ 1] get_scope loc3 [ 3] mov loc4, loc3 [ 6] switch_imm 0, 2038(->2044), arg2 [ 10] mov loc5, Undefined(const0) [ 13] create_lexical_environment loc6, loc3, Cell: 0x1037a1720 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18(const1), <JSValue()>(const2) [ 18] mov loc3, loc6 [ 21] stricteq loc7, arg4, Int32: 0(const3) [ 25] jtrue loc7, 14(->39) [ 28] stricteq loc7, arg4, Int32: 2(const4) [ 32] jtrue loc7, 5(->37) [ 35] ret arg3 [ 37] throw arg3 [ 39] put_to_scope loc6, sourceLineNumber(@id0), Int32: 0(const5), 4<ThrowIfNotFound|LocalClosureVar|Initialization>, <structure>, 0 [ 46] create_lexical_environment loc7, loc3, Cell: 0x1037a16c0 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18(const6), <JSValue()>(const2) [ 51] mov loc3, loc7 [ 54] resolve_scope loc12, loc3, string(@id1), <ClosureVar>, 2, 0x1037a2560 [ 61] get_from_scope loc12, loc12, string(@id1), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 69] get_by_id loc8, loc12, split(@id2) predicting None [ 78] mov loc11, String (atomic) (identifier): , ID: 4(const7) [ 81] call loc8, loc8, 2, 18 status(Could Take Slow Path) Original; predicting None [ 90] get_by_id loc9, loc8, Symbol.iterator(@id3) predicting None [ 99] mov loc10, loc8 [ 102] call loc9, loc9, 1, 16 status(Could Take Slow Path) Original; predicting None [ 111] mov loc10, Undefined(const0) [ 114] jmp 1806(->1920) [ 116] loop_hint [ 117] put_to_scope loc7, line(@id4), loc10, 4<ThrowIfNotFound|LocalClosureVar|Initialization>, <structure>, 0 [ 124] create_lexical_environment loc19, loc3, Cell: 0x1037a1660 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18(const8), <JSValue()>(const2) [ 129] mov loc3, loc19 [ 132] mov loc11, <JSValue()>(const2) [ 135] mov loc12, <JSValue()>(const2) [ 138] mov loc14, <JSValue()>(const2) [ 141] mov loc15, <JSValue()>(const2) [ 144] mov loc17, <JSValue()>(const2) [ 147] mov loc18, <JSValue()>(const2) [ 150] new_func_exp loc20, loc3, f0 [ 154] mov loc16, loc20 [ 157] new_func_exp loc20, loc3, f1 [ 161] mov loc13, loc20 [ 164] get_from_scope loc20, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 172] inc loc20 [ 174] put_to_scope loc6, sourceLineNumber(@id0), loc20, 2052<ThrowIfNotFound|LocalClosureVar|NotInitialization>, <structure>, 0 [ 181] new_regexp loc18, bad_regexp(0) [ 184] new_regexp loc17, bad_regexp(1) [ 187] new_regexp loc14, bad_regexp(2) [ 190] new_regexp loc11, bad_regexp(3) [ 193] new_regexp loc15, bad_regexp(4) [ 196] new_regexp loc12, bad_regexp(5) [ 199] mov loc20, loc16 [ 202] mov loc22, Undefined(const0) [ 205] call loc20, loc20, 1, 28 status(Could Take Slow Path) Original; predicting None [ 214] new_regexp loc24, bad_regexp(6) [ 217] get_by_id loc20, loc24, test(@id5) predicting None [ 226] get_from_scope loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 234] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [ 243] jtrue loc20, 64(->307) [ 246] resolve_scope loc20, loc3, Error(@id6), <GlobalProperty>, 5, 0x1037e3900 [ 253] get_from_scope loc21, loc20, Error(@id6), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 112 predicting None [ 261] mov loc24, loc21 [ 264] mov loc25, String (atomic) (identifier): At line , ID: 4(const9) [ 267] get_from_scope loc26, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 275] to_primitive loc26, loc26 [ 278] mov loc27, String (atomic) (identifier): : Expect line number: , ID: 4(const10) [ 281] get_from_scope loc28, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 289] to_primitive loc28, loc28 [ 292] strcat loc23, loc25, 4 [ 296] construct loc21, loc21, 2, 30 status(Could Take Slow Path) predicting None [ 305] throw loc21 [ 307] resolve_scope loc20, loc3, RegExp(@id7), <GlobalProperty>, 5, 0x1037e3900 [ 314] get_from_scope loc21, loc20, RegExp(@id7), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 104 predicting None [ 322] get_by_id loc22, loc21, lastMatch(@id8) predicting None [ 331] to_number loc23, loc22 [ 334] put_to_scope loc19, userLineNumber(@id9), loc23, 4<ThrowIfNotFound|LocalClosureVar|Initialization>, <structure>, 0 [ 341] resolve_scope loc20, loc3, RegExp(@id7), <GlobalProperty>, 5, 0x1037e3900 [ 348] get_from_scope loc21, loc20, RegExp(@id7), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 104 predicting None [ 356] get_by_id loc22, loc21, rightContext(@id10) predicting None [ 365] put_to_scope loc7, line(@id4), loc22, 2052<ThrowIfNotFound|LocalClosureVar|NotInitialization>, <structure>, 0 [ 372] new_object loc20, 4 [ 376] put_by_id loc20, kind(@id11), String (atomic) (identifier): userLineNumber, ID: 4(const11), IsDirect|Bottom [ 385] resolve_scope loc21, loc3, RegExp(@id7), <GlobalProperty>, 5, 0x1037e3900 [ 392] get_from_scope loc22, loc21, RegExp(@id7), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 104 predicting None [ 400] get_by_id loc23, loc22, lastMatch(@id8) predicting None [ 409] put_by_id loc20, string(@id1), loc23, IsDirect|Bottom [ 418] get_from_scope loc21, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 426] put_by_id loc20, sourceLineNumber(@id0), loc21, IsDirect|Bottom [ 435] get_from_scope loc21, loc19, userLineNumber(@id9), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 443] put_by_id loc20, userLineNumber(@id9), loc21, IsDirect|Bottom [ 452] put_by_id arg1, PrivateSymbol.generatorState(@id12), Int32: 1(const12), Bottom [ 461] save arg1, ---1--11-1-111111111------------(@live0), 9(->470) [ 465] ret loc20 [ 467] resume arg1, ---1--11-1-111111111------------(@live0) [ 470] stricteq loc21, arg4, Int32: 0(const3) [ 474] jtrue loc21, 71(->545) [ 477] stricteq loc21, arg4, Int32: 2(const4) [ 481] jtrue loc21, 62(->543) [ 484] mov loc22, arg3 [ 487] get_parent_scope loc23, loc3 [ 490] mov loc3, loc23 [ 493] get_by_id loc23, loc9, return(@id13) predicting None [ 502] is_undefined loc24, loc23 [ 505] jtrue loc24, 24(->529) [ 508] mov loc26, loc9 [ 511] call loc24, loc23, 1, 32 status(Could Take Slow Path) Original; predicting None [ 520] is_object loc27, loc24 [ 523] jtrue loc27, 6(->529) [ 526] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [ 529] get_parent_scope loc23, loc3 [ 532] mov loc3, loc23 [ 535] get_parent_scope loc23, loc3 [ 538] mov loc3, loc23 [ 541] ret loc22 [ 543] throw arg3 [ 545] mov loc20, loc16 [ 548] mov loc22, Undefined(const0) [ 551] call loc20, loc20, 1, 28 status(Could Take Slow Path) Original; predicting None [ 560] get_from_scope loc20, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 568] get_by_id loc21, loc20, length(@id14) predicting None [ 577] jfalse loc21, 1143(->1720) [ 580] loop_hint [ 581] mov loc24, loc11 [ 584] get_by_id loc20, loc24, test(@id5) predicting None [ 593] get_from_scope loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 601] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [ 610] jfalse loc20, 116(->726) [ 613] mov loc20, loc13 [ 616] mov loc24, Undefined(const0) [ 619] mov loc23, String (atomic) (identifier): keyword, ID: 4(const14) [ 622] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [ 631] put_by_id arg1, PrivateSymbol.generatorState(@id12), Int32: 2(const4), Bottom [ 640] save arg1, ---1--11-1-111111111------------(@live1), 9(->649) [ 644] ret loc20 [ 646] resume arg1, ---1--11-1-111111111------------(@live1) [ 649] stricteq loc21, arg4, Int32: 0(const3) [ 653] jtrue loc21, 71(->724) [ 656] stricteq loc21, arg4, Int32: 2(const4) [ 660] jtrue loc21, 62(->722) [ 663] mov loc22, arg3 [ 666] get_parent_scope loc23, loc3 [ 669] mov loc3, loc23 [ 672] get_by_id loc23, loc9, return(@id13) predicting None [ 681] is_undefined loc24, loc23 [ 684] jtrue loc24, 24(->708) [ 687] mov loc26, loc9 [ 690] call loc24, loc23, 1, 32 status(Could Take Slow Path) Original; predicting None [ 699] is_object loc27, loc24 [ 702] jtrue loc27, 6(->708) [ 705] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [ 708] get_parent_scope loc23, loc3 [ 711] mov loc3, loc23 [ 714] get_parent_scope loc23, loc3 [ 717] mov loc3, loc23 [ 720] ret loc22 [ 722] throw arg3 [ 724] jmp 961(->1685) [ 726] mov loc24, loc18 [ 729] get_by_id loc20, loc24, test(@id5) predicting None [ 738] get_from_scope loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 746] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [ 755] jfalse loc20, 116(->871) [ 758] mov loc20, loc13 [ 761] mov loc24, Undefined(const0) [ 764] mov loc23, String (atomic) (identifier): identifier, ID: 4(const15) [ 767] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [ 776] put_by_id arg1, PrivateSymbol.generatorState(@id12), Int32: 3(const16), Bottom [ 785] save arg1, ---1--11-1-111111111------------(@live2), 9(->794) [ 789] ret loc20 [ 791] resume arg1, ---1--11-1-111111111------------(@live2) [ 794] stricteq loc21, arg4, Int32: 0(const3) [ 798] jtrue loc21, 71(->869) [ 801] stricteq loc21, arg4, Int32: 2(const4) [ 805] jtrue loc21, 62(->867) [ 808] mov loc22, arg3 [ 811] get_parent_scope loc23, loc3 [ 814] mov loc3, loc23 [ 817] get_by_id loc23, loc9, return(@id13) predicting None [ 826] is_undefined loc24, loc23 [ 829] jtrue loc24, 24(->853) [ 832] mov loc26, loc9 [ 835] call loc24, loc23, 1, 32 status(Could Take Slow Path) Original; predicting None [ 844] is_object loc27, loc24 [ 847] jtrue loc27, 6(->853) [ 850] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [ 853] get_parent_scope loc23, loc3 [ 856] mov loc3, loc23 [ 859] get_parent_scope loc23, loc3 [ 862] mov loc3, loc23 [ 865] ret loc22 [ 867] throw arg3 [ 869] jmp 816(->1685) [ 871] mov loc24, loc17 [ 874] get_by_id loc20, loc24, test(@id5) predicting None [ 883] get_from_scope loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [ 891] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [ 900] jfalse loc20, 146(->1046) [ 903] mov loc20, <JSValue()>(const2) [ 906] mov loc21, loc13 [ 909] mov loc24, Undefined(const0) [ 912] mov loc23, String (atomic) (identifier): number, ID: 4(const17) [ 915] call loc20, loc21, 2, 30 status(Could Take Slow Path) Original; predicting None [ 924] mov loc21, loc20 [ 927] get_by_id loc22, loc20, string(@id1) predicting None [ 936] to_number loc23, loc22 [ 939] put_by_id loc21, value(@id15), loc23, Bottom [ 948] mov loc21, loc20 [ 951] put_by_id arg1, PrivateSymbol.generatorState(@id12), Int32: 4(const18), Bottom [ 960] save arg1, ---1--11-1-111111111------------(@live3), 9(->969) [ 964] ret loc21 [ 966] resume arg1, ---1--11-1-111111111------------(@live3) [ 969] stricteq loc22, arg4, Int32: 0(const3) [ 973] jtrue loc22, 71(->1044) [ 976] stricteq loc22, arg4, Int32: 2(const4) [ 980] jtrue loc22, 62(->1042) [ 983] mov loc23, arg3 [ 986] get_parent_scope loc24, loc3 [ 989] mov loc3, loc24 [ 992] get_by_id loc24, loc9, return(@id13) predicting None [1001] is_undefined loc25, loc24 [1004] jtrue loc25, 24(->1028) [1007] mov loc26, loc9 [1010] call loc25, loc24, 1, 32 status(Could Take Slow Path) Original; predicting None [1019] is_object loc27, loc25 [1022] jtrue loc27, 6(->1028) [1025] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [1028] get_parent_scope loc24, loc3 [1031] mov loc3, loc24 [1034] get_parent_scope loc24, loc3 [1037] mov loc3, loc24 [1040] ret loc23 [1042] throw arg3 [1044] jmp 641(->1685) [1046] mov loc24, loc14 [1049] get_by_id loc20, loc24, test(@id5) predicting None [1058] get_from_scope loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [1066] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [1075] jfalse loc20, 259(->1334) [1078] mov loc20, <JSValue()>(const2) [1081] mov loc21, loc13 [1084] mov loc24, Undefined(const0) [1087] mov loc23, String (atomic) (identifier): string, ID: 4(const19) [1090] call loc20, loc21, 2, 30 status(Could Take Slow Path) Original; predicting None [1099] put_by_id loc20, value(@id15), String (atomic) (identifier): , ID: 4(const20), Bottom [1108] mov loc21, <JSValue()>(const2) [1111] mov loc21, Int32: 1(const21) [1114] get_by_id loc22, loc20, string(@id1) predicting None [1123] get_by_id loc23, loc22, length(@id14) predicting None [1132] sub loc23, loc23, Int32: 1(const21) [1137] jnless loc21, loc23, 99(->1236) [1141] loop_hint [1142] mov loc22, <JSValue()>(const2) [1145] get_by_id loc26, loc20, string(@id1) predicting None [1154] get_by_id loc23, loc26, charAt(@id16) predicting None [1163] mov loc25, loc21 [1166] call loc22, loc23, 2, 32 status(Could Take Slow Path) Original; predicting None [1175] eq loc23, loc22, String (atomic) (identifier): ", ID: 4(const22) [1179] jfalse loc23, 5(->1184) [1182] inc loc21 [1184] get_by_id loc23, loc20, value(@id15) predicting None [1193] add loc23, loc23, loc22 [1198] put_by_id loc20, value(@id15), loc23, Bottom [1207] inc loc21 [1209] get_by_id loc22, loc20, string(@id1) predicting None [1218] get_by_id loc23, loc22, length(@id14) predicting None [1227] sub loc23, loc23, Int32: 1(const21) [1232] jless loc21, loc23, -91(->1141) [1236] mov loc21, loc20 [1239] put_by_id arg1, PrivateSymbol.generatorState(@id12), Int32: 5(const23), Bottom [1248] save arg1, ---1--11-1-111111111------------(@live4), 9(->1257) [1252] ret loc21 [1254] resume arg1, ---1--11-1-111111111------------(@live4) [1257] stricteq loc22, arg4, Int32: 0(const3) [1261] jtrue loc22, 71(->1332) [1264] stricteq loc22, arg4, Int32: 2(const4) [1268] jtrue loc22, 62(->1330) [1271] mov loc23, arg3 [1274] get_parent_scope loc24, loc3 [1277] mov loc3, loc24 [1280] get_by_id loc24, loc9, return(@id13) predicting None [1289] is_undefined loc25, loc24 [1292] jtrue loc25, 24(->1316) [1295] mov loc26, loc9 [1298] call loc25, loc24, 1, 32 status(Could Take Slow Path) Original; predicting None [1307] is_object loc27, loc25 [1310] jtrue loc27, 6(->1316) [1313] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [1316] get_parent_scope loc24, loc3 [1319] mov loc3, loc24 [1322] get_parent_scope loc24, loc3 [1325] mov loc3, loc24 [1328] ret loc23 [1330] throw arg3 [1332] jmp 353(->1685) [1334] mov loc24, loc15 [1337] get_by_id loc20, loc24, test(@id5) predicting None [1346] get_from_scope loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [1354] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [1363] jfalse loc20, 116(->1479) [1366] mov loc20, loc13 [1369] mov loc24, Undefined(const0) [1372] mov loc23, String (atomic) (identifier): operator, ID: 4(const24) [1375] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [1384] put_by_id arg1, PrivateSymbol.generatorState(@id12), Int32: 6(const25), Bottom [1393] save arg1, ---1--11-1-111111111------------(@live5), 9(->1402) [1397] ret loc20 [1399] resume arg1, ---1--11-1-111111111------------(@live5) [1402] stricteq loc21, arg4, Int32: 0(const3) [1406] jtrue loc21, 71(->1477) [1409] stricteq loc21, arg4, Int32: 2(const4) [1413] jtrue loc21, 62(->1475) [1416] mov loc22, arg3 [1419] get_parent_scope loc23, loc3 [1422] mov loc3, loc23 [1425] get_by_id loc23, loc9, return(@id13) predicting None [1434] is_undefined loc24, loc23 [1437] jtrue loc24, 24(->1461) [1440] mov loc26, loc9 [1443] call loc24, loc23, 1, 32 status(Could Take Slow Path) Original; predicting None [1452] is_object loc27, loc24 [1455] jtrue loc27, 6(->1461) [1458] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [1461] get_parent_scope loc23, loc3 [1464] mov loc3, loc23 [1467] get_parent_scope loc23, loc3 [1470] mov loc3, loc23 [1473] ret loc22 [1475] throw arg3 [1477] jmp 208(->1685) [1479] mov loc24, loc12 [1482] get_by_id loc20, loc24, test(@id5) predicting None [1491] get_from_scope loc23, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [1499] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [1508] jfalse loc20, 116(->1624) [1511] mov loc20, loc13 [1514] mov loc24, Undefined(const0) [1517] mov loc23, String (atomic) (identifier): remark, ID: 4(const26) [1520] call loc20, loc20, 2, 30 status(Could Take Slow Path) Original; predicting None [1529] put_by_id arg1, PrivateSymbol.generatorState(@id12), Int32: 7(const27), Bottom [1538] save arg1, ---1--11-1-111111111------------(@live6), 9(->1547) [1542] ret loc20 [1544] resume arg1, ---1--11-1-111111111------------(@live6) [1547] stricteq loc21, arg4, Int32: 0(const3) [1551] jtrue loc21, 71(->1622) [1554] stricteq loc21, arg4, Int32: 2(const4) [1558] jtrue loc21, 62(->1620) [1561] mov loc22, arg3 [1564] get_parent_scope loc23, loc3 [1567] mov loc3, loc23 [1570] get_by_id loc23, loc9, return(@id13) predicting None [1579] is_undefined loc24, loc23 [1582] jtrue loc24, 24(->1606) [1585] mov loc26, loc9 [1588] call loc24, loc23, 1, 32 status(Could Take Slow Path) Original; predicting None [1597] is_object loc27, loc24 [1600] jtrue loc27, 6(->1606) [1603] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [1606] get_parent_scope loc23, loc3 [1609] mov loc3, loc23 [1612] get_parent_scope loc23, loc3 [1615] mov loc3, loc23 [1618] ret loc22 [1620] throw arg3 [1622] jmp 63(->1685) [1624] resolve_scope loc20, loc3, Error(@id6), <GlobalProperty>, 5, 0x1037e3900 [1631] get_from_scope loc21, loc20, Error(@id6), 2048<ThrowIfNotFound|GlobalProperty|NotInitialization>, 112 predicting None [1639] mov loc24, loc21 [1642] mov loc25, String (atomic) (identifier): At line , ID: 4(const9) [1645] get_from_scope loc26, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [1653] to_primitive loc26, loc26 [1656] mov loc27, String (atomic) (identifier): : Cannot lex token: , ID: 4(const28) [1659] get_from_scope loc28, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [1667] to_primitive loc28, loc28 [1670] strcat loc23, loc25, 4 [1674] construct loc21, loc21, 2, 30 status(Could Take Slow Path) predicting None [1683] throw loc21 [1685] mov loc20, loc16 [1688] mov loc22, Undefined(const0) [1691] call loc20, loc20, 1, 28 status(Could Take Slow Path) Original; predicting None [1700] get_from_scope loc20, loc7, line(@id4), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [1708] get_by_id loc21, loc20, length(@id14) predicting None [1717] jtrue loc21, -1137(->580) [1720] new_object loc20, 4 [1724] put_by_id loc20, kind(@id11), String (atomic) (identifier): newLine, ID: 4(const29), IsDirect|Bottom [1733] put_by_id loc20, string(@id1), String (atomic) (identifier): , ID: 4(const7), IsDirect|Bottom [1742] get_from_scope loc21, loc6, sourceLineNumber(@id0), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [1750] put_by_id loc20, sourceLineNumber(@id0), loc21, IsDirect|Bottom [1759] get_from_scope loc21, loc19, userLineNumber(@id9), 2051<ThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [1767] put_by_id loc20, userLineNumber(@id9), loc21, IsDirect|Bottom [1776] put_by_id arg1, PrivateSymbol.generatorState(@id12), Int32: 8(const30), Bottom [1785] save arg1, ---1--11-1---------1------------(@live7), 9(->1794) [1789] ret loc20 [1791] resume arg1, ---1--11-1---------1------------(@live7) [1794] stricteq loc21, arg4, Int32: 0(const3) [1798] jtrue loc21, 71(->1869) [1801] stricteq loc21, arg4, Int32: 2(const4) [1805] jtrue loc21, 62(->1867) [1808] mov loc22, arg3 [1811] get_parent_scope loc23, loc3 [1814] mov loc3, loc23 [1817] get_by_id loc23, loc9, return(@id13) predicting None [1826] is_undefined loc24, loc23 [1829] jtrue loc24, 24(->1853) [1832] mov loc26, loc9 [1835] call loc24, loc23, 1, 32 status(Could Take Slow Path) Original; predicting None [1844] is_object loc27, loc24 [1847] jtrue loc27, 6(->1853) [1850] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [1853] get_parent_scope loc23, loc3 [1856] mov loc3, loc23 [1859] get_parent_scope loc23, loc3 [1862] mov loc3, loc23 [1865] ret loc22 [1867] throw arg3 [1869] get_parent_scope loc20, loc19 [1872] mov loc3, loc20 [1875] jmp 45(->1920) [1877] catch loc11, loc12 [1880] mov loc3, loc7 [1883] get_by_id loc13, loc9, return(@id13) predicting None [1892] is_undefined loc14, loc13 [1895] jtrue loc14, 15(->1910) [1898] mov loc14, loc9 [1901] call loc10, loc13, 1, 20 status(Could Take Slow Path) Original; predicting None [1910] throw loc11 [1912] catch loc15, loc15 [1915] mov loc3, loc7 [1918] throw loc11 [1920] get_from_scope loc11, loc7, line(@id4), 1050627<DoNotThrowIfNotFound|ClosureVar|NotInitialization>, 0 predicting None [1928] get_parent_scope loc12, loc7 [1931] mov loc3, loc12 [1934] create_lexical_environment loc7, loc3, Cell: 0x1037a16c0 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18(const6), <JSValue()>(const2) [1939] mov loc3, loc7 [1942] put_to_scope loc7, line(@id4), loc11, 1050628<DoNotThrowIfNotFound|LocalClosureVar|NotInitialization>, <structure>, 0 [1949] get_by_id loc11, loc9, next(@id17) predicting None [1958] mov loc12, loc9 [1961] call loc10, loc11, 1, 18 status(Could Take Slow Path) Original; predicting None [1970] is_object loc11, loc10 [1973] jtrue loc11, 6(->1979) [1976] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [1979] get_by_id loc11, loc10, done(@id18) predicting None [1988] jtrue loc11, 50(->2038) [1991] get_by_id loc10, loc10, value(@id15) predicting None [2000] jmp -1884(->116) [2002] get_by_id loc10, loc9, return(@id13) predicting None [2011] is_undefined loc11, loc10 [2014] jtrue loc11, 24(->2038) [2017] mov loc12, loc9 [2020] call loc11, loc10, 1, 18 status(Could Take Slow Path) Original; predicting None [2029] is_object loc13, loc11 [2032] jtrue loc13, 6(->2038) [2035] throw_static_error String (atomic) (identifier): Iterator result interface is not an object., ID: 4(const13), false [2038] get_parent_scope loc8, loc7 [2041] mov loc3, loc8 [2044] ret Undefined(const0) Identifiers: id0 = sourceLineNumber id1 = string id2 = split id3 = Symbol.iterator id4 = line id5 = test id6 = Error id7 = RegExp id8 = lastMatch id9 = userLineNumber id10 = rightContext id11 = kind id12 = PrivateSymbol.generatorState id13 = return id14 = length id15 = value id16 = charAt id17 = next id18 = done Constants: k0 = Undefined k1 = Cell: 0x1037a1720 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18 k2 = <JSValue()> k3 = Int32: 0 k4 = Int32: 2 k5 = Int32: 0: in source as integer k6 = Cell: 0x1037a16c0 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18 k7 = String (atomic) (identifier): , ID: 4 k8 = Cell: 0x1037a1660 (0x1037ef700:[SymbolTable, {}, NonArray, Leaf]), ID: 18 k9 = String (atomic) (identifier): At line , ID: 4 k10 = String (atomic) (identifier): : Expect line number: , ID: 4 k11 = String (atomic) (identifier): userLineNumber, ID: 4 k12 = Int32: 1 k13 = String (atomic) (identifier): Iterator result interface is not an object., ID: 4 k14 = String (atomic) (identifier): keyword, ID: 4 k15 = String (atomic) (identifier): identifier, ID: 4 k16 = Int32: 3 k17 = String (atomic) (identifier): number, ID: 4 k18 = Int32: 4 k19 = String (atomic) (identifier): string, ID: 4 k20 = String (atomic) (identifier): , ID: 4 k21 = Int32: 1: in source as integer k22 = String (atomic) (identifier): ", ID: 4 k23 = Int32: 5 k24 = String (atomic) (identifier): operator, ID: 4 k25 = Int32: 6 k26 = String (atomic) (identifier): remark, ID: 4 k27 = Int32: 7 k28 = String (atomic) (identifier): : Cannot lex token: , ID: 4 k29 = String (atomic) (identifier): newLine, ID: 4 k30 = Int32: 8 m_regexps: re0 = /^[a-z_]([a-z0-9_]*)/i re1 = /^(([0-9]+(\.([0-9]*))?)|(\.[0-9]+)(e([+-]?)([0-9]+))?)/i re2 = /^\"([^\"]|(\"\"))*\"/ re3 = /^((base)|(data)|(def)|(dim)|(end)|(for)|(go)|(gosub)|(goto)|(if)|(input)|(let)|(next)|(on)|(option)|(print)|(randomize)|(read)|(restore)|(return)|(step)|(stop)|(sub)|(then)|(to))/i re4 = /^(-|\+|\*|\/|\^|\(|\)|(<[>=]?)|(>=?)|=|,|\$|;)/ re5 = /^rem\s.*/ re6 = /^[0-9]+/ Exception Handlers: 1: { start: [ 117] end: [ 493] target: [1877] } synthesized finally 2: { start: [ 529] end: [ 672] target: [1877] } synthesized finally 3: { start: [ 708] end: [ 817] target: [1877] } synthesized finally 4: { start: [ 853] end: [ 992] target: [1877] } synthesized finally 5: { start: [1028] end: [1280] target: [1877] } synthesized finally 6: { start: [1316] end: [1425] target: [1877] } synthesized finally 7: { start: [1461] end: [1570] target: [1877] } synthesized finally 8: { start: [1606] end: [1817] target: [1877] } synthesized finally 9: { start: [1853] end: [1877] target: [1877] } synthesized finally 10: { start: [1898] end: [1910] target: [1912] } synthesized finally Switch Jump Tables: 0 = { 0 => 0004 1 => 0461 2 => 0640 3 => 0785 4 => 0960 5 => 1248 6 => 1393 7 => 1538 8 => 1785 } Live Callee Locals: live0 = ---1--11-1-111111111------------ live1 = ---1--11-1-111111111------------ live2 = ---1--11-1-111111111------------ live3 = ---1--11-1-111111111------------ live4 = ---1--11-1-111111111------------ live5 = ---1--11-1-111111111------------ live6 = ---1--11-1-111111111------------ live7 = ---1--11-1---------1------------ Validation failure.
Attachments
the patch (15.13 KB, patch)
2016-06-29 16:25 PDT, Filip Pizlo 		ysuzuki: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2016-06-29 15:12:04 PDT
I'm going to try to fix this.
Filip Pizlo
Comment 2 2016-06-29 16:08:47 PDT
Looks like this is because the liveness analysis for generators is unsound with respect to try/catch/finally. I think this is more proof that we should not use a single liveness analysis for both pre-generator-converstion and post-generator-conversion bytecode. It's too confusing! For example, resume must preserve the invariant that it defines everything and only uses its token argument. But that's not what happens if it's inside a try block. In order to support try, we assume that any bytecode inside a try uses anything that the catch uses. I think that the best way to go is: 1) Write a custom liveness analysis just for the generator conversion. This custom analysis could reuse BytecodeUseDef.h and the basic block analysis, but otherwise it will be a new thing. This allows it to play games with save/resume. For example, it allows it to implement these rules easily: (a) the live-in at resume is always just the token argument and nothing else, and (b) whatever was live-out at the resume is used by the corresponding save. 2) Write a transformation that gets rid of save/resume and makes the control and data flow explicit. 3) Remove any "generator" modes or tricks from the bytecode liveness analysis that the rest of the engine uses. I think that for now, I'll implement a hack that says that resume is exempted from catch liveness. That's sort of insane and hacky, but I think it will fix this bug for now.
Filip Pizlo
Comment 3 2016-06-29 16:25:50 PDT
Created attachment 282390 [details] the patch
Yusuke Suzuki
Comment 4 2016-06-29 16:27:12 PDT
(In reply to comment #2) > Looks like this is because the liveness analysis for generators is unsound > with respect to try/catch/finally. Oops! > > I think this is more proof that we should not use a single liveness analysis > for both pre-generator-converstion and post-generator-conversion bytecode. > It's too confusing! Right. > > For example, resume must preserve the invariant that it defines everything > and only uses its token argument. But that's not what happens if it's > inside a try block. In order to support try, we assume that any bytecode > inside a try uses anything that the catch uses. > > I think that the best way to go is: > > 1) Write a custom liveness analysis just for the generator conversion. This > custom analysis could reuse BytecodeUseDef.h and the basic block analysis, > but otherwise it will be a new thing. This allows it to play games with > save/resume. For example, it allows it to implement these rules easily: (a) > the live-in at resume is always just the token argument and nothing else, > and (b) whatever was live-out at the resume is used by the corresponding > save. > > 2) Write a transformation that gets rid of save/resume and makes the control > and data flow explicit. > > 3) Remove any "generator" modes or tricks from the bytecode liveness > analysis that the rest of the engine uses. > > I think that for now, I'll implement a hack that says that resume is > exempted from catch liveness. That's sort of insane and hacky, but I think > it will fix this bug for now. sounds nice. generatorification should remove these resume / save and the usual liveness analysis should not care about them. after landing isNaN / isFinite patch, go to the generator patch, it is now introducing bytecode analysis.
Yusuke Suzuki
Comment 5 2016-06-29 16:50:03 PDT
Comment on attachment 282390 [details] the patch r+
Yusuke Suzuki
Comment 6 2016-06-29 16:56:43 PDT
(In reply to comment #4) > sounds nice. generatorification should remove these resume / save and the > usual liveness analysis should not care about them. > after landing isNaN / isFinite patch, go to the generator patch, it is now > introducing bytecode analysis. oops, bad syntax. (sorry, now typing from my phone) After landing the isNaN / isFinite patch, I'll go to the generatorification patch, which should include the separated generatorification analysis from the usual bytecode liveness analysis.
Filip Pizlo
Comment 7 2016-06-30 11:14:18 PDT
Landed in https://trac.webkit.org/changeset/202689
Note You need to log in before you can comment on or make changes to this bug.