Bug 178834 - REGRESSION(r223691): Broke Speedometer 2 React-Redux-TodoMVC test case (Requested by rniwa on #webkit).
Status: RESOLVED DUPLICATE of bug 176601
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Robin Morisset
URL:
Keywords:
Duplicates: 178820
Depends on:
Blocks: 176601
Reported: 2017-10-25 15:11 PDT by WebKit Commit Bot
Modified: 2017-11-08 12:14 PST
Attachments
ROLLOUT of r223691 (21.92 KB, patch)
2017-10-25 15:11 PDT, WebKit Commit Bot

Description WebKit Commit Bot 2017-10-25 15:11:47 PDT
https://trac.webkit.org/changeset/223691 broke the build:
Broke Speedometer 2 React-Redux-TodoMVC test case (Requested by rniwa on #webkit).

This is an automatic bug report generated by webkitbot. If this bug
report was created because of a flaky test, please file a bug for the flaky
test (if we don't already have one on file) and dup this bug against that bug
so that we can track how often these flaky tests fail.
Comment 1 WebKit Commit Bot 2017-10-25 15:11:56 PDT
Created attachment 324905
ROLLOUT of r223691

Any committer can land this patch automatically by marking it commit-queue+.  The commit-queue will build and test the patch before landing to ensure that the rollout will be successful.  This process takes approximately 15 minutes.

If you would like to land the rollout faster, you can use the following command:

  webkit-patch land-attachment ATTACHMENT_ID

where ATTACHMENT_ID is the ID of this attachment.
Comment 2 WebKit Commit Bot 2017-10-25 15:15:43 PDT
Comment on attachment 324905
ROLLOUT of r223691

Clearing flags on attachment: 324905

Committed r223989: <https://trac.webkit.org/changeset/223989>
Comment 3 WebKit Commit Bot 2017-10-25 15:15:45 PDT
All reviewed patches have been landed.  Closing bug.
Comment 4 Ryosuke Niwa 2017-10-25 15:19:13 PDT
*** Bug 178820 has been marked as a duplicate of this bug. ***
Comment 5 Robin Morisset 2017-11-06 04:37:05 PST
With sbarati and fpizlo, we found the origin of this problem: the bug is actually in DFGByteCodeParser.cpp::flush(InlineStackEntry *) and was only made visible in Speedometer by my optimization.
The bug is in the following two lines:
```
if (!inlineStackEntry->m_inlineCallFrame && m_graph.needsFlushedThis())
    flushDirect(virtualRegisterForArgument(0));
```
It causes 'this' not to be correctly preserved for OSR exit in some corner cases. It is fixed by adding the following just afterwards:
```
else
    phantomLocalDirect(virtualRegisterForArgument(0));
```

I will upload a fix on this bug as soon as I manage to write a minimized test case that triggers without my optimization.
Comment 6 Robin Morisset 2017-11-08 12:14:25 PST
I thought I would do this as a separate patch, but as I could not build a regression test that does not use https://bugs.webkit.org/show_bug.cgi?id=176601, I decided to merge the two bugs together.

*** This bug has been marked as a duplicate of bug 176601 ***