RESOLVED FIXED24447
REGRESSION (r41508): Google Maps does not complete initialization 
https://bugs.webkit.org/show_bug.cgi?id=24447
Summary REGRESSION (r41508): Google Maps does not complete initialization
mitz
Reported 2009-03-07 15:04:36 PST
Google Maps does finish loading and the map cannot be dragged. The Web Inspector console says TypeError: Result of expression '(d.getScript||YY.xFa)' [0] is not a function.
Attachments
Fix dirtying of the register cache at branch targets (4.79 KB, patch)
2009-03-09 06:10 PDT, Oliver Hunt 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
mitz
Comment 1 2009-03-07 15:05:04 PST
<rdar://problem/6657774>
mitz
Comment 2 2009-03-07 15:07:46 PST
(In reply to comment #0) > Google Maps does finish loading does not*
Oliver Hunt
Comment 3 2009-03-07 17:17:48 PST
Trying to work out what/why this broke
Oliver Hunt
Comment 4 2009-03-09 06:10:03 PDT
Created attachment 28412 [details] Fix dirtying of the register cache at branch targets From Radar: 3/7/09 8:13 PM Oliver Hunt: (This is an underlying bug exposes by r41508, not caused by it) 3/8/09 6:57 AM Oliver Hunt: Reduced to (print||q.c)() 3/8/09 7:04 AM Oliver Hunt: or (print?1:q.c)() This is very suckful, apparently we aren't checking for an instruction being a branch target -- i'm 90% sure we can get buy only tracking forward branches, although it will suck to do so, it should not be too difficult 3/8/09 4:00 PM Oliver Hunt: The basic cause of the issue is demonstrated thus: [ 1] resolve_global r4, [object global], print(@id0) // cachedResultRegister = r4 [ 7] jfalse r4, 6(->15) // cachedResultRegister = <nothing> [ 10] mov r3, r0 // no change [ 13] jmp 15(->29) // no change [ 15] resolve_global r4, [object global], q(@id1) // cachedResultRegister = r4 [ 21] get_by_id r3, r4, c(@id2) // cachedResultRegister = r3 // At this point we believe r4 is cached in eax, but if we come from [ 29] mov r4, r1 [ 32] call r3, r3, 1, 13 This patch ensures that the jit will correctly clobber the cache register when it hits the target of a forward branch. I have not yet determined whether it is possible to create code that can be hit by a loop that does not clobber the register cache. Currently have not test case written, and haven't been able to get stable perf numbers, so will finish this at work.
Oliver Hunt
Comment 5 2009-03-09 14:42:07 PDT
*** Bug 24466 has been marked as a duplicate of this bug. ***
Oliver Hunt
Comment 6 2009-03-09 18:10:07 PDT
Committing to http://svn.webkit.org/repository/webkit/trunk ... M JavaScriptCore/ChangeLog M JavaScriptCore/assembler/AbstractMacroAssembler.h M JavaScriptCore/assembler/X86Assembler.h M JavaScriptCore/jit/JIT.cpp M LayoutTests/ChangeLog A LayoutTests/fast/js/registerCachingAcrossBranchTargets-expected.txt A LayoutTests/fast/js/registerCachingAcrossBranchTargets.html A LayoutTests/fast/js/resources/registerCachingAcrossBranchTargets.js Committed r41544
Cameron Zwarich (cpst)
Comment 7 2009-03-10 03:52:12 PDT
*** Bug 24471 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.