Title: [202141] trunk/Source/_javascript_Core
- Revision
- 202141
- Author
- [email protected]
- Date
- 2016-06-16 15:18:06 -0700 (Thu, 16 Jun 2016)
Log Message
Kraken/stanford-crypto-pbkdf2.js sometimes crashes with an OSR assertion in FTL
https://bugs.webkit.org/show_bug.cgi?id=158850
Reviewed by Keith Miller.
Bytecode liveness was incorrectly claiming that all tail-deleted locals are live! That's
crazy! We never noticed this because extending OSR liveness is usually not a showstopper and
until recently we didn't have a lot of tail-call test cases to play with. Well, we do now,
thanks to the increasing reliance on tail calls in our builtins.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::localsLiveInBytecode): Fix the bug and add some optional tracing. Also restructure the code so that we don't break to return true, since that's counterintuitive.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::buildExitArguments): Make this assertion print more useful information.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (202140 => 202141)
--- trunk/Source/_javascript_Core/ChangeLog 2016-06-16 22:06:57 UTC (rev 202140)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-06-16 22:18:06 UTC (rev 202141)
@@ -1,3 +1,20 @@
+2016-06-16 Filip Pizlo <[email protected]>
+
+ Kraken/stanford-crypto-pbkdf2.js sometimes crashes with an OSR assertion in FTL
+ https://bugs.webkit.org/show_bug.cgi?id=158850
+
+ Reviewed by Keith Miller.
+
+ Bytecode liveness was incorrectly claiming that all tail-deleted locals are live! That's
+ crazy! We never noticed this because extending OSR liveness is usually not a showstopper and
+ until recently we didn't have a lot of tail-call test cases to play with. Well, we do now,
+ thanks to the increasing reliance on tail calls in our builtins.
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::localsLiveInBytecode): Fix the bug and add some optional tracing. Also restructure the code so that we don't break to return true, since that's counterintuitive.
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::buildExitArguments): Make this assertion print more useful information.
+
2016-06-16 Mark Lam <[email protected]>
Add collecting of LLINT slow path stats.
Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (202140 => 202141)
--- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2016-06-16 22:06:57 UTC (rev 202140)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2016-06-16 22:18:06 UTC (rev 202141)
@@ -997,48 +997,72 @@
bool Graph::isLiveInBytecode(VirtualRegister operand, CodeOrigin codeOrigin)
{
+ static const bool verbose = false;
+
+ if (verbose)
+ dataLog("Checking of operand is live: ", operand, "\n");
CodeOrigin* codeOriginPtr = &codeOrigin;
for (;;) {
VirtualRegister reg = VirtualRegister(
operand.offset() - codeOriginPtr->stackOffset());
+ if (verbose)
+ dataLog("reg = ", reg, "\n");
+
if (operand.offset() < codeOriginPtr->stackOffset() + JSStack::CallFrameHeaderSize) {
if (reg.isArgument()) {
RELEASE_ASSERT(reg.offset() < JSStack::CallFrameHeaderSize);
if (codeOriginPtr->inlineCallFrame->isClosureCall
- && reg.offset() == JSStack::Callee)
+ && reg.offset() == JSStack::Callee) {
+ if (verbose)
+ dataLog("Looks like a callee.\n");
return true;
+ }
if (codeOriginPtr->inlineCallFrame->isVarargs()
- && reg.offset() == JSStack::ArgumentCount)
+ && reg.offset() == JSStack::ArgumentCount) {
+ if (verbose)
+ dataLog("Looks like the argument count.\n");
return true;
+ }
return false;
}
-
+
+ if (verbose)
+ dataLog("Asking the bytecode liveness.\n");
return livenessFor(codeOriginPtr->inlineCallFrame).operandIsLive(
reg.offset(), codeOriginPtr->bytecodeIndex);
}
InlineCallFrame* inlineCallFrame = codeOriginPtr->inlineCallFrame;
- if (!inlineCallFrame)
- break;
+ if (!inlineCallFrame) {
+ if (verbose)
+ dataLog("Ran out of stack, returning true.\n");
+ return true;
+ }
// Arguments are always live. This would be redundant if it wasn't for our
// op_call_varargs inlining.
if (reg.isArgument()
- && static_cast<size_t>(reg.toArgument()) < inlineCallFrame->arguments.size())
+ && static_cast<size_t>(reg.toArgument()) < inlineCallFrame->arguments.size()) {
+ if (verbose)
+ dataLog("Argument is live.\n");
return true;
+ }
codeOriginPtr = inlineCallFrame->getCallerSkippingTailCalls();
// The first inline call frame could be an inline tail call
- if (!codeOriginPtr)
- break;
+ if (!codeOriginPtr) {
+ if (verbose)
+ dataLog("Dead because of tail inlining.\n");
+ return false;
+ }
}
- return true;
+ RELEASE_ASSERT_NOT_REACHED();
}
BitVector Graph::localsLiveInBytecode(CodeOrigin codeOrigin)
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (202140 => 202141)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-06-16 22:06:57 UTC (rev 202140)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-06-16 22:18:06 UTC (rev 202141)
@@ -10810,10 +10810,11 @@
Availability availability = availabilityMap.m_locals[i];
- if (Options::validateFTLOSRExitLiveness()) {
- DFG_ASSERT(
- m_graph, m_node,
- (!(availability.isDead() && m_graph.isLiveInBytecode(VirtualRegister(operand), exitOrigin))) || m_graph.m_plan.mode == FTLForOSREntryMode);
+ if (Options::validateFTLOSRExitLiveness()
+ && m_graph.m_plan.mode != FTLForOSREntryMode) {
+
+ if (availability.isDead() && m_graph.isLiveInBytecode(VirtualRegister(operand), exitOrigin))
+ DFG_CRASH(m_graph, m_node, toCString("Live bytecode local not available: operand = ", VirtualRegister(operand), ", availability = ", availability, ", origin = ", exitOrigin).data());
}
ExitValue exitValue = exitValueForAvailability(arguments, map, availability);
if (exitValue.hasIndexInStackmapLocations())
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes