Bug 122418

Summary: ASSERTION FAILED: bitwise_cast<WriteBarrier<Unknown>*>(callFrame) == m_registers in jsc-layout-tests.yaml/js/script-tests/dfg-inline-arguments-capture-throw-exception.js.layout-dfg-eager-no-cjit
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on: 120696
Bug Blocks:

Filip Pizlo
Reported 2013-10-06 11:50:45 PDT
...
Attachments
the patch (10.50 KB, patch) - 2013-10-06 13:21 PDT, Filip Pizlo - oliver: review+
more correcter patch (13.30 KB, patch) - 2013-10-06 13:51 PDT, Filip Pizlo - no flags
the patch (14.55 KB, patch) - 2013-10-06 19:22 PDT, Filip Pizlo - no flags
the patch (14.41 KB, patch) - 2013-10-06 19:23 PDT, Filip Pizlo - no flags
the patch (16.38 KB, patch) - 2013-10-06 20:43 PDT, Filip Pizlo - oliver: review+
Filip Pizlo
Comment 1 2013-10-06 13:14:10 PDT
This is pretty awesome. With stack compression, Arguments created in the DFG will point their m_registers pointers into a different slab of stack than they would have in byte code. Hence OSR exit must repoint any Arguments objects' m_registers pointers. It neglects to do so.
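The failure mode described in the comment above, as an added illustration that is not WebKit's code: an object caches an interior pointer into one slab of stack, the frame is relocated to a differently laid-out slab, and unless the cached pointer is repointed the consistency check fails and later reads go through the stale slab. The types `Frame` and `Arguments`, the field `m_registers` as a plain `long *`, and the relocation helper are all constructed for this example; WebKit's real Arguments object and register layout are far richer.

```c
/* Constructed illustration of the stale-interior-pointer bug class behind this
 * report. Nothing here is WebKit code; all names and layouts are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NUM_REGISTERS 8

/* Hypothetical call-frame register slab (stands in for a slice of JS stack). */
typedef struct {
    long registers[NUM_REGISTERS];
} Frame;

/* Hypothetical Arguments object: caches a pointer into its owning frame. */
typedef struct {
    long *m_registers;
    unsigned numArguments;
} Arguments;

/* The invariant the assertion in this bug checks: the cached pointer must
 * point at the registers of the frame the object currently belongs to. */
bool arguments_consistent(const Arguments *args, const Frame *frame) {
    return args->m_registers == frame->registers;
}

/* Simulated "OSR exit": copy the optimized frame's registers into a frame
 * that lives in a different slab of memory (the baseline layout). */
void relocate_frame(const Frame *from, Frame *to) {
    memcpy(to->registers, from->registers, sizeof from->registers);
}

/* Runs the scenario once. When repoint is false the Arguments object keeps
 * pointing at the old slab (the bug); when true it is repointed (the fix). */
static void run_scenario(bool repoint, Frame *baselineFrame, Arguments *args) {
    Frame dfgFrame = {{0}};
    dfgFrame.registers[0] = 1;            /* argument 0 as the optimized code saw it */
    args->m_registers = dfgFrame.registers;
    args->numArguments = 1;

    relocate_frame(&dfgFrame, baselineFrame);
    if (repoint)
        args->m_registers = baselineFrame->registers;   /* the missing fixup */

    /* Baseline code now runs and writes argument 0 in ITS frame. */
    baselineFrame->registers[0] = 42;
}

/* Does the invariant hold after relocation? */
bool arguments_consistent_after_relocation(bool repoint) {
    Frame baselineFrame = {{0}};
    Arguments args;
    run_scenario(repoint, &baselineFrame, &args);
    return arguments_consistent(&args, &baselineFrame);
}

/* What does a read through the Arguments object observe after relocation?
 * Note: with repoint == false this reads through a pointer into a slab that
 * is conceptually dead, so the value is copied out before run_scenario's
 * local frame goes out of scope in the real WebKit layout; here the stale
 * slab is still this function's stack, which is exactly why the bug hides. */
long read_argument_after_relocation(bool repoint) {
    Frame baselineFrame = {{0}};
    Arguments args;
    Frame dfgFrame = {{0}};
    dfgFrame.registers[0] = 1;
    args.m_registers = dfgFrame.registers;
    args.numArguments = 1;
    relocate_frame(&dfgFrame, &baselineFrame);
    if (repoint)
        args.m_registers = baselineFrame.registers;
    baselineFrame.registers[0] = 42;
    return args.m_registers[0];   /* 42 if repointed, stale 1 otherwise */
}

int main(void) {
    printf("without repoint: consistent=%d value=%ld\n",
           arguments_consistent_after_relocation(false),
           read_argument_after_relocation(false));
    printf("with repoint:    consistent=%d value=%ld\n",
           arguments_consistent_after_relocation(true),
           read_argument_after_relocation(true));
    return 0;
}
```

The consistency check is the cheap detection: asserting pointer identity at the point where the frame layout is known catches the stale pointer immediately instead of letting a silently wrong argument value propagate, which is what the assertion in the summary does.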
Filip Pizlo
Comment 2 2013-10-06 13:21:14 PDT
Created attachment 213524 [details] the patch
Geoffrey Garen
Comment 3 2013-10-06 13:35:06 PDT
Comment on attachment 213524 [details] the patch
If DFG function A calls non-DFG function B, and B throws, what prevents B from unwinding A's stack frame and tearing off the arguments object incorrectly?
Filip Pizlo
Comment 4 2013-10-06 13:42:45 PDT
(In reply to comment #3)
> (From update of attachment 213524 [details])
> If DFG function A calls non-DFG function B, and B throws, what prevents B from unwinding A's stack frame and tearing off the arguments object incorrectly?

The code in Interpreter.cpp handles this directly and this has nothing to do with this bug. See unwindCallFrame(). It calls StackVisitor::existingArguments(). This gets the right Arguments object. It then tears off the Arguments correctly depending on the kind of Arguments that we have.

Note that there is no such thing as non-DFG function B doing unwinding any differently than it would have if function B were a DFG function. Everyone calls into the same unwinding machinery, and that machinery decides what to do on a per-call-frame basis and takes into account inlining.

Also, it just so happens that for non-inlined code, DFG Arguments look the same as non-DFG Arguments. That could change, and if it did, we would edit the code in unwindCallFrame().
Filip Pizlo
Comment 5 2013-10-06 13:51:06 PDT
Created attachment 213526 [details] more correcter patch
Filip Pizlo
Comment 6 2013-10-06 19:22:43 PDT
Created attachment 213551 [details] the patch
Fixed some more bugs - this needs rereview.
Filip Pizlo
Comment 7 2013-10-06 19:23:56 PDT
Created attachment 213552 [details] the patch
Fix changelog.
Filip Pizlo
Comment 8 2013-10-06 20:26:40 PDT
*** Bug 122436 has been marked as a duplicate of this bug. ***
Filip Pizlo
Comment 9 2013-10-06 20:43:28 PDT
Created attachment 213559 [details] the patch
Rebased. Now unskipping more tests than ever!
Filip Pizlo
Comment 10 2013-10-07 07:35:42 PDT