asm.js app hanging on startup in Chrome Canary v52 |
||||||||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2735.0 Safari/537.36 Steps to reproduce the problem: 1. on OSX 10.11, in Chrome Canary v52, go here: http://floooh.github.io/virtualkc/, then try the same in stable Chrome (v50); this is an asm.js app compiled with emscripten 2. note how the emulator doesn't start in Canary, without any indication on the console or dev tools what's going wrong 3. sometimes the entire browser hangs, and needs to be quit with "Force Quit" What is the expected behavior? What went wrong? The demo silently hangs on startup. Did this work before? Yes I think the regression is not older than 1 or 2 weeks Chrome version: 52.0.2735.0 Channel: canary OS Version: OS X 10.11.5 Flash Version: Shockwave Flash 22.0 r0 The C++ code of the emulator has pretty big Z80 opcode decoder function made of a giant nested switch-case statement, which is the only difference to my other asm.js demos. The app also causes problems on iOS Safari, where it causes the tab to reload after a few seconds, but I haven't noticed any problems in any other browsers yet.
,
May 18 2016
Since the problem doesn't show up in other browsers (including current Chrome stable) I suspect that it is not the asm.js code. I remembered that I reported a similar problem in 2013, which was related to the JS engine's register allocator: https://bugs.chromium.org/p/chromium/issues/detail?id=177883 Might or might not be related :)
,
May 18 2016
Able to reproduce the issue on mac 10.11 chrome version 52.0.2740.0 - The demo silently hangs on startup and page becomes unresponsive after sometime This issue can be seen in win and linux as well This is a regression in M52 and below is the bisect info Manual Bisect Info: Good Build: 52.0.2730.0 Bad Build: 52.0.2733.0 Bisect Tool info: You are probably looking for a change made after 392626 (known good), but no later than 392634 (first known bad). CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/4f8e71034d840043dcf49bb51e8f911ec284f709..ddbb47c14321d71cfc60d6a6684ae5db4b558ffc Possible suspect : https://codereview.chromium.org/1958163002 Please reassign if this is not related to your change.
,
May 18 2016
I fail to see how the linked suspect patch could've introduced the regression, reassigning. Also, I anticipate slow response from my side during this week due to personal leave.
,
May 18 2016
I haven't had a chance to look at this yet, but it's probably a asm.js/TurboFan bug. Hopefully I will have time to investigate this tomorrow.
,
May 19 2016
Some new info: - the hang also occurs when compiled in debug mode (this is different from the register allocator bug 2013 ) - when built as WebAssembly, everything works - also it looks like the program starts executing the very early init phase, but then hangs when the interesting stuff happens (I can't provide the exact place, but using a different HTML shell page I can see the first 2 console outputs from the program) I cannot guarantee that the WebAssembly version is created from the exact same LLVM bitcode as the asm.js version, but since the debug asm.js version also hangs, the problem doesn't seem to depend on subtle code changes. I'm not sure how much the WebAssembly backend is different from the asm.js backend, as far as I know it already has switched completely to AOT instead of JIT.
,
May 19 2016
Looking deeper now. Definitely an asm.js TurboFan issue. Manifests as a hang with --turbo-asm and works fine without --turbo-asm. Last function compiled is function Of() in the asm module. Looking deeper now.
,
May 19 2016
,
May 19 2016
If it helps I can upload a debug-compiled version in the evening (about 5 hrs from now) which doesn't have minimified function names.
,
May 19 2016
Here's a non-minified debug version (also triggers the problem, may be easier to debug): http://floooh.github.io/oryol-sticky-tests/yakc_asmjs/yakc.html And here's the WASM version which works fine (don't forget to turn on WASM support, only works in Canary): http://floooh.github.io/oryol-sticky-tests/yakc_wasm/yakc.html Please ignore all the 404's, these are non-essential data files :)
,
May 20 2016
+epertoso I found the culprit CL: https://codereview.chromium.org/1968453002 Reverting that patch on ToT fixes the demo. That CL will have to be reverted and the revert backmerged, since we just branched for 52.
,
May 20 2016
\O/
,
May 20 2016
,
May 20 2016
,
May 20 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/767c34dfae4b0e523c38b0f44e1db70b603d41bf commit 767c34dfae4b0e523c38b0f44e1db70b603d41bf Author: titzer <titzer@chromium.org> Date: Fri May 20 14:07:45 2016 Revert of [turbofan] Take the immediate size in account when narrowing ia32/x64 word comparison operators. (patchset #1 id:1 of https://codereview.chromium.org/1968453002/ ) Reason for revert: Breaks a KCS demo: BUG= chromium:611976 Original issue's description: > [turbofan] Take the immediate size in account when narrowing ia32/x64 word comparison operators. > > Trying to re-land http://crrev.com/1948453002 after fixing assembler-x64.cc in http://crrev.com/1962563003. > > Before this patch, we would emit a cmp or test with a memory operand only if both of the operands in the IR were loads. Now if either of them is a load and the other one is an immediate, we can use a memory operand if the load representation machine size is wide enough to represent the latter. > > Committed: https://crrev.com/2da70f853d7f680d491c37c72d5ef04a85497ba9 > Cr-Commit-Position: refs/heads/master@{#36136} TBR=bmeurer@chromium.org,epertoso@chromium.org # Not skipping CQ checks because original CL landed more than 1 days ago. Review-Url: https://codereview.chromium.org/1995303003 Cr-Commit-Position: refs/heads/master@{#36413} [modify] https://crrev.com/767c34dfae4b0e523c38b0f44e1db70b603d41bf/src/compiler/ia32/instruction-selector-ia32.cc [modify] https://crrev.com/767c34dfae4b0e523c38b0f44e1db70b603d41bf/src/compiler/x64/instruction-selector-x64.cc [modify] https://crrev.com/767c34dfae4b0e523c38b0f44e1db70b603d41bf/test/cctest/compiler/test-run-load-store.cc
,
May 24 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/35e0f01fb9e9d191663e2993031829db38e706b5 commit 35e0f01fb9e9d191663e2993031829db38e706b5 Author: zhengxing.li <zhengxing.li@intel.com> Date: Tue May 24 04:16:32 2016 X87: Revert of [turbofan] Take the immediate size in account when narrowing ia32/x64 word comparison operators. (patchset #1 id:1 of https://codereview.chromium.org/1968453002/ ). port 767c34dfae4b0e523c38b0f44e1db70b603d41bf (r36413) original commit message: Reason for revert: Breaks a KCS demo: BUG= chromium:611976 Original issue's description: > [turbofan] Take the immediate size in account when narrowing ia32/x64 word comparison operators. > > Trying to re-land http://crrev.com/1948453002 after fixing assembler-x64.cc in http://crrev.com/1962563003. > > Before this patch, we would emit a cmp or test with a memory operand only if both of the operands in the IR were loads. Now if either of them is a load and the other one is an immediate, we can use > > Committed: https://crrev.com/2da70f853d7f680d491c37c72d5ef04a85497ba9 > Cr-Commit-Position: refs/heads/master@{#36136} Review-Url: https://codereview.chromium.org/2003273002 Cr-Commit-Position: refs/heads/master@{#36456} [modify] https://crrev.com/35e0f01fb9e9d191663e2993031829db38e706b5/src/compiler/x87/instruction-selector-x87.cc
,
May 24 2016
The latest Chrome Canary seems to be working again thanks! I'll keep an eye out for the real fix :)
,
May 24 2016
,
May 24 2016
This issue is working fine now on Mac 10.11.5,Win 7 and Ubuntu 14.04 using 53.0.2747.0.Hence added respective labels for the same.
,
May 24 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/0d22e7e46a73bebb1e92768a8443a7b7b101051b commit 0d22e7e46a73bebb1e92768a8443a7b7b101051b Author: epertoso <epertoso@chromium.org> Date: Tue May 24 16:10:24 2016 [x64/ia32] Deal with the non-transitivity of InstructionSelector::CanCover() when folding loads into branches. Sequences like: 1: Load[kRepWord32|kTypeInt32](<address>, ...) 2: Word32And(1, <constant>) 3: Word32Equal(2, <another constant>) 4: Store[(kRepWord32 : NoWriteBarrier)](<address>, <value>) 5: Branch[None](3, ...) -> B1, B2 where #1 and #4 refer to the same memory location, are problematic because in VisitBranch we assume that 'InstructionSelector::CanCover()' is transitive. What happens is that CanCover(5, 3) is true (3 is a pure op), and so are CanCover(3, 2), CanCover(2, 1), but the effect level of 5 and 3 never gets checked because 3 is a pure op. Upon VisitBranch, we ended up materializing: mov [address], <value> test [address], <another constant> With this patch, it becomes: mov reg, [address] mov [address], <value> test reg, <another constant> BUG= chromium:611976 Review-Url: https://codereview.chromium.org/2008493002 Cr-Commit-Position: refs/heads/master@{#36482} [modify] https://crrev.com/0d22e7e46a73bebb1e92768a8443a7b7b101051b/src/compiler/ia32/instruction-selector-ia32.cc [modify] https://crrev.com/0d22e7e46a73bebb1e92768a8443a7b7b101051b/src/compiler/instruction-selector.cc [modify] https://crrev.com/0d22e7e46a73bebb1e92768a8443a7b7b101051b/src/compiler/x64/instruction-selector-x64.cc [modify] https://crrev.com/0d22e7e46a73bebb1e92768a8443a7b7b101051b/test/cctest/compiler/test-branch-combine.cc
,
Jun 7 2016
,
Jun 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/eb61ff62fdf86158032b9df8a332ae12b0674383 commit eb61ff62fdf86158032b9df8a332ae12b0674383 Author: epertoso <epertoso@chromium.org> Date: Tue Jun 07 13:12:32 2016 Version 5.2.361.17 (cherry-pick) Merged 767c34dfae4b0e523c38b0f44e1db70b603d41bf Merged 0d22e7e46a73bebb1e92768a8443a7b7b101051b Revert of [turbofan] Take the immediate size in account when narrowing ia32/x64 word comparison operators. (patchset #1 id:1 of https://codereview.chromium.org/1968453002/ ) [x64/ia32] Deal with the non-transitivity of InstructionSelector::CanCover() when folding loads into branches. BUG= chromium:611976 , chromium:611976 LOG=N R=hablich@chromium.org NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2042263002 Cr-Commit-Position: refs/branch-heads/5.2@{#22} Cr-Branched-From: 2cd36d6d0439ddfbe84cd90e112dced85084ec95-refs/heads/5.2.361@{#1} Cr-Branched-From: 3fef34e02388e07d46067c516320f1ff12304c8e-refs/heads/master@{#36332} [modify] https://crrev.com/eb61ff62fdf86158032b9df8a332ae12b0674383/include/v8-version.h [modify] https://crrev.com/eb61ff62fdf86158032b9df8a332ae12b0674383/src/compiler/ia32/instruction-selector-ia32.cc [modify] https://crrev.com/eb61ff62fdf86158032b9df8a332ae12b0674383/src/compiler/instruction-selector.cc [modify] https://crrev.com/eb61ff62fdf86158032b9df8a332ae12b0674383/src/compiler/x64/instruction-selector-x64.cc [modify] https://crrev.com/eb61ff62fdf86158032b9df8a332ae12b0674383/test/cctest/compiler/test-branch-combine.cc [modify] https://crrev.com/eb61ff62fdf86158032b9df8a332ae12b0674383/test/cctest/compiler/test-run-load-store.cc
,
Jun 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/11c4b77bf3163abf10b75e2dad9c9d4d96649649 commit 11c4b77bf3163abf10b75e2dad9c9d4d96649649 Author: epertoso <epertoso@chromium.org> Date: Tue Jun 07 13:47:27 2016 Version 5.1.281.61 (cherry-pick) Merged 0d22e7e46a73bebb1e92768a8443a7b7b101051b [x64/ia32] Deal with the non-transitivity of InstructionSelector::CanCover() when folding loads into branches. BUG= chromium:611976 LOG=N R=hablich@chromium.org NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2046963002 Cr-Commit-Position: refs/branch-heads/5.1@{#72} Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1} Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282} [modify] https://crrev.com/11c4b77bf3163abf10b75e2dad9c9d4d96649649/include/v8-version.h [modify] https://crrev.com/11c4b77bf3163abf10b75e2dad9c9d4d96649649/src/compiler/ia32/instruction-selector-ia32.cc [modify] https://crrev.com/11c4b77bf3163abf10b75e2dad9c9d4d96649649/src/compiler/instruction-selector.cc [modify] https://crrev.com/11c4b77bf3163abf10b75e2dad9c9d4d96649649/src/compiler/x64/instruction-selector-x64.cc [modify] https://crrev.com/11c4b77bf3163abf10b75e2dad9c9d4d96649649/test/cctest/compiler/test-branch-combine.cc
,
Jun 8 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/023fa41cc16bd76aa79c59ea6912424e39e15546 commit 023fa41cc16bd76aa79c59ea6912424e39e15546 Author: zhengxing.li <zhengxing.li@intel.com> Date: Wed Jun 08 08:49:08 2016 Version 5.2.361.18 (cherry-pick) Merged 35e0f01fb9e9d191663e2993031829db38e706b5 Merged 4d9149e1befb9fa56bc498bd2467134173be85b3 X87: Revert of [turbofan] Take the immediate size in account when narrowing ia32/x64 word comparison operators. (patchset #1 id:1 of https://codereview.chromium.org/1968453002/ ). X87: [x64/ia32] Deal with the non-transitivity of InstructionSelector::CanCover() when folding loads into branches. BUG= chromium:611976 R=hablich@chromium.org LOG=N NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2049643002 Cr-Commit-Position: refs/branch-heads/5.2@{#24} Cr-Branched-From: 2cd36d6d0439ddfbe84cd90e112dced85084ec95-refs/heads/5.2.361@{#1} Cr-Branched-From: 3fef34e02388e07d46067c516320f1ff12304c8e-refs/heads/master@{#36332} [modify] https://crrev.com/023fa41cc16bd76aa79c59ea6912424e39e15546/src/compiler/x87/instruction-selector-x87.cc
,
Jun 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/v8/v8.git/+/bf43bf91279ca63d07d41a4b1211c934e9383ec0 commit bf43bf91279ca63d07d41a4b1211c934e9383ec0 Author: zhengxing.li <zhengxing.li@intel.com> Date: Thu Jun 09 02:09:25 2016 Version 5.1.281.62 (cherry-pick) Merged 4d9149e1befb9fa56bc498bd2467134173be85b3 X87: [x64/ia32] Deal with the non-transitivity of InstructionSelector::CanCover() when folding loads into branches. BUG= chromium:611976 R=hablich@chromium.org LOG=N NOTRY=true NOPRESUBMIT=true Review-Url: https://codereview.chromium.org/2043313002 Cr-Commit-Position: refs/branch-heads/5.1@{#73} Cr-Branched-From: 167dc63b4c9a1d0f0fe1b19af93644ac9a561e83-refs/heads/5.1.281@{#1} Cr-Branched-From: 03953f52bd4a184983a551927c406be6489ef89b-refs/heads/master@{#35282} [modify] https://crrev.com/bf43bf91279ca63d07d41a4b1211c934e9383ec0/include/v8-version.h [modify] https://crrev.com/bf43bf91279ca63d07d41a4b1211c934e9383ec0/src/compiler/x87/instruction-selector-x87.cc
,
Jun 10 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 14 2016
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jun 15 2016
,
Aug 12 2016
,
Aug 15 2016
Btw: in the meantime a new, possibly related bug has shown up in the same demo: https://bugs.chromium.org/p/chromium/issues/detail?id=633497
,
Sep 28 2016
|
||||||||||||||||
►
Sign in to add a comment |
||||||||||||||||
Comment 1 by dmu...@chromium.org
, May 17 2016Components: -Blink Blink>JavaScript>WebAssembly