Dartium - Aw Snap in unchecked mode

[DartBot]

This issue was originally filed by @bp74

---

What steps will reproduce the problem?

I had a similar bug a few month ago (see issue #11815). Back then a newer release of Dartium fixed the problem. Unfortunately it seems the same problem is back.

I have attached a test application which runs fine if Dartium/DartVM runs in checked mode. If i deactivate the checked mode and start the application from Dart Editor again the browser crashes.

What is the expected output? What do you see instead?

The application runs a loop of 100 blur filters. A blur filter reads and writes the pixels of ImageData (CanvasRenderingContext2D getImageData/putImageData). Probably the crash is related to this.

The test application is only a few lines of code, but it uses a much bigger package. The sample application from issue #11815 works fine.

What version of the product are you using? On what operating system?

Dart Editor version 0.1.2_r29785
Dart SDK version 0.1.2.0_r29782

Windows 7/64 bit.

Please provide any additional information below.

---

Attachment:
filterTest.zip (246.32 KB)

[dgrove]

cc @vsmenon.
cc @a-siva.
Added Area-Dartium, Triaged labels.

[a-siva]

My observations so far:

• crashes in unchecked mode with optimization turned on
• seems to hang in unchecked mode with the optimizer turned off
• works in checked mode with and without the optimizer

Couple of stack traces when it seems to hang with the optimizer turned off:

#­0 BitmapFilter._premultiplyAlpha (package:stagexl/src/filters/BitmapFilter.dart:30:33)
#­1 BlurFilter.apply (package:stagexl/src/filters/BlurFilter.dart:57:22)
#­2 BitmapData.applyFilter (package:stagexl/src/display/BitmapData.dart:234:17)
#­3 main.<anonymous closure> (http://localhost:8000/web/filtertest.dart:23:35)
#­4 _Future._propagateToListeners.<anonymous closure> (dart:async/future_impl.dart:453)
#­5 _rootRun (dart:async/zone.dart:683)
#­6 _RootZone.run (dart:async/zone.dart:823)
#­7 _Future._propagateToListeners (dart:async/future_impl.dart:445)
#­8 _Future._complete (dart:async/future_impl.dart:303)
#­9 _Future._asyncComplete.<anonymous closure> (dart:async/future_impl.dart:354)
#­10 _asyncRunCallback (dart:async/schedule_microtask.dart:18)
#­11 _handleMutation (file:///workspace/asiva/dartium-dev/src/dart/tools/dom/src/native_DOMImplementation.dart:612)

#­0 int.> (dart:core-patch/integers.dart:75)
#­1 int.< (dart:core-patch/integers.dart:72)
#­2 _toClampedUint8 (dart:typed_data-patch/typed_data.dart:3286)
#­3 Uint8ClampedList.[]= (dart:typed_data-patch/typed_data.dart:1520)
#­4 BitmapFilter._premultiplyAlpha (package:stagexl/src/filters/BitmapFilter.dart:31:13)
#­5 BlurFilter.apply (package:stagexl/src/filters/BlurFilter.dart:57:22)
#­6 BitmapData.applyFilter (package:stagexl/src/display/BitmapData.dart:234:17)
#­7 main.<anonymous closure> (http://localhost:8000/web/filtertest.dart:23:35)
#­8 _Future._propagateToListeners.<anonymous closure> (dart:async/future_impl.dart:453)
#­9 _rootRun (dart:async/zone.dart:683)
#­10 _RootZone.run (dart:async/zone.dart:823)
#­11 _Future._propagateToListeners (dart:async/future_impl.dart:445)
#­12 _Future._complete (dart:async/future_impl.dart:303)
#­13 _Future._asyncComplete.<anonymous closure> (dart:async/future_impl.dart:354)
#­14 _asyncRunCallback (dart:async/schedule_microtask.dart:18)
#­15 _handleMutation (file:///workspace/asiva/dartium-dev/src/dart/tools/dom/src/native_DOMImplementation.dart:612)

In optimized mode the crash appears to be in
#­6 0x00007fffceef64e1 in package:stagexl/stagexl.dart_BlurFilter_apply_entry ()
#­7 0x00007fffce308021 in ?? ()
#­8 0x0000000000000000 in ?? ()

---

Set owner to @sgmitrovic.
Added Accepted label.

[ghost]

Crashes with -optimization-filter=dart_BlurFilter_apply. Works fine with --no-use-inlining

[ghost]

Inlining of dart:html_ImageData_get__data seems to cause the crash:

class ImageData extends NativeFieldWrapperClass2 {
  List<int> __data;

  List<int> get data {
    if (__data == null) {
      __data = _data;
    }
    return __data;
  }
....

For yet unknown reasons, __data is computed to be non-nullable and the check against null is eliminated in ConstantPropagator::VisitStrictCompare.

 38: v295 <- LoadField:56(v12 T{not-null, ImageData, ?}, 16 {__data@0x3918afae} [non-nullable _ExternalUint8ClampedArray@0x6006a0b], immutable=0) T{not-null, _ExternalUint8ClampedArray@0x6006a0b, Type: class '_ExternalUint8ClampedArray@0x6006a0b'}
 40: Branch if StrictCompare:14(===, v295, v0) goto (72, 73)

---

cc @mraleph.
cc @fsc8000.
cc @kmillikin.

[ghost]

Dartium allocates objects without calling their constructor, i.e., the compiler never has a chance to initialize the field's nullability. Changing Dart_Allocate to always mark the fields as nullable.

---

Added Started label.

[vsmenon]

Some context: these are wrapper objects that are only allocated from native code. We use Dart_Allocate to avoid declaring a public constructor.

E.g., AudioProcessingEvent is defined in dart:web_audio and extends Event in dart:html. Neither type has a generative constructor. If we had to add generative constructors, we'd need to make at least some of them public (so AudioProcessingEvent's could call Event's), and we'd need insert a runtime check to ensure it doesn't get called from Dart code (only the native bindings C++ code can create an Event).

[a-siva]

Added Fixed label.