Bug 142862

Summary: ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
Product: WebKit Reporter: Joseph Pecoraro <joepeck>
Component: JavaScriptCoreAssignee: Ryosuke Niwa <rniwa>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, fpizlo, ggaren, joepeck, rniwa, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 140491    
Attachments:
Description Flags
[TEST] Reduction
none
Adds a test
none
Removed the workaround in Web Inspector benjamin: review+

Joseph Pecoraro
Reported 2015-03-19 00:10:49 PDT
* SUMMARY Runtime error in JIT'd class calling super() with arguments and superclass has default constructor. Doesn't happen if just called a few times. * TEST <script> var A = class A { }; var B = class B extends A { }; var C = class C extends B { constructor() { super(); } }; (function() { var x; for (var i = 0; i < 1e5; ++i) x = new C(false); // NOTE: argument is important console.log(x); })(); </script> * ACTUAL [Error] TypeError: undefined is not a constructor (evaluating 'super(...arguments)') * EXPECTED => no exceptions. * NOTES - adding a "constructor() { super(); }" to class B this works. - if the inspector is open this works, so the inspector likely prevents reaching a certain JIT tier
Attachments
[TEST] Reduction (271 bytes, text/html)
2015-03-19 00:11 PDT, Joseph Pecoraro 		no flags
Details
Adds a test (1.37 KB, patch)
2015-03-27 19:39 PDT, Ryosuke Niwa 		no flags
DetailsFormatted DiffDiff
Removed the workaround in Web Inspector (4.93 KB, patch)
2015-03-27 19:42 PDT, Ryosuke Niwa 		benjamin: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Joseph Pecoraro
Comment 1 2015-03-19 00:11:28 PDT
Created attachment 249021 [details] [TEST] Reduction Insect the test page. If you see an error, something incorrect happened!
Joseph Pecoraro
Comment 2 2015-03-19 00:15:31 PDT
(In reply to comment #1) > Created attachment 249021 [details] > [TEST] Reduction > > Inspect the test page. If you see an error, something incorrect happened! Of course this means to reproduce the error you have to close the inspector, reload the page, then open the inspector.
Ryosuke Niwa
Comment 3 2015-03-19 00:45:15 PDT
(In reply to comment #2) > (In reply to comment #1) > > Created attachment 249021 [details] > > [TEST] Reduction > > > > Inspect the test page. If you see an error, something incorrect happened! > > Of course this means to reproduce the error you have to close the inspector, > reload the page, then open the inspector. It looks like this is a bug in DFG. Disabling DFG JIT also fixes the bug.
Ryosuke Niwa
Comment 4 2015-03-19 15:39:20 PDT
var A = class A { }; var B = class B extends A { super(...arguments) }; var C = class C extends B { constructor() { super(); } }; will also fail but forcing B to be not inlined will fix the bug so it looks like we're not inlining B in DFG correctly.
Radar WebKit Bug Importer
Comment 5 2015-03-19 15:39:37 PDT
<rdar://problem/20231235>
Ryosuke Niwa
Comment 6 2015-03-27 19:35:17 PDT
Looks like this has been fixed by Phil's mega patch for arguments.
Ryosuke Niwa
Comment 7 2015-03-27 19:39:18 PDT
Created attachment 249639 [details] Adds a test
Ryosuke Niwa
Comment 8 2015-03-27 19:42:19 PDT
Created attachment 249641 [details] Removed the workaround in Web Inspector
Ryosuke Niwa
Comment 9 2015-03-27 20:00:53 PDT
Will land the patch one more test per Ben's in-person comment.
Ryosuke Niwa
Comment 10 2015-03-27 20:10:03 PDT
Committed r182100: <http://trac.webkit.org/changeset/182100>
Note You need to log in before you can comment on or make changes to this bug.