Bug 144856

Summary: Creating a new blank document in icloud pages causes an AI error: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble.
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, basile_clement, benjamin, ggaren, mark.lam, mhahnenb, mmirman, msaboff, nrotem, oliver, saam, sam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on: 144877    
Bug Blocks:    
Attachments:
Description Flags
the pagch benjamin: review+

Filip Pizlo
Reported 2015-05-10 21:20:14 PDT
Patch forthcoming.
Attachments
the pagch (9.48 KB, patch)
2015-05-13 16:37 PDT, Filip Pizlo 		benjamin: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2015-05-13 14:55:12 PDT
It appears that we're converting a GetByVal on a double array to a GetMyArgumentByVal. I'm going to try to construct a reduced test case. We probably have two options: 1) Disable sinking on ClonedArguments. Maybe just disable it if there was some kind of type inference that we can't handle. 2) Make sure that when we convert GetByVal to GetMyArgumentByVal, we respect whatever representation rules there are.
Filip Pizlo
Comment 2 2015-05-13 16:00:47 PDT
And it looks like the culprit is Node::convertToIdentityOn(). It tries to insert conversion nodes, but it fails to apply the right type checks.
Filip Pizlo
Comment 3 2015-05-13 16:30:04 PDT
Reduced case: function foo() { "use strict"; return arguments[0] + 1.5; } noInline(foo); for (var i = 0; i < 10000; ++i) { var result = foo(4.2); if (result != 5.7) throw "Error: bad result: " + result; }
Filip Pizlo
Comment 4 2015-05-13 16:37:01 PDT
Created attachment 253073 [details] the pagch
Filip Pizlo
Comment 5 2015-05-13 16:59:34 PDT
Landed in http://trac.webkit.org/changeset/184318
Note You need to log in before you can comment on or make changes to this bug.