| Summary: | Creating a new blank document in icloud pages causes an AI error: Abstract value (CellBytecodedoubleBoolOther, TOP, TOP) for double node has type outside SpecFullDouble. | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Filip Pizlo <fpizlo> | ||||
| Component: | JavaScriptCore | Assignee: | Filip Pizlo <fpizlo> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | barraclough, basile_clement, benjamin, ggaren, mark.lam, mhahnenb, mmirman, msaboff, nrotem, oliver, saam, sam | ||||
| Priority: | P2 | ||||||
| Version: | 528+ (Nightly build) | ||||||
| Hardware: | All | ||||||
| OS: | All | ||||||
| Bug Depends on: | 144877 | ||||||
| Bug Blocks: | |||||||
| Attachments: |
|
||||||
|
Description
Filip Pizlo
2015-05-10 21:20:14 PDT
It appears that we're converting a GetByVal on a double array to a GetMyArgumentByVal. I'm going to try to construct a reduced test case. We probably have two options: 1) Disable sinking on ClonedArguments. Maybe just disable it if there was some kind of type inference that we can't handle. 2) Make sure that when we convert GetByVal to GetMyArgumentByVal, we respect whatever representation rules there are. And it looks like the culprit is Node::convertToIdentityOn(). It tries to insert conversion nodes, but it fails to apply the right type checks. Reduced case:
function foo() {
"use strict";
return arguments[0] + 1.5;
}
noInline(foo);
for (var i = 0; i < 10000; ++i) {
var result = foo(4.2);
if (result != 5.7)
throw "Error: bad result: " + result;
}
Created attachment 253073 [details]
the pagch
Landed in http://trac.webkit.org/changeset/184318 |