Bug 183310

Summary:

[DFG] AI should convert CreateThis to NewObject if the prototype object is proved

Product:

WebKit

Reporter:

Yusuke Suzuki <ysuzuki>

Component:

New Bugs

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

commit-queue, ews-watchlist, fpizlo, jfbastien, jlewis3, keith_miller, lforschler, mark.lam, msaboff, ryanhaddad, saam, sam, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none

Yusuke Suzuki

Reported 2018-03-03 01:26:38 PST

[DFG] AI should convert CreateThis to NewObject if the prototype object is proved

Attachments
Patch (4.05 KB, patch) 2018-03-03 01:27 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (5.90 KB, patch) 2018-03-03 08:31 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (6.23 KB, patch) 2018-03-03 08:36 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (8.07 KB, patch) 2018-03-09 04:57 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (8.04 KB, patch) 2018-03-09 10:10 PST, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.

Yusuke Suzuki

Comment 1 2018-03-03 01:27:12 PST

Created attachment 334951 [details] Patch

Yusuke Suzuki

Comment 2 2018-03-03 08:31:13 PST

Created attachment 334958 [details] Patch

Yusuke Suzuki

Comment 3 2018-03-03 08:36:22 PST

Created attachment 334959 [details] Patch

Yusuke Suzuki

Comment 4 2018-03-09 04:57:01 PST

Created attachment 335422 [details] Patch

Yusuke Suzuki

Comment 5 2018-03-09 10:10:22 PST

Created attachment 335435 [details] Patch

Yusuke Suzuki

Comment 6 2018-03-09 13:02:20 PST

Ping review?

Yusuke Suzuki

Comment 7 2018-03-11 19:59:49 PDT

Comment on attachment 335435 [details] Patch Thank you!

WebKit Commit Bot

Comment 8 2018-03-11 20:25:44 PDT

Comment on attachment 335435 [details] Patch Clearing flags on attachment: 335435 Committed r229520: <https://trac.webkit.org/changeset/229520>

WebKit Commit Bot

Comment 9 2018-03-11 20:25:45 PDT

All reviewed patches have been landed. Closing bug.

Yusuke Suzuki

Comment 10 2018-03-11 23:21:44 PDT

https://arewefastyet.com/#machine=29&view=single&suite=octane&subtest=RayTrace 10.1% win in Octane/Raytrace.

Ryan Haddad

Comment 11 2018-03-12 09:00:49 PDT

It looks like this change caused assertion failures on the debug bot: https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/739 stress/dfg-rare-data.js.default: ASSERTION FAILED: m_op == CallObjectConstructor stress/dfg-rare-data.js.default: ./dfg/DFGNode.h(729) : void JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) stress/dfg-rare-data.js.default: 1 0x10d15708d WTFCrash stress/dfg-rare-data.js.default: 2 0x10c276ad5 JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) stress/dfg-rare-data.js.default: 3 0x10c273b47 JSC::DFG::ConstantFoldingPhase::foldConstants(JSC::DFG::BasicBlock*) stress/dfg-rare-data.js.default: 4 0x10c270c1a JSC::DFG::ConstantFoldingPhase::run() stress/dfg-rare-data.js.default: 5 0x10c270a0e bool JSC::DFG::runAndLog<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::ConstantFoldingPhase&) stress/dfg-rare-data.js.default: 6 0x10c26817e bool JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::Graph&) stress/dfg-rare-data.js.default: 7 0x10c268145 JSC::DFG::performConstantFolding(JSC::DFG::Graph&) stress/dfg-rare-data.js.default: 8 0x10c3b629d JSC::DFG::Plan::compileInThreadImpl() stress/dfg-rare-data.js.default: 9 0x10c3b47c2 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) stress/dfg-rare-data.js.default: 10 0x10c68f16c JSC::DFG::Worklist::ThreadBody::work() stress/dfg-rare-data.js.default: 11 0x10d165667 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const stress/dfg-rare-data.js.default: 12 0x10d1652f9 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() stress/dfg-rare-data.js.default: 13 0x10d17306b WTF::Function<void ()>::operator()() const stress/dfg-rare-data.js.default: 14 0x10d1e356f WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) stress/dfg-rare-data.js.default: 15 0x10d1e8cf5 WTF::wtfThreadEntryPoint(void*) stress/dfg-rare-data.js.default: 16 0x7fff689ce6c1 _pthread_body stress/dfg-rare-data.js.default: 17 0x7fff689ce56d _pthread_body stress/dfg-rare-data.js.default: 18 0x7fff689cdc5d thread_start stress/dfg-rare-data.js.default: test_script_7453: line 2: 59221 Segmentation fault: 11 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true dfg-rare-data.js ) stress/dfg-rare-data.js.default: ERROR: Unexpected exit code: 139

Radar WebKit Bug Importer

Comment 12 2018-03-12 17:25:10 PDT

<rdar://problem/38397885>

Yusuke Suzuki

Comment 13 2018-03-12 20:02:14 PDT

(In reply to Ryan Haddad from comment #11) > It looks like this change caused assertion failures on the debug bot: > https://build.webkit.org/builders/ > Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/739 > > stress/dfg-rare-data.js.default: ASSERTION FAILED: m_op == > CallObjectConstructor > stress/dfg-rare-data.js.default: ./dfg/DFGNode.h(729) : void > JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) > stress/dfg-rare-data.js.default: 1 0x10d15708d WTFCrash > stress/dfg-rare-data.js.default: 2 0x10c276ad5 > JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) > stress/dfg-rare-data.js.default: 3 0x10c273b47 > JSC::DFG::ConstantFoldingPhase::foldConstants(JSC::DFG::BasicBlock*) > stress/dfg-rare-data.js.default: 4 0x10c270c1a > JSC::DFG::ConstantFoldingPhase::run() > stress/dfg-rare-data.js.default: 5 0x10c270a0e bool > JSC::DFG::runAndLog<JSC::DFG::ConstantFoldingPhase>(JSC::DFG:: > ConstantFoldingPhase&) > stress/dfg-rare-data.js.default: 6 0x10c26817e bool > JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::Graph&) > stress/dfg-rare-data.js.default: 7 0x10c268145 > JSC::DFG::performConstantFolding(JSC::DFG::Graph&) > stress/dfg-rare-data.js.default: 8 0x10c3b629d > JSC::DFG::Plan::compileInThreadImpl() > stress/dfg-rare-data.js.default: 9 0x10c3b47c2 > JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) > stress/dfg-rare-data.js.default: 10 0x10c68f16c > JSC::DFG::Worklist::ThreadBody::work() > stress/dfg-rare-data.js.default: 11 0x10d165667 > WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() > const > stress/dfg-rare-data.js.default: 12 0x10d1652f9 WTF::Function<void > ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker > const&)::$_0>::call() > stress/dfg-rare-data.js.default: 13 0x10d17306b WTF::Function<void > ()>::operator()() const > stress/dfg-rare-data.js.default: 14 0x10d1e356f > WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) > stress/dfg-rare-data.js.default: 15 0x10d1e8cf5 > WTF::wtfThreadEntryPoint(void*) > stress/dfg-rare-data.js.default: 16 0x7fff689ce6c1 _pthread_body > stress/dfg-rare-data.js.default: 17 0x7fff689ce56d _pthread_body > stress/dfg-rare-data.js.default: 18 0x7fff689cdc5d thread_start > stress/dfg-rare-data.js.default: test_script_7453: line 2: 59221 > Segmentation fault: 11 ( "$@" > ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false > --useFunctionDotArguments\=true --validateExceptionChecks\=true > --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true > dfg-rare-data.js ) > stress/dfg-rare-data.js.default: ERROR: Unexpected exit code: 139 Thanks, this is simply ASSERT becomes obsolete. I'll fix it soon

Yusuke Suzuki

Comment 14 2018-03-12 20:04:30 PDT

Committed r229570: <https://trac.webkit.org/changeset/229570>

Note You need to log in before you can comment on or make changes to this bug.