Bug 186460

Summary: [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
saam: review+, ews-watchlist: commit-queue-
Archive of layout-test-results from ews202 for win-future none

Yusuke Suzuki
Reported 2018-06-09 03:00:50 PDT
Spread for phantom nodes generates JSFixedArray. So previously, our PhantomNewArrayBuffer returns a fixed array stored in this node. But now, it holds JSImmutableButterfly, but FTL lowering phase mixes JSFixedArray and JSImmutableButterfly. I think we can generate JSImmutableButterfly instead of JSFixedArray in Spread.
Attachments
Patch (6.24 KB, patch)
2018-06-15 04:00 PDT, Yusuke Suzuki 		saam: review+
ews-watchlist: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews202 for win-future (12.84 MB, application/zip)
2018-06-15 11:52 PDT, EWS Watchlist 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2018-06-15 04:00:55 PDT
Created attachment 342801 [details] Patch
Saam Barati
Comment 2 2018-06-15 09:42:06 PDT
Comment on attachment 342801 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=342801&action=review r=me > Source/JavaScriptCore/ChangeLog:8 > + Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong. Do we do the right thing when we exit for PhantomSpread(PhantomNewArrayBuffer)? > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5718 > + ValueFromBlock slowFixedArray = m_out.anchor(vmCall(Int64, m_out.operation(operationCreateFixedArray), m_callFrame, m_out.constInt32(immutableButterfly->length()))); IntPtr > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5722 > + LValue fixedArray = m_out.phi(Int64, fastFixedArray, slowFixedArray); IntPtr
EWS Watchlist
Comment 3 2018-06-15 11:52:24 PDT
Comment on attachment 342801 [details] Patch Attachment 342801 [details] did not pass win-ews (win): Output: http://webkit-queues.webkit.org/results/8200408 New failing tests: http/tests/preload/onload_event.html
EWS Watchlist
Comment 4 2018-06-15 11:52:35 PDT
Created attachment 342834 [details] Archive of layout-test-results from ews202 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews202 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Yusuke Suzuki
Comment 5 2018-06-16 04:12:11 PDT
Comment on attachment 342801 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=342801&action=review >> Source/JavaScriptCore/ChangeLog:8 >> + Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong. > > Do we do the right thing when we exit for PhantomSpread(PhantomNewArrayBuffer)? Yeah, PhantomNewArrayBuffer generates an array from JSImmutableButterfly. And PhantomSread generates JSFixedArray from JSArray. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5718 >> + ValueFromBlock slowFixedArray = m_out.anchor(vmCall(Int64, m_out.operation(operationCreateFixedArray), m_callFrame, m_out.constInt32(immutableButterfly->length()))); > > IntPtr Fixed. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5722 >> + LValue fixedArray = m_out.phi(Int64, fastFixedArray, slowFixedArray); > > IntPtr Fixed.
Yusuke Suzuki
Comment 6 2018-06-16 04:18:10 PDT
Committed r232902: <https://trac.webkit.org/changeset/232902>
Radar WebKit Bug Importer
Comment 7 2018-06-16 04:20:30 PDT
<rdar://problem/41186005>
Note You need to log in before you can comment on or make changes to this bug.