Bug 232753

Summary: in_by_val should not constant fold to in_by_id when the property is a property index
Product: WebKit Reporter: Lukas Bernhard <lukas.bernhard>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, lukas.bernhard, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Local Build   
Hardware: PC   
OS: Linux   
Attachments:
Description Flags
patch none

Lukas Bernhard
Reported 2021-11-05 05:08:49 PDT
During differential testing of webkit I found a sample triggering a miscomputation in FTL related to evaluating the "in" statement in an async context. The sample is invoked as: WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js function main() { let v249; let v205 = "abc".repeat(18) + "\n" + `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaabbbbbbbbbbbbbbbaaaaa aa setFloat64(v190,v191,aa92) a bbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaanaaaaaaaaaaaaaa baaaaabbbaaaaanaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1` for (const v223 of v205) { const v232 = {}; v232[v223] = "n"; async function v244() { v249 = "1" in v232; } const v252 = v244(); } print(v249); // prints true in FTL (an spidermonkey), false in baseline } main();
Attachments
patch (5.87 KB, patch)
2021-11-09 16:21 PST, Saam Barati 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2021-11-08 09:40:54 PST
I can't reproduce this on a release build of r285408. Can you still reproduce it?
Saam Barati
Comment 2 2021-11-08 16:18:32 PST
(In reply to Saam Barati from comment #1) > I can't reproduce this on a release build of r285408. Can you still > reproduce it? I might have been running this incorrectly. Will check again shortly.
Saam Barati
Comment 3 2021-11-08 17:26:07 PST
(In reply to Saam Barati from comment #2) > (In reply to Saam Barati from comment #1) > > I can't reproduce this on a release build of r285408. Can you still > > reproduce it? > > I might have been running this incorrectly. Will check again shortly. Ok, I really can't reproduce this one.
Lukas Bernhard
Comment 4 2021-11-09 00:19:59 PST
The minimized sample I posted earlier indeed does not reproduce; however the original finding still reproduces and I created another reproducer: JSC on git commit: 016f88c15b9bf0ebae0090babdad6a34e783d1b5 Build options: ./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-ENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt -fuse-ld=lld'" Command line: WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js sha256sum of sample.js: c849be88c2824d47b51ef1f2283ed4ab034dd3789b7a184bff1e008f73d1ae1c sample.js: ``` function main() { let v249; const v178 = []; v179 = class V179 { constructor(v181,v182,v183) { } }; const v195 = [v178,v179,1]; const v203 = {}; const v204 = [v179,v195]; const v205 = v204.toLocaleString(); for (const v223 of v205) { const v232 = {}; v232[v223] = "number"; async function v244() { v249 = "1" in v232; const v250 = 0; } const v252 = v244(); } print(v249); } main(); ```
Saam Barati
Comment 5 2021-11-09 16:21:17 PST
Created attachment 443751 [details] patch
Yusuke Suzuki
Comment 6 2021-11-09 16:22:13 PST
Comment on attachment 443751 [details] patch r=me
EWS
Comment 7 2021-11-10 10:55:07 PST
Committed r285592 (244100@main): <https://commits.webkit.org/244100@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 443751 [details].
Radar WebKit Bug Importer
Comment 8 2021-11-10 10:56:34 PST
<rdar://problem/85261534>
Note You need to log in before you can comment on or make changes to this bug.