| Field | Value |
|---|---|
| Summary: | in_by_val should not constant fold to in_by_id when the property is a property index |
| Product: | WebKit |
| Component: | JavaScriptCore |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| Priority: | P2 |
| Version: | WebKit Local Build |
| Hardware: | PC |
| OS: | Linux |
| Reporter: | Lukas Bernhard <lukas.bernhard> |
| Assignee: | Saam Barati <saam> |
| CC: | ews-watchlist, keith_miller, lukas.bernhard, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki |
| Keywords: | InRadar |
| Attachments: | 443751 (patch) |
Comment #1 (Saam Barati):

I can't reproduce this on a release build of r285408. Can you still reproduce it?

Comment #2 (Saam Barati):

(In reply to Saam Barati from comment #1)
> I can't reproduce this on a release build of r285408. Can you still
> reproduce it?

I might have been running this incorrectly. Will check again shortly.

Comment #3 (Saam Barati):

(In reply to Saam Barati from comment #2)
> (In reply to Saam Barati from comment #1)
> > I can't reproduce this on a release build of r285408. Can you still
> > reproduce it?
>
> I might have been running this incorrectly. Will check again shortly.

Ok, I really can't reproduce this one.

Comment #4:

The minimized sample I posted earlier indeed does not reproduce; however the original finding still reproduces and I created another reproducer:
JSC on git commit: 016f88c15b9bf0ebae0090babdad6a34e783d1b5
Build options: ./Tools/Scripts/build-jsc --jsc-only --release --cmakeargs="-ENABLE_STATIC_JSC=ON -DCMAKE_C_COMPILER='/usr/bin/clang-12' -DCMAKE_CXX_COMPILER='/usr/bin/clang++-12' -DCMAKE_CXX_FLAGS='-fsanitize-coverage=trace-pc-guard -O3 -lrt -fuse-ld=lld'"
Command line: WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js
sha256sum of sample.js: c849be88c2824d47b51ef1f2283ed4ab034dd3789b7a184bff1e008f73d1ae1c
sample.js:
```js
function main() {
  let v249;
  const v178 = [];
  v179 = class V179 {
    constructor(v181, v182, v183) {
    }
  };
  const v195 = [v178, v179, 1];
  const v203 = {};
  const v204 = [v179, v195];
  // Stringified array: its last character is "1", so the final loop
  // iteration installs an own property with an index-like key.
  const v205 = v204.toLocaleString();
  for (const v223 of v205) {
    const v232 = {};
    v232[v223] = "number";
    async function v244() {
      // in_by_val with a constant key that is a property index ("1");
      // the summary says this must not be folded to in_by_id.
      v249 = "1" in v232;
      const v250 = 0;
    }
    const v252 = v244();
  }
  print(v249);
}
main();
```
Comment #5:

Created attachment 443751
patch

Comment #6:

Comment on attachment 443751
patch

r=me

Comment #7:

Committed r285592 (244100@main): <https://commits.webkit.org/244100@main>

Comment #8:

All reviewed patches have been landed. Closing bug and clearing flags on attachment 443751.
Description:

During differential testing of webkit I found a sample triggering a miscomputation in FTL related to evaluating the "in" statement in an async context. The sample is invoked as:

Command line: WebKitBuild/Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true sample.js

```js
function main() {
  let v249;
  // The iterated string ends in "1", so the last iteration stores an own
  // property under the index-like key "1".
  let v205 = "abc".repeat(18) + "\n" + `aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa aaaaabbbbbbbbbbbbbbbaaaaa aa setFloat64(v190,v191,aa92) a bbbbaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaanaaaaaaaaaaaaaa baaaaabbbaaaaanaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa1`;
  for (const v223 of v205) {
    const v232 = {};
    v232[v223] = "n";
    async function v244() {
      v249 = "1" in v232;
    }
    const v252 = v244();
  }
  print(v249); // prints true in FTL (and SpiderMonkey), false in baseline
}
main();
```
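The summary turns on the distinction between a key that is a property index and one that is an ordinary named property: `in_by_val` with a constant string key may only be rewritten to `in_by_id` when that string is not an index. As an added example (not part of the bug report and not WebKit code), the block below classifies keys by the ECMAScript array-index rule (canonical decimal string in the range 0 to 2^32 - 2) and runs the kind of differential self-check the reporter describes: `key in obj`, with the key held in a variable so the engine emits `in_by_val`, is compared against a reference implemented with `hasOwnProperty` over the prototype chain, across enough iterations to reach the optimizing tiers. Equating the ECMAScript array-index rule with what the summary calls a "property index" is an assumption; all function names and the key list are chosen here.

```javascript
// Added example, not from the bug report or from WebKit.
// Assumption: "property index" in the summary means an ECMAScript array index.

// Canonical array index: decimal digits, no leading zero (except "0"), no sign
// or whitespace, numeric value <= 2^32 - 2. Anything else is a named property.
function isArrayIndexKey(key) {
  if (typeof key !== "string" || key.length === 0 || key.length > 10) return false;
  if (!/^(0|[1-9][0-9]*)$/.test(key)) return false;
  return Number(key) <= 0xFFFFFFFE;
}

// Reference for `key in obj` that never uses the `in` operator: check own
// properties at every level of the prototype chain.
function referenceHas(obj, key) {
  for (let o = obj; o !== null; o = Object.getPrototypeOf(o)) {
    if (Object.prototype.hasOwnProperty.call(o, key)) return true;
  }
  return false;
}

// Build an object whose only own property is `ownKey`, then query `probe`
// with `in`. `probe` is a variable, so the bytecode is in_by_val, as in the
// reproducer where the stored key comes from iterating a string.
function probeIn(ownKey, probe) {
  const o = {};
  o[ownKey] = "number";
  return probe in o;
}

// Differential self-check over index-like and named keys (constructed list).
// Repeats each pair `iterations` times so that a JIT tier-up during the loop
// is covered, and returns every (ownKey, probe) pair whose `in` result
// disagrees with the reference. On a correct engine the list is empty.
function differentialCheck(iterations) {
  const keys = ["1", "01", "0", "4294967294", "4294967295", "-1", "1.0", "abc", "a", "", " 1"];
  const mismatches = [];
  for (const ownKey of keys) {
    for (const probe of keys) {
      const ref = {};
      ref[ownKey] = "number";
      const expected = referenceHas(ref, probe);
      for (let i = 0; i < iterations; i++) {
        const got = probeIn(ownKey, probe);
        if (got !== expected) {
          mismatches.push({ ownKey, probe, probeIsIndex: isArrayIndexKey(probe), iteration: i, got, expected });
          break;
        }
      }
    }
  }
  return mismatches;
}

// Works under both the jsc shell (print) and node (console.log).
const out = typeof print === "function" ? print : console.log;
const report = differentialCheck(2000);
out(report.length === 0 ? "no mismatches" : JSON.stringify(report));
```

Run it under the jsc shell with the same threshold flags as the bug report (`--thresholdForOptimizeAfterWarmUp=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --useConcurrentJIT=false ...`) so the hot loop is compiled by DFG and FTL early, or under node as a baseline. A non-empty report names the offending key pair and whether the probe was an index, which is exactly the information needed to decide whether a failure is the index-versus-named confusion the summary describes.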