| Summary | FTL's implementation of HasIndexedProperty for InBounds accesses checks the inverse of what it should be checking when exiting by seeing a hole |
|---|---|
| Product | WebKit |
| Reporter | Lukas Bernhard <lukas.bernhard> |
| Component | JavaScriptCore |
| Assignee | Saam Barati <saam> |
| Status | RESOLVED FIXED |
| Severity | Normal |
| CC | ews-watchlist, keith_miller, lukas.bernhard, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer, ysuzuki |
| Priority | P2 |
| Keywords | InRadar |
| Version | WebKit Local Build |
| Hardware | PC |
| OS | Linux |
| Attachments | |
Description
Lukas Bernhard
2021-11-21 06:24:53 PST
I have a fix.

Created attachment 445343 [details]
patch

Comment on attachment 445343 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=445343&action=review

r=me with fix.

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:13398
> m_out.notZero64(m_out.load64(baseIndex(m_heaps.ArrayStorage_vector, storage, index, m_graph.varArgChild(m_node, 1))));

Shouldn't this be `isZero64` instead?

Comment on attachment 445343 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=445343&action=review

>> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:13398
>> m_out.notZero64(m_out.load64(baseIndex(m_heaps.ArrayStorage_vector, storage, index, m_graph.varArgChild(m_node, 1))));
>
> Shouldn't this be `isZero64` instead?

Yes. Now I need to figure out why my test started passing.

Created attachment 445353 [details]
patch for landing

Committed r286278 (244639@main): <https://commits.webkit.org/244639@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 445353 [details].
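As an added illustration of the review point above (this is a model written for this page, not JavaScriptCore code): in JSC's 64-bit JSValue encoding the empty value is 0, and ArrayStorage marks a hole by storing that empty value in the vector slot, so the condition that triggers the OSR exit for "saw a hole" must be "slot is zero" (`isZero64`). The storage contents, function and outcome names are constructed.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// 64-bit encoded JSValue as stored in an ArrayStorage vector slot.
// In JSC the empty value (used for holes) encodes as 0.
using EncodedJSValue = uint64_t;
constexpr EncodedJSValue kHole = 0;

// In the FTL lowering, the condition handed to speculate() is the one that
// triggers the OSR exit. The two functions below model the two conditions
// discussed in the review: isZero64 (the fix) and notZero64 (the first patch).
enum class Outcome { ReturnTrue, OSRExit };

// Correct: for an InBounds access, exit when the slot is a hole (== 0);
// otherwise the element is present and HasIndexedProperty yields true.
Outcome hasIndexedPropertyFixed(const std::vector<EncodedJSValue>& vec, size_t index) {
    bool exit = (vec[index] == kHole);            // m_out.isZero64(load64(slot))
    return exit ? Outcome::OSRExit : Outcome::ReturnTrue;
}

// Inverted: exits on every present element and answers true for a hole, even
// though that index may be absent entirely or only exist on the prototype chain.
Outcome hasIndexedPropertyInverted(const std::vector<EncodedJSValue>& vec, size_t index) {
    bool exit = (vec[index] != kHole);            // m_out.notZero64(load64(slot))
    return exit ? Outcome::OSRExit : Outcome::ReturnTrue;
}

// Constructed ArrayStorage vector shaped like `[1, , 3]`: a hole at index 1.
// The non-zero encodings are arbitrary placeholders for present values.
std::vector<EncodedJSValue> makeHoleyStorage() {
    return { 0xfffe000000000001ULL, kHole, 0xfffe000000000003ULL };
}

// True when the modelled check matches the semantics of `index in array` on the
// constructed storage: present -> true, hole -> leave the fast path (OSR exit).
bool checkAgreesWithSemantics(Outcome (*check)(const std::vector<EncodedJSValue>&, size_t)) {
    std::vector<EncodedJSValue> vec = makeHoleyStorage();
    return check(vec, 0) == Outcome::ReturnTrue
        && check(vec, 1) == Outcome::OSRExit
        && check(vec, 2) == Outcome::ReturnTrue;
}

int main() {
    std::printf("isZero64 exit condition agrees:  %d\n", checkAgreesWithSemantics(hasIndexedPropertyFixed));    // 1
    std::printf("notZero64 exit condition agrees: %d\n", checkAgreesWithSemantics(hasIndexedPropertyInverted)); // 0
    return 0;
}
```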