Bug 279570

Summary:	[JSC] ObjectAllocationSinking should not omit phi insertion when pointer follows to the same value
Product:	WebKit	Reporter:	Jarred Sumner <jarred>
Component:	JavaScriptCore	Assignee:	Yusuke Suzuki <ysuzuki>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer, ysuzuki
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Jarred Sumner

Reported 2024-09-11 19:39:16 PDT

Code: ``` class Queue { _head; _tail; _length; constructor(items) { this._head = null; this._tail = null; this._length = 0; if (items) { for (const item of items) { this.enqueue(item); } } } enqueue(item) { const entry = { next: null, value: item, }; if (this._tail) { this._tail.next = entry; this._tail = entry; } else { this._head = entry; this._tail = entry; } this._length++; } dequeue() { const entry = this._head; if (entry) { this._head = entry.next; this._length--; if (this._head === null) { this._tail = null; } return entry.value; } else { return null; } } } for (let i = 0; i < 1e5; i++) { const queue = new Queue(new Set(["foo", "bar", "baz"])); if (queue.dequeue() !== "foo") { throw new Error("Expected foo"); } if (queue.dequeue() !== "bar") { throw new Error("Expected bar"); } if (queue.dequeue() !== "baz") { throw new Error("Expected baz"); } } ``` - When the iteration count is changed from `1e5` to `1e3`, it doesn't throw. - When the JIT is disabled, it doesn't throw - It doesn't throw in Node - It throws in `jsc` and `bun`

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2024-09-11 22:40:08 PDT

<rdar://problem/135851156>

Radar WebKit Bug Importer

Comment 2 2024-09-11 22:41:50 PDT

<rdar://problem/135851268>

Yusuke Suzuki

Comment 3 2024-09-11 22:54:08 PDT

Pull request: https://github.com/WebKit/WebKit/pull/33527

EWS

Comment 4 2024-09-12 09:33:57 PDT

Committed 283558@main (ba44420c913e): <https://commits.webkit.org/283558@main> Reviewed commits have been landed. Closing PR #33527 and removing active labels.

EWS

Comment 5 2024-09-16 13:11:51 PDT

Committed 280938.337@safari-7619-branch (1648dc502217): <https://commits.webkit.org/280938.337@safari-7619-branch> Reviewed commits have been landed. Closing PR #1779 and removing active labels.

EWS

Comment 6 2024-09-16 19:57:40 PDT

Committed 283286.49@safari-7620-branch (792fea9504e7): <https://commits.webkit.org/283286.49@safari-7620-branch> Reviewed commits have been landed. Closing PR #1770 and removing active labels.

Note You need to log in before you can comment on or make changes to this bug.