WebKit Bugzilla
Bug 141183 - arguments[-1] should have well-defined behavior
Status: RESOLVED FIXED
https://bugs.webkit.org/show_bug.cgi?id=141183

Filip Pizlo
Reported 2015-02-02 17:03:33 PST
Currently it returns "this" or garbage. That's bad.
Attachments
work in progress (12.09 KB, patch), 2015-02-02 18:23 PST, Filip Pizlo, no flags
the patch (20.20 KB, patch), 2015-02-02 18:48 PST, Filip Pizlo, no flags
the patch (20.18 KB, patch), 2015-02-02 18:53 PST, Filip Pizlo, no flags
the patch (25.57 KB, patch), 2015-02-02 19:52 PST, Filip Pizlo, mark.lam: review+
Filip Pizlo
Comment 1
2015-02-02 18:23:01 PST
Created attachment 245916 [details]
work in progress

This fixes all of the 64-bit paths. Still need to do 32-bit DFG.
Filip Pizlo
Comment 2
2015-02-02 18:48:40 PST
Created attachment 245917 [details]
the patch
WebKit Commit Bot
Comment 3
2015-02-02 18:51:28 PST
Attachment 245917 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp:2007: Weird number of spaces at line-start. Are you using a 4-space indent? [whitespace/indent] [3]
Total errors found: 1 in 11 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Filip Pizlo
Comment 4
2015-02-02 18:53:07 PST
Created attachment 245918 [details]
the patch

Fix style and the wording of the ChangeLog
Mark Lam
Comment 5
2015-02-02 19:31:55 PST
Comment on attachment 245918 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245918&action=review
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:4356
> Imm32(node->origin.semantic.inlineCallFrame->arguments.size())));
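Review bot: if the Imm32 at line 4356 is the limit the argument index is checked against, it is off by one, because inlineCallFrame->arguments counts the this slot as well as the real arguments. An index equal to the real argument count would then pass the check and the load would read the slot just past the last argument rather than producing undefined, which is exactly the class of ill-defined result this bug is about. Use arguments.size() - 1 here, and the same at line 4432.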
I think you need to -1 from arguments.size() here.
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:4400
> + m_jit.offsetOfArgumentsIncludingThis(node->origin.semantic) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag) + sizeof(EncodedJSValue)),
Per our offline discussion, change offsetOfArgumentsIncludingThis() into offsetOfArguments() and hence, no need for the "+ sizeof(EncodedJSValue))" thereafter.
> Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:4432
> Imm32(node->origin.semantic.inlineCallFrame->arguments.size())));
Ditto. Need to -1 from arguments.size() here.
> Source/JavaScriptCore/jit/JITOpcodes32_64.cpp:1053
> + loadPtr(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.payload) + CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register)) + sizeof(Register)), regT0);
> + loadPtr(BaseIndex(callFrameRegister, regT2, TimesEight, OBJECT_OFFSETOF(JSValue, u.asBits.tag) + CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register)) + sizeof(Register)), regT1);
Instead of CallFrame::thisArgumentOffset(), you can use CallFrame::argumentOffset(0) here, and do away with the "+ sizeof(Register)" adjustments.
> Source/JavaScriptCore/jit/JITOpcodes.cpp:928
> + load64(BaseIndex(callFrameRegister, regT1, TimesEight, CallFrame::thisArgumentOffset() * static_cast<int>(sizeof(Register)) + sizeof(Register)), regT0);
Ditto. Use CallFrame::argumentOffset(0) and remove adjustment.
> Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:1621
> + loadi ThisArgumentOffset + 8 + TagOffset[cfr, t2, 8], t0
> + loadi ThisArgumentOffset + 8 + PayloadOffset[cfr, t2, 8], t1
I think it'll be clearer if you define a FirstArgumentOffset in LowLevelInterpreter.asm, and use that here instead of using ThisArgumentOffset + 8.
> Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:1480
> + loadq ThisArgumentOffset + 8[cfr, t2, 8], t0
Ditto. Use FirstArgumentOffset.
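To make the bug report's "returns this or garbage" concrete, here is a toy model of the call-frame layout the review comments above describe: the this value sits in the slot directly before argument 0 (argumentOffset(0) == thisArgumentOffset() + one Register), and an inline call frame's argument vector counts this, so the real argument count is size() - 1. This is added illustration code, not JavaScriptCore's code and not the patch; the slot layout, the sentinel used for undefined and every function name are assumptions. It shows why a signed index comparison lets arguments[-1] read the this slot (and more negative indices read whatever precedes it), while the same load behind an unsigned comparison sends every negative index to the undefined path, which is the well-defined behaviour the bug asks for.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a call frame, added as an illustration. It is NOT
 * JavaScriptCore's CallFrame. Assumed layout (one 64-bit slot each): the
 * "this" value sits directly before argument 0, mirroring the review
 * comments' argumentOffset(0) == thisArgumentOffset() + sizeof(Register). */
enum {
    CALLEE_SLOT           = 0,  /* stands in for the frame header        */
    THIS_ARGUMENT_OFFSET  = 1,  /* this value                            */
    FIRST_ARGUMENT_OFFSET = 2,  /* argument 0                            */
    MAX_ARGUMENTS         = 4,
    SLOT_COUNT            = FIRST_ARGUMENT_OFFSET + MAX_ARGUMENTS
};

#define JS_UNDEFINED 0x0AULL  /* assumed sentinel for the JS value undefined */

typedef struct {
    uint64_t slots[SLOT_COUNT];
    int32_t argument_count;   /* real arguments, NOT counting this */
} CallFrame;

/* Build a frame for a call f.call(this_value, args[0..n-1]). */
CallFrame make_frame(uint64_t callee, uint64_t this_value,
                     const uint64_t *args, int32_t n)
{
    CallFrame f = {{0}, 0};
    assert(n >= 0 && n <= MAX_ARGUMENTS);
    f.slots[CALLEE_SLOT] = callee;
    f.slots[THIS_ARGUMENT_OFFSET] = this_value;
    for (int32_t i = 0; i < n; i++)
        f.slots[FIRST_ARGUMENT_OFFSET + i] = args[i];
    f.argument_count = n;
    return f;
}

/* Mark's review point: an inline call frame's argument vector counts this
 * as entry 0, so the bound for a real-argument index is size() - 1. */
int32_t argument_count_from_including_this(int32_t count_including_this)
{
    assert(count_including_this >= 1);
    return count_including_this - 1;
}

/* Buggy fast path: the bounds check is a SIGNED comparison. -1 < count
 * holds, so the load reads the slot before argument 0, which is this.
 * -2 reads the callee slot; anything more negative would read memory that
 * precedes the frame entirely ("garbage"). This function does nothing to
 * stop that, so callers of the model must keep -2 <= index themselves. */
uint64_t arguments_get_signed_check(const CallFrame *f, int32_t index)
{
    if (index < f->argument_count)
        return f->slots[FIRST_ARGUMENT_OFFSET + index];
    return JS_UNDEFINED;
}

/* Fixed fast path: compare as UNSIGNED. Every negative index becomes a
 * value >= 2^31, fails the check, and takes the undefined path, the same
 * result a property lookup gives for an index the frame does not hold. */
uint64_t arguments_get_unsigned_check(const CallFrame *f, int32_t index)
{
    if ((uint32_t)index < (uint32_t)f->argument_count)
        return f->slots[FIRST_ARGUMENT_OFFSET + index];
    return JS_UNDEFINED;
}

int main(void)
{
    /* Constructed sample: callee 0xCA11EE, this 0x7415, two arguments. */
    const uint64_t args[] = { 0x100, 0x200 };
    CallFrame f = make_frame(0xCA11EEULL, 0x7415ULL, args, 2);

    printf("signed   arguments[-1] = %#llx (this leaks)\n",
           (unsigned long long)arguments_get_signed_check(&f, -1));
    printf("unsigned arguments[-1] = %#llx (undefined)\n",
           (unsigned long long)arguments_get_unsigned_check(&f, -1));
    return 0;
}
```

The second thing worth checking with the model is the off-by-one Mark raised: if argument_count is set to the count including this, index 2 of a two-argument call passes the unsigned check as well and reads the never-written slot after the last argument, so both fixes (unsigned compare and size() - 1) are needed for the fast path to agree with the slow path.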
Filip Pizlo
Comment 6
2015-02-02 19:52:48 PST
Created
attachment 245920
[details]
the patch Address Mark's comments
Benjamin Poulain
Comment 7
2015-02-02 20:25:01 PST
Comment on attachment 245920 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245920&action=review

> Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:1617
> + subi 1, t2
Shouldn't this be t1?
Filip Pizlo
Comment 8
2015-02-02 20:30:35 PST
Comment on attachment 245920 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245920&action=review

>> Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:1617
>> + subi 1, t2
>
> Shouldn't this be t1?
Yes. :-) I just fixed that locally. Magically, tests started passing.
Mark Lam
Comment 9
2015-02-02 20:32:31 PST
Comment on attachment 245920 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245920&action=review

r=me with remaining issues addressed.

> Source/JavaScriptCore/jit/AssemblyHelpers.h:609
> + return CallFrame::argumentOffsetIncludingThis(1) * sizeof(Register);
You can make this CallFrame::argumentOffset(0) instead of CallFrame::argumentOffsetIncludingThis(1).
Filip Pizlo
Comment 10
2015-02-02 20:36:01 PST
(In reply to comment #9)
> Comment on attachment 245920 [details]
> the patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=245920&action=review
>
> r=me with remaining issues addressed.
>
> > Source/JavaScriptCore/jit/AssemblyHelpers.h:609
> > + return CallFrame::argumentOffsetIncludingThis(1) * sizeof(Register);
>
> You can make this CallFrame::argumentOffset(0) instead of
> CallFrame::argumentOffsetIncludingThis(1).

Thanks for the feedback, I just made this change locally.
Filip Pizlo
Comment 11
2015-02-02 21:21:23 PST
Landed in http://trac.webkit.org/changeset/179538