Bug 155153 - How we load new.target in arrow functions is broken
Summary: How we load new.target in arrow functions is broken
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: GSkachkov
URL:
Keywords:
Depends on:
Blocks: 140855
  Show dependency treegraph
 
Reported: 2016-03-07 19:00 PST by Saam Barati
Modified: 2016-03-10 07:44 PST (History)
7 users (show)

See Also:


Attachments
Patch (10.72 KB, patch)
2016-03-08 12:52 PST, GSkachkov
no flags Details | Formatted Diff | Diff
Patch (10.70 KB, patch)
2016-03-08 13:04 PST, GSkachkov
no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews103 for mac-yosemite (857.10 KB, application/zip)
2016-03-08 13:51 PST, Build Bot
no flags Details
Archive of layout-test-results from ews107 for mac-yosemite-wk2 (820.11 KB, application/zip)
2016-03-08 13:56 PST, Build Bot
no flags Details
Archive of layout-test-results from ews114 for mac-yosemite (879.13 KB, application/zip)
2016-03-08 14:00 PST, Build Bot
no flags Details
Patch (10.67 KB, patch)
2016-03-08 23:27 PST, GSkachkov
sbarati: review+
gskachkov: commit-queue?
Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Saam Barati 2016-03-07 19:00:29 PST
function foo() {
    let arr = () => {
        if (false) {
            print(new.target);
        } else {
            print(new.target);
        }
    };
    arr();
}
new foo();

This prints undefined. It shouldn't.
The reason is that we make a classic mistake
where we emit code to load new.target once.
Even if that code is behind a branch in byte code,
we assume all uses can use that already loaded value.
That's wrong. We either need to always emit the load from
the scope for each new.target, or we need to emit the load
at the function prologue before any uses of new.target.

I think loading it from the scope is probably cleaner because
the alternative punishes programs that never use new.target.
That said, always loading it from the scope will punish programs
that do the load in a loop.
Comment 1 GSkachkov 2016-03-08 12:52:59 PST
Created attachment 273320 [details]
Patch

Patch
Comment 2 GSkachkov 2016-03-08 13:04:49 PST
Created attachment 273321 [details]
Patch

Fix merge issue
Comment 3 Build Bot 2016-03-08 13:51:46 PST
Comment on attachment 273321 [details]
Patch

Attachment 273321 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/943397

Number of test failures exceeded the failure limit.
Comment 4 Build Bot 2016-03-08 13:51:49 PST
Created attachment 273333 [details]
Archive of layout-test-results from ews103 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 5 Build Bot 2016-03-08 13:56:13 PST
Comment on attachment 273321 [details]
Patch

Attachment 273321 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/943414

Number of test failures exceeded the failure limit.
Comment 6 Build Bot 2016-03-08 13:56:15 PST
Created attachment 273337 [details]
Archive of layout-test-results from ews107 for mac-yosemite-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-yosemite-wk2  Platform: Mac OS X 10.10.5
Comment 7 Build Bot 2016-03-08 14:00:23 PST
Comment on attachment 273321 [details]
Patch

Attachment 273321 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/943409

Number of test failures exceeded the failure limit.
Comment 8 Build Bot 2016-03-08 14:00:25 PST
Created attachment 273338 [details]
Archive of layout-test-results from ews114 for mac-yosemite

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114  Port: mac-yosemite  Platform: Mac OS X 10.10.5
Comment 9 GSkachkov 2016-03-08 23:27:03 PST
Created attachment 273400 [details]
Patch

Fix tests
Comment 10 Saam Barati 2016-03-09 10:30:41 PST
Comment on attachment 273400 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=273400&action=review

> Source/JavaScriptCore/ChangeLog:8
> +        Fixed not correct approach of caching new target. In current path was added code feature

I think you mean "patch" instead of path

> Source/JavaScriptCore/ChangeLog:9
> +        flag that shows that current function is using new.target, so in initing of arrow function

"so in initing of arrow function" => "when generating byte code for an arrow function"
Comment 11 GSkachkov 2016-03-10 07:44:15 PST
Committed 197928: <http://trac.webkit.org/changeset/197928>
Comment 12 GSkachkov 2016-03-10 07:44:45 PST
All reviewed patches have been landed.  Closing bug.