Bug 158438 - EXITs when using spread operator with mixed type array
Summary: EXITs when using spread operator with mixed type array
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Reported: 2016-06-06 15:31 PDT by Joseph Pecoraro
Modified: 2016-06-06 15:31 PDT

Attachments
[TEST] Test case (452 bytes, application/x-javascript)
2016-06-06 15:31 PDT, Joseph Pecoraro

Description Joseph Pecoraro 2016-06-06 15:31:29 PDT
Created attachment 280637
[TEST] Test case

* SUMMARY
EXITs when using spread operator with mixed type array.

* TEST
(function() {
    function myLog() {
        var args = Array.from(arguments);
        print(args.join(" "));
    }
    function myAssert(condition, ...args) {
        "use strict";
        if (!condition)
            myLog(...args);
    }

    noInline(myLog);
    noInline(myAssert);

    for (var i = 0; i < 1e6; ++i)
        myAssert((i % 1e4), "Expected Failure", i);
})();

* STEPS TO REPRODUCE
1. jsc test.js -p profile
  => Profile shows "Bad Type" errors when handling the spread operator

* PROFILE
Lots more Baseline/DFG runs than expected due to exits.
> l myAssert
Compilation myAssert#CCcDJe-1-Baseline:
    Total count: 240941  Max count: 20064
Compilation myAssert#CCcDJe-2-DFG:
    Total count: 701430  Max count: 58445
    EXIT: at bc#190 due to BadType, 5 times
Compilation myAssert#CCcDJe-3-FTL:
    Total count: 11061788  Max count: 921463

Exits are when spreading the array via inlined array iterator code
> b myAssert
...
    [ 169] get_by_id         loc17, loc16, done(@id4)    predicting None
    [ 178] jtrue             loc17, 50(->228)
    [ 181] get_by_id         loc16, loc16, value(@id5)    predicting None
    [ 190] jmp               -104(->86)
    !!!!!                    EXIT: in myAssert#CCcDJe-2-DFG due to BadType, 5 times
...

Looks like it was predicting Boolint32, but the spread array (the rest param) should always have [String ("Expected Failure"), int32 (i)]. So that prediction seems unexpected.
> d myAssert
...
9/5/184/0                      185:< 3:loc14>	GetByOffset(KnownCell:@182, KnownCell:@182, JS|UseAsOther, Boolint32, id5{value}, 1, inferredType = Top, R:NamedProperties(5), Exits, bc#181)  predicting Boolint32
9/5/184/0                           0x3baa19e02d1a: mov 0x18(%rax), %rsi
9/5/184/0                      186:<!0:->	MovHint(Untyped:@185, MustGen, loc16, W:SideState, ClobbersExit, bc#181)
9/5/184/0                      187:<!0:->	Check(Check:Int32:@185, MustGen, Exits, bc#181, exit: bc#190)
9/5/184/0                           0x3baa19e02d1e: cmp %r14, %rsi
9/5/184/0                           0x3baa19e02d21: jb 0x3baa19e0335f
  !!!!!                                           EXIT: due to BadType, 5 times
...