Bug 180190 - [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
Summary: [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks: 180192
  Show dependency treegraph
 
Reported: 2017-11-30 05:15 PST by Yusuke Suzuki
Modified: 2017-11-30 12:49 PST (History)
11 users (show)

See Also:

Attachments
Patch (10.36 KB, patch)
2017-11-30 05:27 PST, Yusuke Suzuki 		no flags Details | Formatted Diff | Diff
Patch (15.90 KB, patch)
2017-11-30 06:05 PST, Yusuke Suzuki 		mark.lam: review+
Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yusuke Suzuki 2017-11-30 05:15:08 PST 
Reported by @azu_re. https://twitter.com/azu_re/status/936187554235170816

var k = -1;  // k >= 0 is no problem, k < 0 is problem
var o = {};
o[k] = true;

function f() {
    // `(k + "") in o` is no problem
    if (k in o) {
        return;
    }
    // `k in o` must be true, but Safari 11 reach here
    throw new Error("Never reach");
}
noInline(f);

var i = 0;
try {
    for (i = 0; i < 100000; i++) {
        f();
    }
} catch (e) {
    // Reach here is problem
    // Safari on iOS 11.1.2
    // i: 5000~20000
    // Safari 11.0.1 (12604.3.5.1.1) on mac sierra
    // i: 1000~5000
    print(e.message + " : " + JSON.stringify({
        "i": i,
        "k in o": (k in o),
        "(''+k) in o": (('' + k) in o),
        "o.hasOwnProperty(k)": o.hasOwnProperty(k)
    }, null, 2));
}

print("Done");
Comment 1 Yusuke Suzuki 2017-11-30 05:27:20 PST 
Created attachment 327969 [details]
Patch

WIP: add more tests
Comment 2 Yusuke Suzuki 2017-11-30 06:05:29 PST 
Created attachment 327972 [details]
Patch
Comment 3 Mark Lam 2017-11-30 12:31:26 PST 
Comment on attachment 327972 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=327972&action=review

r=me.  Is it possible to defer landing this until after https://bugs.webkit.org/show_bug.cgi?id=180192 is fixed?

> Source/JavaScriptCore/dfg/DFGOperations.cpp:1817
> +        // Go the slowest way possible becase negative indices don't use indexed storage.

typo: /becase/because/
Comment 4 Yusuke Suzuki 2017-11-30 12:42:12 PST 
Comment on attachment 327972 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=327972&action=review

> Source/JavaScriptCore/ChangeLog:22
> +        While fixing this bug, we found that our op_in does not record OutOfBound feedback.
> +        This causes repeated OSR exit and significantly regresses the performance. We opened
> +        a bug to track this issue[1].
> +
> +        [1]: https://bugs.webkit.org/show_bug.cgi?id=180192

Oops, sorry for my misleading comment. This patch does not introduce the above performance regression.
Our ToT already has the above performance issue.

Why I noted the above thing is that I found this issue when adding a test in this patch.
The test in this patch shows the above inefficient behavior.

So, I think landing this patch is OK since this patch's issue is not related to the above perf issue.
And this patch itself does not cause/fix the above performance issue. This patch's intent is just fixing negative int case.

>> Source/JavaScriptCore/dfg/DFGOperations.cpp:1817
>> +        // Go the slowest way possible becase negative indices don't use indexed storage.
> 
> typo: /becase/because/

Thanks, fixed.
Comment 5 Yusuke Suzuki 2017-11-30 12:48:58 PST 
Committed r225342: <https://trac.webkit.org/changeset/225342>
Comment 6 Radar WebKit Bug Importer 2017-11-30 12:49:21 PST 
<rdar://problem/35779895>