Bug 182982 - ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
Summary: ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2018-02-20 12:22 PST by Saam Barati
Modified: 2018-02-23 10:37 PST (History)
13 users (show)

See Also:

Attachments
patch (2.36 KB, patch)
2018-02-22 18:24 PST, Saam Barati 		ysuzuki: review+
Details | Formatted Diff | Diff
patch for landing (2.36 KB, patch)
2018-02-22 18:44 PST, Saam Barati 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Saam Barati 2018-02-20 12:22:59 PST 
The code is this:

```

                case GetByOffset: {
                    Node* candidate = node->child2().node();
                    if (!isEliminatedAllocation(candidate))
                        break;

                    if (node->child2()->op() != PhantomClonedArguments)
                        break;
                    ...
```

But, if it's an elimination candidate, the only child node GetByOffset handles is ClonedArguments. This should totally be an assert. We're clearly doing something wrong if we don't transform this node when its child is an eliminated allocation.
Comment 1 Saam Barati 2018-02-22 18:24:29 PST 
Created attachment 334491 [details]
patch
Comment 2 Yusuke Suzuki 2018-02-22 18:37:32 PST 
Comment on attachment 334491 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=334491&action=review

r=me

> Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:711
> +                    ASSERT(node->child2()->op() == PhantomClonedArguments);

Let's use `ASSERT(candidate->op() == PhantomClonedArguments)`.
Comment 3 Saam Barati 2018-02-22 18:44:09 PST 
Created attachment 334495 [details]
patch for landing
Comment 4 WebKit Commit Bot 2018-02-23 10:36:01 PST 
Comment on attachment 334495 [details]
patch for landing

Clearing flags on attachment: 334495

Committed r228952: <https://trac.webkit.org/changeset/228952>
Comment 5 WebKit Commit Bot 2018-02-23 10:36:02 PST 
All reviewed patches have been landed.  Closing bug.
Comment 6 Radar WebKit Bug Importer 2018-02-23 10:37:26 PST 
<rdar://problem/37830816>