RESOLVED FIXED 183310
[DFG] AI should convert CreateThis to NewObject if the prototype object is proved 
https://bugs.webkit.org/show_bug.cgi?id=183310
Summary [DFG] AI should convert CreateThis to NewObject if the prototype object is pr...
Yusuke Suzuki
Reported 2018-03-03 01:26:38 PST
[DFG] AI should convert CreateThis to NewObject if the prototype object is proved
Attachments
Patch (4.05 KB, patch)
2018-03-03 01:27 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (5.90 KB, patch)
2018-03-03 08:31 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (6.23 KB, patch)
2018-03-03 08:36 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (8.07 KB, patch)
2018-03-09 04:57 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (8.04 KB, patch)
2018-03-09 10:10 PST, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2018-03-03 01:27:12 PST
Created attachment 334951 [details] Patch
Yusuke Suzuki
Comment 2 2018-03-03 08:31:13 PST
Created attachment 334958 [details] Patch
Yusuke Suzuki
Comment 3 2018-03-03 08:36:22 PST
Created attachment 334959 [details] Patch
Yusuke Suzuki
Comment 4 2018-03-09 04:57:01 PST
Created attachment 335422 [details] Patch
Yusuke Suzuki
Comment 5 2018-03-09 10:10:22 PST
Created attachment 335435 [details] Patch
Yusuke Suzuki
Comment 6 2018-03-09 13:02:20 PST
Ping review?
Yusuke Suzuki
Comment 7 2018-03-11 19:59:49 PDT
Comment on attachment 335435 [details] Patch Thank you!
WebKit Commit Bot
Comment 8 2018-03-11 20:25:44 PDT
Comment on attachment 335435 [details] Patch Clearing flags on attachment: 335435 Committed r229520: <https://trac.webkit.org/changeset/229520>
WebKit Commit Bot
Comment 9 2018-03-11 20:25:45 PDT
All reviewed patches have been landed. Closing bug.
Yusuke Suzuki
Comment 10 2018-03-11 23:21:44 PDT
https://arewefastyet.com/#machine=29&view=single&suite=octane&subtest=RayTrace 10.1% win in Octane/Raytrace.
Ryan Haddad
Comment 11 2018-03-12 09:00:49 PDT
It looks like this change caused assertion failures on the debug bot: https://build.webkit.org/builders/Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/739 stress/dfg-rare-data.js.default: ASSERTION FAILED: m_op == CallObjectConstructor stress/dfg-rare-data.js.default: ./dfg/DFGNode.h(729) : void JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) stress/dfg-rare-data.js.default: 1 0x10d15708d WTFCrash stress/dfg-rare-data.js.default: 2 0x10c276ad5 JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) stress/dfg-rare-data.js.default: 3 0x10c273b47 JSC::DFG::ConstantFoldingPhase::foldConstants(JSC::DFG::BasicBlock*) stress/dfg-rare-data.js.default: 4 0x10c270c1a JSC::DFG::ConstantFoldingPhase::run() stress/dfg-rare-data.js.default: 5 0x10c270a0e bool JSC::DFG::runAndLog<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::ConstantFoldingPhase&) stress/dfg-rare-data.js.default: 6 0x10c26817e bool JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::Graph&) stress/dfg-rare-data.js.default: 7 0x10c268145 JSC::DFG::performConstantFolding(JSC::DFG::Graph&) stress/dfg-rare-data.js.default: 8 0x10c3b629d JSC::DFG::Plan::compileInThreadImpl() stress/dfg-rare-data.js.default: 9 0x10c3b47c2 JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) stress/dfg-rare-data.js.default: 10 0x10c68f16c JSC::DFG::Worklist::ThreadBody::work() stress/dfg-rare-data.js.default: 11 0x10d165667 WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const stress/dfg-rare-data.js.default: 12 0x10d1652f9 WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() stress/dfg-rare-data.js.default: 13 0x10d17306b WTF::Function<void ()>::operator()() const stress/dfg-rare-data.js.default: 14 0x10d1e356f WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) stress/dfg-rare-data.js.default: 15 0x10d1e8cf5 WTF::wtfThreadEntryPoint(void*) stress/dfg-rare-data.js.default: 16 0x7fff689ce6c1 _pthread_body stress/dfg-rare-data.js.default: 17 0x7fff689ce56d _pthread_body stress/dfg-rare-data.js.default: 18 0x7fff689cdc5d thread_start stress/dfg-rare-data.js.default: test_script_7453: line 2: 59221 Segmentation fault: 11 ( "$@" ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false --useFunctionDotArguments\=true --validateExceptionChecks\=true --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true dfg-rare-data.js ) stress/dfg-rare-data.js.default: ERROR: Unexpected exit code: 139
Radar WebKit Bug Importer
Comment 12 2018-03-12 17:25:10 PDT
<rdar://problem/38397885>
Yusuke Suzuki
Comment 13 2018-03-12 20:02:14 PDT
(In reply to Ryan Haddad from comment #11) > It looks like this change caused assertion failures on the debug bot: > https://build.webkit.org/builders/ > Apple%20High%20Sierra%20Debug%20JSC%20%28Tests%29/builds/739 > > stress/dfg-rare-data.js.default: ASSERTION FAILED: m_op == > CallObjectConstructor > stress/dfg-rare-data.js.default: ./dfg/DFGNode.h(729) : void > JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) > stress/dfg-rare-data.js.default: 1 0x10d15708d WTFCrash > stress/dfg-rare-data.js.default: 2 0x10c276ad5 > JSC::DFG::Node::convertToNewObject(JSC::DFG::RegisteredStructure) > stress/dfg-rare-data.js.default: 3 0x10c273b47 > JSC::DFG::ConstantFoldingPhase::foldConstants(JSC::DFG::BasicBlock*) > stress/dfg-rare-data.js.default: 4 0x10c270c1a > JSC::DFG::ConstantFoldingPhase::run() > stress/dfg-rare-data.js.default: 5 0x10c270a0e bool > JSC::DFG::runAndLog<JSC::DFG::ConstantFoldingPhase>(JSC::DFG:: > ConstantFoldingPhase&) > stress/dfg-rare-data.js.default: 6 0x10c26817e bool > JSC::DFG::runPhase<JSC::DFG::ConstantFoldingPhase>(JSC::DFG::Graph&) > stress/dfg-rare-data.js.default: 7 0x10c268145 > JSC::DFG::performConstantFolding(JSC::DFG::Graph&) > stress/dfg-rare-data.js.default: 8 0x10c3b629d > JSC::DFG::Plan::compileInThreadImpl() > stress/dfg-rare-data.js.default: 9 0x10c3b47c2 > JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) > stress/dfg-rare-data.js.default: 10 0x10c68f16c > JSC::DFG::Worklist::ThreadBody::work() > stress/dfg-rare-data.js.default: 11 0x10d165667 > WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() > const > stress/dfg-rare-data.js.default: 12 0x10d1652f9 WTF::Function<void > ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker > const&)::$_0>::call() > stress/dfg-rare-data.js.default: 13 0x10d17306b WTF::Function<void > ()>::operator()() const > stress/dfg-rare-data.js.default: 14 0x10d1e356f > WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) > stress/dfg-rare-data.js.default: 15 0x10d1e8cf5 > WTF::wtfThreadEntryPoint(void*) > stress/dfg-rare-data.js.default: 16 0x7fff689ce6c1 _pthread_body > stress/dfg-rare-data.js.default: 17 0x7fff689ce56d _pthread_body > stress/dfg-rare-data.js.default: 18 0x7fff689cdc5d thread_start > stress/dfg-rare-data.js.default: test_script_7453: line 2: 59221 > Segmentation fault: 11 ( "$@" > ../../.vm/JavaScriptCore.framework/Resources/jsc --useFTLJIT\=false > --useFunctionDotArguments\=true --validateExceptionChecks\=true > --useDollarVM\=true --maxPerThreadStackUsage\=1572864 --useFTLJIT\=true > dfg-rare-data.js ) > stress/dfg-rare-data.js.default: ERROR: Unexpected exit code: 139 Thanks, this is simply ASSERT becomes obsolete. I'll fix it soon
Yusuke Suzuki
Comment 14 2018-03-12 20:04:30 PDT
Committed r229570: <https://trac.webkit.org/changeset/229570>
Note You need to log in before you can comment on or make changes to this bug.