Bug 186460 - [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Yusuke Suzuki
Keywords: InRadar
Reported: 2018-06-09 03:00 PDT by Yusuke Suzuki
Modified: 2018-06-16 04:20 PDT

Attachments
Patch (6.24 KB, patch)
2018-06-15 04:00 PDT, Yusuke Suzuki
saam: review+
ews-watchlist: commit-queue-
Archive of layout-test-results from ews202 for win-future (12.84 MB, application/zip)
2018-06-15 11:52 PDT, EWS Watchlist
no flags

Description Yusuke Suzuki 2018-06-09 03:00:50 PDT
Spread for phantom nodes generates JSFixedArray. So previously, our PhantomNewArrayBuffer returned a fixed array stored in this node. But now it holds a JSImmutableButterfly, and the FTL lowering phase mixes JSFixedArray and JSImmutableButterfly.

I think we can generate JSImmutableButterfly instead of JSFixedArray in Spread.
Comment 1 Yusuke Suzuki 2018-06-15 04:00:55 PDT
Created attachment 342801 [details]
Patch
Comment 2 Saam Barati 2018-06-15 09:42:06 PDT
Comment on attachment 342801 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=342801&action=review

r=me

> Source/JavaScriptCore/ChangeLog:8
> +        Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
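
Review bot: the ChangeLog sentence "But it is wrong." at line 8 does not say what Spread is expected to return or which consumer breaks. Stating that the consumer assumes a JSFixedArray, as the bug title does, would make the entry self-explanatory.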

Do we do the right thing when we exit for PhantomSpread(PhantomNewArrayBuffer)?

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5718
> +            ValueFromBlock slowFixedArray = m_out.anchor(vmCall(Int64, m_out.operation(operationCreateFixedArray), m_callFrame, m_out.constInt32(immutableButterfly->length())));

IntPtr

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5722
> +            LValue fixedArray = m_out.phi(Int64, fastFixedArray, slowFixedArray);
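
Review bot: the type passed to m_out.phi at line 5722 has to agree with the type of both incoming values, fastFixedArray and slowFixedArray. If the vmCall result type at line 5718 changes, this phi and whatever produces fastFixedArray should change in the same step so the three stay consistent.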

IntPtr
Comment 3 EWS Watchlist 2018-06-15 11:52:24 PDT
Comment on attachment 342801 [details]
Patch

Attachment 342801 [details] did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/8200408

New failing tests:
http/tests/preload/onload_event.html
Comment 4 EWS Watchlist 2018-06-15 11:52:35 PDT
Created attachment 342834 [details]
Archive of layout-test-results from ews202 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews202  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 5 Yusuke Suzuki 2018-06-16 04:12:11 PDT
Comment on attachment 342801 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=342801&action=review

>> Source/JavaScriptCore/ChangeLog:8
>> +        Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
> 
> Do we do the right thing when we exit for PhantomSpread(PhantomNewArrayBuffer)?

Yeah, PhantomNewArrayBuffer generates an array from JSImmutableButterfly. And PhantomSpread generates JSFixedArray from JSArray.

>> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5718
>> +            ValueFromBlock slowFixedArray = m_out.anchor(vmCall(Int64, m_out.operation(operationCreateFixedArray), m_callFrame, m_out.constInt32(immutableButterfly->length())));
> 
> IntPtr

Fixed.

>> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5722
>> +            LValue fixedArray = m_out.phi(Int64, fastFixedArray, slowFixedArray);
> 
> IntPtr

Fixed.
Comment 6 Yusuke Suzuki 2018-06-16 04:18:10 PDT
Committed r232902: <https://trac.webkit.org/changeset/232902>
Comment 7 Radar WebKit Bug Importer 2018-06-16 04:20:30 PDT
<rdar://problem/41186005>