RESOLVED FIXED 186460
[DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned 
https://bugs.webkit.org/show_bug.cgi?id=186460
Summary [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmu...
Yusuke Suzuki
Reported 2018-06-09 03:00:50 PDT
Spread for phantom nodes generates JSFixedArray. So previously, our PhantomNewArrayBuffer returns a fixed array stored in this node. But now, it holds JSImmutableButterfly, but FTL lowering phase mixes JSFixedArray and JSImmutableButterfly. I think we can generate JSImmutableButterfly instead of JSFixedArray in Spread.
Attachments
Patch (6.24 KB, patch)
2018-06-15 04:00 PDT, Yusuke Suzuki 		saam: review+
ews-watchlist: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews202 for win-future (12.84 MB, application/zip)
2018-06-15 11:52 PDT, EWS Watchlist 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2018-06-15 04:00:55 PDT
Created attachment 342801 [details] Patch
Saam Barati
Comment 2 2018-06-15 09:42:06 PDT
Comment on attachment 342801 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=342801&action=review r=me > Source/JavaScriptCore/ChangeLog:8 > + Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong. Do we do the right thing when we exit for PhantomSpread(PhantomNewArrayBuffer)? > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5718 > + ValueFromBlock slowFixedArray = m_out.anchor(vmCall(Int64, m_out.operation(operationCreateFixedArray), m_callFrame, m_out.constInt32(immutableButterfly->length()))); IntPtr > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5722 > + LValue fixedArray = m_out.phi(Int64, fastFixedArray, slowFixedArray); IntPtr
EWS Watchlist
Comment 3 2018-06-15 11:52:24 PDT
Comment on attachment 342801 [details] Patch Attachment 342801 [details] did not pass win-ews (win): Output: http://webkit-queues.webkit.org/results/8200408 New failing tests: http/tests/preload/onload_event.html
EWS Watchlist
Comment 4 2018-06-15 11:52:35 PDT
Created attachment 342834 [details] Archive of layout-test-results from ews202 for win-future The attached test failures were seen while running run-webkit-tests on the win-ews. Bot: ews202 Port: win-future Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Yusuke Suzuki
Comment 5 2018-06-16 04:12:11 PDT
Comment on attachment 342801 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=342801&action=review >> Source/JavaScriptCore/ChangeLog:8 >> + Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong. > > Do we do the right thing when we exit for PhantomSpread(PhantomNewArrayBuffer)? Yeah, PhantomNewArrayBuffer generates an array from JSImmutableButterfly. And PhantomSread generates JSFixedArray from JSArray. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5718 >> + ValueFromBlock slowFixedArray = m_out.anchor(vmCall(Int64, m_out.operation(operationCreateFixedArray), m_callFrame, m_out.constInt32(immutableButterfly->length()))); > > IntPtr Fixed. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5722 >> + LValue fixedArray = m_out.phi(Int64, fastFixedArray, slowFixedArray); > > IntPtr Fixed.
Yusuke Suzuki
Comment 6 2018-06-16 04:18:10 PDT
Committed r232902: <https://trac.webkit.org/changeset/232902>
Radar WebKit Bug Importer
Comment 7 2018-06-16 04:20:30 PDT
<rdar://problem/41186005>
Note You need to log in before you can comment on or make changes to this bug.