RESOLVED FIXED 208764
Remove bad assertion in FTLLowerDFGToB3's compileDelBy(). 
https://bugs.webkit.org/show_bug.cgi?id=208764
Summary Remove bad assertion in FTLLowerDFGToB3's compileDelBy().
Mark Lam
Reported 2020-03-07 09:56:32 PST
The assertion ASSERT(base.gpr() != params[2].gpr()) is wrong because it is legal JS to pass in the same value as the base and subscript. <rdar://problem/59940095>
Attachments
proposed patch. (3.16 KB, patch)
2020-03-07 10:02 PST, Mark Lam 		no flags
DetailsFormatted DiffDiff
proposed patch. (3.15 KB, patch)
2020-03-07 10:08 PST, Mark Lam 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2020-03-07 10:02:44 PST
Created attachment 392864 [details] proposed patch.
Mark Lam
Comment 2 2020-03-07 10:05:38 PST
Comment on attachment 392864 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=392864&action=review > JSTests/stress/delete-by-val-with-base-and-subscript-using-same-cell.js:6 > +for (let i = 0; i < 1000000; i++) I'll reduce this count to 20000 before landing. That should be sufficient. > JSTests/stress/delete-by-val-with-base-and-subscript-using-same-non-cell.js:6 > +for (let i = 0; i < 1000000; i++) Ditto.
Mark Lam
Comment 3 2020-03-07 10:08:13 PST
Created attachment 392865 [details] proposed patch.
Keith Miller
Comment 4 2020-03-07 12:33:17 PST
Comment on attachment 392865 [details] proposed patch. r=me
Mark Lam
Comment 5 2020-03-07 13:12:51 PST
Comment on attachment 392865 [details] proposed patch. Thanks for the review.
WebKit Commit Bot
Comment 6 2020-03-07 13:56:49 PST
Comment on attachment 392865 [details] proposed patch. Clearing flags on attachment: 392865 Committed r258078: <https://trac.webkit.org/changeset/258078>
WebKit Commit Bot
Comment 7 2020-03-07 13:56:51 PST
All reviewed patches have been landed. Closing bug.
Saam Barati
Comment 8 2020-03-08 10:10:25 PDT
Comment on attachment 392865 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=392865&action=review > Source/JavaScriptCore/ChangeLog:10 > + JS to pass in the same value as the base and subscript. The runtime will handle But does the inline cache handle it properly?
Mark Lam
Comment 9 2020-03-08 13:38:33 PDT
(In reply to Saam Barati from comment #8) > Comment on attachment 392865 [details] > proposed patch. > > View in context: > https://bugs.webkit.org/attachment.cgi?id=392865&action=review > > > Source/JavaScriptCore/ChangeLog:10 > > + JS to pass in the same value as the base and subscript. The runtime will handle > > But does the inline cache handle it properly? Yes. When I said “runtime”, I meant the inline cache as well.
Note You need to log in before you can comment on or make changes to this bug.