RESOLVED FIXED 209777
Delete IC incorrectly caches for proxies
https://bugs.webkit.org/show_bug.cgi?id=209777
Mark Lam
Reported 2020-03-30 14:49:20 PDT
We're seeing an ASSERTION FAILED: m_cases[i - 1] < m_cases[i] due to DeleteIC. Here's the test case:

    function foo() {
        let j = 0;
        while (j++ < 2)
            delete this.x;
        Object.defineProperty(this, "x", {});
    }
    for (let i = 0; i < 5; i++)
        foo();

Run with --jitPolicyScale=0 --useDFGJIT=0 --useConcurrentJIT=0.

The duplicate cases are:

    DeleteMiss:(Committed, ident = 'uid:(x)', structure = 0x10c4faee0:[0xf4c5, JSProxy, {}, NonArray, Proto:0x106dfa368, Leaf])
    DeleteNonConfigurable:(Committed, ident = 'uid:(x)', structure = 0x10c4faee0:[0xf4c5, JSProxy, {}, NonArray, Proto:0x106dfa368, Leaf])

<rdar://problem/61051902>
Attachments
Patch (3.25 KB, patch)
2020-03-31 10:16 PDT, Justin Michaud
no flags
Patch (3.75 KB, patch)
2020-03-31 11:00 PDT, Justin Michaud
no flags
Patch (3.73 KB, patch)
2020-03-31 11:20 PDT, Justin Michaud
no flags
Justin Michaud
Comment 1 2020-03-31 10:16:38 PDT
Mark Lam
Comment 2 2020-03-31 10:21:42 PDT
Comment on attachment 395061 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=395061&action=review

r=me

> JSTests/ChangeLog:8
> + * stress/delete-property-ic-compatable.js: Added.

Can you also add variants of this test for the other proxy types?

> JSTests/stress/delete-property-ic-compatable.js:1
> +//@ requireOptions("--jitPolicyScale=0", "--useDFGJIT=0", "--useConcurrentJIT=0")

I think you can drop the "--useConcurrentJIT=0". There will be a test configuration that handles that already.
Justin Michaud
Comment 3 2020-03-31 11:00:15 PDT
Mark Lam
Comment 4 2020-03-31 11:07:33 PDT
Comment on attachment 395069 [details]
Patch

Please fix test name /compatable/compatible/. Please also update the bug title in the ChangeLog since it has changed in bugzilla.

r=me
Justin Michaud
Comment 5 2020-03-31 11:20:30 PDT
Saam Barati
Comment 6 2020-03-31 15:12:04 PDT
Comment on attachment 395074 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=395074&action=review

> Source/JavaScriptCore/ChangeLog:9
> + Proxy's do not change their structure ID when properties are added, so we cannot cache deletes
> + for them.

why can't we cache delete on their target though (I mean w.r.t proxy like window, not like Proxy object in ES6)?
Justin Michaud
Comment 7 2020-04-01 12:00:22 PDT
(In reply to Saam Barati from comment #6)
> Comment on attachment 395074 [details]
> Patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=395074&action=review
>
> > Source/JavaScriptCore/ChangeLog:9
> > + Proxy's do not change their structure ID when properties are added, so we cannot cache deletes
> > + for them.
>
> why can't we cache delete on their target though (I mean w.r.t proxy like
> window, not like Proxy object in ES6)?

Filed a bug and related it to this bug.
EWS
Comment 8 2020-04-01 12:10:25 PDT
Committed r259357: <https://trac.webkit.org/changeset/259357>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395074 [details].
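
The ChangeLog line quoted in comment 6 says proxies keep the same structure ID when properties are added. The toy model below is an added example, not WebKit code and not part of the thread; it replays the shape of the reported test case against a structure-keyed cache and shows why a proxy ends up with both DeleteMiss and DeleteNonConfigurable recorded for one structure while a plain object does not. All class and function names are hypothetical, and it assumes every delete records a case under the structure seen before the operation.

```javascript
// Toy model of a delete cache keyed on structure ID. Every name here is
// hypothetical; this is an illustration, not JavaScriptCore code.
let nextID = 1;
class PlainObject {
  constructor() { this.props = new Map(); this.structureID = nextID++; }
  define(name) {                       // models Object.defineProperty(o, name, {})
    if (this.props.has(name)) return;  // redefining with {} changes nothing
    this.props.set(name, { configurable: false });
    this.structureID = nextID++;       // adding a property changes the structure
  }
  delete(name) {
    const prop = this.props.get(name);
    if (!prop) return "DeleteMiss";
    if (!prop.configurable) return "DeleteNonConfigurable";
    this.props.delete(name);
    this.structureID = nextID++;       // removing a property changes it too
    return "DeleteHit";
  }
}
// Forwards to its target; its own structure ID never changes.
class ProxyObject {
  constructor(target) { this.target = target; this.structureID = nextID++; this.isProxy = true; }
  define(name) { this.target.define(name); }
  delete(name) { return this.target.delete(name); }
}

// Replays the shape of the reported test case; returns what a structure-keyed
// cache would record, as a Map of "structureID:name" -> Set of outcomes.
function recordCases(obj, cacheProxies) {
  const cases = new Map();
  for (let i = 0; i < 5; i++) {
    for (let j = 0; j < 2; j++) {
      const key = obj.structureID + ":x";          // structure seen before the delete
      const kind = obj.delete("x");
      if (obj.isProxy && !cacheProxies) continue;  // mitigation: never cache proxies
      if (!cases.has(key)) cases.set(key, new Set());
      cases.get(key).add(kind);
    }
    obj.define("x");
  }
  return cases;
}

// Keys recorded with more than one outcome: duplicate cases for one structure.
function conflictingKeys(cases) {
  return [...cases].filter(([, kinds]) => kinds.size > 1).map(([key]) => key);
}
console.log("plain:", conflictingKeys(recordCases(new PlainObject(), true)));
console.log("proxy:", conflictingKeys(recordCases(new ProxyObject(new PlainObject()), true)));
```
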