210839 – [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results

RESOLVED FIXED 210839

[JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results

https://bugs.webkit.org/show_bug.cgi?id=210839

Summary [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtim...

Yusuke Suzuki

Reported 2020-04-21 19:16:30 PDT

...

Attachments
Patch (610.08 KB, patch) 2020-04-21 22:52 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (610.98 KB, patch) 2020-04-21 23:16 PDT, Yusuke Suzuki	saam: review+	Details Formatted Diff Diff
Patch for landing (610.35 KB, patch) 2020-04-21 23:36 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Yusuke Suzuki

Comment 1 2020-04-21 22:18:03 PDT

AI says it is BigInt32, but at runtime, we are returning HeapBigInt!

Yusuke Suzuki

Comment 2 2020-04-21 22:52:48 PDT

Created attachment 397169 [details] Patch

Yusuke Suzuki

Comment 3 2020-04-21 23:16:09 PDT

Created attachment 397170 [details] Patch

Saam Barati

Comment 4 2020-04-21 23:21:19 PDT

Comment on attachment 397170 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=397170&action=review > Source/JavaScriptCore/ChangeLog:12 > + And we found that FTL BigInt32 predicate is not correctly checking state. This patch fixes it too. You should say what the test for this was. A JSValue number might have any lower bits set. > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:546 > + // FIXME: We should have inlined implementation that always returns BigInt32. link to a bug > Source/JavaScriptCore/jit/JITOperations.cpp:3152 > +void JIT_OPERATION operationDataLog(EncodedJSValue value) > +{ > + dataLogLn(JSValue::decode(value)); > +} why? Let's remove IMO

Yusuke Suzuki

Comment 5 2020-04-21 23:25:55 PDT

Comment on attachment 397170 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=397170&action=review >> Source/JavaScriptCore/ChangeLog:12 >> + And we found that FTL BigInt32 predicate is not correctly checking state. This patch fixes it too. > > You should say what the test for this was. A JSValue number might have any lower bits set. Yes, I'm hitting this bug with JSTests/stress/v8-bigint32-sar.js's CompareStrictEq. >> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:546 >> + // FIXME: We should have inlined implementation that always returns BigInt32. > > link to a bug Fixed. >> Source/JavaScriptCore/jit/JITOperations.cpp:3152 >> +} > > why? Let's remove IMO Removed.

Yusuke Suzuki

Comment 6 2020-04-21 23:36:52 PDT

Created attachment 397172 [details] Patch for landing

Yusuke Suzuki

Comment 7 2020-04-22 08:40:15 PDT

Committed r260512: <https://trac.webkit.org/changeset/260512>

Radar WebKit Bug Importer

Comment 8 2020-04-22 08:41:16 PDT

<rdar://problem/62187118>

Yusuke Suzuki

Comment 9 2020-04-22 08:56:41 PDT

https://bugs.webkit.org/show_bug.cgi?id=210860

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Yusuke Suzuki

Reported

2020-04-21 19:16 PDT

Modified

2020-04-22 08:56 PDT History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks