RESOLVED FIXED 214721
[JSC] DFG::AbstractValue::filterByValue should re-filter configured m_value via m_type 
https://bugs.webkit.org/show_bug.cgi?id=214721
Summary [JSC] DFG::AbstractValue::filterByValue should re-filter configured m_value v...
Yusuke Suzuki
Reported 2020-07-23 20:51:45 PDT
[JSC] DFG::AbstractValue::filterByValue should re-filter configured m_value via m_type
Attachments
Patch (8.93 KB, patch)
2020-07-23 20:58 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (9.72 KB, patch)
2020-07-23 21:02 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (9.76 KB, patch)
2020-07-23 21:55 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (9.57 KB, patch)
2020-07-23 21:57 PDT, Yusuke Suzuki 		mark.lam: review+
DetailsFormatted DiffDiff
Patch for landing (8.78 KB, patch)
2020-07-24 08:34 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2020-07-23 20:58:27 PDT
Created attachment 405124 [details] Patch
Yusuke Suzuki
Comment 2 2020-07-23 20:58:29 PDT
<rdar://problem/65882837>
Yusuke Suzuki
Comment 3 2020-07-23 21:02:21 PDT
Created attachment 405126 [details] Patch
Yusuke Suzuki
Comment 4 2020-07-23 21:55:38 PDT
Created attachment 405127 [details] Patch
Yusuke Suzuki
Comment 5 2020-07-23 21:55:44 PDT
Fixed the typo.
Yusuke Suzuki
Comment 6 2020-07-23 21:57:28 PDT
Created attachment 405128 [details] Patch
Mark Lam
Comment 7 2020-07-23 22:32:51 PDT
Comment on attachment 405126 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405126&action=review > Source/JavaScriptCore/ChangeLog:12 > + 2. We have CheckIsConstant with StringPrototype (which is StringObjectOther | SpecStringObject in the current SpeculatedType). Please fix typo: StringObjectOther => SpecObjectOther. > Source/JavaScriptCore/bytecode/SpeculatedType.cpp:547 > + // We do not want to accept String.prototype in StringObjectUse, so that we do not include it as SpecStringObject. I suggest /so that we/so we/ because I think you mean to say "because of A, we do B" (A leads to B), not "we want A because we do B" (B leads to A). > Source/JavaScriptCore/dfg/DFGAbstractValue.cpp:327 > + // It is possible that SpeculatedType from value is broader than original m_type. The filter operation keeps m_type as is, > + // and as a result, SpeculatedType from m_value becomes broader than m_type. This breaks invariant. I suggest the this change: "The filter operation keeps m_type as is, and as a result, SpeculatedType from m_value becomes broader than m_type. This breaks invariant" => "The filter operation can only keep m_type as is or make it narrower. As a result, the SpeculatedType from m_value can become broader than m_type. This breaks an invariant." Can you also apply this comment below.
Mark Lam
Comment 8 2020-07-23 22:34:07 PDT
Comment on attachment 405128 [details] Patch r=me
Yusuke Suzuki
Comment 9 2020-07-23 23:04:24 PDT
Comment on attachment 405126 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405126&action=review Thanks!! >> Source/JavaScriptCore/ChangeLog:12 >> + 2. We have CheckIsConstant with StringPrototype (which is StringObjectOther | SpecStringObject in the current SpeculatedType). > > Please fix typo: StringObjectOther => SpecObjectOther. Fixed. >> Source/JavaScriptCore/bytecode/SpeculatedType.cpp:547 >> + // We do not want to accept String.prototype in StringObjectUse, so that we do not include it as SpecStringObject. > > I suggest /so that we/so we/ because I think you mean to say "because of A, we do B" (A leads to B), not "we want A because we do B" (B leads to A). Fixed. >> Source/JavaScriptCore/dfg/DFGAbstractValue.cpp:327 >> + // and as a result, SpeculatedType from m_value becomes broader than m_type. This breaks invariant. > > I suggest the this change: "The filter operation keeps m_type as is, and as a result, SpeculatedType from m_value becomes broader than m_type. This breaks invariant" => "The filter operation can only keep m_type as is or make it narrower. As a result, the SpeculatedType from m_value can become broader than m_type. This breaks an invariant." > > Can you also apply this comment below. Fixed.
Yusuke Suzuki
Comment 10 2020-07-24 00:14:16 PDT
Looks like JSTests/stress/get-array-length-node-should-be-blessed-in-fixup.js failure is real. Looking.
Yusuke Suzuki
Comment 11 2020-07-24 00:31:06 PDT
iterator protocol is enabled for ArrayPrototype too. I don't think this is required.
Yusuke Suzuki
Comment 12 2020-07-24 08:29:50 PDT
Comment on attachment 405128 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=405128&action=review > Source/JavaScriptCore/bytecode/SpeculatedType.cpp:507 > > if (classInfo->isSubClassOf(JSFunction::info())) { > if (classInfo == JSBoundFunction::info()) I'll remove these changes in speculationFromClassInfoInheritance to make it conservative. This is required by AbstractValue::filterByClassInfo > Source/JavaScriptCore/bytecode/SpeculatedType.cpp:550 > + default: On the other hand, this is OK.
Yusuke Suzuki
Comment 13 2020-07-24 08:34:14 PDT
Created attachment 405143 [details] Patch for landing
EWS
Comment 14 2020-07-24 14:29:44 PDT
Committed r264857: <https://trac.webkit.org/changeset/264857> All reviewed patches have been landed. Closing bug and clearing flags on attachment 405143 [details].
Note You need to log in before you can comment on or make changes to this bug.