215894 – GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined

RESOLVED FIXED 215894

GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined

https://bugs.webkit.org/show_bug.cgi?id=215894

Summary GetByVal constant folding over a Double OutOfBoundsSaneChain array with no By...

Saam Barati

Reported 2020-08-27 10:42:07 PDT

...

Attachments
patch (3.51 KB, patch) 2020-08-27 10:52 PDT, Saam Barati	msaboff: review+	Details Formatted Diff Diff
patch for landing (3.53 KB, patch) 2020-08-27 11:09 PDT, Saam Barati	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Saam Barati

Comment 1 2020-08-27 10:43:16 PDT

<rdar://problem/67669696>

Saam Barati

Comment 2 2020-08-27 10:52:15 PDT

Created attachment 407418 [details] patch

Michael Saboff

Comment 3 2020-08-27 10:54:33 PDT

Comment on attachment 407418 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=407418&action=review r=me > Source/JavaScriptCore/ChangeLog:10 > + BytecodeUsesAsOther return PNaN for holds and OOB accesses, not jsUndefined(). Did you mean *holes*?

Keith Miller

Comment 4 2020-08-27 10:56:55 PDT

Comment on attachment 407418 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=407418&action=review r=me. > Source/JavaScriptCore/ChangeLog:10 > + BytecodeUsesAsOther return PNaN for holds and OOB accesses, not jsUndefined(). typo: holds => holes. > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2241 > + if (node->arrayMode().type() == Array::Double && node->arrayMode().isOutOfBoundsSaneChain() && !(node->flags() & NodeBytecodeUsesAsOther)) Seems like we could have an inline function for !(node->flags() & NodeBytecodeUsesAsOther) that's more meaningful than that expression... But we can do that another day.

Saam Barati

Comment 5 2020-08-27 11:06:49 PDT

Comment on attachment 407418 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=407418&action=review >> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2241 >> + if (node->arrayMode().type() == Array::Double && node->arrayMode().isOutOfBoundsSaneChain() && !(node->flags() & NodeBytecodeUsesAsOther)) > > Seems like we could have an inline function for !(node->flags() & NodeBytecodeUsesAsOther) that's more meaningful than that expression... But we can do that another day. Agreed, and also agree let's save it for another day. Probably want a name like: resultDistinguishesNaNFromUndefined

Saam Barati

Comment 6 2020-08-27 11:09:53 PDT

Created attachment 407419 [details] patch for landing

Saam Barati

Comment 7 2020-08-27 11:15:04 PDT

*** Bug 215841 has been marked as a duplicate of this bug. ***

EWS

Comment 8 2020-08-27 14:16:06 PDT

Committed r266254: <https://trac.webkit.org/changeset/266254> All reviewed patches have been landed. Closing bug and clearing flags on attachment 407419 [details].

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Saam Barati

Reported

2020-08-27 10:42 PDT

Modified

2020-08-27 14:16 PDT History

CC List

16 users Show

URL

Keywords InRadar

Duplicates (1)

215841 View as bug list

Depends on

Blocks