Bug 215894 - GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Saam Barati
Keywords: InRadar
Duplicates: 215841
Reported: 2020-08-27 10:42 PDT by Saam Barati
Modified: 2020-08-27 14:16 PDT

Attachments
patch (3.51 KB, patch)
2020-08-27 10:52 PDT, Saam Barati
msaboff: review+
patch for landing (3.53 KB, patch)
2020-08-27 11:09 PDT, Saam Barati
no flags

Description Saam Barati 2020-08-27 10:42:07 PDT
...
Comment 1 Saam Barati 2020-08-27 10:43:16 PDT
<rdar://problem/67669696>
Comment 2 Saam Barati 2020-08-27 10:52:15 PDT
Created attachment 407418
patch
Comment 3 Michael Saboff 2020-08-27 10:54:33 PDT
Comment on attachment 407418
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407418&action=review

r=me

> Source/JavaScriptCore/ChangeLog:10
> +        BytecodeUsesAsOther return PNaN for holds and OOB accesses, not jsUndefined().

Did you mean *holes*?
Comment 4 Keith Miller 2020-08-27 10:56:55 PDT
Comment on attachment 407418
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407418&action=review

r=me.

> Source/JavaScriptCore/ChangeLog:10
> +        BytecodeUsesAsOther return PNaN for holds and OOB accesses, not jsUndefined().

typo: holds => holes.

> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2241
> +                            if (node->arrayMode().type() == Array::Double && node->arrayMode().isOutOfBoundsSaneChain() && !(node->flags() & NodeBytecodeUsesAsOther))
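
Review bot: at DFGAbstractInterpreterInlines.h:2241 the fold to PNaN depends on all three conjuncts holding (Array::Double, isOutOfBoundsSaneChain(), and NodeBytecodeUsesAsOther clear), so the accompanying test should cover each side of the condition: a hole and an out-of-bounds index on a Double array with the flag clear, and the same accesses with NodeBytecodeUsesAsOther set, which this condition leaves on the existing path. A one-line comment above the condition stating why the flag decides between PNaN and jsUndefined() would also help the next reader of this code.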

Seems like we could have an inline function for !(node->flags() & NodeBytecodeUsesAsOther) that's more meaningful than that expression... But we can do that another day.
Comment 5 Saam Barati 2020-08-27 11:06:49 PDT
Comment on attachment 407418
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407418&action=review

>> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2241
>> +                            if (node->arrayMode().type() == Array::Double && node->arrayMode().isOutOfBoundsSaneChain() && !(node->flags() & NodeBytecodeUsesAsOther))
> 
> Seems like we could have an inline function for !(node->flags() & NodeBytecodeUsesAsOther) that's more meaningful than that expression... But we can do that another day.

Agreed, and also agree let's save it for another day. Probably want a name like:
resultDistinguishesNaNFromUndefined
Comment 6 Saam Barati 2020-08-27 11:09:53 PDT
Created attachment 407419
patch for landing
Comment 7 Saam Barati 2020-08-27 11:15:04 PDT
*** Bug 215841 has been marked as a duplicate of this bug. ***
Comment 8 EWS 2020-08-27 14:16:06 PDT
Committed r266254: <https://trac.webkit.org/changeset/266254>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 407419.