Bug 230804 - The DFG/FTL need to be aware that Proxy's can produce "function" for typeof and might be callable
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Local Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Saam Barati
URL:
Keywords: InRadar
Duplicates: 231002
Depends on:
Blocks:
 
Reported: 2021-09-26 02:05 PDT by Lukas Bernhard
Modified: 2021-09-30 13:38 PDT (History)

See Also:


Attachments
patch (8.22 KB, patch) 2021-09-29 18:17 PDT, Saam Barati, no flags
patch (8.62 KB, patch) 2021-09-29 18:25 PDT, Saam Barati, no flags

Description Lukas Bernhard 2021-09-26 02:05:29 PDT
Differential testing identifies the following sample as triggering a miscomputation in FTL.
Tested on 29c8d02c3b11c096cc67d89e5cfe8c16be42b3b7 (Fri Sep 24 09:39:18 2021 +0000)

./Release/bin/jsc --validateOptions=true --useConcurrentJIT=false --useConcurrentGC=false --thresholdForJITSoon=10 --thresholdForJITAfterWarmUp=10 --thresholdForOptimizeAfterWarmUp=100 --thresholdForOptimizeAfterLongWarmUp=100 --thresholdForOptimizeSoon=100 --thresholdForFTLOptimizeAfterWarmUp=1000 --thresholdForFTLOptimizeSoon=1000 --validateBCE=true --useFTLJIT=true diff.js

function main() {
    let v162;
    // __proto__ with a non-object value is ignored in an object literal,
    // so v25 is just an empty handler: every operation falls through to the target.
    const v25 = {__proto__:"name"};

    for (let v113 = 0; v113 < 255; v113++) {
        // Proxy over the callable Object constructor: typeof v141 is "function"
        // and v141 is callable, because a proxy has [[Call]] exactly when its target does.
        const v141 = new Proxy(Object,v25);
        // "bind" is looked up through the proxy (Object -> Function.prototype.bind)
        // and invoked with |this| === the proxy.
        const v145 = v141["bind"]();
        // when running with FTL, the previous line raises a JS exception:
        // TypeError: |this| is not a function inside Function.prototype.bind
        // without FTL or in v8 this doesn't throw.
    }
}
main();
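As an added example (not code from the report or from the WebKit patch), the spec invariant the optimizing tiers have to respect, written as a self-check in plain JavaScript: typeof, Function.prototype.bind and a direct call must agree about a Proxy's callability, which is decided by its target alone, and they must agree identically on every iteration of a hot loop whichever tier is running. The function names and the sample targets are this example's own.

```javascript
// Added example, not code from the report or from WebKit. Checks the spec invariant the
// optimizing tiers must preserve: a Proxy has [[Call]] exactly when its target does, so
// typeof, Function.prototype.bind and a direct call must all agree on callability, and
// they must agree identically whether the interpreter or a JIT tier runs the code.

// Probe one proxy three independent ways. Targets are constructed so that a direct call
// does not throw on its own (no class constructors), otherwise viaCall is meaningless.
function describeProxy(target, handler = {}) {
  const proxy = new Proxy(target, handler);
  const viaTypeof = typeof proxy === "function";
  let viaBind = true; // Function.prototype.bind throws TypeError if |this| lacks [[Call]]
  try { Function.prototype.bind.call(proxy); } catch (e) { viaBind = false; }
  let viaCall = true; // Reflect.apply throws TypeError if the proxy is not callable
  try { Reflect.apply(proxy, undefined, []); } catch (e) { viaCall = false; }
  return { viaTypeof, viaBind, viaCall };
}

// Differential check in the spirit of the report: run the probe in a hot loop so an
// engine's JIT tiers get a chance to compile it, and compare every result with the
// first (cold) one. A disagreement means an optimizing tier reasons about the proxy
// differently from the baseline, which is the miscompilation class this bug is about.
function consistentAcrossTiers(target, handler = {}, iterations = 10000) {
  const first = describeProxy(target, handler);
  for (let i = 1; i < iterations; i++) {
    const r = describeProxy(target, handler);
    if (r.viaTypeof !== first.viaTypeof || r.viaBind !== first.viaBind ||
        r.viaCall !== first.viaCall) {
      return { consistent: false, iteration: i, first, later: r };
    }
  }
  return { consistent: true, ...first };
}

// Constructed cases: the report's callable target (Object), a plain object, and a plain
// object whose handler has an apply trap, which must NOT make the proxy callable because
// callability comes from the target, never from the handler.
function runSamples() {
  return {
    callableTarget: consistentAcrossTiers(Object),
    plainObject: consistentAcrossTiers({}),
    applyTrapOnPlainObject: consistentAcrossTiers({}, { apply() { return 1; } }),
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Run it under a build with the FTL thresholds from the report and under a plain interpreter run; the three probes must report the same booleans in both, and `consistent` must stay true.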
Comment 1 Radar WebKit Bug Importer 2021-09-26 02:05:40 PDT
<rdar://problem/83543951>
Comment 2 Saam Barati 2021-09-29 17:58:48 PDT
*** Bug 231002 has been marked as a duplicate of this bug. ***
Comment 3 Saam Barati 2021-09-29 18:17:57 PDT
Created attachment 439687 [details]
patch
Comment 4 Saam Barati 2021-09-29 18:25:38 PDT
Created attachment 439689 [details]
patch
Comment 5 Yusuke Suzuki 2021-09-29 21:36:31 PDT
Comment on attachment 439689 [details]
patch

r=me
Comment 6 EWS 2021-09-30 13:38:04 PDT
Committed r283332 (242353@main): <https://commits.webkit.org/242353@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 439689 [details].