Bug 186460

Summary: [DFG][FTL] Spread onto PhantomNewArrayBuffer assumes JSFixedArray, but JSImmutableButterfly is returned
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Reporter: Yusuke Suzuki <ysuzuki>
Assignee: Yusuke Suzuki <ysuzuki>
CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer, ysuzuki
Keywords: InRadar

Attachments:
- Patch (flags: saam: review+, ews-watchlist: commit-queue-)
- Archive of layout-test-results from ews202 for win-future (flags: none)

Description Yusuke Suzuki 2018-06-09 03:00:50 PDT
Spread for phantom nodes generates JSFixedArray. So previously, our PhantomNewArrayBuffer returned a fixed array stored in this node. But now it holds a JSImmutableButterfly, but the FTL lowering phase mixes JSFixedArray and JSImmutableButterfly.

I think we can generate JSImmutableButterfly instead of JSFixedArray in Spread.
Comment 1 Yusuke Suzuki 2018-06-15 04:00:55 PDT
Created attachment 342801 [details]
Patch
Comment 2 Saam Barati 2018-06-15 09:42:06 PDT
Comment on attachment 342801 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=342801&action=review

r=me

> Source/JavaScriptCore/ChangeLog:8
> +        Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
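
Review bot: The ChangeLog sentence on this line says the JSImmutableButterfly result "is wrong" without naming what the consumer of Spread expects. Say explicitly that Spread onto PhantomNewArrayBuffer is assumed to yield a JSFixedArray, as the bug summary does, so the entry records which two types were being mixed.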

Do we do the right thing when we exit for PhantomSpread(PhantomNewArrayBuffer)?

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5718
> +            ValueFromBlock slowFixedArray = m_out.anchor(vmCall(Int64, m_out.operation(operationCreateFixedArray), m_callFrame, m_out.constInt32(immutableButterfly->length())));

IntPtr

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5722
> +            LValue fixedArray = m_out.phi(Int64, fastFixedArray, slowFixedArray);

IntPtr
Comment 3 EWS Watchlist 2018-06-15 11:52:24 PDT
Comment on attachment 342801 [details]
Patch

Attachment 342801 [details] did not pass win-ews (win):
Output: http://webkit-queues.webkit.org/results/8200408

New failing tests:
http/tests/preload/onload_event.html
Comment 4 EWS Watchlist 2018-06-15 11:52:35 PDT
Created attachment 342834 [details]
Archive of layout-test-results from ews202 for win-future

The attached test failures were seen while running run-webkit-tests on the win-ews.
Bot: ews202  Port: win-future  Platform: CYGWIN_NT-6.1-2.9.0-0.318-5-3-x86_64-64bit
Comment 5 Yusuke Suzuki 2018-06-16 04:12:11 PDT
Comment on attachment 342801 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=342801&action=review

>> Source/JavaScriptCore/ChangeLog:8
>> +        Spread(PhantomNewArrayBuffer) returns JSImmutableButterfly. But it is wrong.
> 
> Do we do the right thing when we exit for PhantomSpread(PhantomNewArrayBuffer)?

Yeah, PhantomNewArrayBuffer generates an array from JSImmutableButterfly. And PhantomSpread generates JSFixedArray from JSArray.

>> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5718
>> +            ValueFromBlock slowFixedArray = m_out.anchor(vmCall(Int64, m_out.operation(operationCreateFixedArray), m_callFrame, m_out.constInt32(immutableButterfly->length())));
> 
> IntPtr

Fixed.

>> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:5722
>> +            LValue fixedArray = m_out.phi(Int64, fastFixedArray, slowFixedArray);
> 
> IntPtr

Fixed.
Comment 6 Yusuke Suzuki 2018-06-16 04:18:10 PDT
Committed r232902: <https://trac.webkit.org/changeset/232902>
Comment 7 Radar WebKit Bug Importer 2018-06-16 04:20:30 PDT
<rdar://problem/41186005>