[Webkit-unassigned] [Bug 158438] New: EXITs when using spread operator with mixed type array
bugzilla-daemon at webkit.org
Mon Jun 6 15:31:29 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=158438
Bug ID: 158438
Summary: EXITs when using spread operator with mixed type array
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: joepeck at webkit.org
CC: fpizlo at apple.com, keith_miller at apple.com,
mark.lam at apple.com, sbarati at apple.com
Created attachment 280637
--> https://bugs.webkit.org/attachment.cgi?id=280637&action=review
[TEST] Test case
* SUMMARY
EXITs when using spread operator with mixed type array.
* TEST
(function() {
    function myLog() {
        var args = Array.from(arguments);
        print(args.join(" "));
    }
    function myAssert(condition, ...args) {
        "use strict";
        if (!condition)
            myLog(...args);
    }
    noInline(myLog);
    noInline(myAssert);
    for (var i = 0; i < 1e6; ++i)
        myAssert((i % 1e4), "Expected Failure", i);
})();
* STEPS TO REPRODUCE
1. jsc test.js -p profile
=> Profile shows "Bad Type" errors when handling the spread operator
* PROFILE
Lots more Baseline/DFG runs than expected due to exits.
> l myAssert
Compilation myAssert#CCcDJe-1-Baseline:
Total count: 240941 Max count: 20064
Compilation myAssert#CCcDJe-2-DFG:
Total count: 701430 Max count: 58445
EXIT: at bc#190 due to BadType, 5 times
Compilation myAssert#CCcDJe-3-FTL:
Total count: 11061788 Max count: 921463
Exits are when spreading the array via inlined array iterator code
> b myAssert
...
[ 169] get_by_id loc17, loc16, done(@id4) predicting None
[ 178] jtrue loc17, 50(->228)
[ 181] get_by_id loc16, loc16, value(@id5) predicting None
[ 190] jmp -104(->86)
!!!!! EXIT: in myAssert#CCcDJe-2-DFG due to BadType, 5 times
...
Looks like it was predicting Boolint32, but the spread array (the rest param) should always have [String ("Expected Failure"), int32 (i)]. So that prediction seems unexpected.
> d myAssert
...
9/5/184/0 185:< 3:loc14> GetByOffset(KnownCell:@182, KnownCell:@182, JS|UseAsOther, Boolint32, id5{value}, 1, inferredType = Top, R:NamedProperties(5), Exits, bc#181) predicting Boolint32
9/5/184/0 0x3baa19e02d1a: mov 0x18(%rax), %rsi
9/5/184/0 186:<!0:-> MovHint(Untyped:@185, MustGen, loc16, W:SideState, ClobbersExit, bc#181)
9/5/184/0 187:<!0:-> Check(Check:Int32:@185, MustGen, Exits, bc#181, exit: bc#190)
9/5/184/0 0x3baa19e02d1e: cmp %r14, %rsi
9/5/184/0 0x3baa19e02d21: jb 0x3baa19e0335f
!!!!! EXIT: due to BadType, 5 times
...
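An added example, not part of the original report or of WebKit's tooling: a small parser for the "l myAssert" profiler listing quoted above that groups EXIT lines by compilation tier, bytecode offset and reason, so repeated speculation failures are easy to spot. The line patterns are inferred only from the excerpt in this report, and `parseProfile` and `exitSites` are hypothetical names.

```javascript
// Input copied from the "l myAssert" listing in this report.
const SAMPLE = `
Compilation myAssert#CCcDJe-1-Baseline:
Total count: 240941 Max count: 20064
Compilation myAssert#CCcDJe-2-DFG:
Total count: 701430 Max count: 58445
EXIT: at bc#190 due to BadType, 5 times
Compilation myAssert#CCcDJe-3-FTL:
Total count: 11061788 Max count: 921463
`;

// Parse the listing into one record per compilation (assumed line shapes).
function parseProfile(text) {
  const compilations = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    let m;
    if ((m = /^Compilation (\S+)#(\w+)-(\d+)-(\w+):$/.exec(line))) {
      current = { name: m[1], hash: m[2], index: Number(m[3]), tier: m[4],
                  totalCount: 0, maxCount: 0, exits: [] };
      compilations.push(current);
    } else if (current && (m = /^Total count: (\d+)\s+Max count: (\d+)$/.exec(line))) {
      current.totalCount = Number(m[1]);
      current.maxCount = Number(m[2]);
    } else if (current && (m = /^EXIT: at bc#(\d+) due to (\w+), (\d+) times?$/.exec(line))) {
      current.exits.push({ bytecodeOffset: Number(m[1]), reason: m[2], times: Number(m[3]) });
    }
  }
  return compilations;
}

// Group exits by function, tier, bytecode offset and reason; most frequent first.
function exitSites(compilations) {
  const sites = new Map();
  for (const c of compilations) {
    for (const e of c.exits) {
      const key = `${c.name}@${c.tier} bc#${e.bytecodeOffset} ${e.reason}`;
      sites.set(key, (sites.get(key) || 0) + e.times);
    }
  }
  return [...sites.entries()].sort((a, b) => b[1] - a[1]);
}

for (const [site, n] of exitSites(parseProfile(SAMPLE))) console.log(`${n}x ${site}`);
```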