<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_NEW "
title="NEW - EXITs when using spread operator with mixed type array"
href="https://bugs.webkit.org/show_bug.cgi?id=158438">158438</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>EXITs when using spread operator with mixed type array
</td>
</tr>
<tr>
<th>Classification</th>
<td>Unclassified
</td>
</tr>
<tr>
<th>Product</th>
<td>WebKit
</td>
</tr>
<tr>
<th>Version</th>
<td>WebKit Nightly Build
</td>
</tr>
<tr>
<th>Hardware</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>OS</th>
<td>Unspecified
</td>
</tr>
<tr>
<th>Status</th>
<td>NEW
</td>
</tr>
<tr>
<th>Severity</th>
<td>Normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>P2
</td>
</tr>
<tr>
<th>Component</th>
<td>JavaScriptCore
</td>
</tr>
<tr>
<th>Assignee</th>
<td>webkit-unassigned@lists.webkit.org
</td>
</tr>
<tr>
<th>Reporter</th>
<td>joepeck@webkit.org
</td>
</tr>
<tr>
<th>CC</th>
<td>fpizlo@apple.com, keith_miller@apple.com, mark.lam@apple.com, sbarati@apple.com
</td>
</tr></table>
<p>
<div>
<pre>Created <span class=""><a href="attachment.cgi?id=280637" name="attach_280637" title="[TEST] Test case">attachment 280637</a> <a href="attachment.cgi?id=280637&action=edit" title="[TEST] Test case">[details]</a></span>
[TEST] Test case
* SUMMARY
EXITs when using spread operator with mixed type array.
* TEST
(function() {
function myLog() {
var args = Array.from(arguments);
print(args.join(" "));
}
function myAssert(condition, ...args) {
"use strict";
if (!condition)
myLog(...args);
}
noInline(myLog);
noInline(myAssert);
for (var i = 0; i < 1e6; ++i)
myAssert((i % 1e4), "Expected Failure", i);
})();
* STEPS TO REPRODUCE
1. jsc test.js -p profile
=> Profile shows "Bad Type" errors when handling the spread operator
* PROFILE
Lots more Baseline/DFG runs then expected due to exists.
<span class="quote">> l myAssert</span >
Compilation myAssert#CCcDJe-1-Baseline:
Total count: 240941 Max count: 20064
Compilation myAssert#CCcDJe-2-DFG:
Total count: 701430 Max count: 58445
EXIT: at bc#190 due to BadType, 5 times
Compilation myAssert#CCcDJe-3-FTL:
Total count: 11061788 Max count: 921463
Exits are when spreading the array via inlined array iterator code
<span class="quote">> b myAssert</span >
...
[ 169] get_by_id loc17, loc16, done(@id4) predicting None
[ 178] jtrue loc17, 50(->228)
[ 181] get_by_id loc16, loc16, value(@id5) predicting None
[ 190] jmp -104(->86)
!!!!! EXIT: in myAssert#CCcDJe-2-DFG due to BadType, 5 times
...
Looks like it was predicting Boolint32, but the spreaded array (the rest param) should always have [String ("Expected Failure"), int32 (i)]. So that prediction seems unexpected.
<span class="quote">> d myAssert</span >
...
9/5/184/0 185:< 3:loc14> GetByOffset(KnownCell:@182, KnownCell:@182, JS|UseAsOther, Boolint32, id5{value}, 1, inferredType = Top, R:NamedProperties(5), Exits, bc#181) predicting Boolint32
9/5/184/0 0x3baa19e02d1a: mov 0x18(%rax), %rsi
9/5/184/0 186:<!0:-> MovHint(Untyped:@185, MustGen, loc16, W:SideState, ClobbersExit, bc#181)
9/5/184/0 187:<!0:-> Check(Check:Int32:@185, MustGen, Exits, bc#181, exit: bc#190)
9/5/184/0 0x3baa19e02d1e: cmp %r14, %rsi
9/5/184/0 0x3baa19e02d21: jb 0x3baa19e0335f
!!!!! EXIT: due to BadType, 5 times
...</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>