Bug 210839

Summary: [JSC] AI results of BigInt32 Bitwise shift operation does not match to runtime results
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
saam: review+
Patch for landing none

Description Yusuke Suzuki 2020-04-21 19:16:30 PDT 
...
Comment 1 Yusuke Suzuki 2020-04-21 22:18:03 PDT 
AI says it is BigInt32, but at runtime, we are returning HeapBigInt!
Comment 2 Yusuke Suzuki 2020-04-21 22:52:48 PDT 
Created attachment 397169 [details]
Patch
Comment 3 Yusuke Suzuki 2020-04-21 23:16:09 PDT 
Created attachment 397170 [details]
Patch
Comment 4 Saam Barati 2020-04-21 23:21:19 PDT 
Comment on attachment 397170 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=397170&action=review

> Source/JavaScriptCore/ChangeLog:12
> +        And we found that FTL BigInt32 predicate is not correctly checking state. This patch fixes it too.

You should say what the test for this was. A JSValue number might have any lower bits set.

> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:546
> +            // FIXME: We should have inlined implementation that always returns BigInt32.

link to a bug

> Source/JavaScriptCore/jit/JITOperations.cpp:3152
> +void JIT_OPERATION operationDataLog(EncodedJSValue value)
> +{
> +    dataLogLn(JSValue::decode(value));
> +}

why? Let's remove IMO
Comment 5 Yusuke Suzuki 2020-04-21 23:25:55 PDT 
Comment on attachment 397170 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=397170&action=review

>> Source/JavaScriptCore/ChangeLog:12
>> +        And we found that FTL BigInt32 predicate is not correctly checking state. This patch fixes it too.
> 
> You should say what the test for this was. A JSValue number might have any lower bits set.

Yes, I'm hitting this bug with JSTests/stress/v8-bigint32-sar.js's CompareStrictEq.

>> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:546
>> +            // FIXME: We should have inlined implementation that always returns BigInt32.
> 
> link to a bug

Fixed.

>> Source/JavaScriptCore/jit/JITOperations.cpp:3152
>> +}
> 
> why? Let's remove IMO

Removed.
Comment 6 Yusuke Suzuki 2020-04-21 23:36:52 PDT 
Created attachment 397172 [details]
Patch for landing
Comment 7 Yusuke Suzuki 2020-04-22 08:40:15 PDT 
Committed r260512: <https://trac.webkit.org/changeset/260512>
Comment 8 Radar WebKit Bug Importer 2020-04-22 08:41:16 PDT 
<rdar://problem/62187118>
Comment 9 Yusuke Suzuki 2020-04-22 08:56:41 PDT 
https://bugs.webkit.org/show_bug.cgi?id=210860