Bug 215894

Summary: GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, fpizlo, ggaren, gskachkov, guijemont, jsc32, keith_miller, mark.lam, msaboff, rmorisset, ross.kirsling, ticaiolima, tzagallo, webkit-bug-importer, ysuzuki, zhunkibatu
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch
msaboff: review+
patch for landing none

Description Saam Barati 2020-08-27 10:42:07 PDT 
...
Comment 1 Saam Barati 2020-08-27 10:43:16 PDT 
<rdar://problem/67669696>
Comment 2 Saam Barati 2020-08-27 10:52:15 PDT 
Created attachment 407418 [details]
patch
Comment 3 Michael Saboff 2020-08-27 10:54:33 PDT 
Comment on attachment 407418 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407418&action=review

r=me

> Source/JavaScriptCore/ChangeLog:10
> +        BytecodeUsesAsOther return PNaN for holds and OOB accesses, not jsUndefined().

Did you mean *holes*?
Comment 4 Keith Miller 2020-08-27 10:56:55 PDT 
Comment on attachment 407418 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407418&action=review

r=me.

> Source/JavaScriptCore/ChangeLog:10
> +        BytecodeUsesAsOther return PNaN for holds and OOB accesses, not jsUndefined().

typo: holds => holes.

> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2241
> +                            if (node->arrayMode().type() == Array::Double && node->arrayMode().isOutOfBoundsSaneChain() && !(node->flags() & NodeBytecodeUsesAsOther))

Seems like we could have an inline function for !(node->flags() & NodeBytecodeUsesAsOther) that's more meaningful than that expression... But we can do that another day.
Comment 5 Saam Barati 2020-08-27 11:06:49 PDT 
Comment on attachment 407418 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=407418&action=review

>> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:2241
>> +                            if (node->arrayMode().type() == Array::Double && node->arrayMode().isOutOfBoundsSaneChain() && !(node->flags() & NodeBytecodeUsesAsOther))
> 
> Seems like we could have an inline function for !(node->flags() & NodeBytecodeUsesAsOther) that's more meaningful than that expression... But we can do that another day.

Agreed, and also agree let's save it for another day. Probably want a name like:
resultDistinguishesNaNFromUndefined
Comment 6 Saam Barati 2020-08-27 11:09:53 PDT 
Created attachment 407419 [details]
patch for landing
Comment 7 Saam Barati 2020-08-27 11:15:04 PDT 
*** Bug 215841 has been marked as a duplicate of this bug. ***
Comment 8 EWS 2020-08-27 14:16:06 PDT 
Committed r266254: <https://trac.webkit.org/changeset/266254>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 407419 [details].