Bug 208764 - Remove bad assertion in FTLLowerDFGToB3's compileDelBy().
Summary: Remove bad assertion in FTLLowerDFGToB3's compileDelBy().
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Mark Lam
Keywords: InRadar
Reported: 2020-03-07 09:56 PST by Mark Lam
Modified: 2020-03-08 13:38 PDT

Attachments
proposed patch. (3.16 KB, patch)
2020-03-07 10:02 PST, Mark Lam
proposed patch. (3.15 KB, patch)
2020-03-07 10:08 PST, Mark Lam

Description Mark Lam 2020-03-07 09:56:32 PST
The assertion ASSERT(base.gpr() != params[2].gpr()) is wrong because it is legal JS to pass in the same value as the base and subscript.

<rdar://problem/59940095>
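
The case the description calls legal, written out as an added example (it is not the patch's test files or any WebKit code): a by-value delete where one value is both base and subscript, for a cell, a non-cell, and a value that cannot be a base at all. `deleteByVal` and `runAliasedCases` are hypothetical names and the sample objects are constructed.

```javascript
// Added illustration; deleteByVal and runAliasedCases are hypothetical names.

// A by-value delete takes base and subscript as two operands, and nothing in
// the language stops a caller from passing the same value for both.
function deleteByVal(base, subscript) {
    return delete base[subscript];
}

function runAliasedCases() {
    const results = {};

    // Same cell: the object is the base, and its string conversion is the key.
    const cell = { toString() { return "self"; }, self: 1, other: 2 };
    results.cellReturn = deleteByVal(cell, cell);
    results.cellKeysAfter = Object.keys(cell).join(",");

    // Same non-cell: the number is boxed for the lookup and stringified for
    // the key; no such property exists, so delete reports success.
    results.numberReturn = deleteByVal(42, 42);

    // Same non-cell that cannot be a base: the result must be a TypeError.
    try {
        deleteByVal(undefined, undefined);
        results.undefinedThrows = false;
    } catch (e) {
        results.undefinedThrows = e instanceof TypeError;
    }

    // Repeated calls, so that an optimizing JIT tier gets to compile the
    // aliased case. 20000 is the count mentioned in comment 2 of this thread.
    let deleted = 0;
    for (let i = 0; i < 20000; i++) {
        const o = { toString() { return "p"; }, p: i };
        if (deleteByVal(o, o) && !("p" in o))
            deleted++;
    }
    results.loopDeletes = deleted;
    return results;
}

console.log(runAliasedCases());
```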
Comment 1 Mark Lam 2020-03-07 10:02:44 PST
Created attachment 392864 [details]
proposed patch.
Comment 2 Mark Lam 2020-03-07 10:05:38 PST
Comment on attachment 392864 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=392864&action=review

> JSTests/stress/delete-by-val-with-base-and-subscript-using-same-cell.js:6
> +for (let i = 0; i < 1000000; i++)

I'll reduce this count to 20000 before landing.  That should be sufficient.

> JSTests/stress/delete-by-val-with-base-and-subscript-using-same-non-cell.js:6
> +for (let i = 0; i < 1000000; i++)

Ditto.
Comment 3 Mark Lam 2020-03-07 10:08:13 PST
Created attachment 392865 [details]
proposed patch.
Comment 4 Keith Miller 2020-03-07 12:33:17 PST
Comment on attachment 392865 [details]
proposed patch.

r=me
Comment 5 Mark Lam 2020-03-07 13:12:51 PST
Comment on attachment 392865 [details]
proposed patch.

Thanks for the review.
Comment 6 WebKit Commit Bot 2020-03-07 13:56:49 PST
Comment on attachment 392865 [details]
proposed patch.

Clearing flags on attachment: 392865

Committed r258078: <https://trac.webkit.org/changeset/258078>
Comment 7 WebKit Commit Bot 2020-03-07 13:56:51 PST
All reviewed patches have been landed.  Closing bug.
Comment 8 Saam Barati 2020-03-08 10:10:25 PDT
Comment on attachment 392865 [details]
proposed patch.

View in context: https://bugs.webkit.org/attachment.cgi?id=392865&action=review

> Source/JavaScriptCore/ChangeLog:10
> +        JS to pass in the same value as the base and subscript.  The runtime will handle

But does the inline cache handle it properly?
Comment 9 Mark Lam 2020-03-08 13:38:33 PDT
(In reply to Saam Barati from comment #8)
> Comment on attachment 392865 [details]
> proposed patch.
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=392865&action=review
> 
> > Source/JavaScriptCore/ChangeLog:10
> > +        JS to pass in the same value as the base and subscript.  The runtime will handle
> 
> But does the inline cache handle it properly?

Yes.  When I said “runtime”, I meant the inline cache as well.