Bug 209777 - Delete IC incorrectly caches for proxies
Summary: Delete IC incorrectly caches for proxies
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Justin Michaud
URL:
Keywords: InRadar
Depends on:
Blocks: 209870
  Show dependency treegraph
 
Reported: 2020-03-30 14:49 PDT by Mark Lam
Modified: 2020-04-01 12:10 PDT (History)
9 users (show)

See Also:

Attachments
Patch (3.25 KB, patch)
2020-03-31 10:16 PDT, Justin Michaud 		no flags Details | Formatted Diff | Diff
Patch (3.75 KB, patch)
2020-03-31 11:00 PDT, Justin Michaud 		no flags Details | Formatted Diff | Diff
Patch (3.73 KB, patch)
2020-03-31 11:20 PDT, Justin Michaud 		no flags Details | Formatted Diff | Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Lam 2020-03-30 14:49:20 PDT 
We're seeing a ASSERTION FAILED: m_cases[i - 1] < m_cases[I] due to DeleteIC.  Here's the test case:

    function foo() {
        let j = 0;
        while (j++ < 2)
            delete this.x;
        Object.defineProperty(this, "x", {});
    }

    for (let i = 0; i < 5; i++)
        foo();

Run with --jitPolicyScale=0 --useDFGJIT=0 --useConcurrentJIT=0.

The duplicate cases are:
DeleteMiss:(Committed, ident = 'uid:(x)', structure = 0x10c4faee0:[0xf4c5, JSProxy, {}, NonArray, Proto:0x106dfa368, Leaf])
DeleteNonConfigurable:(Committed, ident = 'uid:(x)', structure = 0x10c4faee0:[0xf4c5, JSProxy, {}, NonArray, Proto:0x106dfa368, Leaf])

<rdar://problem/61051902>
Comment 1 Justin Michaud 2020-03-31 10:16:38 PDT 
Created attachment 395061 [details]
Patch
Comment 2 Mark Lam 2020-03-31 10:21:42 PDT 
Comment on attachment 395061 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=395061&action=review

r=me

> JSTests/ChangeLog:8
> +        * stress/delete-property-ic-compatable.js: Added.

Can you also add variants of this test for the other proxy types?

> JSTests/stress/delete-property-ic-compatable.js:1
> +//@ requireOptions("--jitPolicyScale=0", "--useDFGJIT=0", "--useConcurrentJIT=0")

I think you can drop the "--useConcurrentJIT=0".  There will be a test configuration that handles that already.
Comment 3 Justin Michaud 2020-03-31 11:00:15 PDT 
Created attachment 395069 [details]
Patch
Comment 4 Mark Lam 2020-03-31 11:07:33 PDT 
Comment on attachment 395069 [details]
Patch

Please fix test name /compatable/compatible/.  Please also update the bug title in the ChangeLog since it has changed in bugzilla.  r=me
Comment 5 Justin Michaud 2020-03-31 11:20:30 PDT 
Created attachment 395074 [details]
Patch
Comment 6 Saam Barati 2020-03-31 15:12:04 PDT 
Comment on attachment 395074 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=395074&action=review

> Source/JavaScriptCore/ChangeLog:9
> +        Proxy's do not change their structure ID when properties are added, so we cannot cache deletes
> +        for them.

why can't we cache delete on their target though (I mean w.r.t proxy like window, not like Proxy object in ES6)?
Comment 7 Justin Michaud 2020-04-01 12:00:22 PDT 
(In reply to Saam Barati from comment #6)
> Comment on attachment 395074 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=395074&action=review
> 
> > Source/JavaScriptCore/ChangeLog:9
> > +        Proxy's do not change their structure ID when properties are added, so we cannot cache deletes
> > +        for them.
> 
> why can't we cache delete on their target though (I mean w.r.t proxy like
> window, not like Proxy object in ES6)?

Filed a bug and related it to this bug.
Comment 8 EWS 2020-04-01 12:10:25 PDT 
Committed r259357: <https://trac.webkit.org/changeset/259357>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 395074 [details].