Bug 258552 - iterator_next becomes undefined in baselineJIT after bailout from DFG
Summary: iterator_next becomes undefined in baselineJIT after bailout from DFG
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-06-27 02:28 PDT by ChristineWillice
Modified: 2023-07-04 02:28 PDT

See Also:
Description ChristineWillice 2023-06-27 02:28:02 PDT
I found a bug which may be related to bailout.

test.js:

```javascript
for (let v0 = 0; v0 < 100; v0++) {
    try {
      const v5 = new Int8Array(v0);
      function f6(a7, a8) {}
      let v13 = 0;
      do {
        v13++;
      } while (v13 < 6);
      let [, v17] = v5;          // array destructuring drives op_iterator_next; this is where the TypeError is raised
      const v18 = v5[v0];
      try {
        f6(Int8Array, Function, ...v5);
      } catch (e20) {}
      print(v0)
    } catch (e29) {print(e29)}  // expected output: 0 through 99, one per line
}
```
JSC commit id: 269f0e8b5e51910decd0f6d55a87bac7f5ec4eb8

Run args: ./jsc -f test.js --useConcurrentJIT=0 --jitPolicyScale=0 --useFTLJIT=0

JSC should print 0-99, but in baselineJIT after bailout, JSC throws TypeError: undefined is not a function (near '...[, v17]...').

I debugged JSC and located the problem in JITCall.cpp `JIT::emit_op_iterator_next`.

`JIT::emit_op_iterator_next` will invoke `compileOpCall<OpIteratorNext>(instruction, m_callLinkInfoIndex++)`, and in compileOpCall, JSC will get `callee` from Stack(VirtualRegister -14). I found `callee` is 0xa (undefined) after bailout from DFG.
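For readers unfamiliar with what `op_iterator_next` stands for: the line `let [, v17] = v5` is array destructuring, which the engine lowers to the iterator protocol (fetch `v5[Symbol.iterator]`, call it, then call the iterator's `next` once per pattern slot). The per-slot `next` call is the `op_iterator_next` bytecode, and its callee is the `next` function. The following is an added illustration, not code from the bug report or from JavaScriptCore, that writes that desugaring out by hand and shows that a missing `next` callee produces exactly the "undefined is not a function" TypeError described above; the function names and the sample inputs are constructed for the example.

```javascript
// Added example: hand-written equivalent of `let [, second] = iterable`.
// Mirrors the engine's steps: get the iterator, then call `next` per slot.
// IteratorClose on early exit is omitted; typed-array iterators have no
// `return` method, so it would be a no-op for the reporter's Int8Array case.
function destructureSecond(iterable) {
  const iterFn = iterable[Symbol.iterator];
  if (typeof iterFn !== "function") {
    throw new TypeError("object is not iterable");
  }
  const iterator = iterFn.call(iterable);
  // `next` is the callee that op_iterator_next loads; in the bug it came back
  // as undefined after the DFG-to-baseline bailout.
  const next = iterator.next;
  if (typeof next !== "function") {
    throw new TypeError("undefined is not a function");
  }
  const first = next.call(iterator);    // slot 0, elided by the `[, x]` pattern
  if (first.done) return undefined;      // short iterable: remaining slots are undefined
  const second = next.call(iterator);   // slot 1, the value bound to v17
  return second.done ? undefined : second.value;
}

// Constructed inputs: a typed array with enough elements, and one that is
// shorter than the pattern (the v0 = 0 and v0 = 1 iterations of the test loop).
function runOnTypedArray() {
  return destructureSecond(new Int8Array([5, 6, 7]));
}
function runOnShortArray() {
  return destructureSecond(new Int8Array(1));
}

// Constructed iterator whose `next` is missing: reproduces the same error
// class as the bug, but purely at the language level (no JIT involved).
function runOnBrokenIterator() {
  const broken = { [Symbol.iterator]() { return {}; } };
  try {
    destructureSecond(broken);
    return "no error";
  } catch (e) {
    return e instanceof TypeError ? e.message : "other";
  }
}

// Native destructuring on the same broken iterator also raises a TypeError.
function nativeOnBrokenIterator() {
  const broken = { [Symbol.iterator]() { return {}; } };
  try {
    let [, x] = broken;
    return "no error";
  } catch (e) {
    return e instanceof TypeError;
  }
}
```

Running this under a correct engine, `runOnTypedArray()` returns 6 and `runOnShortArray()` returns `undefined`, matching what the reporter's loop expects for every iteration; only the deliberately broken iterator raises the TypeError. In the bug, the callee goes missing inside the JIT tier rather than in the program, which is why a fully valid Int8Array still triggers it.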
Comment 1 Radar WebKit Bug Importer 2023-07-04 02:28:15 PDT
<rdar://problem/111731439>