Bug 263520 - AbstractInterpreter handles GetMyArgumentByVal incorrectly when callee is inlined
Summary: AbstractInterpreter handles GetMyArgumentByVal incorrectly when callee is inl...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: PC Linux
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2023-10-23 05:45 PDT by EntryHi
Modified: 2023-10-30 05:46 PDT

See Also:
Description EntryHi 2023-10-23 05:45:16 PDT
Hello, I found a bug related to Abstract Interpreter in JSC.

=================test.js================
function f0() {
    // Negative index into arguments: the result must always be undefined.
    const v6 = arguments[-6];
    print(v6);
}

// Warm-up loop so that f0 gets compiled by the DFG (see the run flags below).
for (let v11 = 0; v11 < 99; v11++) {
  f0(1);
  for (let v13 = 0; v13 < 100; v13++) {
    for (let v14 = 0; v14 < 101; v14++) {}
  }
}
=========================================

Run args: ./jsc -f test.js --useConcurrentJIT=0  --jitPolicyScale=0.1

JSC should print 99 "undefined", but it actually prints 2 "undefined" and 97 "1" (arguments[0]).

I found the problem is in DFGAbstractInterpreterInlines.h when AI handles the GetMyArgumentByVal node.
AI ignores the situation where the index is negative when the callee is inlined and computes a wrong result for GetMyArgumentByVal.
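A regression harness for the behaviour described above, added here as an example (it is not part of the bug report). It generalises the repro to several out-of-range indices, calls each tiny callee from a hot loop shaped like the one in test.js, and counts results that diverge from the first (interpreter-tier) result, so a tier-up miscompile shows up as a non-zero mismatch count. It assumes that these callees get inlined and DFG-compiled when run under jsc with the report's flags; on a correct engine every probe reports baseline undefined and zero mismatches.

```javascript
// Added regression harness (not the reporter's code). Assumption: a tiny
// callee reading arguments[<constant negative index>] from a hot loop gets
// inlined and compiled by the DFG, the path the report blames.
// Each probe mirrors f0 from test.js; the expected value is always undefined.
function argAtMinus6() { return arguments[-6]; }
function argAtMinus1() { return arguments[-1]; }
function argAtHugeNegative() { return arguments[-2147483648]; }
function argPastEnd() { return arguments[7]; }

const probes = { argAtMinus6, argAtMinus1, argAtHugeNegative, argPastEnd };

// Calls probe(1) `iterations` times and records every result that differs
// from the first (interpreter-tier) result, so a wrong value after tier-up is
// reported as a count rather than silently printed.
function checkProbe(probe, iterations) {
  const baseline = probe(1);
  let mismatches = 0;
  for (let i = 0; i < iterations; i++) {
    if (probe(1) !== baseline) mismatches++;
    // Inner loops follow the repro so the engine's tier-up heuristics fire.
    for (let j = 0; j < 100; j++) { for (let k = 0; k < 101; k++) {} }
  }
  return { baseline, mismatches };
}

// Runs every probe and returns { name: { baseline, mismatches } }.
function runChecks(iterations) {
  const results = {};
  for (const name of Object.keys(probes)) {
    results[name] = checkProbe(probes[name], iterations);
  }
  return results;
}

// True only if every probe saw undefined on every call.
function allConsistent(results) {
  return Object.values(results).every(
    (r) => r.baseline === undefined && r.mismatches === 0
  );
}

// Works under both jsc (print) and node (console.log).
const out = typeof print === 'function' ? print : console.log;
const checkResults = runChecks(99);
for (const name of Object.keys(checkResults)) {
  const r = checkResults[name];
  out(name + ': baseline=' + String(r.baseline) + ' mismatches=' + r.mismatches);
}
out('consistent: ' + allConsistent(checkResults));
```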
Comment 1 Radar WebKit Bug Importer 2023-10-30 05:46:12 PDT
<rdar://problem/117682102>