Bug 263881 - BitURShift is eliminated when toString has an effect
Summary: BitURShift is eliminated when toString has an effect
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: PC Linux
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2023-10-30 05:10 PDT by EntryHi
Modified: 2023-11-06 04:11 PST
Description EntryHi 2023-10-30 05:10:16 PDT
==================test.js=====================
function f1(o, value) {
    // toString has a side effect: it stores the caller's value on o.
    function f2()
    {
        o.x = value
        return 2
    }
    let y = {}
    y.toString = f2
    // The result is discarded, but ToNumeric(y) must still call y.toString().
    y >>> 1;
}

// noInline and print are jsc shell builtins.
noInline(f1)
let obj = {}
for (let v25 = 0; v25 < 100; v25++) {
    f1(obj, v25);
}
print(obj.x)
==============================================

Run args: ./jsc -f test.js --useConcurrentJIT=0  --jitPolicyScale=0

obj.x should be 99, but JSC prints 1.

This bug may be related to DCE and DFGMovHintRemovalPhase. I noticed JSC added a new phase named DFGMovHintRemoval; is this phase too radical for the JavaScript semantics?
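As an added check that is not part of the bug report: the same pattern generalized to every bitwise operator, each applied to an object whose toString records its call (Object.prototype.valueOf returns the object itself, so ToPrimitive falls through to toString), with the result discarded, so an engine that drops the dead coercion shows up as a missing store. The function names, operator table and iteration count are my own choices.

```javascript
// Each bitwise operator coerces its object operand with ToNumeric, which
// must invoke toString even when the operator's result is never used.
// Labels are for reporting only; the bodies discard the result on purpose.
const OPS = {
  ">>>": (y) => { y >>> 1; },
  ">>":  (y) => { y >> 1; },
  "<<":  (y) => { y << 1; },
  "|":   (y) => { y | 0; },
  "&":   (y) => { y & 1; },
  "^":   (y) => { y ^ 1; },
  "~":   (y) => { ~y; },
};

// Mirrors the report's test case for one operator: a fresh object whose
// toString stores the current iteration on `o`, repeated `iterations` times.
// Returns { op: { calls, last } }; a correct engine yields
// calls === iterations and last === iterations - 1 for every operator.
function checkDeadCoercion(iterations = 100) {
  const results = {};
  for (const [name, op] of Object.entries(OPS)) {
    const o = { x: undefined, calls: 0 };
    const run = (value) => {
      const y = {};
      y.toString = function () { o.x = value; o.calls++; return 2; };
      op(y); // result unused: the situation in which the side effect was lost
    };
    for (let v = 0; v < iterations; v++) run(v);
    results[name] = { calls: o.calls, last: o.x };
  }
  return results;
}

// Lists the operators whose toString side effect was skipped at least once.
function findEliminated(iterations = 100) {
  const r = checkDeadCoercion(iterations);
  return Object.keys(r).filter(
    (k) => r[k].calls !== iterations || r[k].last !== iterations - 1);
}
```

Under a conforming engine `findEliminated()` returns an empty array; any operator it lists lost a side effect that the specification requires.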
Comment 1 Radar WebKit Bug Importer 2023-11-06 04:11:14 PST
<rdar://problem/117993267>