Conditional writes are incorrectly handled in Array allocation sinking

kmiller68 · kmiller68 · commit 934b1e28a87a · 2025-10-02T10:44:28.000-07:00
https://bugs.webkit.org/show_bug.cgi?id=299956 rdar://161681941 Reviewed by Yusuke Suzuki and Yijia Huang. The current bottom value in ObjectAllocationSinking is incorrect for arrays. Unlike with objects, which track conditional stores by passing the active structure through SSA, arrays can't do this. Instead we should set default value to the appropriate hole value for the given IndexingShape. To make this work I had to fix some Phi/Upsilon ResultFormat bugs since they previously assumed everything would be a JSValue. Also, add ASSERT to FTL lowering that the Phi/Upsilon formats match. I spent 1/2 a day trying to understand why I was getting zero, when the issue was those values disagreed and I was getting the default zero value. Tests: JSTests/stress/array-allocation-sink-conditional-write-osr.js JSTests/stress/array-sink-materialize-conditional-write-argument-value.js JSTests/stress/array-sink-materialize-conditional-write.js Canonical link: https://commits.webkit.org/300888@main
diff --git a/JSTests/stress/array-allocation-sink-conditional-write-osr.js b/JSTests/stress/array-allocation-sink-conditional-write-osr.js
@@ -0,0 +1,86 @@
+function test(write, escape) {
+    let arr = new Array(4);
+
+    arr[1] = 1.1;
+
+    if (escape) {
+        return arr;
+    }
+
+    if (write) {
+        arr[0] = 2;
+    }
+
+}
+noInline(test);
+
+function test2(write, escape) {
+    let arr = new Array(4);
+
+    arr[1] = 1;
+
+    if (escape) {
+        return arr;
+    }
+
+    if (write) {
+        arr[0] = 2;
+    }
+}
+noInline(test2);
+
+function test3(write, escape) {
+    let arr = new Array(4);
+
+    arr[1] = {};
+
+    if (escape) {
+        return arr;
+    }
+
+    if (write) {
+        arr[0] = 2;
+    }
+}
+noInline(test3);
+
+function test4(overwrite, escape) {
+    let arr = new Array(4);
+    if (escape) {
+        return arr;
+    }
+    arr[0] = 1.1;
+    if (overwrite) {
+        arr[0] = 3.14;
+    }
+}
+noInline(test4);
+
+// JIT warmup loop
+for(let i = 0; i < testLoopCount; i++) {
+    test(true, false);
+    test(false, false);
+    test2(true, false);
+    test2(false, false);
+    test3(true, false);
+    test3(false, false);
+    test4(true, false);
+    test4(false, false);
+}
+
+function check(functor) {
+    let noWrite = functor(true, true);
+    if (0 in noWrite)
+        throw new Error(noWrite);
+}
+
+check(test);
+check(test2);
+check(test3);
+
+if (0 in test4(true, true))
+    throw new Error();
+
+if (0 in test4(false, true))
+    throw new Error();
+
diff --git a/JSTests/stress/array-sink-materialize-conditional-write-argument-value.js b/JSTests/stress/array-sink-materialize-conditional-write-argument-value.js
@@ -0,0 +1,112 @@
+function test1(write, escape, value) {
+    let arr = new Array(4);
+
+    arr[1] = 1;
+
+    if (write) {
+        arr[0] = value + 3;
+    }
+
+    if (escape) {
+        return arr;
+    }
+}
+noInline(test1);
+
+function test2(write, escape, value) {
+    let arr = new Array(4);
+
+    arr[1] = 1.1;
+
+    if (write) {
+        arr[0] = value + 3;
+    }
+
+    if (escape) {
+        return arr;
+    }
+}
+noInline(test2);
+
+function test3(write, escape, value) {
+    let arr = new Array(4);
+
+    arr[1] = {};
+
+    if (write) {
+        arr[0] = value + 3;
+    }
+
+    if (escape) {
+        return arr;
+    }
+}
+noInline(test3);
+
+function test4(write, escape, value) {
+    let arr = new Array(4);
+
+    arr[1] = {};
+
+    if (write) {
+        arr[0] = {
+            value: value + 3,
+            valueOf() { return this.value; },
+        };
+    }
+
+    if (escape) {
+        return arr;
+    }
+}
+noInline(test4);
+
+function test5(write, escape, value) {
+    let arr = new Array(4);
+
+    arr[1] = {};
+
+    if (write) {
+        arr[0] = {
+            value: value + 3,
+            valueOf() { return this.value; },
+            // Add a reference cycle.
+            arr,
+        };
+    }
+
+    if (escape) {
+        return arr;
+    }
+}
+noInline(test5);
+
+// JIT warmup loop
+for(let i = 0; i < testLoopCount; i++) {
+    test1(true, false, 3);
+    test1(false, true, 3);
+    test2(true, false, 3);
+    test2(false, true, 3);
+    test3(true, false, 3);
+    test3(false, true, 3);
+    test4(true, false, 3);
+    test4(false, true, 3);
+    test5(true, false, 3);
+    test5(false, true, 3);
+}
+
+function check(functor, value) {
+    let write = functor(true, true, value);
+    if (write[0] != value + 3)
+        throw new Error(write);
+
+    let noWrite = functor(false, true, value);
+    if (0 in noWrite)
+        throw new Error(write);
+}
+
+check(test1, 3);
+check(test2, 3);
+check(test3, 3);
+check(test4, 3);
+check(test5, 3);
diff --git a/JSTests/stress/array-sink-materialize-conditional-write.js b/JSTests/stress/array-sink-materialize-conditional-write.js
@@ -0,0 +1,89 @@
+function test(write, escape) {
+    let arr = new Array(4);
+
+    arr[1] = 1.1;
+
+    if (write) {
+        arr[0] = 2;
+    }
+
+    if (escape) {
+        return arr;
+    }
+}
+noInline(test);
+
+function test2(write, escape) {
+    let arr = new Array(4);
+
+    arr[1] = 1;
+
+    if (write) {
+        arr[0] = 2;
+    }
+
+    if (escape) {
+        return arr;
+    }
+}
+noInline(test2);
+
+function test3(write, escape) {
+    let arr = new Array(4);
+
+    arr[1] = {};
+
+    if (write) {
+        arr[0] = 2;
+    }
+
+    if (escape) {
+        return arr;
+    }
+}
+noInline(test3);
+
+function test4(overwrite, escape) {
+    let arr = new Array(4);
+    arr[0] = 1.1;
+    if (overwrite) {
+        arr[0] = 3.14;
+    }
+    if (escape) {
+        return arr;
+    }
+}
+noInline(test4);
+
+// JIT warmup loop
+for(let i = 0; i < testLoopCount; i++) {
+    test(true, false);
+    test(false, true);
+    test2(true, false);
+    test2(false, true);
+    test3(true, false);
+    test3(false, true);
+    test4(true, false);
+    test4(false, true);
+}
+
+function check(functor) {
+    let write = functor(true, true);
+    if (write[0] !== 2)
+        throw new Error(write);
+
+    let noWrite = functor(false, true);
+    if (0 in noWrite)
+        throw new Error(noWrite);
+}
+
+check(test);
+check(test2);
+check(test3);
+
+if (test4(true, true)[0] !== 3.14)
+    throw new Error();
+
+if (test4(false, true)[0] !== 1.1)
+    throw new Error();
+
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -3723,15 +3723,16 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
     case MaterializeNewArrayWithButterfly: {
         SpeculatedType validTypes = [&]() {
             switch (node->indexingType()) {
-            case ALL_INT32_INDEXING_TYPES: return SpecInt32Only;
+            // We can get JSValue() (aka SpecEmpty) when the property hasn't been initialized yet and is still a hole.
+            case ALL_INT32_INDEXING_TYPES: return SpecInt32Only | SpecEmpty;
             case ALL_DOUBLE_INDEXING_TYPES: return SpecBytecodeNumber;
             case ALL_CONTIGUOUS_INDEXING_TYPES: return SpecBytecodeTop;
             default: break;
             }
             RELEASE_ASSERT_NOT_REACHED();
         }();
         for (unsigned i = 2; i < node->numChildren(); ++i)
-            RELEASE_ASSERT(isSubtypeSpeculation(forNode(m_graph.varArgChild(node, i)).m_type, validTypes));
+            DFG_ASSERT(m_graph, node, isSubtypeSpeculation(forNode(m_graph.varArgChild(node, i)).m_type, validTypes));
 
         [[fallthrough]];
     }
diff --git a/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp b/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
