Bug 142862 - ES6 Classes: Runtime error in JIT'd class calling super() with arguments and superclass has default constructor
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Ryosuke Niwa
Keywords: InRadar
Blocks: 140491
Reported: 2015-03-19 00:10 PDT by Joseph Pecoraro
Modified: 2015-03-27 20:10 PDT

Attachments
[TEST] Reduction (271 bytes, text/html)
2015-03-19 00:11 PDT, Joseph Pecoraro
Adds a test (1.37 KB, patch)
2015-03-27 19:39 PDT, Ryosuke Niwa
Removed the workaround in Web Inspector (4.93 KB, patch)
2015-03-27 19:42 PDT, Ryosuke Niwa
benjamin: review+

Description Joseph Pecoraro 2015-03-19 00:10:49 PDT
* SUMMARY
Runtime error in JIT'd class calling super() with arguments and superclass has default constructor. Doesn't happen if just called a few times.

* TEST
<script>
var A = class A { };
var B = class B extends A { };
var C = class C extends B { constructor() { super(); } };

(function() {
    var x;
    for (var i = 0; i < 1e5; ++i)
        x = new C(false); // NOTE: argument is important
    console.log(x);
})();
</script>

* ACTUAL
[Error] TypeError: undefined is not a constructor (evaluating 'super(...arguments)')

* EXPECTED
=> no exceptions.

* NOTES
- after adding a "constructor() { super(); }" to class B, this works.
- if the inspector is open this works, so the inspector likely prevents reaching a certain JIT tier
Comment 1 Joseph Pecoraro 2015-03-19 00:11:28 PDT
Created attachment 249021 [details]
[TEST] Reduction

Inspect the test page. If you see an error, something incorrect happened!
Comment 2 Joseph Pecoraro 2015-03-19 00:15:31 PDT
(In reply to comment #1)
> Created attachment 249021 [details]
> [TEST] Reduction
> 
> Inspect the test page. If you see an error, something incorrect happened!

Of course this means to reproduce the error you have to close the inspector, reload the page, then open the inspector.
Comment 3 Ryosuke Niwa 2015-03-19 00:45:15 PDT
(In reply to comment #2)
> (In reply to comment #1)
> > Created attachment 249021 [details]
> > [TEST] Reduction
> > 
> > Inspect the test page. If you see an error, something incorrect happened!
> 
> Of course this means to reproduce the error you have to close the inspector,
> reload the page, then open the inspector.

It looks like this is a bug in DFG. Disabling DFG JIT also fixes the bug.
Comment 4 Ryosuke Niwa 2015-03-19 15:39:20 PDT
var A = class A { };
var B = class B extends A { constructor() { super(...arguments); } };
var C = class C extends B { constructor() { super(); } };

will also fail but forcing B to be not inlined will fix the bug so it looks like we're not inlining B in DFG correctly.
Comment 5 Radar WebKit Bug Importer 2015-03-19 15:39:37 PDT
<rdar://problem/20231235>
Comment 6 Ryosuke Niwa 2015-03-27 19:35:17 PDT
Looks like this has been fixed by Phil's mega patch for arguments.
Comment 7 Ryosuke Niwa 2015-03-27 19:39:18 PDT
Created attachment 249639 [details]
Adds a test
Comment 8 Ryosuke Niwa 2015-03-27 19:42:19 PDT
Created attachment 249641 [details]
Removed the workaround in Web Inspector
Comment 9 Ryosuke Niwa 2015-03-27 20:00:53 PDT
Will land the patch with one more test per Ben's in-person comment.
Comment 10 Ryosuke Niwa 2015-03-27 20:10:03 PDT
Committed r182100: <http://trac.webkit.org/changeset/182100>
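
The reduction from the description, generalized into a regression check (an added example, not part of the bug thread and not WebKit's own test): it builds both hierarchies discussed above, constructs `C` with several argument counts for enough iterations to make the call site hot, and reports the first iteration at which construction throws or the prototype chain is wrong. The names `hierarchies`, `firstDivergence` and `runAll` and the sample argument lists are assumptions made for this example.

```javascript
// Added regression sketch; all names here are hypothetical, not WebKit test code.

// The two hierarchies from the report: B with the implicit default
// constructor, and B with an explicit constructor forwarding its arguments.
const hierarchies = {
    implicitDefault() {
        class A { }
        class B extends A { }
        class C extends B { constructor() { super(); } }
        return { A, B, C };
    },
    explicitForward() {
        class A { }
        class B extends A { constructor() { super(...arguments); } }
        class C extends B { constructor() { super(); } }
        return { A, B, C };
    },
};

// Construct C repeatedly so the call site gets hot enough to be optimized,
// and return the first iteration (if any) where behaviour changes.
function firstDivergence(build, args, iterations) {
    const { A, B, C } = build();
    for (let i = 0; i < iterations; ++i) {
        let x;
        try {
            x = new C(...args);
        } catch (e) {
            return { iteration: i, error: String(e) };
        }
        if (!(x instanceof A && x instanceof B && Object.getPrototypeOf(x) === C.prototype))
            return { iteration: i, error: "wrong prototype chain" };
    }
    return null; // behaviour was identical on every iteration
}

function runAll(iterations = 1e5) {
    const failures = [];
    const argLists = [[], [false], [1, "two", {}]]; // constructed sample inputs
    for (const [name, build] of Object.entries(hierarchies))
        for (const args of argLists) {
            const d = firstDivergence(build, args, iterations);
            if (d) failures.push({ name, argc: args.length, ...d });
        }
    return failures; // empty array on an engine without the bug
}

console.log(runAll());
```

A non-zero `iteration` in a failure entry means the first calls succeeded and a later one did not, which is the pattern the report describes ("Doesn't happen if just called a few times").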