[Webkit-unassigned] [Bug 119117] Fix the wrong refining ArrayMode

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Jul 26 11:42:46 PDT 2013


https://bugs.webkit.org/show_bug.cgi?id=119117
--- Comment #16 from Filip Pizlo <fpizlo at apple.com>  2013-07-26 11:42:34 PST ---
(From update of attachment 207514)
View in context: https://bugs.webkit.org/attachment.cgi?id=207514&action=review

> Source/JavaScriptCore/ChangeLog:11
> +        If type() is Array::Unprofiled, refine func should return ArrayMode(Array::ForceExit)
> +        If refine func return ArrayMode(Array::Generic) in upper condition, it will crash.
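Review bot: the second added line asserts that returning ArrayMode(Array::Generic) "will crash" but gives no test case, crash site or explanation of why Generic is unsafe here, so the rationale for forcing an exit cannot be checked from the changelog. Suggest naming the failing test and the observed failure, and stating why a generic access is wrong for the Unprofiled case rather than just that it crashes.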

It's incorrect to return ForceExit for Unprofiled.  The array profile may report Unprofiled if the base was not a cell, and in some cases if the index is not an integer.  That doesn't mean that the DFG should always exit.

Also, your changelog comment saying that if you return Generic it will crash reveals that you haven't really thought this through.  Why does it crash?  What is the test case?  I don't believe that randomly inserting crap into our code base because it averts a crash is the kind of development strategy we want to pursue.

> Source/JavaScriptCore/dfg/DFGArrayMode.cpp:130
> -    if (!base || !index) {
> +    if (!base || !index || type() == Array::Unprofiled) {
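Review bot: folding `type() == Array::Unprofiled` into the `!base || !index` branch treats "the profile recorded nothing" as equivalent to "an operand is missing", which is a logic problem because an Unprofiled mode can arise from a non-cell base, where a generic access is the intended outcome rather than an exit. Suggest leaving `if (!base || !index)` unchanged and handling Unprofiled in its own branch with a comment explaining which profile situations it covers.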

type() == Array::Unprofiled means that the array profile didn't have any information.  But the array profile will not have any information if the array access had a weird base.  In that case, we do want the access to go generic.
