[Webkit-unassigned] [Bug 119117] Fix the wrong refining ArrayMode

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jul 29 01:27:35 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=119117
--- Comment #17 from Youngho Yoo <youngho33.yoo at lge.com>  2013-07-29 01:27:21 PST ---
(In reply to comment #16)
> (From update of attachment 207514 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=207514&action=review
> > Source/JavaScriptCore/ChangeLog:11
> > +        If type() is Array::Unprofiled, refine func should return ArrayMode(Array::ForceExit)
> > +        If refine func return ArrayMode(Array::Generic) in upper condition, it will crash.
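Review bot: The ChangeLog entry asserts that returning ArrayMode(Array::Generic) "will crash" without naming a test or explaining the mechanism, so the claim cannot be checked from the patch. A ChangeLog line like this should state which regression test reproduces the crash and why the Generic path fails for an Unprofiled access; otherwise the reader has no way to tell a real bug fix from a change that merely avoids a symptom.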
> It's incorrect to return ForceExit for Unprofiled.  The array profile may report Unprofiled if the base was not a cell, and in some cases if the index is not an integer.  That doesn't mean that the DFG should always exit.
> Also, your changelog comment saying that if you return Generic it will crash reveals that you haven't really thought this through.  Why does it crash?  What is the test case?  I don't believe that randomly inserting crap into our code base because it averts a crash is the kind of development strategy we want to pursue.
> > Source/JavaScriptCore/dfg/DFGArrayMode.cpp:130
> > -    if (!base || !index) {
> > +    if (!base || !index || type() == Array::Unprofiled) {
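Review bot: The new condition folds `type() == Array::Unprofiled` into the early return that handles a missing `base` or `index`, which are different situations: the operands may be present and valid while the profile simply recorded nothing. Merging them into one `if` hides which case is being handled and makes the early-return branch do double duty. If Unprofiled needs special treatment, give it its own branch with a comment stating the reason, and add a regression test that exercises an Unprofiled access so the behaviour change is covered.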
> type() == Array::Unprofiled means that the array profile didn't have any information.  But the array profile will not have any information if the array access had a weird base.  In that case, we do want the access to go generic.

OK, I will find the test case for this and I will look into things in more detail.
