[Webkit-unassigned] [Bug 176217] New: [DFG] GetArrayLength array checking is too restrictive

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 1 02:43:52 PDT 2017


            Bug ID: 176217
           Summary: [DFG] GetArrayLength array checking is too restrictive
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: utatane.tea at gmail.com

Before converting GetById to GetArrayLength, we emit array checks.
However, this array check is designed for GetByVal / PutByVal.
While it restricts the array type to one specific type (like DoubleArray) or converts it to a more generic one (like ContiguousArray),
the GetArrayLength operation itself is generic across several array types. For example, DoubleArray and ContiguousArray should retrieve the array length the same way.

However, a problem exists. Consider the case where we see Int32Arrays, and eventually see DoubleArrays at the same sites (for example, when we find uint32_t values!).
In that case, the array check fails, and an OSR exit occurs. After that, we compile it again in the DFG. But at that time, we give up converting GetById(length) => GetArrayLength
because we have the m_graph.hasExitSite(..., BadCache) guard. So it will be compiled to GetById(length), which is really bad.

I think these guards are very strange. GetByVal / PutByVal do not have such guards. The array mode should have appropriate array profiles, so checkArray should emit the appropriate array type checks / conversions. I think this guard is too conservative.
One concern is that checkArray sometimes attempts to convert arrays to one type, like DoubleArray to ContiguousArray.
This is essentially unnecessary: the GetArrayLength operation is very generic, so it can accidentally convert arrays to very generic ones even though we just look up "length".
But I think the arrays will be used soon after getting the "length" property anyway, so this conversion happens regardless. So I do not think this becomes a problem in practice.
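Added reproduction sketch (not from the bug report or the WebKit tree): a single `.length` site first warms up on arrays whose elements all fit int32, then sees arrays holding uint32_t-range values, which JavaScriptCore stores as doubles. It only exercises the pattern the report describes; JavaScript cannot observe the OSR exit or the GetById fallback directly, and the function and array names are my own.

```javascript
// Added example, not part of the bug report. Reproduces the access pattern
// described above: one .length site sees Int32-storage arrays first, then
// arrays whose elements are uint32_t values and therefore live in Double storage.

// The call site whose GetById("length") the DFG may convert to GetArrayLength.
function sumLengths(arrays) {
  let total = 0;
  for (const a of arrays) total += a.length; // single .length site
  return total;
}

// Whether a value fits an int32 element slot (JavaScriptCore's Int32 indexing type).
function fitsInt32(v) {
  return Number.isInteger(v) && v >= -0x80000000 && v <= 0x7fffffff;
}

// Plain JS arrays whose elements all fit int32 ("Int32Array" in the DFG's
// indexing-type sense, not the typed array of the same name).
function makeInt32Arrays(count, size) {
  const out = [];
  for (let i = 0; i < count; i++) {
    const a = [];
    for (let j = 0; j < size; j++) a.push(j);
    out.push(a);
  }
  return out;
}

// Arrays holding values >= 2^31: still integers to JavaScript, but they do not
// fit an int32 slot, so the engine switches the storage to doubles.
function makeUint32Arrays(count, size) {
  const out = [];
  for (let i = 0; i < count; i++) {
    const a = [];
    for (let j = 0; j < size; j++) a.push(0x80000000 + j);
    out.push(a);
  }
  return out;
}

// Warm the site on Int32 arrays (constructed sample input), then hit the same
// site with Double arrays. Returns the summed lengths so the run is checkable.
function reproduce() {
  const warm = makeInt32Arrays(1000, 8);
  let total = 0;
  for (let i = 0; i < 100; i++) total += sumLengths(warm); // tiers up on Int32
  const cold = makeUint32Arrays(1000, 8);                  // same site, Double arrays
  total += sumLengths(cold);
  return total;
}
```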
