[Webkit-unassigned] [Bug 186724] New: [DFG] DFG fixup checkArray typically considers only one Structure

[bugzilla-daemon at webkit.org]

https://bugs.webkit.org/show_bug.cgi?id=186724

            Bug ID: 186724
           Summary: [DFG] DFG fixup checkArray typically considers only
                    one Structure
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: utatane.tea at gmail.com

The simple example is below.

function test()
{
    var array = [0, 1, 2, 3];
    for (var i = 0; i < 4; ++i) {
        array[0] = array[0] + 1;
    }
    return array;
}
noInline(test);

for (var i = 0; i < 1e6; ++i)
    test();


Our ArrayProfile takes only one array. So typically, `array[0]` op_put_by_val says "Yeah, the array seems ArrayWithInt32".
But actually, this should see both `CopyOnWriteArrayWithInt32` and `ArrayWithInt32`.
The above example first emit CheckStructure for ArrayWithInt32. Then it fails repeatedly, and the op_put_by_val emits

PutByVal(Check:Untyped:@26, Check:Untyped:@29, Check:Untyped:Kill:@47, MustGen|VarArgs, Generic+OriginalNonArray+OutOfBounds+AsIs+Write, R:World, W:Heap, Exits, ClobbersExit, bc#37, ExitValid)

It is bad. Ideally, we should emit ArrayifyToStructure for ArrayWithInt32 first.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20180616/6a5d1073/attachment.html>