[Webkit-unassigned] [Bug 193413] New: [JSC] AI should check the given constant's array type when folding GetByVal into constant

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 14 15:24:10 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=193413

            Bug ID: 193413
           Summary: [JSC] AI should check the given constant's array type
                    when folding GetByVal into constant
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: yusukesuzuki at slowstart.org

GetByVal has Double ArrayModes. So it expects to get Double arrays, and it will generate a double value.
To ensure that, we have CheckStructure / CheckArray before this GetByVal.
But in the AI phase, CheckStructure and CheckArray would not perform anything on a proven abstract value.
In that case, our GetByVal in AI gets an unexpected array. If we do not perform any checks before using that to fold GetByVal into a constant, we have a bad time.


1: JSConstant(Array with CopyOnWrite | Contiguous) => like, ["bad"]
2: CheckStructure(@1, Array CopyOnWrite | Double) => It finally becomes OSR exit, but now, AI is not sure about it.
3: GetButterfly(@1)
4: GetByVal(@1, 0, @3, Array CopyOnWrite | Double) => If @4 can retrieve "bad" from @1, we attempt to convert @4 into "bad", but it is not acceptable since GetByVal(Double shape) should return a Double result.

We should perform an array check on the @1 constant before performing constant folding in AI.

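The folding decision described in this report, as a toy C++ model added here for illustration. It is not JavaScriptCore code: every type and function name (Shape, ConstantArray, GetByValNode, foldUnchecked, foldChecked, resultFitsMode) is hypothetical, and the arrays are constructed sample data.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Toy model only: every name here is hypothetical, not JavaScriptCore's API.
enum class Shape { Contiguous, Double };

struct Value {
    bool isDouble;
    double number;
    std::string text;
};

struct ConstantArray {
    Shape shape;                  // indexing type the constant really has
    std::vector<Value> elements;
};

struct GetByValNode {
    Shape expectedShape;          // ArrayMode the node was compiled for
    std::size_t index;
};

struct FoldResult {
    bool folded;
    Value constant;
};

// Fold that trusts the earlier CheckStructure/CheckArray to have filtered
// the array, which the report says AI does not do on a proven value.
FoldResult foldUnchecked(const ConstantArray& array, const GetByValNode& node) {
    if (node.index >= array.elements.size())
        return {false, {false, 0.0, ""}};
    return {true, array.elements[node.index]};
}

// Fold that first compares the constant's own shape with the node's mode
// and declines to fold on a mismatch.
FoldResult foldChecked(const ConstantArray& array, const GetByValNode& node) {
    if (array.shape != node.expectedShape)
        return {false, {false, 0.0, ""}};
    return foldUnchecked(array, node);
}

// Invariant from the report: a Double-shape GetByVal must yield a double.
bool resultFitsMode(const GetByValNode& node, const FoldResult& result) {
    if (!result.folded || node.expectedShape != Shape::Double)
        return true;
    return result.constant.isDouble;
}
```

With a Contiguous constant holding "bad" and a Double-mode node, the unchecked fold produces a string constant and breaks the invariant, while the checked fold declines and leaves the node for the later OSR exit.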