Title: [261725] trunk
Revision: 261725
Author: keith_mil...@apple.com
Date: 2020-05-14 17:20:26 -0700 (Thu, 14 May 2020)

Log Message

Undecided Arrays shouldn't need to be OriginalArray to convert to GetArrayLength
https://bugs.webkit.org/show_bug.cgi?id=211914

Reviewed by Saam Barati.

JSTests:

* stress/undecided-arrays-should-not-need-original-array-for-length.js: Added.
(findFoo):
(const.nonUndecidedFrequency.1000.SubArray):
(i.i.some):

Source/JavaScriptCore:

Also, fix a bug where arrayModesThatPassFiltering() couldn't handle
Undecided arrays. Because we can now emit a CheckArray on
Undecided, AI will try to figure out what types flow out of the
check. Since Undecided was unhandled by filtering, AI will assume
bottom is the only possible value and the DFG/FTL will insert a
breakpoint, causing a crash.

* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::refine const):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):

Diff

Modified: trunk/JSTests/ChangeLog (261724 => 261725)


--- trunk/JSTests/ChangeLog	2020-05-15 00:02:17 UTC (rev 261724)
+++ trunk/JSTests/ChangeLog	2020-05-15 00:20:26 UTC (rev 261725)
@@ -1,5 +1,17 @@
 2020-05-14  Keith Miller  <keith_mil...@apple.com>
 
+        Undecided Arrays shouldn't need to be OriginalArray to covert to GetArrayLength
+        https://bugs.webkit.org/show_bug.cgi?id=211914
+
+        Reviewed by Saam Barati.
+
+        * stress/undecided-arrays-should-not-need-original-array-for-length.js: Added.
+        (findFoo):
+        (const.nonUndecidedFrequency.1000.SubArray):
+        (i.i.some):
+
+2020-05-14  Keith Miller  <keith_mil...@apple.com>
+
         GetArrayLength should be "blessed" during Fixup phase in the DFG
         https://bugs.webkit.org/show_bug.cgi?id=211540
 
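Review bot: the function list under the new test entry does not match the test file added in this revision: `(const.nonUndecidedFrequency.1000.SubArray)` names a `nonUndecidedFrequency` constant that the test never declares (the test alternates array kinds on `i % 2`), so the entry looks auto-generated from an earlier draft of the test. Regenerate it against the committed file, and fix the typo "covert" (for "convert") in the title line while here.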

Added: trunk/JSTests/stress/undecided-arrays-should-not-need-original-array-for-length.js (0 => 261725)


--- trunk/JSTests/stress/undecided-arrays-should-not-need-original-array-for-length.js	                        (rev 0)
+++ trunk/JSTests/stress/undecided-arrays-should-not-need-original-array-for-length.js	2020-05-15 00:20:26 UTC (rev 261725)
@@ -0,0 +1,17 @@
+function findFoo(name, array, bail) {
+    let some = array.some
+    if (bail)
+        return;
+    some.call(array, function (v) {
+        return v === name;
+    });
+}
+noInline(findFoo);
+
+class SubArray extends Array {}
+for (let i = 0; i < 1e5; ++i) {
+    let array = i % 2 ? new SubArray(0) : ["foo"];
+    findFoo("foo", array, array.length);
+    for (let i = 0; i < 100; ++i)
+        [].some(function (v) { });
+}
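Review bot: the inner `for (let i = 0; i < 100; ++i)` shadows the outer loop variable `i`; renaming it (for example `j`) keeps the two loops from being confused when reading the test. Since the test has no assertion and passes by simply not crashing, a short comment stating that it is a no-crash regression test for the AI/CheckArray breakpoint described in the ChangeLog, and what `new SubArray(0)` (an Undecided array that is not an OriginalArray) and the `bail` argument are for, would help the next reader.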

Modified: trunk/Source/JavaScriptCore/ChangeLog (261724 => 261725)


--- trunk/Source/_javascript_Core/ChangeLog	2020-05-15 00:02:17 UTC (rev 261724)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-05-15 00:20:26 UTC (rev 261725)
@@ -1,5 +1,24 @@
 2020-05-14  Keith Miller  <keith_mil...@apple.com>
 
+        Undecided Arrays shouldn't need to be OriginalArray to covert to GetArrayLength
+        https://bugs.webkit.org/show_bug.cgi?id=211914
+
+        Reviewed by Saam Barati.
+
+        Also, fix a bug that arrayModesThatPassFiltering() can't handle
+        Undecided arrays. Because we can now emit a CheckArray on
+        Undecided AI will try to figure out what types flow out of the
+        check. Since Undecided was unhandled by filtering, AI will assume
+        bottom is the only possible value and the DFG/FTL will insert a
+        breakpoint, causing a crash.
+
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::ArrayMode::refine const):
+        * dfg/DFGArrayMode.h:
+        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
+
+2020-05-14  Keith Miller  <keith_mil...@apple.com>
+
         GetArrayLength should be "blessed" during Fixup phase in the DFG
         https://bugs.webkit.org/show_bug.cgi?id=211540
 
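Review bot: typo "covert" for "convert" in the title line, and the second paragraph reads more clearly with a comma after "Undecided" ("Because we can now emit a CheckArray on Undecided, AI will try ..."). It would also help to state explicitly that the new `isJSArray()` early return in `ArrayMode::refine` is what makes the `arrayModesThatPassFiltering()` fix necessary, since the two changes only make sense together.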

Modified: trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp (261724 => 261725)


--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp	2020-05-15 00:02:17 UTC (rev 261724)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp	2020-05-15 00:20:26 UTC (rev 261725)
@@ -242,12 +242,16 @@
             return withTypeAndConversion(Array::Double, Array::Convert);
         return withTypeAndConversion(Array::Contiguous, Array::Convert);
     case Array::Undecided: {
+        // As long as we have a JSArray getting its length shouldn't require any sane chainness.
+        if (canBecomeGetArrayLength(graph, node) && isJSArray())
+            return *this;
+
         // If we have an OriginalArray and the JSArray prototype chain is sane,
         // any indexed access always return undefined. We have a fast path for that.
         JSGlobalObject* globalObject = graph.globalObjectFor(node->origin.semantic);
         Structure* arrayPrototypeStructure = globalObject->arrayPrototype()->structure(graph.m_vm);
         Structure* objectPrototypeStructure = globalObject->objectPrototype()->structure(graph.m_vm);
-        if ((node->op() == GetByVal || canBecomeGetArrayLength(graph, node))
+        if (node->op() == GetByVal
             && isJSArrayWithOriginalStructure()
             && !graph.hasExitSite(node->origin.semantic, OutOfBounds)
             && arrayPrototypeStructure->transitionWatchpointSetIsStillValid()
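Review bot: the new early return skips the `graph.hasExitSite(node->origin.semantic, OutOfBounds)` and prototype-structure checks below, which is sound for a length read (it cannot go out of bounds and does not consult the prototype chain), but the comment on the new lines should say so; "shouldn't require any sane chainness" reads awkwardly. Suggest: `// Reading the length of a JSArray never touches the prototype chain, so an Undecided array needs neither OriginalArray nor a sane chain to become GetArrayLength.` The existing comment ("If we have an OriginalArray and the JSArray prototype chain is sane, any indexed access ...") now applies only to the GetByVal path, which matches the narrowed condition.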

Modified: trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h (261724 => 261725)


--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2020-05-15 00:02:17 UTC (rev 261724)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2020-05-15 00:20:26 UTC (rev 261725)
@@ -430,6 +430,8 @@
         switch (type()) {
         case Array::Generic:
             return ALL_ARRAY_MODES;
+        case Array::Undecided:
+            return arrayModesWithIndexingShapes(UndecidedShape);
         case Array::Int32:
             result = arrayModesWithIndexingShapes(Int32Shape);
             break;
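Review bot: the new `case Array::Undecided:` returns immediately, whereas `case Array::Int32:` (and, by the look of it, the other shape cases) assign `result` and `break` so that whatever follows the switch can post-process `result`. Only `Array::Generic` returns early, and it returns `ALL_ARRAY_MODES`, for which post-processing is moot. If the code after the switch adds modes to `result` (not visible in this hunk), Undecided would silently skip it; either follow the `result = arrayModesWithIndexingShapes(UndecidedShape); break;` pattern or add a comment confirming the early return is intended.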
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes