Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 90052846372d777d22fad055ed11885f4a84aff7
      
https://github.com/WebKit/WebKit/commit/90052846372d777d22fad055ed11885f4a84aff7
  Author: Yusuke Suzuki <[email protected]>
  Date:   2025-02-28 (Fri, 28 Feb 2025)

  Changed paths:
    A JSTests/stress/uint8array-check-in-bounds.js
    M Source/JavaScriptCore/dfg/DFGArrayMode.h
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.cpp
    M Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp

  Log Message:
  -----------
  [JSC] byteLength CheckInBounds should be eliminated
https://bugs.webkit.org/show_bug.cgi?id=288709
rdar://145730507

Reviewed by Yijia Huang.

We found an issue that CheckInBounds is not eliminated when we run the
script like this.

    let array = new Uint8Array(1024);
    for (let i = 0; i < array.byteLength; ++i) {
        array[i] = 42;
    }

The reason is that we convert array.byteLength to
GetUndetachedTypeArrayLength, but SSA lowering converts PutByVal with
GetArrayLength. While GetArrayLength gets converted to
GetUndetachedTypeArrayLength later, it is too late and we failed to
identify bound loop.

In this patch, we fix two things.

1. Fix GetUndetachedTypeArrayLength conversion's ArrayMode to align it
   to `byteLength` etc.'s ArrayMode use. This allows CSE for that.
2. Run performGlobalCSE before integer range optimization to merge
   PutByVal's GetUndetachedTypeArrayLength to loop condition's one.

* Source/JavaScriptCore/dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::withAction const):
(JSC::DFG::ArrayMode::withArrayClass const):
* Source/JavaScriptCore/dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::lowerBoundsCheck):

Canonical link: https://commits.webkit.org/291395@main
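
A simplified model of the reasoning in the log message, added here as an example; it is not part of the commit and is not JavaScriptCore code. Only the node names come from the message; the IR layout, the mode labels `modeA`/`modeB` and every function name are assumptions. It shows that the bounds check survives unless both listed changes are in place.

```javascript
// Simplified model, not JavaScriptCore code. Node names come from the log
// message; the IR layout, mode labels and function names are assumptions.
const PURE = new Set(["GetUndetachedTypeArrayLength", "LessThan"]);

// Constructed IR for: for (i = 0; i < array.byteLength; ++i) array[i] = 42;
function loopIR(storeLengthMode) {
  return [
    { id: 0, op: "Array", args: [] },
    { id: 1, op: "Index", args: [] }, // assumed known to be >= 0
    // Length read by the loop condition (array.byteLength).
    { id: 2, op: "GetUndetachedTypeArrayLength", mode: "modeA", args: [0] },
    { id: 3, op: "LessThan", args: [1, 2] },
    { id: 4, op: "Branch", args: [3] },
    // Length read by the bounds check created when lowering PutByVal.
    { id: 5, op: "GetUndetachedTypeArrayLength", mode: storeLengthMode, args: [0] },
    { id: 6, op: "CheckInBounds", args: [1, 5] },
    { id: 7, op: "PutByVal", args: [0, 1] },
  ];
}

// CSE: a pure node with the same op, mode and inputs as an earlier one is
// dropped and its users are redirected to the earlier node.
function cse(nodes) {
  const seen = new Map(), replace = new Map(), out = [];
  for (const n of nodes) {
    const args = n.args.map((a) => replace.get(a) ?? a);
    const key = `${n.op}|${n.mode}|${args}`;
    if (PURE.has(n.op) && seen.has(key)) { replace.set(n.id, seen.get(key)); continue; }
    if (PURE.has(n.op)) seen.set(key, n.id);
    out.push({ ...n, args });
  }
  return out;
}

// Range optimization: CheckInBounds(index, length) goes away only if a
// preceding branch proved index < length for that same length node.
function eliminateChecks(nodes) {
  const byId = new Map(nodes.map((n) => [n.id, n]));
  const proven = new Set();
  return nodes.filter((n) => {
    if (n.op === "Branch" && byId.get(n.args[0]).op === "LessThan")
      proven.add(byId.get(n.args[0]).args.join("<"));
    return !(n.op === "CheckInBounds" && proven.has(n.args.join("<")));
  });
}

function remainingChecks({ modesAligned, cseBeforeRangeOpt }) {
  let ir = loopIR(modesAligned ? "modeA" : "modeB");
  if (cseBeforeRangeOpt) ir = cse(ir);
  return eliminateChecks(ir).filter((n) => n.op === "CheckInBounds").length;
}
```
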


