104500 2012-12-09 17:05:47 -0800 DFG ArrayPush/Pop should not pass their second child as the index for blessArrayOperation() 2012-12-09 22:56:10 -0800 1 1 1 Unclassified WebKit JavaScriptCore 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 fpizlo fpizlo barraclough ggaren mark.lam mhahnenberg msaboff oliver sam oldest_to_newest 786911 0 fpizlo 2012-12-09 17:05:47 -0800 blessArrayOperation() takes an index, which if present, indicates that the DFG should perform additional checks (on the index) when triggering array conversions. This is applicable to things like: array[100000000] = 5; Where we wouldn't want to convert to a contiguous array kind, since that would be kind of not good. But the second child of ArrayPush/Pop is not an index. For ArrayPush, it's the value being pushed. For ArrayPop, it's the storage pointer. So, if we have an ArrayPush or ArrayPop that triggers array conversion (which is admittedly rare) then we'll currently end up doing really strange things. This ought not result in incorrect execution, but likely will execute in bad performance. The Arrayify nodes are already robust against their index child being empty. So we should just pass Edge() (i.e. the non-existant edge) as the index for blessArrayOperation() on ArrayPush/Pop. 786912 1 178456 fpizlo 2012-12-09 17:07:20 -0800 Created attachment 178456 the patch 787013 2 fpizlo 2012-12-09 22:56:10 -0800 Landed in http://trac.webkit.org/changeset/137110 178456 2012-12-09 17:07:20 -0800 2012-12-09 20:00:47 -0800 the patch fixarraypush.patch text/plain 2414 fpizlo SW5kZXg6IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9DaGFuZ2VMb2cKPT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gU291 cmNlL0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkocmV2aXNpb24gMTM3MDk4KQorKysgU291cmNl L0phdmFTY3JpcHRDb3JlL0NoYW5nZUxvZwkod29ya2luZyBjb3B5KQpAQCAtMSwzICsxLDE3IEBA CisyMDEyLTEyLTA5ICBGaWxpcCBQaXpsbyAgPGZwaXpsb0BhcHBsZS5jb20+CisKKyAgICAgICAg REZHIEFycmF5UHVzaC9Qb3Agc2hvdWxkIG5vdCBwYXNzIHRoZWlyIHNlY29uZCBjaGlsZCBhcyB0 aGUgaW5kZXggZm9yIGJsZXNzQXJyYXlPcGVyYXRpb24oKQorICAgICAgICBodHRwczovL2J1Z3Mu d2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MTA0NTAwCisKKyAgICAgICAgUmV2aWV3ZWQgYnkg Tk9CT0RZIChPT1BTISkuCisKKyAgICAgICAgU2xpZ2h0IGFjcm9zcy10aGUtYm9hcmQgc3BlZWQt dXAuCisKKyAgICAgICAgKiBkZmcvREZHQWJzdHJhY3RTdGF0ZS5jcHA6CisgICAgICAgIChKU0M6 OkRGRzo6QWJzdHJhY3RTdGF0ZTo6ZXhlY3V0ZSk6CisgICAgICAgICogZGZnL0RGR0ZpeHVwUGhh c2UuY3BwOgorICAgICAgICAoSlNDOjpERkc6OkZpeHVwUGhhc2U6OmZpeHVwTm9kZSk6CisKIDIw MTItMTItMDggIEZpbGlwIFBpemxvICA8ZnBpemxvQGFwcGxlLmNvbT4KIAogICAgICAgICBKU0Mg c2hvdWxkIHNjYWxlIHRoZSBvcHRpbWl6YXRpb24gdGhyZXNob2xkIGZvciBhIGNvZGUgYmxvY2sg YWNjb3JkaW5nIHRvIHRoZSBjb3N0IG9mIGNvbXBpbGluZyBpdApJbmRleDogU291cmNlL0phdmFT Y3JpcHRDb3JlL2RmZy9ERkdBYnN0cmFjdFN0YXRlLmNwcAo9PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09Ci0tLSBTb3VyY2Uv SmF2YVNjcmlwdENvcmUvZGZnL0RGR0Fic3RyYWN0U3RhdGUuY3BwCShyZXZpc2lvbiAxMzY5ODkp CisrKyBTb3VyY2UvSmF2YVNjcmlwdENvcmUvZGZnL0RGR0Fic3RyYWN0U3RhdGUuY3BwCSh3b3Jr aW5nIGNvcHkpCkBAIC0xNTkwLDYgKzE1OTAsOCBAQCBib29sIEFic3RyYWN0U3RhdGU6OmV4ZWN1 dGUodW5zaWduZWQgaW5kCiAgICAgICAgICAgICB8fCB2YWx1ZS5tX2N1cnJlbnRLbm93blN0cnVj dHVyZS5pc1N1YnNldE9mKHNldCkpCiAgICAgICAgICAgICBtX2ZvdW5kQ29uc3RhbnRzID0gdHJ1 ZTsKICAgICAgICAgbm9kZS5zZXRDYW5FeGl0KHRydWUpOworICAgICAgICBpZiAobm9kZS5jaGls ZDIoKSkKKyAgICAgICAgICAgIGZvck5vZGUobm9kZS5jaGlsZDIoKSkuZmlsdGVyKFNwZWNJbnQz Mik7CiAgICAgICAgIGNsb2JiZXJTdHJ1Y3R1cmVzKGluZGV4SW5CbG9jayk7CiAgICAgICAgIHZh bHVlLmZpbHRlcihzZXQpOwogICAgICAgICBtX2hhdmVTdHJ1Y3R1cmVzID0gdHJ1ZTsKSW5kZXg6 IFNvdXJjZS9KYXZhU2NyaXB0Q29yZS9kZmcvREZHRml4dXBQaGFzZS5jcHAKPT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQot LS0gU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdGaXh1cFBoYXNlLmNwcAkocmV2aXNpb24g MTM2OTg5KQorKysgU291cmNlL0phdmFTY3JpcHRDb3JlL2RmZy9ERkdGaXh1cFBoYXNlLmNwcAko d29ya2luZyBjb3B5KQpAQCAtMTcyLDcgKzE3Miw3IEBAIHByaXZhdGU6CiAgICAgICAgICAgICAg ICAgICAgIG1fZ3JhcGhbbm9kZS5jaGlsZDEoKV0ucHJlZGljdGlvbigpICYgU3BlY0NlbGwsCiAg ICAgICAgICAgICAgICAgICAgIFNwZWNJbnQzMiwKICAgICAgICAgICAgICAgICAgICAgbV9ncmFw aFtub2RlLmNoaWxkMigpXS5wcmVkaWN0aW9uKCkpKTsKLSAgICAgICAgICAgIGJsZXNzQXJyYXlP cGVyYXRpb24obm9kZS5jaGlsZDEoKSwgbm9kZS5jaGlsZDIoKSwgMik7CisgICAgICAgICAgICBi bGVzc0FycmF5T3BlcmF0aW9uKG5vZGUuY2hpbGQxKCksIEVkZ2UoKSwgMik7CiAgICAgICAgICAg ICAKICAgICAgICAgICAgIE5vZGUqIG5vZGVQdHIgPSAmbV9ncmFwaFttX2NvbXBpbGVJbmRleF07 CiAgICAgICAgICAgICBzd2l0Y2ggKG5vZGVQdHItPmFycmF5TW9kZSgpLnR5cGUoKSkgewpAQCAt MTg2LDcgKzE4Niw3IEBAIHByaXZhdGU6CiAgICAgICAgIH0KICAgICAgICAgICAgIAogICAgICAg ICBjYXNlIEFycmF5UG9wOiB7Ci0gICAgICAgICAgICBibGVzc0FycmF5T3BlcmF0aW9uKG5vZGUu Y2hpbGQxKCksIG5vZGUuY2hpbGQyKCksIDEpOworICAgICAgICAgICAgYmxlc3NBcnJheU9wZXJh dGlvbihub2RlLmNoaWxkMSgpLCBFZGdlKCksIDEpOwogICAgICAgICAgICAgYnJlYWs7CiAgICAg ICAgIH0KICAgICAgICAgICAgIAo=