Bug 125425
| Summary: | Fold storage pointer for GC-allocated typed arrays | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Filip Pizlo <fpizlo> |
| Component: | JavaScriptCore | Assignee: | Filip Pizlo <fpizlo> |
| Status: | REOPENED | ||
| Severity: | Normal | CC: | barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | All | ||
| OS: | All | ||
Filip Pizlo
This probably won't be *too* profitable but I suspect that eventually it'll be needed.
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Filip Pizlo
*** This bug has been marked as a duplicate of bug 161100 ***
Filip Pizlo
Nope, this is still a bug.
Even if the GC-allocated typed array doesn't move, we still can't constant-fold pointers to it because of neutering:
- To constant-fold, we need to install a watchpoint on the typed array's underlying buffer to make sure that we get notified if it gets neutered.
- To install a watchpoint, we need to request the buffer.
- To request the buffer, we need to move the backing store out of GC space.
- To move it out of GC space, we need to malloc a new backing store and copy the data over and repoint m_vector.
- Therefore, constant folding will fold to the *old* buffer.
Ouch!