| Summary: | Fold storage pointer for GC-allocated typed arrays | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Filip Pizlo <fpizlo> |
| Component: | JavaScriptCore | Assignee: | Filip Pizlo <fpizlo> |
| Status: | REOPENED --- | ||
| Severity: | Normal | CC: | barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | All | ||
| OS: | All | ||
|
Description
Filip Pizlo
2013-12-08 12:04:26 PST
*** This bug has been marked as a duplicate of bug 161100 *** Nope, this is still a bug. Even if the GC-allocated typed array doesn't move, we still can't constant-fold pointers to it because of neutering: - To constant-fold, we need to install a watchpoint on the typed array's underlying buffer to make sure that we get notified if it gets neutered. - To install a watchpoint, we need to request the buffer. - To request the buffer, we need to move the backing store out of GC space. - To move it out of GC space, we need to malloc a new backing store and copy the data over and repoint m_vector. - Therefore, constant folding will fold to the *old* buffer. Ouch! |