Bug 139327

Summary: CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Severity: Normal CC: fpizlo, ggaren, mmirman, msaboff, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Description Flags
the patch
fpizlo: review-
patch 2 with test added. msaboff: review+

Description Mark Lam 2014-12-05 17:07:55 PST
The code generator speculation checks for SlowPutArrayStorageShape explicitly allows ArrayStorageShape arrays.  The runtime slow paths that handles SlowPutArrayStorageShape is also capable of handling ArrayStorageShape arrays.  As a result, the CFA may declare some basic blocks as unreachable though the code generator expects otherwise.
Comment 1 Mark Lam 2014-12-05 17:09:20 PST
Comment 2 Radar WebKit Bug Importer 2014-12-05 17:09:49 PST
Comment 3 Mark Lam 2014-12-05 17:18:14 PST
Created attachment 242687 [details]
the patch

Regression tests and benchmarks are in progress.
Comment 4 Mark Lam 2014-12-05 17:31:41 PST
Will write a regression test for this soon: https://bugs.webkit.org/show_bug.cgi?id=139328
Comment 5 Filip Pizlo 2014-12-05 17:32:10 PST
Comment on attachment 242687 [details]
the patch

Test?  Otherwise LGTM.
Comment 6 Mark Lam 2014-12-08 13:52:47 PST
Created attachment 242846 [details]
patch 2 with test added.
Comment 7 Michael Saboff 2014-12-08 14:08:27 PST
Comment on attachment 242846 [details]
patch 2 with test added.

Comment 8 Mark Lam 2014-12-08 14:12:33 PST
Thanks for the review.  Landed in r176972: <http://trac.webkit.org/r176972>.
Comment 9 Mark Lam 2014-12-08 14:13:34 PST
*** Bug 139328 has been marked as a duplicate of this bug. ***