Bug 139327

Summary: CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, mmirman, msaboff, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
the patch
fpizlo: review-
patch 2 with test added. msaboff: review+

Mark Lam
Reported 2014-12-05 17:07:55 PST
The code generator speculation checks for SlowPutArrayStorageShape explicitly allows ArrayStorageShape arrays. The runtime slow paths that handles SlowPutArrayStorageShape is also capable of handling ArrayStorageShape arrays. As a result, the CFA may declare some basic blocks as unreachable though the code generator expects otherwise.
Attachments
the patch (1.93 KB, patch)
2014-12-05 17:18 PST, Mark Lam 		fpizlo: review-
DetailsFormatted DiffDiff
patch 2 with test added. (5.32 KB, patch)
2014-12-08 13:52 PST, Mark Lam 		msaboff: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2014-12-05 17:09:20 PST
<rdar://problem/18604058>
Radar WebKit Bug Importer
Comment 2 2014-12-05 17:09:49 PST
<rdar://problem/19164372>
Mark Lam
Comment 3 2014-12-05 17:18:14 PST
Created attachment 242687 [details] the patch Regression tests and benchmarks are in progress.
Mark Lam
Comment 4 2014-12-05 17:31:41 PST
Will write a regression test for this soon: https://bugs.webkit.org/show_bug.cgi?id=139328
Filip Pizlo
Comment 5 2014-12-05 17:32:10 PST
Comment on attachment 242687 [details] the patch Test? Otherwise LGTM.
Mark Lam
Comment 6 2014-12-08 13:52:47 PST
Created attachment 242846 [details] patch 2 with test added.
Michael Saboff
Comment 7 2014-12-08 14:08:27 PST
Comment on attachment 242846 [details] patch 2 with test added. r=me
Mark Lam
Comment 8 2014-12-08 14:12:33 PST
Thanks for the review. Landed in r176972: <http://trac.webkit.org/r176972>.
Mark Lam
Comment 9 2014-12-08 14:13:34 PST
*** Bug 139328 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.