Bug 228919

Summary: New single bytecode loop for-in is missing many inline asm optimizations in 32bit
Product: WebKit
Component: JavaScriptCore
Status: NEW
Severity: Normal
Priority: P2
Version: Other
Hardware: Unspecified
OS: Unspecified
Reporter: Keith Miller <keith_miller>
Assignee: Nobody <webkit-unassigned>
CC: angelos, guijemont, mikhail, pmatos, ticaiolima, webkit-bug-importer, xan.lopez, ysuzuki
Keywords: InRadar
See Also: https://bugs.webkit.org/show_bug.cgi?id=227989
Attachments (description, flags):
for-in-infinite-loop.js, none
for-in-undefined.js, none

Keith Miller
Reported 2021-08-09 11:47:43 PDT
With the new bytecode format 32-bit is missing a bunch of inline assembly optimizations. Most of the code should be similar to the 64 bit code or the previous per-loop instructions.
Attachments
for-in-infinite-loop.js (730 bytes, text/javascript)
2021-08-18 09:09 PDT, Mikhail R. Gadelha
no flags
for-in-undefined.js (730 bytes, text/javascript)
2021-08-18 09:10 PDT, Mikhail R. Gadelha
no flags
Radar WebKit Bug Importer
Comment 1 2021-08-16 11:48:17 PDT
Mikhail R. Gadelha
Comment 2 2021-08-18 09:09:38 PDT
Created attachment 435770 [details] for-in-infinite-loop.js
Mikhail R. Gadelha
Comment 3 2021-08-18 09:10:19 PDT
Created attachment 435771 [details] for-in-undefined.js
Mikhail R. Gadelha
Comment 4 2021-08-18 09:13:47 PDT
Comment on attachment 435770 [details] for-in-infinite-loop.js

    function makeobj(n) {
        var obj = {};
        for (var i = 0; i < n; ++i)
            obj[i] = i;
        return obj;
    }

    function testdelete(n) {
        for (var propToDelete = 0; propToDelete <= n; ++propToDelete) {
            for (var iterToDelete = 0; iterToDelete <= n; ++iterToDelete) {
                for (var iterToAdd = 0; iterToAdd <= n; ++iterToAdd) {
                    print("testing with " + n + " properties");
                    print("deleting property number " + propToDelete + " on iteration " + iterToDelete);
                    print("adding a property on iteration " + iterToAdd);
                    var iter = 0;
                    var o = makeobj(n);
                    for (var i in o) {
                        if (iter == iterToDelete)
                            delete o[propToDelete];
                        if (iter == iterToAdd)
                            o["xxx"] = 1;
                        // print("iter: " + iter + "i: " + i);
                        print(i)
                        ++iter;
                    }
                }
            }
        }
    }

    testdelete(6);
Mikhail R. Gadelha
Comment 5 2021-08-18 09:15:20 PDT
Added a couple of reduced test cases where jsc starts to return unexpected results:
* for-in-infinite-loop.js: for-in seems to be stuck and doesn't increment the value
* for-in-undefined.js: for-in returns undefined object at iteration 94
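
The reduced test in comment 4 only prints the enumerated keys, so a stuck loop or an undefined key has to be spotted by eye. As an added example (not part of the bug report or of WebKit's tests), the same delete/add-during-enumeration loop can check the for-in guarantees itself: every key is a string, is visited at most once, is not visited after it was deleted, and the loop ends. runCase and checkAll are hypothetical names.

```javascript
// Added example, not from the bug report; runCase/checkAll are hypothetical names.
function makeobj(n) {
    var obj = {};
    for (var i = 0; i < n; ++i)
        obj[i] = i;
    return obj;
}
// One for-in pass: delete propToDelete on iteration iterToDelete, add "xxx" on
// iteration iterToAdd, and record each violated enumeration invariant.
function runCase(n, propToDelete, iterToDelete, iterToAdd) {
    var o = makeobj(n), seen = [], errors = [], deleted = false;
    for (var key in o) {
        if (seen.length > n) { // n original keys plus at most "xxx"
            errors.push("enumeration did not terminate");
            break;
        }
        if (typeof key !== "string")
            errors.push("non-string key: " + String(key));
        if (seen.indexOf(key) !== -1)
            errors.push("key visited twice: " + key);
        if (deleted && key === String(propToDelete))
            errors.push("visited after delete: " + key);
        var iter = seen.length;
        seen.push(key);
        if (iter === iterToDelete) {
            delete o[propToDelete];
            deleted = true;
        }
        if (iter === iterToAdd)
            o["xxx"] = 1;
    }
    for (var i = 0; i < n; ++i) // surviving original keys must all appear
        if (seen.indexOf(String(i)) === -1 && !(deleted && i === propToDelete))
            errors.push("key skipped: " + i);
    return { seen: seen, errors: errors };
}

// Same triple loop as the attachment; returns the failing combinations.
function checkAll(n) {
    var failures = [];
    for (var p = 0; p <= n; ++p)
        for (var d = 0; d <= n; ++d)
            for (var a = 0; a <= n; ++a) {
                var r = runCase(n, p, d, a);
                if (r.errors.length)
                    failures.push({ del: p, delIter: d, addIter: a, errors: r.errors });
            }
    return failures;
}
```

On a conforming engine checkAll(6) returns an empty array; a non-empty result names the delete/add combination that misbehaved.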