Bug 232168

Summary: [JSC] GetTypedArrayLengthAsInt52 must be inserted only when we ensure that input is TypedArray via array-mode-based filtering
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: ews-watchlist, keith_miller, mark.lam, msaboff, rmorisset, saam, tzagallo, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch rmorisset: review+

Yusuke Suzuki
Reported 2021-10-22 13:10:39 PDT
[JSC] GetTypedArrayLengthAsInt52 must be inserted only when we ensure that input is TypedArray via array-mode-based filtering
Attachments
Patch (3.46 KB, patch)
2021-10-22 13:12 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (4.07 KB, patch)
2021-10-22 13:25 PDT, Yusuke Suzuki 		rmorisset: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2021-10-22 13:12:26 PDT
Created attachment 442188 [details] Patch
Yusuke Suzuki
Comment 2 2021-10-22 13:12:29 PDT
<rdar://problem/84366658>
Yusuke Suzuki
Comment 3 2021-10-22 13:25:29 PDT
Created attachment 442192 [details] Patch
Robin Morisset
Comment 4 2021-10-22 13:33:11 PDT
Comment on attachment 442192 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442192&action=review > Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp:102 > + if (m_node->arrayMode().isSomeTypedArrayView() && m_node->arrayMode().isOutOfBounds()) { This actually increases how often we take that code path, as isSomeTypedArrayView() returns true for AnyTypedArray whose typedArrayTyped() is NotTypedArray. Is it on purpose? > Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp:152 > + if ((op == GetArrayLength) && m_node->arrayMode().isSomeTypedArrayView() && (m_node->arrayMode().mayBeLargeTypedArray() || m_graph.hasExitSite(m_node->origin.semantic, Overflow))) { Ah, this is the bug, thanks for finding it.
Yusuke Suzuki
Comment 5 2021-10-22 13:38:00 PDT
Comment on attachment 442192 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442192&action=review >> Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp:102 >> + if (m_node->arrayMode().isSomeTypedArrayView() && m_node->arrayMode().isOutOfBounds()) { > > This actually increases how often we take that code path, as isSomeTypedArrayView() returns true for AnyTypedArray whose typedArrayTyped() is NotTypedArray. > Is it on purpose? Yes. Currently both will not get AnyArrayType value since it will be used only for some intrinsics, and they are not emitting GetByVal, PutByVal etc. But I aligned the implementation to using isSomeTypedArrayView since permitsBoundsCheckLowering (this is in the prologue of lowerBoundsCheck) is accepting AnyArrayType, and getting typed array length should work for AnyArrayType type too. >> Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp:152 >> + if ((op == GetArrayLength) && m_node->arrayMode().isSomeTypedArrayView() && (m_node->arrayMode().mayBeLargeTypedArray() || m_graph.hasExitSite(m_node->origin.semantic, Overflow))) { > > Ah, this is the bug, thanks for finding it. Ditto.
Robin Morisset
Comment 6 2021-10-22 13:39:11 PDT
Comment on attachment 442192 [details] Patch r=me
Yusuke Suzuki
Comment 7 2021-10-22 14:56:10 PDT
Committed r284716 (243431@main): <https://commits.webkit.org/243431@main>
Note You need to log in before you can comment on or make changes to this bug.