Bug 104500 - DFG ArrayPush/Pop should not pass their second child as the index for blessArrayOperation()
Summary: DFG ArrayPush/Pop should not pass their second child as the index for blessAr...
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All
OS: All
Priority: P2
Severity: Normal
Assignee: Filip Pizlo
Depends on:
Reported: 2012-12-09 17:05 PST by Filip Pizlo
Modified: 2012-12-09 22:56 PST (History)

See Also:

Attachment: the patch (2.36 KB, patch), 2012-12-09 17:07 PST, Filip Pizlo
Flags: oliver: review+

Description Filip Pizlo 2012-12-09 17:05:47 PST
blessArrayOperation() takes an index, which if present, indicates that the DFG should perform additional checks (on the index) when triggering array conversions.  This is applicable to things like:

array[100000000] = 5;

Where we wouldn't want to convert to a contiguous array kind, since that would be kind of not good.

But the second child of ArrayPush/Pop is not an index.  For ArrayPush, it's the value being pushed.  For ArrayPop, it's the storage pointer.  So, if we have an ArrayPush or ArrayPop that triggers array conversion (which is admittedly rare) then we'll currently end up doing really strange things.  This ought not to result in incorrect execution, but will likely result in bad performance.

The Arrayify nodes are already robust against their index child being empty.  So we should just pass Edge() (i.e. the non-existent edge) as the index for blessArrayOperation() on ArrayPush/Pop.
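The description above contrasts an indexed store at a huge index (which must not force a contiguous conversion) with push/pop, whose second DFG child is a value or a storage pointer rather than an index. The script below is an added example, not part of this bug, its patch, or WebKit's test suite: it checks from plain JavaScript that a pushed value of index-like magnitude is appended at the old length and never materialises as a sparse index, across several array shapes that an engine may have to convert, and shows the sparse result of the indexed store for comparison. The helper names (makeArrays, pushPopOnce, runChecks, sparseStore) and the sample arrays are constructed for this illustration; running the loop many times lets a JIT such as JSC's DFG compile it, but the checks hold under any engine.

```javascript
// Added example (not from the WebKit bug or patch). Names and inputs are
// constructed for illustration.

const HUGE = 100000000; // same magnitude as the index in the bug description

// Arrays of different shapes, so a JIT may have to convert their storage
// kind (int32, double, contiguous, holey...) when push/pop is applied.
function makeArrays() {
  return [
    [],                                                 // empty
    [1, 2, 3],                                          // small integers
    [1.5, 2.5],                                         // doubles
    ["a", "b"],                                         // non-numeric cells
    (() => { const a = []; a[3] = 7; return a; })(),    // holey array
  ];
}

// Push a value whose magnitude looks like an index, then pop it back,
// and report the lengths observed at each step.
function pushPopOnce(arr, value) {
  const before = arr.length;
  arr.push(value);
  const afterPush = arr.length;
  const popped = arr.pop();
  return { before, afterPush, popped, after: arr.length };
}

// Repeat enough times for a JIT to compile the hot loop. Returns true only
// if every push appended at the previous length, every pop returned the
// pushed value, and no sparse property was created at the value's index.
function runChecks(iterations) {
  let ok = true;
  for (let i = 0; i < iterations; i++) {
    for (const arr of makeArrays()) {
      const v = HUGE + i;
      const r = pushPopOnce(arr, v);
      if (r.afterPush !== r.before + 1) ok = false; // appended at length
      if (r.popped !== v) ok = false;               // value round-trips
      if (r.after !== r.before) ok = false;         // pop restored length
      if (Object.prototype.hasOwnProperty.call(arr, v)) ok = false; // no sparse slot
    }
  }
  return ok;
}

// Contrast: an indexed store at a huge index yields a sparse array with a
// large length but a single own element, which is the case the DFG guards
// against when it is given a real index.
function sparseStore(index) {
  const a = [];
  a[index] = 5;
  return { length: a.length, ownKeys: Object.keys(a).length };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("push/pop checks:", runChecks(10000) ? "ok" : "FAILED");
  console.log("sparse store:", sparseStore(HUGE));
}
```

The push/pop loop is the shape of a regression test one would add for this bug: it cannot observe the storage kind the engine chose, but it does pin down the user-visible semantics that must survive whatever conversion the DFG performs.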
Comment 1 Filip Pizlo 2012-12-09 17:07:20 PST
Created attachment 178456
the patch
Comment 2 Filip Pizlo 2012-12-09 22:56:10 PST
Landed in http://trac.webkit.org/changeset/137110