RESOLVED FIXED 109900
DFG AbstractState should filter operands to NewArray more precisely 
https://bugs.webkit.org/show_bug.cgi?id=109900
Summary DFG AbstractState should filter operands to NewArray more precisely
Filip Pizlo
Reported 2013-02-14 23:28:34 PST
Patch forthcoming
Attachments
the patch (2.31 KB, patch)
2013-02-14 23:32 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2013-02-14 23:32:21 PST
Created attachment 188489 [details] the patch
Mark Hahnenberg
Comment 2 2013-02-15 07:20:12 PST
Comment on attachment 188489 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=188489&action=review > Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1300 > + forNode(m_graph.m_varArgChildren[node->firstChild() + operandIndex]).filter(SpecRealNumber); Why not SpecDouble? What would happen if somebody filled their arrays with NaNs?
Filip Pizlo
Comment 3 2013-02-15 11:37:40 PST
(In reply to comment #2) > (From update of attachment 188489 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=188489&action=review > > > Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1300 > > + forNode(m_graph.m_varArgChildren[node->firstChild() + operandIndex]).filter(SpecRealNumber); > > Why not SpecDouble? What would happen if somebody filled their arrays with NaNs? NaNs can't be stored into double arrays. If you do it, they turn into contiguous arrays (of generic JSValues). The backend will speculate that you're not storing NaN into a double array and spec fail if you do (so that the baseline JIT can do the double->contiguous conversion). Hence, filtering SpecRealNumber accurately represents the speculations that the backend will do.
Mark Hahnenberg
Comment 4 2013-02-15 11:38:25 PST
Comment on attachment 188489 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=188489&action=review r=me >>> Source/JavaScriptCore/dfg/DFGAbstractState.cpp:1300 >>> + forNode(m_graph.m_varArgChildren[node->firstChild() + operandIndex]).filter(SpecRealNumber); >> >> Why not SpecDouble? What would happen if somebody filled their arrays with NaNs? > > NaNs can't be stored into double arrays. If you do it, they turn into contiguous arrays (of generic JSValues). The backend will speculate that you're not storing NaN into a double array and spec fail if you do (so that the baseline JIT can do the double->contiguous conversion). > > Hence, filtering SpecRealNumber accurately represents the speculations that the backend will do. Sounds good.
Filip Pizlo
Comment 5 2013-02-15 11:49:39 PST
Landed in http://trac.webkit.org/changeset/143024
Adam Barth
Comment 6 2013-02-15 11:57:43 PST
Reopening to attach new patch.
Adam Barth
Comment 7 2013-02-15 11:58:51 PST
oops. soryr
Note You need to log in before you can comment on or make changes to this bug.