119874 – Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access

RESOLVED FIXED 119874

Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access

https://bugs.webkit.org/show_bug.cgi?id=119874

Summary Sometimes, the DFG uses a GetById for typed array length accesses despite pro...

Filip Pizlo

Reported 2013-08-15 16:52:15 PDT

It's a confusion between heuristics in DFG::ArrayMode that are assuming that you'll use ForceExit if array profiles are empty, the JIT creating empty profiles sometimes for typed array length accesses, and the FixupPhase assuming that a ForceExit ArrayMode means that it should continue using a generic GetById.

Attachments
the patch (3.44 KB, patch) 2013-08-15 16:53 PDT, Filip Pizlo	oliver: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2013-08-15 16:53:14 PDT

Created attachment 208870 [details] the patch

Mark Hahnenberg

Comment 2 2013-08-15 17:03:50 PDT

Comment on attachment 208870 [details] the patch r=me to fwiw.

Filip Pizlo

Comment 3 2013-08-16 10:17:40 PDT

Landed in http://trac.webkit.org/changeset/154157

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Filip Pizlo

Reported

2013-08-15 16:52 PDT

Modified

2013-08-16 10:17 PDT History

CC List

7 users Show

URL

Keywords

Depends on

Blocks