Bug 119874 - Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: 528+ (Nightly build)
Hardware: All All
Importance: P2 Normal
Assignee: Filip Pizlo
Reported: 2013-08-15 16:52 PDT by Filip Pizlo
Modified: 2013-08-16 10:17 PDT

Attachments
the patch (3.44 KB, patch)
2013-08-15 16:53 PDT, Filip Pizlo
oliver: review+

Description Filip Pizlo 2013-08-15 16:52:15 PDT
It's a confusion between heuristics in DFG::ArrayMode that are assuming that you'll use ForceExit if array profiles are empty, the JIT creating empty profiles sometimes for typed array length accesses, and the FixupPhase assuming that a ForceExit ArrayMode means that it should continue using a generic GetById.
Comment 1 Filip Pizlo 2013-08-15 16:53:14 PDT
Created attachment 208870
the patch
Comment 2 Mark Hahnenberg 2013-08-15 17:03:50 PDT
Comment on attachment 208870
the patch

r=me too fwiw.
Comment 3 Filip Pizlo 2013-08-16 10:17:40 PDT
Landed in http://trac.webkit.org/changeset/154157