179594 – [DFG][FTL] Support Array::DirectArguments with OutOfBounds

Bug 179594 - [DFG][FTL] Support Array::DirectArguments with OutOfBounds

Summary: [DFG][FTL] Support Array::DirectArguments with OutOfBounds

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yusuke Suzuki

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2017-11-12 08:36 PST by Yusuke Suzuki
Modified:	2017-11-15 09:35 PST (History)
CC List:	6 users (show)

See Also:

Attachments
Patch (8.46 KB, patch) 2017-11-12 08:36 PST, Yusuke Suzuki	no flags	Details \| Formatted Diff \| Diff
Patch (9.52 KB, patch) 2017-11-12 08:42 PST, Yusuke Suzuki	no flags	Details \| Formatted Diff \| Diff
Patch (12.81 KB, patch) 2017-11-12 10:48 PST, Yusuke Suzuki	no flags	Details \| Formatted Diff \| Diff
Patch (12.66 KB, patch) 2017-11-14 07:15 PST, Yusuke Suzuki	saam: review+	Details \| Formatted Diff \| Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yusuke Suzuki 2017-11-12 08:36:14 PST

[DFG][FTL] Support Array::DirectArguments with OutOfBounds

Comment 1 Yusuke Suzuki 2017-11-12 08:36:32 PST

Created attachment 326713 [details]
Patch

WIP

Comment 2 Yusuke Suzuki 2017-11-12 08:42:30 PST

Created attachment 326714 [details]
Patch

WIP

Comment 3 Yusuke Suzuki 2017-11-12 10:48:34 PST

Created attachment 326720 [details]
Patch

Comment 4 Yusuke Suzuki 2017-11-14 07:15:03 PST

Created attachment 326876 [details]
Patch

Comment 5 Saam Barati 2017-11-14 09:20:43 PST

Comment on attachment 326876 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=326876&action=review

> Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:245
> +                    m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);

Don’t you want to check OOB mode here? Or is the !prototypeChaneIsSane rare enough that we just do it unconditionally?

Comment 6 Yusuke Suzuki 2017-11-14 09:31:56 PST

Comment on attachment 326876 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=326876&action=review

Thank you!

>> Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:245
>> +                    m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
> 
> Don’t you want to check OOB mode here? Or is the !prototypeChaneIsSane rare enough that we just do it unconditionally?

Oh, nice catch. We should insert

if (mode.isInBounds())
    break;

check before this to align it to ClonedArguments case.

Comment 7 Yusuke Suzuki 2017-11-14 09:35:42 PST

Committed r224818: <https://trac.webkit.org/changeset/224818>

Comment 8 Radar WebKit Bug Importer 2017-11-15 09:35:41 PST

<rdar://problem/35562030>