WebKit Bugzilla
NEW
186724
[DFG] DFG fixup checkArray typically considers only one Structure
https://bugs.webkit.org/show_bug.cgi?id=186724
Yusuke Suzuki
Reported
2018-06-16 11:26:34 PDT
The simple example is below.

    function test() {
        var array = [0, 1, 2, 3];
        for (var i = 0; i < 4; ++i) {
            array[0] = array[0] + 1;
        }
        return array;
    }
    noInline(test);
    for (var i = 0; i < 1e6; ++i)
        test();

Our ArrayProfile takes only one array. So typically, `array[0]` op_put_by_val says "Yeah, the array seems ArrayWithInt32". But actually, this should see both `CopyOnWriteArrayWithInt32` and `ArrayWithInt32`.

The above example first emits CheckStructure for ArrayWithInt32. Then it fails repeatedly, and the op_put_by_val emits

    PutByVal(Check:Untyped:@26, Check:Untyped:@29, Check:Untyped:Kill:@47, MustGen|VarArgs, Generic+OriginalNonArray+OutOfBounds+AsIs+Write, R:World, W:Heap, Exits, ClobbersExit, bc#37, ExitValid)

It is bad. Ideally, we should emit ArrayifyToStructure for ArrayWithInt32 first.
Yusuke Suzuki
Comment 1
2018-06-16 11:27:22 PDT
I think this is the reason why Kraken crypto-aes and crypto-ccm cause regression right now.
Yusuke Suzuki
Comment 2
2018-06-16 11:37:57 PDT
Keith, Saam, do you have any idea how to fix this? One way of fixing this is https://bugs.webkit.org/show_bug.cgi?id=186193.
Keith Miller
Comment 3
2018-06-19 08:27:36 PDT
I think the simplest solution to this is to have ArrayProfile track if it has seen a CoW array. Then, if fixup sees original and maybe copy-on-write, it can do an arrayify to structure. Thoughts?
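The following is an added model of the problem in the report and of the fix proposed in comment 3; it is constructed for this page and is not JavaScriptCore source. The names (ArrayShape, ObservedArray, ArrayProfile::sawCopyOnWrite, fixupForWrite, checkExits, simulateLoop) are illustrative assumptions. It shows why a profile that remembers only the last structure ends up emitting a CheckStructure that exits once per call, whereas a profile that also records "seen copy-on-write" lets fixup choose ArrayifyToStructure and avoid the exits.

```cpp
#include <cstddef>

// Constructed model, not JavaScriptCore code: all names below are illustrative.

// Indexing shape of an array, independent of the copy-on-write bit.
enum class ArrayShape { Int32, Double, Contiguous };

// What the profiled op saw at one execution. {Int32, true} stands for
// CopyOnWriteArrayWithInt32 and {Int32, false} for ArrayWithInt32.
struct ObservedArray {
    ArrayShape shape;
    bool copyOnWrite;
};

// The profile as described in the report keeps only the last array it saw.
// 'trackCopyOnWrite' enables the extra bit proposed in comment 3.
struct ArrayProfile {
    bool trackCopyOnWrite;
    bool observed = false;
    bool mixedShapes = false;         // conflicting shapes -> polymorphic
    ArrayShape lastShape = ArrayShape::Int32;
    bool sawCopyOnWrite = false;      // the proposed flag

    explicit ArrayProfile(bool track) : trackCopyOnWrite(track) {}

    void observe(ObservedArray a) {
        if (observed && a.shape != lastShape) mixedShapes = true;
        observed = true;
        lastShape = a.shape;
        if (trackCopyOnWrite && a.copyOnWrite) sawCopyOnWrite = true;
    }
};

enum class CheckKind { CheckStructure, ArrayifyToStructure, Generic };

// Fixup decision for a write (put_by_val) based on the profile.
CheckKind fixupForWrite(const ArrayProfile& p) {
    if (!p.observed || p.mixedShapes) return CheckKind::Generic;
    if (p.sawCopyOnWrite) return CheckKind::ArrayifyToStructure; // CoW and non-CoW both fine
    return CheckKind::CheckStructure;                             // exactly one structure
}

// Whether the compiled check exits when it meets the given array.
// CheckStructure needs an exact match with the profiled non-CoW structure;
// ArrayifyToStructure converts a CoW array in place, so only the shape must match.
bool checkExits(CheckKind kind, ArrayShape expected, ObservedArray actual) {
    switch (kind) {
    case CheckKind::Generic:            return false;
    case CheckKind::ArrayifyToStructure: return actual.shape != expected;
    case CheckKind::CheckStructure:     return actual.shape != expected || actual.copyOnWrite;
    }
    return true;
}

// Model of the loop in the report: each call writes array[0] four times; the
// first write sees the copy-on-write literal, the remaining three see the
// converted ArrayWithInt32. Returns the number of exits over 'calls' calls.
int simulateLoop(bool trackCopyOnWrite, int calls) {
    ArrayProfile profile(trackCopyOnWrite);
    // Warm-up pass in the profiling tier: the last array observed is non-CoW.
    for (int i = 0; i < 4; ++i)
        profile.observe({ArrayShape::Int32, i == 0});
    CheckKind kind = fixupForWrite(profile);
    int exits = 0;
    for (int c = 0; c < calls; ++c)
        for (int i = 0; i < 4; ++i)
            if (checkExits(kind, profile.lastShape, {ArrayShape::Int32, i == 0}))
                ++exits;
    return exits;
}
```

Without the flag, simulateLoop(false, n) returns n exits (one per call, on the first write to the CoW literal), which in the real engine is what eventually drives the op to the Generic PutByVal quoted in the report; with the flag, simulateLoop(true, n) returns 0 because fixup picks ArrayifyToStructure.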