The simple example is below. function test() { var array = [0, 1, 2, 3]; for (var i = 0; i < 4; ++i) { array[0] = array[0] + 1; } return array; } noInline(test); for (var i = 0; i < 1e6; ++i) test(); Our ArrayProfile takes only one array. So typically, `array[0]` op_put_by_val says "Yeah, the array seems ArrayWithInt32". But actually, this should see both `CopyOnWriteArrayWithInt32` and `ArrayWithInt32`. The above example first emit CheckStructure for ArrayWithInt32. Then it fails repeatedly, and the op_put_by_val emits PutByVal(Check:Untyped:@26, Check:Untyped:@29, Check:Untyped:Kill:@47, MustGen|VarArgs, Generic+OriginalNonArray+OutOfBounds+AsIs+Write, R:World, W:Heap, Exits, ClobbersExit, bc#37, ExitValid) It is bad. Ideally, we should emit ArrayifyToStructure for ArrayWithInt32 first.
I think this is the reason why Kraken crypto-aes and crypto-ccm cause regression right now.
Keith, Saam do you have any idea to fix this? One way fixing this is https://bugs.webkit.org/show_bug.cgi?id=186193.
I think the simplest solution to this have ArrayProfile track if it has seen a CoW array. Then, if fixup sees original and maybe copy on write can can do an arrayify to structure. Thoughts?