228919 – New single bytecode loop for-in is missing many inline asm optimizations in 32bit

NEW 228919

New single bytecode loop for-in is missing many inline asm optimizations in 32bit

https://bugs.webkit.org/show_bug.cgi?id=228919

Summary New single bytecode loop for-in is missing many inline asm optimizations in 3...

Keith Miller

Reported 2021-08-09 11:47:43 PDT

With the new bytecode format 32-bit is missing a bunch of inline assembly optimizations. Most of the code should be similar to the 64 bit code or the previous per-loop instructions.

Attachments
for-in-infinite-loop.js (730 bytes, text/javascript) 2021-08-18 09:09 PDT, Mikhail R. Gadelha	no flags	Details
for-in-undefined.js (730 bytes, text/javascript) 2021-08-18 09:10 PDT, Mikhail R. Gadelha	no flags	Details
View All Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2021-08-16 11:48:17 PDT

<rdar://problem/81991479>

Mikhail R. Gadelha

Comment 2 2021-08-18 09:09:38 PDT

Created attachment 435770 [details] for-in-infinite-loop.js

Mikhail R. Gadelha

Comment 3 2021-08-18 09:10:19 PDT

Created attachment 435771 [details] for-in-undefined.js

Mikhail R. Gadelha

Comment 4 2021-08-18 09:13:47 PDT

Comment on attachment 435770 [details] for-in-infinite-loop.js function makeobj(n) { var obj = {}; for (var i = 0; i < n; ++i) obj[i] = i; return obj; } function testdelete(n) { for (var propToDelete = 0; propToDelete <= n; ++propToDelete) { for (var iterToDelete = 0; iterToDelete <= n; ++iterToDelete) { for (var iterToAdd = 0; iterToAdd <= n; ++iterToAdd) { print("testing with " + n + " properties"); print("deleting property number " + propToDelete + " on iteration " + iterToDelete); print("adding a property on iteration " + iterToAdd); var iter = 0; var o = makeobj(n); for (var i in o) { if (iter == iterToDelete) delete o[propToDelete]; if (iter == iterToAdd) o["xxx"] = 1; // print("iter: " + iter + "i: " + i); print(i) ++ iter; } } } } } testdelete(6);

Mikhail R. Gadelha

Comment 5 2021-08-18 09:15:20 PDT

Added a couple of reduced test cases where jsc starts to return unexpected results: * for-in-infinite-loop.js: for-in seems to be stuck and doesn't increment the value * for-in-undefined.js: for-in returns undefined object at iteration 94

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Nobody

Reported

2021-08-09 11:47 PDT

Modified

2021-08-18 09:15 PDT History

CC List

8 users Show

URL

Keywords InRadar

Depends on

Blocks