Ignore:
Timestamp:
Aug 15, 2013, 7:30:37 PM (12 years ago)
Author:
[email protected]
Message:

Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
https://bugs.webkit.org/show_bug.cgi?id=119874

Reviewed by Oliver Hunt and Mark Hahnenberg.

It was a confusion between heuristics in DFG::ArrayMode that are assuming that
you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
sometimes for typed array length accesses, and the FixupPhase assuming that a
ForceExit ArrayMode means that it should continue using a generic GetById.

This fixes the confusion.

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r154156 r154157  
     12013-08-15  Filip Pizlo  <[email protected]>
     2
     3        Sometimes, the DFG uses a GetById for typed array length accesses despite profiling data that indicates that it's a typed array length access
     4        https://bugs.webkit.org/show_bug.cgi?id=119874
     5
     6        Reviewed by Oliver Hunt and Mark Hahnenberg.
     7       
     8        It was a confusion between heuristics in DFG::ArrayMode that are assuming that
     9        you'll use ForceExit if array profiles are empty, the JIT creating empty profiles
     10        sometimes for typed array length accesses, and the FixupPhase assuming that a
     11        ForceExit ArrayMode means that it should continue using a generic GetById.
     12
     13        This fixes the confusion.
     14
     15        * dfg/DFGFixupPhase.cpp:
     16        (JSC::DFG::FixupPhase::fixupNode):
     17
    1182013-08-15  Mark Lam  <[email protected]>
    219
Note: See TracChangeset for help on using the changeset viewer.