ArrayMode should not try to get the DFG to think it can convert TypedArrays
author keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 29 Mar 2018 19:09:01 +0000 (19:09 +0000)
committer keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 29 Mar 2018 19:09:01 +0000 (19:09 +0000)
https://bugs.webkit.org/show_bug.cgi?id=184137

Reviewed by Saam Barati.

* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::fromObserved):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230078 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGArrayMode.cpp

index 38a0c8f..4db34b4 100644 (file)
@@ -1,3 +1,13 @@
+2018-03-29  Keith Miller  <keith_miller@apple.com>
+
+        ArrayMode should not try to get the DFG to think it can convert TypedArrays
+        https://bugs.webkit.org/show_bug.cgi?id=184137
+
+        Reviewed by Saam Barati.
+
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::ArrayMode::fromObserved):
+
 2018-03-29  Commit Queue  <commit-queue@webkit.org>
 
         Unreviewed, rolling out r230062.
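
Review bot: The new ChangeLog entry lists `(JSC::DFG::ArrayMode::fromObserved):` with no description after it, so the log records neither what the DFG did wrong when the profile had seen typed arrays nor why falling back to Generic is the right response. Please add a sentence or two under the function name. The commit also touches only the ChangeLog and DFGArrayMode.cpp; a regression test that feeds one access site several typed array types, and a typed array plus an ordinary object, would keep this path from regressing unnoticed.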
index 462b47f..216bbeb 100644 (file)
@@ -118,6 +118,10 @@ ArrayMode ArrayMode::fromObserved(const ConcurrentJSLocker& locker, ArrayProfile
         return ArrayMode(Array::Float64Array, nonArray, Array::AsIs).withProfile(locker, profile, makeSafe);
 
     default:
+        // If we have seen multiple TypedArray types, or a TypedArray and non-typed array, it doesn't make sense to try to convert the object since you can't convert typed arrays.
+        if (observed & ALL_TYPED_ARRAY_MODES)
+            return ArrayMode(Array::Generic, nonArray, Array::AsIs).withProfile(locker, profile, makeSafe);
+
         if ((observed & asArrayModes(NonArray)) && profile->mayInterceptIndexedAccesses(locker))
             return ArrayMode(Array::SelectUsingPredictions).withSpeculationFromProfile(locker, profile, makeSafe);
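
Review bot: The `if (observed & ALL_TYPED_ARRAY_MODES)` test in the `default:` case sits ahead of the existing `(observed & asArrayModes(NonArray)) && profile->mayInterceptIndexedAccesses(locker)` branch, so a profile that has seen a typed array together with NonArray now returns Array::Generic and never reaches SelectUsingPredictions. If that ordering is intended, the comment should say so, since a later reordering of these two checks would silently restore the old behaviour. The comment would also be more useful if it stated what the DFG would otherwise attempt with a convertible mode here, rather than only that it "doesn't make sense". It is a single very long line as well; wrapping it would match the surrounding code.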