Reduced from a failing Mochitest-2 test: -- var arr = ; arr.pop(); arr = 2; assertEq(arr.length, 1); -- $ ./js -n -a -m test.js test.js:5: Error: Assertion failed: got 0, expected 1 The problem is that jsop_setelem_dense does not update the array length if index < initializedLength.
Ah, just read some code and I think initializedLength should never be smaller than length when TI is enabled (so we only have to check initializedLength). Taking.
Created attachment 527258 [details] [diff] [review] Patch Update initialized length in array_pop_dense. Also checked array_shift and other callers of setDenseArrayLength but this seems to be the only problem.
What happens if I do: a = [1, 2, 3]; a.length = 0xffff; I would expect initializedLength to be 3 (plus whatever round-up) and length to be materially larger. Does this just disable TI?
Yes, the initialized length will still be three here, it can be less than the length property. If the assignment to a.length shrinks below the initialized length, the initialized length should be adjusted so it is <= the length property (effectively marking later slots as holes). That is similar to the bug here, where pop() (which shrinks the array) did not ensure the initialized length is <= the length. When inference is enabled in a compartment, the invariants we want to preserve are: initializedLength <= length (property of the object) initializedLength <= capacity (allocated space for slots) It can be less than either though (not a MINLENCAP retread). This is designed to handle patterns like: x = Array(1000); for (i = 0; i < 1000; i++) x[i] = 0; At the head of the loop, the initialized length will be 'i', though the length and capacity are generally larger, and we can determine there are no holes below the initialized length. This doesn't handle patterns like: x = Array(1000); for (i = 999; i >= 0; i--) x[i] = 0; This is similar to the array usage pattern seen in v8-crypto, and if we could dynamically determine the array is packed afterwards, that would help this benchmark.
Follow-up fix as discussed on IRC: http://hg.mozilla.org/projects/jaegermonkey/rev/c8cf06975dcf If initializedLength < length we should not change it.