Title: [229775] trunk
Revision: 229775
Author: sbar...@apple.com
Date: 2018-03-20 14:59:33 -0700 (Tue, 20 Mar 2018)

Log Message

We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
https://bugs.webkit.org/show_bug.cgi?id=183795
<rdar://problem/38298694>

Reviewed by JF Bastien.

JSTests:

* stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
(foo):
(bar):

Source/JavaScriptCore:

We were just assuming that the constants we were inserting were
always exitOK=true. However, this breaks validation. The exitOK
we emit for the constants in the NewArrayBuffer should respect
the current exit state of the IR we've emitted. This is just IR
bookkeeping since JSConstant is a non-exiting node.

* dfg/DFGArgumentsEliminationPhase.cpp:

Diff

Modified: trunk/JSTests/ChangeLog (229774 => 229775)


--- trunk/JSTests/ChangeLog	2018-03-20 21:53:38 UTC (rev 229774)
+++ trunk/JSTests/ChangeLog	2018-03-20 21:59:33 UTC (rev 229775)
@@ -1,3 +1,15 @@
+2018-03-20  Saam Barati  <sbar...@apple.com>
+
+        We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
+        https://bugs.webkit.org/show_bug.cgi?id=183795
+        <rdar://problem/38298694>
+
+        Reviewed by JF Bastien.
+
+        * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
+        (foo):
+        (bar):
+
 2018-03-16  Yusuke Suzuki  <utatane....@gmail.com>
 
         [DFG][FTL] Add vectorLengthHint for NewArray

Added: trunk/JSTests/stress/sink-phantom-new-array-buffer-exit-ok.js (0 => 229775)


--- trunk/JSTests/stress/sink-phantom-new-array-buffer-exit-ok.js	                        (rev 0)
+++ trunk/JSTests/stress/sink-phantom-new-array-buffer-exit-ok.js	2018-03-20 21:59:33 UTC (rev 229775)
@@ -0,0 +1,8 @@
+function foo() {
+}
+function bar() {
+    foo(...[42]);
+}
+for (var i = 0; i < 400000; i++) {
+    bar();
+}
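Review bot: the loop that calls `bar()` has no assertion and `foo` declares no parameters, so this test can only fail if the engine itself trips (the log message says the bug "breaks validation"); in a run where DFG IR validation is not active it passes trivially. Consider a comment at the top of the file saying the test relies on IR validation, and have `foo` accept the argument and check that it equals 42, so the spread of `[42]` through the sunk array buffer is also verified functionally.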

Modified: trunk/Source/JavaScriptCore/ChangeLog (229774 => 229775)


--- trunk/Source/_javascript_Core/ChangeLog	2018-03-20 21:53:38 UTC (rev 229774)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-03-20 21:59:33 UTC (rev 229775)
@@ -1,3 +1,19 @@
+2018-03-20  Saam Barati  <sbar...@apple.com>
+
+        We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
+        https://bugs.webkit.org/show_bug.cgi?id=183795
+        <rdar://problem/38298694>
+
+        Reviewed by JF Bastien.
+
+        We were just assuming that the constants we were inserting were
+        always exitOK=true. However, this breaks validation. The exitOK
+        we emit for the constants in the NewArrayBuffer should respect
+        the current exit state of the IR we've emitted. This is just IR
+        bookkeeping since JSConstant is a non-exiting node.
+
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+
 2018-03-20  Guillaume Emont  <guijem...@igalia.com>
 
         MIPS+Armv7 builds are broken since r229391

Modified: trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp (229774 => 229775)


--- trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp	2018-03-20 21:53:38 UTC (rev 229774)
+++ trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp	2018-03-20 21:59:33 UTC (rev 229775)
@@ -919,7 +919,6 @@
                                     }
 
                                     if (candidate->op() == PhantomNewArrayBuffer) {
-                                        bool canExit = true;
                                         auto* array = candidate->castOperand<JSFixedArray*>();
                                         for (unsigned index = 0; index < array->length(); ++index) {
                                             JSValue constant;
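Review bot: in the `candidate->op() == PhantomNewArrayBuffer` branch, removing the local `bool canExit = true;` means any remaining use of `canExit` inside the `for (unsigned index = 0; ...)` loop has to resolve to a declaration outside this branch, and nothing visible in this hunk shows which one or that it reflects the exit state at the point the constants are inserted. A short comment at the top of the branch would help: state that the inserted constants inherit the current exitOK state, and that this matters only for validation because JSConstant does not exit, so a later change does not reintroduce a hard-coded `true`.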