Title: [251332] branches/safari-608-branch
- Revision: 251332
- Author: bshaf...@apple.com
- Date: 2019-10-20 10:32:33 -0700 (Sun, 20 Oct 2019)
Log Message
Cherry-pick r249959. rdar://problem/56280989
CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
https://bugs.webkit.org/show_bug.cgi?id=201853
<rdar://problem/53805461>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/direct-arguments-check-array-filter-type.js: Added.
(foo):
Source/_javascript_Core:
We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
out SlowPutArrayStorage. It does no such thing. We just check that the object
is either ScopedArguments/DirectArguments.
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
(JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
(JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249959 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-608-branch/JSTests/ChangeLog (251331 => 251332)
--- branches/safari-608-branch/JSTests/ChangeLog 2019-10-20 17:32:28 UTC (rev 251331)
+++ branches/safari-608-branch/JSTests/ChangeLog 2019-10-20 17:32:33 UTC (rev 251332)
@@ -1,3 +1,43 @@
+2019-10-15 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r249959. rdar://problem/56280989
+
+ CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
+ https://bugs.webkit.org/show_bug.cgi?id=201853
+ <rdar://problem/53805461>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/direct-arguments-check-array-filter-type.js: Added.
+ (foo):
+
+ Source/_javascript_Core:
+
+ We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
+ out SlowPutArrayStorage. It does no such thing. We just check that the object
+ is either ScopedArguments/DirectArguments.
+
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249959 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-09-17 Saam Barati <sbar...@apple.com>
+
+ CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
+ https://bugs.webkit.org/show_bug.cgi?id=201853
+ <rdar://problem/53805461>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/direct-arguments-check-array-filter-type.js: Added.
+ (foo):
+
2019-09-30 Babak Shafiei <bshaf...@apple.com>
Cherry-pick r250058. rdar://problem/55826329
Added: branches/safari-608-branch/JSTests/stress/direct-arguments-check-array-filter-type.js (0 => 251332)
--- branches/safari-608-branch/JSTests/stress/direct-arguments-check-array-filter-type.js (rev 0)
+++ branches/safari-608-branch/JSTests/stress/direct-arguments-check-array-filter-type.js 2019-10-20 17:32:33 UTC (rev 251332)
@@ -0,0 +1,12 @@
+//@ runDefault("--jitPolicyScale=0", "--useRandomizingFuzzerAgent=1", "--validateAbstractInterpreterState=1", "--validateAbstractInterpreterStateProbability=1.0", "--useConcurrentJIT=0")
+
+function foo(a0, a1) {
+ Function.__defineSetter__(0, ()=>{});
+ Object.freeze(arguments);
+ for (let i = 0; i < 3; i++) {}
+ arguments[0];
+ const x = 0;
+ const y = 0;
+}
+
+foo();
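Review bot: The test has no comment tying the `Object.freeze(arguments)` call to the slow-put array storage case named in the ChangeLog title, so a future reader cannot tell which line is the trigger and which lines (`const x = 0; const y = 0;`, the empty loop) are just there to shape the DFG graph. A one-line comment above `foo` saying that freezing `arguments` is what moves the DirectArguments object out of the storage shape CheckArray was assumed to filter, and that the `//@ runDefault(...)` options exist to force abstract-interpreter validation, would make the regression self-describing.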
Modified: branches/safari-608-branch/Source/_javascript_Core/ChangeLog (251331 => 251332)
--- branches/safari-608-branch/Source/_javascript_Core/ChangeLog 2019-10-20 17:32:28 UTC (rev 251331)
+++ branches/safari-608-branch/Source/_javascript_Core/ChangeLog 2019-10-20 17:32:33 UTC (rev 251332)
@@ -1,3 +1,49 @@
+2019-10-15 Kocsen Chung <kocsen_ch...@apple.com>
+
+ Cherry-pick r249959. rdar://problem/56280989
+
+ CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
+ https://bugs.webkit.org/show_bug.cgi?id=201853
+ <rdar://problem/53805461>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/direct-arguments-check-array-filter-type.js: Added.
+ (foo):
+
+ Source/_javascript_Core:
+
+ We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
+ out SlowPutArrayStorage. It does no such thing. We just check that the object
+ is either ScopedArguments/DirectArguments.
+
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@249959 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-09-17 Saam Barati <sbar...@apple.com>
+
+ CheckArray on DirectArguments/ScopedArguments does not filter out slow put array storage
+ https://bugs.webkit.org/show_bug.cgi?id=201853
+ <rdar://problem/53805461>
+
+ Reviewed by Yusuke Suzuki.
+
+ We were claiming CheckArray for ScopedArguments/DirectArguments was filtering
+ out SlowPutArrayStorage. It does no such thing. We just check that the object
+ is either ScopedArguments/DirectArguments.
+
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShape const): Deleted.
+
2019-09-30 Babak Shafiei <bshaf...@apple.com>
Cherry-pick r250058. rdar://problem/55826329
Modified: branches/safari-608-branch/Source/_javascript_Core/dfg/DFGArrayMode.h (251331 => 251332)
--- branches/safari-608-branch/Source/_javascript_Core/dfg/DFGArrayMode.h 2019-10-20 17:32:28 UTC (rev 251331)
+++ branches/safari-608-branch/Source/_javascript_Core/dfg/DFGArrayMode.h 2019-10-20 17:32:33 UTC (rev 251332)
@@ -430,21 +430,21 @@
case Array::Generic:
return ALL_ARRAY_MODES;
case Array::Int32:
- result = arrayModesWithIndexingShape(Int32Shape);
+ result = arrayModesWithIndexingShapes(Int32Shape);
break;
case Array::Double:
- result = arrayModesWithIndexingShape(DoubleShape);
+ result = arrayModesWithIndexingShapes(DoubleShape);
break;
case Array::Contiguous:
- result = arrayModesWithIndexingShape(ContiguousShape);
+ result = arrayModesWithIndexingShapes(ContiguousShape);
break;
case Array::ArrayStorage:
- return arrayModesWithIndexingShape(ArrayStorageShape);
+ return arrayModesWithIndexingShapes(ArrayStorageShape);
case Array::SlowPutArrayStorage:
return arrayModesWithIndexingShapes(SlowPutArrayStorageShape, ArrayStorageShape);
case Array::DirectArguments:
case Array::ScopedArguments:
- return arrayModesWithIndexingShapes(ArrayStorageShape, NonArray);
+ return arrayModesWithIndexingShapes(ArrayStorageShape, SlowPutArrayStorageShape, NonArray);
case Array::Int8Array:
return Int8ArrayMode;
case Array::Int16Array:
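Review bot: The DirectArguments/ScopedArguments case now reports SlowPutArrayStorageShape as passing the filter, which is the actual fix, but nothing at the case labels records why: per the ChangeLog, CheckArray on these types only verifies the object is a DirectArguments/ScopedArguments and rejects no storage shape, so the reported set must be the wider one. A short comment on those two labels would stop a later "tightening" from reintroducing the mismatch. Secondary, pre-existing style point in the same hunk: `Array::ArrayStorage` returns directly while `Int32`/`Double`/`Contiguous` assign to `result` and `break`; worth aligning while these lines are touched.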
@@ -512,7 +512,7 @@
u.asWord = word;
}
- ArrayModes arrayModesWithIndexingShape(IndexingType shape) const
+ ArrayModes arrayModesWithIndexingShapes(IndexingType shape) const
{
switch (arrayClass()) {
case Array::NonArray:
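Review bot: Renaming the single-shape helper to the plural `arrayModesWithIndexingShapes` turns it into the base-case overload of the variadic template below rather than a distinctly named function. That works, because for a single argument the non-template overload is preferred over the template with an empty pack, so the recursion terminates here, but the name no longer signals that role; a comment stating that this overload is the recursion base case would help.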
@@ -537,10 +537,11 @@
}
}
- ArrayModes arrayModesWithIndexingShapes(IndexingType shape1, IndexingType shape2) const
+ template <typename... Args>
+ ArrayModes arrayModesWithIndexingShapes(IndexingType shape1, Args... args) const
{
- ArrayModes arrayMode1 = arrayModesWithIndexingShape(shape1);
- ArrayModes arrayMode2 = arrayModesWithIndexingShape(shape2);
+ ArrayModes arrayMode1 = arrayModesWithIndexingShapes(shape1);
+ ArrayModes arrayMode2 = arrayModesWithIndexingShapes(args...);
return arrayMode1 | arrayMode2;
}
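Review bot: With the variadic rewrite, `arrayMode2` is no longer the modes for a second shape but the union of all remaining shapes, so the name now misleads; `rest` or `remainingModes` would match the new semantics. The template also depends on the single-argument overload above as its base case, so it is only ever instantiated with at least one trailing argument; a `static_assert(sizeof...(Args) >= 1, "...")` would state that requirement in code instead of leaving it implicit in overload resolution.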
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes