Diff
Modified: trunk/JSTests/ChangeLog (285591 => 285592)
--- trunk/JSTests/ChangeLog 2021-11-10 18:46:31 UTC (rev 285591)
+++ trunk/JSTests/ChangeLog 2021-11-10 18:54:59 UTC (rev 285592)
@@ -1,3 +1,19 @@
+2021-11-10 Saam Barati <sbar...@apple.com>
+
+ in_by_val should not constant fold to in_by_id when the property is a property index
+ https://bugs.webkit.org/show_bug.cgi?id=232753
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/dont-in-by-id-when-index-2.js: Added.
+ (assert):
+ (main.v179):
+ (main.async v244):
+ (main):
+ * stress/dont-in-by-id-when-index.js: Added.
+ (assert):
+ (test):
+
2021-11-10 Xan Lopez <x...@igalia.com>
[JSC][32bit] Unskip JSTests/stress/json-stringify-string-builder-overflow.js
Added: trunk/JSTests/stress/dont-in-by-id-when-index-2.js (0 => 285592)
--- trunk/JSTests/stress/dont-in-by-id-when-index-2.js (rev 0)
+++ trunk/JSTests/stress/dont-in-by-id-when-index-2.js 2021-11-10 18:54:59 UTC (rev 285592)
@@ -0,0 +1,37 @@
+//@ runDefault("--validateOptions=true", "--useConcurrentJIT=false", "--useConcurrentGC=false", "--thresholdForJITSoon=10", "--thresholdForJITAfterWarmUp=10", "--thresholdForOptimizeAfterWarmUp=100", "--thresholdForOptimizeAfterLongWarmUp=100", "--thresholdForOptimizeSoon=100", "--thresholdForFTLOptimizeAfterWarmUp=1000", "--thresholdForFTLOptimizeSoon=1000", "--validateBCE=true", "--useFTLJIT=0")
+
+function assert(b) {
+ if (!b)
+ throw new Error;
+}
+
+function main() {
+ let v249;
+
+ const v178 = [];
+
+ v179 = class V179 {
+ constructor(v181,v182,v183) {
+ }
+ };
+
+ const v195 = [v178,v179,1];
+ const v203 = {};
+ const v204 = [v179,v195];
+ const v205 = v204.toLocaleString();
+
+ for (const v223 of v205) {
+ const v232 = {};
+ v232[v223] = "number";
+
+ async function v244() {
+ v249 = "1" in v232;
+ const v250 = 0;
+ }
+ v244();
+ }
+
+ assert(v249 === true);
+}
+
+main();
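Review bot: Nothing in this test says which statement exercises the fix, and the reduced, fuzzer-style shape makes that hard to recover later. The line that matters appears to be `v249 = "1" in v232;` inside `v244`, which runs after `v232[v223] = "number"` has stored a key taken from a character of `v205`. A header comment such as `// "1" in obj must not be folded to in_by_id when the key parses as an index (bug 232753)` would document the intent. `v203` and `v250` are unused and `v179` is assigned without a declaration. If they are not needed to reproduce the original failure, dropping them would make the test easier to read.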
Added: trunk/JSTests/stress/dont-in-by-id-when-index.js (0 => 285592)
--- trunk/JSTests/stress/dont-in-by-id-when-index.js (rev 0)
+++ trunk/JSTests/stress/dont-in-by-id-when-index.js 2021-11-10 18:54:59 UTC (rev 285592)
@@ -0,0 +1,15 @@
+function assert(b) {
+ if (!b)
+ throw new Error;
+}
+
+function test(obj) {
+ return "1" in obj;
+}
+noInline(test);
+
+let o = [10, {}];
+
+for (let i = 0; i < 10000; ++i) {
+ assert(test(o) === true);
+}
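Review bot: The loop only asserts the positive case, `"1" in obj` on a single array, so a regression that made the optimized code always answer `true` would still pass. A second `noInline` function that checks an index the array does not have, for example `return "7" in obj;` asserted with `=== false`, would pin both outcomes. It would also help to run `test` against a plain object with an index-like key, which this file does not cover.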
Modified: trunk/Source/_javascript_Core/ChangeLog (285591 => 285592)
--- trunk/Source/_javascript_Core/ChangeLog 2021-11-10 18:46:31 UTC (rev 285591)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-11-10 18:54:59 UTC (rev 285592)
@@ -1,3 +1,16 @@
+2021-11-10 Saam Barati <sbar...@apple.com>
+
+ in_by_val should not constant fold to in_by_id when the property is a property index
+ https://bugs.webkit.org/show_bug.cgi?id=232753
+
+ Reviewed by Yusuke Suzuki.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGValidate.cpp:
+
2021-11-09 Commit Queue <commit-qu...@webkit.org>
Unreviewed, reverting r285246.
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (285591 => 285592)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-11-10 18:46:31 UTC (rev 285591)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2021-11-10 18:54:59 UTC (rev 285592)
@@ -4248,7 +4248,7 @@
if (JSValue constant = property.value()) {
if (constant.isString()) {
JSString* string = asString(constant);
- if (CacheableIdentifier::isCacheableIdentifierCell(string))
+ if (CacheableIdentifier::isCacheableIdentifierCell(string) && !parseIndex(CacheableIdentifier::createFromCell(string).uid()))
m_state.setShouldTryConstantFolding(true);
}
}
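Review bot: The predicate `CacheableIdentifier::isCacheableIdentifierCell(string) && !parseIndex(CacheableIdentifier::createFromCell(string).uid())` is written out here and again, verbatim, in the DFGConstantFoldingPhase.cpp hunk at `@@ -681,7 +681,7 @@`. The two sites have to agree, since this one decides whether folding is attempted and the other performs it. A future edit to only one of them would reintroduce the bug this commit fixes. A small shared helper with a comment like `// Index-like strings must stay on the by-val path; in_by_id only handles named properties.` would keep them in sync. The enclosing `executeEffects` case starts and ends outside this hunk, so I cannot tell whether other by-val folds in it need the same guard.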
Modified: trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (285591 => 285592)
--- trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2021-11-10 18:46:31 UTC (rev 285591)
+++ trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2021-11-10 18:54:59 UTC (rev 285592)
@@ -681,7 +681,7 @@
if (JSValue constant = property.value()) {
if (constant.isString()) {
JSString* string = asString(constant);
- if (CacheableIdentifier::isCacheableIdentifierCell(string)) {
+ if (CacheableIdentifier::isCacheableIdentifierCell(string) && !parseIndex(CacheableIdentifier::createFromCell(string).uid())) {
const StringImpl* impl = string->tryGetValueImpl();
RELEASE_ASSERT(impl);
m_graph.freezeStrong(string);
Modified: trunk/Source/_javascript_Core/dfg/DFGValidate.cpp (285591 => 285592)
--- trunk/Source/_javascript_Core/dfg/DFGValidate.cpp 2021-11-10 18:46:31 UTC (rev 285591)
+++ trunk/Source/_javascript_Core/dfg/DFGValidate.cpp 2021-11-10 18:54:59 UTC (rev 285592)
@@ -29,6 +29,7 @@
#if ENABLE(DFG_JIT)
#include "ButterflyInlines.h"
+#include "CacheableIdentifierInlines.h"
#include "DFGClobberize.h"
#include "DFGClobbersExitState.h"
#include "DFGDominators.h"
@@ -234,6 +235,11 @@
if (!node->child1())
VALIDATE((node), !node->child2());
}
+
+ if (node->hasCacheableIdentifier()) {
+ auto* uid = node->cacheableIdentifier().uid();
+ VALIDATE((node), !parseIndex(*uid));
+ }
switch (node->op()) {
case Identity:
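Review bot: This check calls `parseIndex(*uid)` on a dereferenced pointer, while the two call sites changed in this commit pass the result of `.uid()` directly. If those resolve to different overloads, null or symbol identifiers may be handled differently here than at the fold sites. `*uid` also has no null check, so a node holding an empty identifier would crash the validator rather than fail validation. Matching the other sites with `VALIDATE((node), !parseIndex(node->cacheableIdentifier().uid()));` would keep the invariant identical, assuming the same overload is visible in this file. This check presumably runs only where graph validation is enabled, so it backs up the two fold-site guards but does not replace them. The enclosing function begins and ends outside the hunk.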