Modified: branches/safari-612-branch/JSTests/ChangeLog (287622 => 287623)
--- branches/safari-612-branch/JSTests/ChangeLog 2022-01-05 18:20:46 UTC (rev 287622)
+++ branches/safari-612-branch/JSTests/ChangeLog 2022-01-05 18:20:50 UTC (rev 287623)
@@ -1,5 +1,50 @@
2022-01-05 Russell Epstein <repst...@apple.com>
+ Cherry-pick r286228. rdar://problem/87125189
+
+ [JSC] GetTypedArrayLengthAsInt52 can get Array::Generic ArrayMode
+ https://bugs.webkit.org/show_bug.cgi?id=233571
+ rdar://85812164
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/get-typed-array-length-as-int52-generic.js: Added.
+ (foo.bar):
+ (foo):
+
+ Source/_javascript_Core:
+
+ If speculation is not populated enough, then GetTypedArrayLengthAsInt52 can get Array::Generic.
+ In that case, we should convert it to Array::ForceExit as it is done in GetArrayLength.
+ And blessArrayOperation inserts ForceOSRExit. So GetTypedArrayLengthAsInt52 won't be compiled.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLengthAsInt52):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayLengthAsInt52):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286228 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-29 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] GetTypedArrayLengthAsInt52 can get Array::Generic ArrayMode
+ https://bugs.webkit.org/show_bug.cgi?id=233571
+ rdar://85812164
+
+ Reviewed by Mark Lam.
+
+ * stress/get-typed-array-length-as-int52-generic.js: Added.
+ (foo.bar):
+ (foo):
+
+2022-01-05 Russell Epstein <repst...@apple.com>
+
Cherry-pick r286153. rdar://problem/87124911
Skip new stress test get-array-length-reuse.js if memory-limited
Added: branches/safari-612-branch/JSTests/stress/get-typed-array-length-as-int52-generic.js (0 => 287623)
--- branches/safari-612-branch/JSTests/stress/get-typed-array-length-as-int52-generic.js (rev 0)
+++ branches/safari-612-branch/JSTests/stress/get-typed-array-length-as-int52-generic.js 2022-01-05 18:20:50 UTC (rev 287623)
@@ -0,0 +1,12 @@
+//@ skip if not $jitTests
+//@ runDefault("--jitPolicyScale=0", "--useLLInt=0")
+function foo() {
+ function bar() {}
+ bar(...arguments);
+ arguments.length = undefined;
+ bar(...arguments);
+ for (let _ of new Uint8Array());
+}
+
+for (let i = 0; i < 15000; i++)
+ foo();
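Review bot: The new stress test carries no comment tying it to the bug it guards, so a future reader cannot tell which JIT path `for (let _ of new Uint8Array())` is meant to reach or why the `arguments.length = undefined` write precedes it. A one-line header would fix that: `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=233571: GetTypedArrayLengthAsInt52 must tolerate an Array::Generic ArrayMode when speculation is sparse.` The `--jitPolicyScale=0` and `--useLLInt=0` options presumably exist to make the 15000-iteration loop tier up into the DFG/FTL quickly; naming that purpose in the same header would keep the flags from being "simplified" away later.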
Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (287622 => 287623)
--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2022-01-05 18:20:46 UTC (rev 287622)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2022-01-05 18:20:50 UTC (rev 287623)
@@ -1,5 +1,59 @@
2022-01-05 Russell Epstein <repst...@apple.com>
+ Cherry-pick r286228. rdar://problem/87125189
+
+ [JSC] GetTypedArrayLengthAsInt52 can get Array::Generic ArrayMode
+ https://bugs.webkit.org/show_bug.cgi?id=233571
+ rdar://85812164
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/get-typed-array-length-as-int52-generic.js: Added.
+ (foo.bar):
+ (foo):
+
+ Source/_javascript_Core:
+
+ If speculation is not populated enough, then GetTypedArrayLengthAsInt52 can get Array::Generic.
+ In that case, we should convert it to Array::ForceExit as it is done in GetArrayLength.
+ And blessArrayOperation inserts ForceOSRExit. So GetTypedArrayLengthAsInt52 won't be compiled.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLengthAsInt52):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayLengthAsInt52):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@286228 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-11-29 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] GetTypedArrayLengthAsInt52 can get Array::Generic ArrayMode
+ https://bugs.webkit.org/show_bug.cgi?id=233571
+ rdar://85812164
+
+ Reviewed by Mark Lam.
+
+ If speculation is not populated enough, then GetTypedArrayLengthAsInt52 can get Array::Generic.
+ In that case, we should convert it to Array::ForceExit as it is done in GetArrayLength.
+ And blessArrayOperation inserts ForceOSRExit. So GetTypedArrayLengthAsInt52 won't be compiled.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetTypedArrayLengthAsInt52):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayLengthAsInt52):
+
+2022-01-05 Russell Epstein <repst...@apple.com>
+
Cherry-pick r285978. rdar://problem/87124911
[JSC] TypedArray GetArrayLength should not use Reuse
Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGClobberize.h (287622 => 287623)
--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2022-01-05 18:20:46 UTC (rev 287622)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2022-01-05 18:20:50 UTC (rev 287623)
@@ -1444,7 +1444,7 @@
}
default:
- ASSERT(mode.isSomeTypedArrayView());
+ DFG_ASSERT(graph, node, mode.isSomeTypedArrayView());
read(MiscFields);
def(HeapLocation(ArrayLengthLoc, MiscFields, node->child1()), LazyNode(node));
return;
@@ -1453,10 +1453,16 @@
case GetTypedArrayLengthAsInt52: {
ArrayMode mode = node->arrayMode();
- RELEASE_ASSERT(mode.isSomeTypedArrayView());
- read(MiscFields);
- def(HeapLocation(TypedArrayLengthInt52Loc, MiscFields, node->child1()), LazyNode(node));
- return;
+ DFG_ASSERT(graph, node, mode.isSomeTypedArrayView() || mode.type() == Array::ForceExit);
+ switch (mode.type()) {
+ case Array::ForceExit:
+ write(SideState);
+ return;
+ default:
+ read(MiscFields);
+ def(HeapLocation(TypedArrayLengthInt52Loc, MiscFields, node->child1()), LazyNode(node));
+ return;
+ }
}
case GetVectorLength: {
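Review bot: The new `case Array::ForceExit:` branch models a length read as `write(SideState)` with no explanation, so a reader of clobberize alone cannot see why the node has no heap effects of its own. The ChangeLog states that blessArrayOperation inserts a ForceOSRExit ahead of such a node so it is never compiled; that reasoning belongs next to the branch, e.g. `// ForceExit: FixupPhase has already placed a ForceOSRExit ahead of this node, so it never executes; only side state is affected.` The preceding hunk's ASSERT-to-DFG_ASSERT change in the GetArrayLength default case needs nothing further. The enclosing clobberize function begins before and ends after this hunk.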
Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (287622 => 287623)
--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2022-01-05 18:20:46 UTC (rev 287622)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2022-01-05 18:20:50 UTC (rev 287623)
@@ -2159,7 +2159,7 @@
// We don't know how to handle generic and we only emit this in the Parser when we have checked the value is an Array/TypedArray.
if (arrayMode.type() == Array::Generic)
arrayMode = arrayMode.withType(Array::ForceExit);
- ASSERT(arrayMode.isSpecific() || arrayMode.type() == Array::ForceExit);
+ DFG_ASSERT(m_graph, node, arrayMode.isSpecific() || arrayMode.type() == Array::ForceExit);
node->setArrayMode(arrayMode);
blessArrayOperation(node->child1(), Edge(), node->child2(), lengthNeedsStorage);
@@ -2169,7 +2169,9 @@
case GetTypedArrayLengthAsInt52: {
ArrayMode arrayMode = node->arrayMode().refine(m_graph, node, node->child1()->prediction(), ArrayMode::unusedIndexSpeculatedType);
- ASSERT(arrayMode.isSomeTypedArrayView());
+ if (arrayMode.type() == Array::Generic)
+ arrayMode = arrayMode.withType(Array::ForceExit);
+ DFG_ASSERT(m_graph, node, arrayMode.isSomeTypedArrayView() || arrayMode.type() == Array::ForceExit);
node->setArrayMode(arrayMode);
blessArrayOperation(node->child1(), Edge(), node->child2(), lengthNeedsStorage);
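Review bot: The Generic-to-ForceExit conversion added for GetTypedArrayLengthAsInt52 duplicates the two lines in the GetArrayLength case of the previous hunk but omits the explanatory comment that case has, so the second copy reads as unexplained. I'd add `// Sparse speculation can leave the mode Generic; as for GetArrayLength, downgrade it to ForceExit so blessArrayOperation emits a ForceOSRExit and this node is never compiled.` above the `if`, which matches the rationale the ChangeLog gives. If the pair of lines is expected to grow to further length nodes, a small private helper returning the downgraded ArrayMode would keep both sites in step. fixupNode begins before and ends after this hunk.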
Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (287622 => 287623)
--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2022-01-05 18:20:46 UTC (rev 287622)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2022-01-05 18:20:50 UTC (rev 287623)
@@ -2632,7 +2632,8 @@
void SpeculativeJIT::compileGetTypedArrayLengthAsInt52(Node* node)
{
- RELEASE_ASSERT(node->arrayMode().isSomeTypedArrayView());
+ // If arrayMode is ForceExit, we would not compile this node and hence, should not have arrived here.
+ DFG_ASSERT(m_graph, node, node->arrayMode().isSomeTypedArrayView());
SpeculateCellOperand base(this, node->child1());
GPRTemporary result(this, Reuse, base);
GPRReg baseGPR = base.gpr();
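Review bot: This hunk switches the check to `DFG_ASSERT(m_graph, node, ...)` while the FTL counterpart in the FTLLowerDFGToB3 hunk keeps `RELEASE_ASSERT` with the same new comment, so the two backends now report a violation of the same invariant differently; presumably both crash, but only DFG_ASSERT logs the graph and node. If DFG_ASSERT is usable in LowerDFGToB3 (it appears to have `m_graph` and `m_node` available), `DFG_ASSERT(m_graph, m_node, m_node->arrayMode().isSomeTypedArrayView());` there would make the two consistent. The comment could also state what guarantees the invariant rather than only its consequence: `// FixupPhase downgrades Generic to ForceExit and blessArrayOperation then emits a ForceOSRExit, so this node is never compiled in that mode.` compileGetTypedArrayLengthAsInt52 continues past the end of the hunk.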
Modified: branches/safari-612-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (287622 => 287623)
--- branches/safari-612-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-01-05 18:20:46 UTC (rev 287622)
+++ branches/safari-612-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2022-01-05 18:20:50 UTC (rev 287623)
@@ -5090,6 +5090,7 @@
IGNORE_CLANG_WARNINGS_BEGIN("missing-noreturn")
void compileGetTypedArrayLengthAsInt52()
{
+ // If arrayMode is ForceExit, we would not compile this node and hence, should not have arrived here.
RELEASE_ASSERT(m_node->arrayMode().isSomeTypedArrayView());
// The preprocessor chokes on RELEASE_ASSERT(USE(LARGE_TYPED_ARRAYS)), this is equivalent.
RELEASE_ASSERT(sizeof(size_t) == sizeof(uint64_t));