Title: [206149] trunk
Revision: 206149
Author: sbar...@apple.com
Date: 2016-09-20 08:56:42 -0700 (Tue, 20 Sep 2016)
Log Message
JSTests:
Unreviewed, added test for x86 32-bit failure for HasOwnProperty node in DFG.
* stress/has-own-property-called-on-non-object.js: Added.
(let.objs):
(new.String):
(foo):
Source/JavaScriptCore:
Unreviewed fix for 32-bit DFG x86 implementation of HasOwnProperty.
Fixup phase is always setting ObjectUse on child1() of HasOwnProperty.
However, on x86 32-bit, I omitted a call to speculateObject() on child1().
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Diff
Modified: trunk/JSTests/ChangeLog (206148 => 206149)
--- trunk/JSTests/ChangeLog 2016-09-20 15:47:12 UTC (rev 206148)
+++ trunk/JSTests/ChangeLog 2016-09-20 15:56:42 UTC (rev 206149)
@@ -1,3 +1,12 @@
+2016-09-20 Saam Barati <sbar...@apple.com>
+
+ Unreviewed, added test for x86 32-bit failure for HasOwnProperty node in DFG.
+
+ * stress/has-own-property-called-on-non-object.js: Added.
+ (let.objs):
+ (new.String):
+ (foo):
+
2016-09-20 Yusuke Suzuki <utatane....@gmail.com>
[JSC] Add `typeof value === "symbol"` handling to bytecode compiler
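Review bot: the function list under the new test file, "(let.objs):", "(new.String):" and "(foo):", looks like unedited script output and says nothing about what the test covers. Drop those three lines, or replace them with one sentence stating that the test calls hasOwnProperty through DFG-compiled code with a non-object receiver.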
Added: trunk/JSTests/stress/has-own-property-called-on-non-object.js (0 => 206149)
--- trunk/JSTests/stress/has-own-property-called-on-non-object.js (rev 0)
+++ trunk/JSTests/stress/has-own-property-called-on-non-object.js 2016-09-20 15:56:42 UTC (rev 206149)
@@ -0,0 +1,21 @@
+"use strict";
+
+let objs = [
+ function() { },
+ new String(),
+ {foo: 45},
+ {bar:50, foo: 45},
+ {baz:70, bar:50, foo: 45},
+ new Date,
+];
+
+let has = ({}).hasOwnProperty;
+function foo(o) {
+ return has.call(o, "foo");
+}
+noInline(foo);
+
+for (let i = 0; i < 10000; i++)
+ foo(objs[i % objs.length]);
+
+foo("foo");
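Review bot: the test never checks a return value, neither in the warm-up loop nor for the final foo("foo"), so it only catches a crash or an engine assertion and would pass if the compiled path returned a wrong answer. Compare each result against what hasOwnProperty should give, for example true for {foo: 45} and false for foo("foo"), and throw on a mismatch. The file name says "non-object", but a string primitive is the only non-object receiver exercised; adding a number and a symbol after the warm-up would cover the other cases where the object speculation has to fail.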
Modified: trunk/Source/_javascript_Core/ChangeLog (206148 => 206149)
--- trunk/Source/_javascript_Core/ChangeLog 2016-09-20 15:47:12 UTC (rev 206148)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-09-20 15:56:42 UTC (rev 206149)
@@ -1,3 +1,13 @@
+2016-09-20 Saam Barati <sbar...@apple.com>
+
+ Unreviewed fix for 32-bit DFG x86 implementation of HasOwnProperty.
+
+ Fixup phase is always setting ObjectUse on child1() of HasOwnProperty.
+ However, on x86 32-bit, I omitted a call to speculateObject() on child1().
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2016-09-20 Yusuke Suzuki <utatane....@gmail.com>
[JSC] Add `typeof value === "symbol"` handling to bytecode compiler
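Review bot: the entry gives the cause (Fixup sets ObjectUse, speculateObject() was omitted) but not the observable failure or the fact that a regression test lands in the same revision. One more sentence saying what happened when a non-object reached the HasOwnProperty node on 32-bit, plus a pointer to stress/has-own-property-called-on-non-object.js, would make the entry usable on its own when someone bisects later.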
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (206148 => 206149)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-09-20 15:47:12 UTC (rev 206148)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-09-20 15:56:42 UTC (rev 206149)
@@ -4899,6 +4899,9 @@
JSValueRegs keyRegs = key.jsValueRegs();
GPRReg objectGPR = object.gpr();
GPRReg resultGPR = result.gpr();
+
+ speculateObject(node->child1());
+
flushRegisters();
callOperation(operationHasOwnProperty, resultGPR, objectGPR, keyRegs);
booleanResult(resultGPR, node);
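Review bot: the added speculateObject(node->child1()) has no comment or assertion tying it to the ObjectUse edge that Fixup sets, so nothing at this site guards against the check being dropped again. Before this change objectGPR was handed to operationHasOwnProperty with no object check emitted in this path, which is the situation the new test's foo("foo") call exercises: a type check promised by the edge but missing from the generated code. Consider asserting the use kind of child1() next to the call, or adding a one-line comment that names the Fixup invariant, so the requirement is visible where the operation is called.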