Title: [228454] trunk
Revision
228454
Author
sbar...@apple.com
Date
2018-02-13 21:07:07 -0800 (Tue, 13 Feb 2018)

Log Message

putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
https://bugs.webkit.org/show_bug.cgi?id=182755
<rdar://problem/37080864>

Reviewed by Keith Miller.

JSTests:

* stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
(test1.o.get 10005):
(test1):
(test2.o.get 1000):
(test2):

Source/_javascript_Core:

putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
the object in question to a dictionary indexing mode when the index is less than
the vector length. This makes no sense. If we're defining a getter, setter, or read
only property, we must always enter the dictionary indexing mode irrespective
of the index in relation to the vector length.

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):

Diff

Modified: trunk/JSTests/ChangeLog (228453 => 228454)


--- trunk/JSTests/ChangeLog	2018-02-14 04:38:33 UTC (rev 228453)
+++ trunk/JSTests/ChangeLog	2018-02-14 05:07:07 UTC (rev 228454)
@@ -1,3 +1,17 @@
+2018-02-13  Saam Barati  <sbar...@apple.com>
+
+        putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
+        https://bugs.webkit.org/show_bug.cgi?id=182755
+        <rdar://problem/37080864>
+
+        Reviewed by Keith Miller.
+
+        * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
+        (test1.o.get 10005):
+        (test1):
+        (test2.o.get 1000):
+        (test2):
+
 2018-02-13  Caitlin Potter  <ca...@igalia.com>
 
         [JSC] cache TaggedTemplate arrays by callsite rather than by contents

Added: trunk/JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js (0 => 228454)


--- trunk/JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js	                        (rev 0)
+++ trunk/JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js	2018-02-14 05:07:07 UTC (rev 228454)
@@ -0,0 +1,29 @@
+function test1(item) {
+    var o = {
+        10000: item,
+        get 10005() { },
+    };
+    let arr = new Array(10008);
+    for (let key of arr.keys()) {
+        let o2 = {};
+        o[key] = o2;
+    }
+}
+test1({});
+test1(10);
+test1(10.5);
+
+function test2(item) {
+    var o = {
+        0: item,
+        get 1000() { },
+    };
+    let arr = new Array(1000);
+    for (let key of arr.keys()) {
+        let o2 = {};
+        o[key] = o2;
+    }
+}
+test2({});
+test2(10);
+test2(10.5);
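Review bot: The test only proves that the bulk stores no longer crash or assert; it never checks that the accessor defined in the literal survives them, so a regression that silently turns the getter into a plain data slot would still pass. In test1 the loop over `arr.keys()` stores to index 10005 itself, which for an accessor without a setter is a silent no-op in sloppy mode, so a post-loop check is meaningful there; test2's loop stops at 999 and never touches 1000. I would add after each loop `if (typeof Object.getOwnPropertyDescriptor(o, 10005).get !== "function") throw new Error("getter at 10005 was lost");` and the same line with `1000` in test2. That keeps the test a stress test while pinning the property the fix is about.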

Modified: trunk/Source/_javascript_Core/ChangeLog (228453 => 228454)


--- trunk/Source/_javascript_Core/ChangeLog	2018-02-14 04:38:33 UTC (rev 228453)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-02-14 05:07:07 UTC (rev 228454)
@@ -1,5 +1,22 @@
 2018-02-13  Saam Barati  <sbar...@apple.com>
 
+        putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
+        https://bugs.webkit.org/show_bug.cgi?id=182755
+        <rdar://problem/37080864>
+
+        Reviewed by Keith Miller.
+
+        putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
+        the object in question to a dictionary indexing mode when the index is less than
+        the vector length. This makes no sense. If we're defining a getter, setter, or read
+        only property, we must always enter the dictionary indexing mode irrespective
+        of the index in relation to the vector length.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+
+2018-02-13  Saam Barati  <sbar...@apple.com>
+
         Follup fix to r228411 for 32-bit builds. I missed a place where we used non vararg getter for child2().
 
         * dfg/DFGSpeculativeJIT32_64.cpp:

Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (228453 => 228454)


--- trunk/Source/_javascript_Core/runtime/JSObject.cpp	2018-02-14 04:38:33 UTC (rev 228453)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp	2018-02-14 05:07:07 UTC (rev 228454)
@@ -2922,11 +2922,9 @@
     }
         
     case ALL_INT32_INDEXING_TYPES: {
-        if (attributes) {
-            if (i < m_butterfly->vectorLength())
-                return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
-            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertInt32ToArrayStorage(vm));
-        }
+        ASSERT(!indexingShouldBeSparse());
+        if (attributes)
+            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
         if (!value.isInt32()) {
             convertInt32ForValue(vm, value);
             return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
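Review bot: The new `if (attributes)` branch in the Int32 case carries no comment saying why dictionary indexing mode is required for every index, so the `i < m_butterfly->vectorLength()` split this hunk removes looks like a plausible optimization to reintroduce later. I would put the invariant from the commit message above the `ASSERT`, e.g. `// Any index defined with attributes (getter, setter, read-only) must go into dictionary indexing mode, regardless of where i falls relative to vectorLength(); presumably the non-dictionary indexing paths do not expect accessors or read-only slots.` The `ASSERT(!indexingShouldBeSparse())` is debug-only, so whether a release build can reach this case with an object that should already be sparse depends on the callers, which are outside this hunk. The enclosing function starts before and ends after the hunk.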
@@ -2936,11 +2934,9 @@
     }
         
     case ALL_DOUBLE_INDEXING_TYPES: {
-        if (attributes) {
-            if (i < m_butterfly->vectorLength())
-                return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
-            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertDoubleToArrayStorage(vm));
-        }
+        ASSERT(!indexingShouldBeSparse());
+        if (attributes)
+            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
         if (!value.isNumber()) {
             convertDoubleToContiguous(vm);
             return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
@@ -2955,20 +2951,16 @@
     }
         
     case ALL_CONTIGUOUS_INDEXING_TYPES: {
-        if (attributes) {
-            if (i < m_butterfly->vectorLength())
-                return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
-            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertContiguousToArrayStorage(vm));
-        }
+        ASSERT(!indexingShouldBeSparse());
+        if (attributes)
+            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
         putByIndexBeyondVectorLengthWithoutAttributes<ContiguousShape>(exec, i, value);
         return true;
     }
 
     case ALL_ARRAY_STORAGE_INDEXING_TYPES:
-        if (attributes) {
-            if (i < m_butterfly->vectorLength())
-                return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
-        }
+        if (attributes)
+            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
         return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, arrayStorage());
         
     default:
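Review bot: After this change the Int32, Double, Contiguous and ArrayStorage cases all begin with the identical line `if (attributes) return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));`, which is a style point rather than a defect: if the cases that precede this hunk take the same action for non-zero attributes, the check could be hoisted above the switch so the rule lives in one place. The ArrayStorage case is the only one without the new `ASSERT(!indexingShouldBeSparse())`; I assume that is deliberate because an ArrayStorage object can legitimately already be sparse, and a short comment saying so would stop someone from "fixing" the asymmetry. The switch and the enclosing function continue outside the hunk.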