Title: [205235] branches/safari-602-branch
- Revision
- 205235
- Author
- [email protected]
- Date
- 2016-08-31 00:20:29 -0700 (Wed, 31 Aug 2016)
Log Message
Merge r204570. rdar://problem/27991567
Modified Paths
Added Paths
Diff
Modified: branches/safari-602-branch/JSTests/ChangeLog (205234 => 205235)
--- branches/safari-602-branch/JSTests/ChangeLog 2016-08-31 07:20:25 UTC (rev 205234)
+++ branches/safari-602-branch/JSTests/ChangeLog 2016-08-31 07:20:29 UTC (rev 205235)
@@ -1,5 +1,19 @@
2016-08-30 Babak Shafiei <[email protected]>
+ Merge r204570. rdar://problem/27991567
+
+ 2016-08-17 Mark Lam <[email protected]>
+
+ Remove an invalid assertion in the DFG backend's GetById emitter.
+ https://bugs.webkit.org/show_bug.cgi?id=160925
+ <rdar://problem/27248961>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/dfg-get-by-id-should-not-assert-non-null-prediction.js: Added.
+
+2016-08-30 Babak Shafiei <[email protected]>
+
Merge r204388. rdar://problem/27991576
2016-08-11 Mark Lam <[email protected]>
Added: branches/safari-602-branch/JSTests/stress/dfg-get-by-id-should-not-assert-non-null-prediction.js (0 => 205235)
--- branches/safari-602-branch/JSTests/stress/dfg-get-by-id-should-not-assert-non-null-prediction.js (rev 0)
+++ branches/safari-602-branch/JSTests/stress/dfg-get-by-id-should-not-assert-non-null-prediction.js 2016-08-31 07:20:29 UTC (rev 205235)
@@ -0,0 +1,18 @@
+//@ runDefault
+// This test should not crash.
+
+function foo() {
+ "use strict";
+ return --arguments["callee"];
+};
+
+function test() {
+ for (var i = 0; i < 10000; i++) {
+ try {
+ foo();
+ } catch(e) {
+ }
+ }
+}
+
+test();
Modified: branches/safari-602-branch/Source/_javascript_Core/ChangeLog (205234 => 205235)
--- branches/safari-602-branch/Source/_javascript_Core/ChangeLog 2016-08-31 07:20:25 UTC (rev 205234)
+++ branches/safari-602-branch/Source/_javascript_Core/ChangeLog 2016-08-31 07:20:29 UTC (rev 205235)
@@ -1,5 +1,34 @@
2016-08-30 Babak Shafiei <[email protected]>
+ Merge r204570. rdar://problem/27991567
+
+ 2016-08-17 Mark Lam <[email protected]>
+
+ Remove an invalid assertion in the DFG backend's GetById emitter.
+ https://bugs.webkit.org/show_bug.cgi?id=160925
+ <rdar://problem/27248961>
+
+ Reviewed by Filip Pizlo.
+
+ The DFG backend's GetById assertion that the node's prediction not be SpecNone
+ is just plain wrong. It assumes that we can never have a GetById node without a
+ type prediction, but this is not true. The following test case proves otherwise:
+
+ function foo() {
+ "use strict";
+ return --arguments["callee"];
+ }
+
+ Will remove the assertion. Nothing else needs to change as the DFG is working
+ correctly without the assertion.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2016-08-30 Babak Shafiei <[email protected]>
+
Merge r204388. rdar://problem/27991576
2016-08-11 Mark Lam <[email protected]>
Modified: branches/safari-602-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (205234 => 205235)
--- branches/safari-602-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-08-31 07:20:25 UTC (rev 205234)
+++ branches/safari-602-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-08-31 07:20:29 UTC (rev 205235)
@@ -4173,8 +4173,6 @@
}
case GetById: {
- ASSERT(node->prediction());
-
switch (node->child1().useKind()) {
case CellUse: {
SpeculateCellOperand base(this, node->child1());
Modified: branches/safari-602-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (205234 => 205235)
--- branches/safari-602-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-08-31 07:20:25 UTC (rev 205234)
+++ branches/safari-602-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-08-31 07:20:29 UTC (rev 205235)
@@ -4104,8 +4104,6 @@
}
case GetById: {
- ASSERT(node->prediction());
-
switch (node->child1().useKind()) {
case CellUse: {
SpeculateCellOperand base(this, node->child1());
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
