Title: [224381] branches/safari-604.4.7.1-branch

Diff

Modified: branches/safari-604.4.7.1-branch/JSTests/ChangeLog (224380 => 224381)


--- branches/safari-604.4.7.1-branch/JSTests/ChangeLog	2017-11-03 05:30:15 UTC (rev 224380)
+++ branches/safari-604.4.7.1-branch/JSTests/ChangeLog	2017-11-03 05:30:18 UTC (rev 224381)
@@ -1,5 +1,26 @@
 2017-11-02  Jason Marcell  <[email protected]>
 
+        Cherry-pick r224366. rdar://problem/35329720
+
+    2017-11-02  Michael Saboff  <[email protected]>
+
+            DFG needs to handle code motion of code in for..in loop bodies
+            https://bugs.webkit.org/show_bug.cgi?id=179212
+
+            Reviewed by Keith Miller.
+
+            New regression test.
+
+            * stress/for-in-side-effects.js: Added.
+            (getPrototypeOf):
+            (reset):
+            (testWithoutFTL.f):
+            (testWithoutFTL):
+            (testWithFTL.f):
+            (testWithFTL):
+
+2017-11-02  Jason Marcell  <[email protected]>
+
         Cherry-pick r224349. rdar://problem/35329727
 
     2017-11-02  Filip Pizlo  <[email protected]>

Added: branches/safari-604.4.7.1-branch/JSTests/stress/for-in-side-effects.js (0 => 224381)


--- branches/safari-604.4.7.1-branch/JSTests/stress/for-in-side-effects.js	                        (rev 0)
+++ branches/safari-604.4.7.1-branch/JSTests/stress/for-in-side-effects.js	2017-11-03 05:30:18 UTC (rev 224381)
@@ -0,0 +1,79 @@
+// Regression test for bug 179212
+
+var p = { "a": {} };
+
+var flag = 0;
+var data = ""
+var copy = [];
+
+var z = new Proxy({}, {
+    getPrototypeOf: function() {
+        if (flag == 2) {
+            data[0] = { "x": "I changed" };
+        }
+
+        if (flag == 1) {
+            flag = 2;
+        }
+
+        return {"a": 1, "b": 2}
+    }
+});
+
+p.__proto__ = z;
+
+function reset()
+{
+    flag = 0;
+    data = "" 2.2, 3.3];
+    copy = [];
+}
+
+function runTest(func)
+{
+    reset();
+
+    for (var i = 0; i < 0x10000; i++)
+        func();
+
+    flag = 1;
+    func();
+
+    if (copy[0].x != "I changed")
+        throw "Expected updated value for copy[0]";
+}
+
+function testWithoutFTL()
+{
+    function f()
+    {
+        data[0] = 2.2;
+        for(var d in p) {
+            copy[0] = data[0];
+            copy[1] = data[1];
+            copy[2] = data[2];
+        }
+    }
+
+    noFTL(f);
+
+    runTest(f);
+}
+
+function testWithFTL()
+{
+    function f()
+    {
+        data[0] = 2.2;
+        for(var d in p) {
+            copy[0] = data[0];
+            copy[1] = data[1];
+            copy[2] = data[2];
+        }
+    }
+
+    runTest(f);
+}
+
+testWithoutFTL();
+testWithFTL();
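Review bot: The Proxy `getPrototypeOf` trap drives the whole test through a two-step `flag` protocol that has no comment, so it is not obvious that the mutation of `data[0]` happens only on a trap call after the one that arms it. I would add above the trap `// runTest sets flag = 1; the first trap call then arms it (flag = 2) and the next trap call, made while f's for..in is running, replaces data[0] with an object.` A short comment at `runTest` saying that the 0x10000 warm-up calls are presumably there to get `f` compiled by the optimizing tiers before the final call would also help. Separately, as rendered on this page `var data = ""` and `data = "" 2.2, 3.3];` in `reset()` do not form a runnable test, and the latter does not parse. This looks like an archive artefact of array literals, so check it against the repository copy before relying on the listing.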
Property changes on: branches/safari-604.4.7.1-branch/JSTests/stress/for-in-side-effects.js
___________________________________________________________________

Added: svn:executable

+* \ No newline at end of property

Modified: branches/safari-604.4.7.1-branch/Source/_javascript_Core/ChangeLog (224380 => 224381)


--- branches/safari-604.4.7.1-branch/Source/_javascript_Core/ChangeLog	2017-11-03 05:30:15 UTC (rev 224380)
+++ branches/safari-604.4.7.1-branch/Source/_javascript_Core/ChangeLog	2017-11-03 05:30:18 UTC (rev 224381)
@@ -1,5 +1,22 @@
 2017-11-02  Jason Marcell  <[email protected]>
 
+        Cherry-pick r224366. rdar://problem/35329720
+
+    2017-11-02  Michael Saboff  <[email protected]>
+
+            DFG needs to handle code motion of code in for..in loop bodies
+            https://bugs.webkit.org/show_bug.cgi?id=179212
+
+            Reviewed by Keith Miller.
+
+            The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
+            make calls with side effects.  Updated clobberize() for those nodes to take that into account.
+
+            * dfg/DFGClobberize.h:
+            (JSC::DFG::clobberize):
+
+2017-11-02  Jason Marcell  <[email protected]>
+
         Cherry-pick r224349. rdar://problem/35329727
 
     2017-11-02  Filip Pizlo  <[email protected]>

Modified: branches/safari-604.4.7.1-branch/Source/_javascript_Core/dfg/DFGClobberize.h (224380 => 224381)


--- branches/safari-604.4.7.1-branch/Source/_javascript_Core/dfg/DFGClobberize.h	2017-11-03 05:30:15 UTC (rev 224380)
+++ branches/safari-604.4.7.1-branch/Source/_javascript_Core/dfg/DFGClobberize.h	2017-11-03 05:30:18 UTC (rev 224381)
@@ -262,8 +262,13 @@
 
     case HasGenericProperty:
     case HasStructureProperty:
-    case GetEnumerableLength:
     case GetPropertyEnumerator: {
+        read(World);
+        write(Heap);
+        return;
+    }
+
+    case GetEnumerableLength: {
         read(Heap);
         write(SideState);
         return;
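Review bot: The new `read(World); write(Heap);` case for HasGenericProperty, HasStructureProperty and GetPropertyEnumerator has no comment saying why these three are modelled more conservatively than GetEnumerableLength directly below. The ChangeLog states that they make calls with side effects, and the regression test reaches them through a Proxy `getPrototypeOf` trap, so I would add `// Can call out to user-observable code (e.g. Proxy traps); heap loads must not be forwarded or hoisted across these.` above `read(World);`. An under-declared clobber set lets the optimizer reuse a value whose type has since changed, which can be a memory-safety problem rather than only a wrong result. It would therefore be worth recording in the same comment why GetEnumerableLength is safe to keep at `read(Heap); write(SideState);`, and confirming that the enumeration-related nodes outside this hunk cannot reach such calls. The enclosing clobberize() switch begins and ends outside the hunk.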