Title: [224384] branches/safari-604.4.7.0-branch
- Revision
- 224384
- Author
- [email protected]
- Date
- 2017-11-02 22:33:42 -0700 (Thu, 02 Nov 2017)
Log Message
Cherry-pick r224349. rdar://problem/35329729
Modified Paths
Added Paths
Diff
Modified: branches/safari-604.4.7.0-branch/JSTests/ChangeLog (224383 => 224384)
--- branches/safari-604.4.7.0-branch/JSTests/ChangeLog 2017-11-03 05:32:43 UTC (rev 224383)
+++ branches/safari-604.4.7.0-branch/JSTests/ChangeLog 2017-11-03 05:33:42 UTC (rev 224384)
@@ -1,5 +1,20 @@
2017-11-02 Jason Marcell <[email protected]>
+ Cherry-pick r224349. rdar://problem/35329729
+
+ 2017-11-02 Filip Pizlo <[email protected]>
+
+ AI does not correctly model the clobber case of ArithClz32
+ https://bugs.webkit.org/show_bug.cgi?id=179188
+
+ Reviewed by Michael Saboff.
+
+ * stress/arith-clz32-effects.js: Added.
+ (foo):
+ (valueOf):
+
+2017-11-02 Jason Marcell <[email protected]>
+
Cherry-pick r224302. rdar://problem/35296412
2017-11-01 Michael Saboff <[email protected]>
Added: branches/safari-604.4.7.0-branch/JSTests/stress/arith-clz32-effects.js (0 => 224384)
--- branches/safari-604.4.7.0-branch/JSTests/stress/arith-clz32-effects.js (rev 0)
+++ branches/safari-604.4.7.0-branch/JSTests/stress/arith-clz32-effects.js 2017-11-03 05:33:42 UTC (rev 224384)
@@ -0,0 +1,30 @@
+function foo(o, v)
+{
+ var result = o.f;
+ Math.clz32(v);
+ return result + o.f;
+}
+
+noInline(foo);
+
+var o = {f: 42};
+o.g = 43; // Bust the transition watchpoint of {f}.
+
+for (var i = 0; i < 10000; ++i) {
+ var result = foo({f: 42}, "42");
+ if (result != 84)
+ throw "Error: bad result in loop: " + result;
+}
+
+var o = {f: 43};
+var result = foo(o, {
+ valueOf: function()
+ {
+ delete o.f;
+ o.__defineGetter__("f", function() { return 44; });
+ }
+});
+
+if (result != 87)
+ throw "Error: bad result at end: " + result;
+
Modified: branches/safari-604.4.7.0-branch/Source/_javascript_Core/ChangeLog (224383 => 224384)
--- branches/safari-604.4.7.0-branch/Source/_javascript_Core/ChangeLog 2017-11-03 05:32:43 UTC (rev 224383)
+++ branches/safari-604.4.7.0-branch/Source/_javascript_Core/ChangeLog 2017-11-03 05:33:42 UTC (rev 224384)
@@ -1,5 +1,21 @@
2017-11-02 Jason Marcell <[email protected]>
+ Cherry-pick r224349. rdar://problem/35329729
+
+ 2017-11-02 Filip Pizlo <[email protected]>
+
+ AI does not correctly model the clobber case of ArithClz32
+ https://bugs.webkit.org/show_bug.cgi?id=179188
+
+ Reviewed by Michael Saboff.
+
+ The non-Int32 case clobbers the world because it may call valueOf.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
+2017-11-02 Jason Marcell <[email protected]>
+
Cherry-pick r224302. rdar://problem/35296412
2017-11-01 Michael Saboff <[email protected]>
Modified: branches/safari-604.4.7.0-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (224383 => 224384)
--- branches/safari-604.4.7.0-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2017-11-03 05:32:43 UTC (rev 224383)
+++ branches/safari-604.4.7.0-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2017-11-03 05:33:42 UTC (rev 224384)
@@ -561,6 +561,14 @@
setConstant(node, jsNumber(clz32(value)));
break;
}
+ switch (node->child1().useKind()) {
+ case Int32Use:
+ case KnownInt32Use:
+ break;
+ default:
+ clobberWorld(node->origin.semantic, clobberLimit);
+ break;
+ }
forNode(node).setType(SpecInt32Only);
break;
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
