[webkit-changes] [226139] trunk/Source/JavaScriptCore

Tue, 19 Dec 2017 13:51:53 -0800

Title: [226139] trunk/Source/_javascript_Core
Revision
226139
Author
[email protected]
Date
2017-12-19 13:51:27 -0800 (Tue, 19 Dec 2017)

Log Message

We forgot to do index masking for in bounds int32 arrays in the FTL
https://bugs.webkit.org/show_bug.cgi?id=180987

Reviewed by Keith Miller.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (226138 => 226139)


--- trunk/Source/_javascript_Core/ChangeLog	2017-12-19 21:48:19 UTC (rev 226138)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-12-19 21:51:27 UTC (rev 226139)
@@ -1,3 +1,13 @@
+2017-12-19  Saam Barati  <[email protected]>
+
+        We forgot to do index masking for in bounds int32 arrays in the FTL
+        https://bugs.webkit.org/show_bug.cgi?id=180987
+
+        Reviewed by Keith Miller.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+
 2017-12-19  Yusuke Suzuki  <[email protected]>
 
         [DFG][FTL] NewRegexp shoud be fast

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (226138 => 226139)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-12-19 21:48:19 UTC (rev 226138)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2017-12-19 21:51:27 UTC (rev 226139)
@@ -3638,9 +3638,11 @@
             
             IndexedAbstractHeap& heap = m_node->arrayMode().type() == Array::Int32 ?
                 m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties;
-            
+
+            LValue base = lowCell(m_node->child1());
+
             if (m_node->arrayMode().isInBounds()) {
-                LValue result = m_out.load64(baseIndex(heap, storage, index, m_node->child2()));
+                LValue result = m_out.load64(maskedIndex(heap, storage, index, base, m_node->child2()));
                 LValue isHole = m_out.isZero64(result);
                 if (m_node->arrayMode().isSaneChain()) {
                     DFG_ASSERT(
@@ -3653,8 +3655,6 @@
                 return;
             }
             
-            LValue base = lowCell(m_node->child1());
-            
             LBasicBlock fastCase = m_out.newBlock();
             LBasicBlock slowCase = m_out.newBlock();
             LBasicBlock continuation = m_out.newBlock();

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to