Title: [227827] branches/safari-605-branch
- Revision
- 227827
- Author
- [email protected]
- Date
- 2018-01-30 10:51:22 -0800 (Tue, 30 Jan 2018)
Log Message
Cherry-pick r227742. rdar://problem/37019360
Modified Paths
Added Paths
Diff
Modified: branches/safari-605-branch/JSTests/ChangeLog (227826 => 227827)
--- branches/safari-605-branch/JSTests/ChangeLog 2018-01-30 18:51:20 UTC (rev 227826)
+++ branches/safari-605-branch/JSTests/ChangeLog 2018-01-30 18:51:22 UTC (rev 227827)
@@ -1,5 +1,20 @@
2018-01-30 Jason Marcell <[email protected]>
+ Cherry-pick r227742. rdar://problem/37019360
+
+ 2018-01-29 Michael Saboff <[email protected]>
+
+ REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
+ https://bugs.webkit.org/show_bug.cgi?id=182249
+
+ Reviewed by Keith Miller.
+
+ New regression test.
+
+ * stress/compare-clobber-untypeduse.js: Added.
+
+2018-01-30 Jason Marcell <[email protected]>
+
Cherry-pick r227716. rdar://problem/37019460
2018-01-27 Yusuke Suzuki <[email protected]>
Added: branches/safari-605-branch/JSTests/stress/compare-clobber-untypeduse.js (0 => 227827)
--- branches/safari-605-branch/JSTests/stress/compare-clobber-untypeduse.js (rev 0)
+++ branches/safari-605-branch/JSTests/stress/compare-clobber-untypeduse.js 2018-01-30 18:51:22 UTC (rev 227827)
@@ -0,0 +1,12 @@
+// Test that we properly clobber untyped uses. This test should throw or crash.
+
+let val;
+
+for (var i = 0; i < 100000; i++)
+ val = 42;
+
+for (let i = 0; i < 1e6; i++) {
+ if (val != null && val == 2) {
+ throw "Val should be 42, but is 2";
+ }
+}
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (227826 => 227827)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-01-30 18:51:20 UTC (rev 227826)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-01-30 18:51:22 UTC (rev 227827)
@@ -1,5 +1,23 @@
2018-01-30 Jason Marcell <[email protected]>
+ Cherry-pick r227742. rdar://problem/37019360
+
+ 2018-01-29 Michael Saboff <[email protected]>
+
+ REGRESSION (r227341): DFG_ASSERT failure at JSC::DFG::AtTailAbstractState::forNode()
+ https://bugs.webkit.org/show_bug.cgi?id=182249
+
+ Reviewed by Keith Miller.
+
+ Changed clobberize() handling of CompareEq, et al to properly handle comparisons between
+ Untyped and Object values when compared against built in types. Such comparisons can
+ invoke toNumber() or other methods.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
+2018-01-30 Jason Marcell <[email protected]>
+
Cherry-pick r227716. rdar://problem/37019460
2018-01-27 Yusuke Suzuki <[email protected]>
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGClobberize.h (227826 => 227827)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2018-01-30 18:51:20 UTC (rev 227826)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2018-01-30 18:51:22 UTC (rev 227827)
@@ -1538,12 +1538,19 @@
write(HeapObjectCount);
return;
}
- if (!node->isBinaryUseKind(UntypedUse)) {
+
+ if (node->op() == CompareEq && node->isBinaryUseKind(ObjectUse)) {
def(PureValue(node));
return;
}
- read(World);
- write(Heap);
+ if (node->child1().useKind() == UntypedUse || node->child1().useKind() == ObjectUse
+ || node->child2().useKind() == UntypedUse || node->child2().useKind() == ObjectUse) {
+ read(World);
+ write(Heap);
+ return;
+ }
+
+ def(PureValue(node));
return;
case ToNumber: {
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
