Title: [228760] releases/WebKitGTK/webkit-2.20
Revision
228760
Author
carlo...@webkit.org
Date
2018-02-20 01:07:21 -0800 (Tue, 20 Feb 2018)

Log Message

Merge r228454 - putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
https://bugs.webkit.org/show_bug.cgi?id=182755
<rdar://problem/37080864>

Reviewed by Keith Miller.

JSTests:

* stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
(test1.o.get 10005):
(test1):
(test2.o.get 1000):
(test2):

Source/_javascript_Core:

putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
the object in question to a dictionary indexing mode when the index is less than
the vector length. This makes no sense. If we're defining a getter, setter, or read
only property, we must always enter the dictionary indexing mode irrespective
of the index in relation to the vector length.

* runtime/JSObject.cpp:
(JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):

Diff

Modified: releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog (228759 => 228760)


--- releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog	2018-02-20 09:07:14 UTC (rev 228759)
+++ releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog	2018-02-20 09:07:21 UTC (rev 228760)
@@ -1,3 +1,17 @@
+2018-02-13  Saam Barati  <sbar...@apple.com>
+
+        putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
+        https://bugs.webkit.org/show_bug.cgi?id=182755
+        <rdar://problem/37080864>
+
+        Reviewed by Keith Miller.
+
+        * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
+        (test1.o.get 10005):
+        (test1):
+        (test2.o.get 1000):
+        (test2):
+
 2018-02-13  Caitlin Potter  <ca...@igalia.com>
 
         [JSC] cache TaggedTemplate arrays by callsite rather than by contents

Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js (0 => 228760)


--- releases/WebKitGTK/webkit-2.20/JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js	2018-02-20 09:07:21 UTC (rev 228760)
@@ -0,0 +1,29 @@
+function test1(item) {
+    var o = {
+        10000: item,
+        get 10005() { },
+    };
+    let arr = new Array(10008);
+    for (let key of arr.keys()) {
+        let o2 = {};
+        o[key] = o2;
+    }
+}
+test1({});
+test1(10);
+test1(10.5);
+
+function test2(item) {
+    var o = {
+        0: item,
+        get 1000() { },
+    };
+    let arr = new Array(1000);
+    for (let key of arr.keys()) {
+        let o2 = {};
+        o[key] = o2;
+    }
+}
+test2({});
+test2(10);
+test2(10.5);
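Review bot: The new stress test carries no header comment stating what it guards against or how it fails, so a reader cannot tell that it passes simply by completing without a crash or assertion. A leading comment such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=182755: an object literal with an accessor at an index beyond the vector length must enter dictionary indexing mode before the indexed stores in the loop below.` would make the intent explicit. test1 puts the getter at 10005 above the existing index 10000 while test2 puts it at 1000 next to index 0, which presumably exercises both sides of the vector-length comparison the fix removes, but that reading comes from the change description rather than the test text itself.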

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (228759 => 228760)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-02-20 09:07:14 UTC (rev 228759)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog	2018-02-20 09:07:21 UTC (rev 228760)
@@ -1,3 +1,20 @@
+2018-02-13  Saam Barati  <sbar...@apple.com>
+
+        putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
+        https://bugs.webkit.org/show_bug.cgi?id=182755
+        <rdar://problem/37080864>
+
+        Reviewed by Keith Miller.
+
+        putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
+        the object in question to a dictionary indexing mode when the index is less than
+        the vector length. This makes no sense. If we're defining a getter, setter, or read
+        only property, we must always enter the dictionary indexing mode irrespective
+        of the index in relation to the vector length.
+
+        * runtime/JSObject.cpp:
+        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+
 2018-02-13  Guillaume Emont  <guijem...@igalia.com>
 
         [YarrJIT][ARM] We need to save r8 as it is the initial start register

Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSObject.cpp (228759 => 228760)


--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSObject.cpp	2018-02-20 09:07:14 UTC (rev 228759)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/runtime/JSObject.cpp	2018-02-20 09:07:21 UTC (rev 228760)
@@ -2922,11 +2922,9 @@
     }
         
     case ALL_INT32_INDEXING_TYPES: {
-        if (attributes) {
-            if (i < m_butterfly->vectorLength())
-                return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
-            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertInt32ToArrayStorage(vm));
-        }
+        ASSERT(!indexingShouldBeSparse());
+        if (attributes)
+            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
         if (!value.isInt32()) {
             convertInt32ForValue(vm, value);
             return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
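Review bot: The new `ASSERT(!indexingShouldBeSparse());` and the unconditional `if (attributes)` switch to dictionary indexing mode carry no comment explaining the invariant, and the same three lines are repeated in the Double and Contiguous cases of the next two hunks (and the `if (attributes)` pair again in the ArrayStorage case). A one-line why-comment above each `if (attributes)` would help the next reader, for example `// Accessor or read-only attributes cannot be represented in a fast indexed shape, so enter dictionary indexing mode regardless of whether i is below the vector length.` Note that the ASSERT is debug-only; in release builds the fix rests entirely on the unconditional call to ensureArrayStorageExistsAndEnterDictionaryIndexingMode, which is what the change intends. Since the attribute branch is now identical across the Int32, Double and Contiguous cases, hoisting it above the switch may be possible, but the cases preceding this hunk are not visible here, so that is only a suggestion. putDirectIndexSlowOrBeyondVectorLength begins and ends outside this hunk, and the previously called convertInt32ToArrayStorage/convertDoubleToArrayStorage/convertContiguousToArrayStorage helpers may or may not still have other callers.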
@@ -2936,11 +2934,9 @@
     }
         
     case ALL_DOUBLE_INDEXING_TYPES: {
-        if (attributes) {
-            if (i < m_butterfly->vectorLength())
-                return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
-            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertDoubleToArrayStorage(vm));
-        }
+        ASSERT(!indexingShouldBeSparse());
+        if (attributes)
+            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
         if (!value.isNumber()) {
             convertDoubleToContiguous(vm);
             return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
@@ -2955,20 +2951,16 @@
     }
         
     case ALL_CONTIGUOUS_INDEXING_TYPES: {
-        if (attributes) {
-            if (i < m_butterfly->vectorLength())
-                return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
-            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertContiguousToArrayStorage(vm));
-        }
+        ASSERT(!indexingShouldBeSparse());
+        if (attributes)
+            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
         putByIndexBeyondVectorLengthWithoutAttributes<ContiguousShape>(exec, i, value);
         return true;
     }
 
     case ALL_ARRAY_STORAGE_INDEXING_TYPES:
-        if (attributes) {
-            if (i < m_butterfly->vectorLength())
-                return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
-        }
+        if (attributes)
+            return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
         return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, arrayStorage());
         
     default: