Title: [229234] releases/WebKitGTK/webkit-2.20/Source/_javascript_Core
- Revision
- 229234
- Author
- [email protected]
- Date
- 2018-03-05 02:49:41 -0800 (Mon, 05 Mar 2018)
Log Message
Merge r228952 - ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
https://bugs.webkit.org/show_bug.cgi?id=182982
Reviewed by Yusuke Suzuki.
I don't know why this check was not always an assert. When we see
a GetByOffset on an eliminated allocation, that allocation *must*
be a PhantomClonedArguments. If it weren't, the GetByOffset would
have escaped it. Because this transformation happens by visiting
blocks in pre-order, and by visiting nodes in a block starting from
index zero to index block->size() - 1, we're guaranteed that eliminated
allocations get transformed before users of it, since we visit nodes
in dominator order.
* dfg/DFGArgumentsEliminationPhase.cpp:
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (229233 => 229234)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-03-05 10:49:26 UTC (rev 229233)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-03-05 10:49:41 UTC (rev 229234)
@@ -1,3 +1,21 @@
+2018-02-23 Saam Barati <[email protected]>
+
+ ArgumentsEliminationPhase has a branch on GetByOffset that should be an assert
+ https://bugs.webkit.org/show_bug.cgi?id=182982
+
+ Reviewed by Yusuke Suzuki.
+
+ I don't know why this check was not always an assert. When we see
+ a GetByOffset on an eliminated allocation, that allocation *must*
+ be a PhantomClonedArguments. If it weren't, the GetByOffset would
+ have escaped it. Because this transformation happens by visiting
+ blocks in pre-order, and by visiting nodes in a block starting from
+ index zero to index block->size() - 1, we're guaranteed that eliminated
+ allocations get transformed before users of it, since we visit nodes
+ in dominator order.
+
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+
2018-02-23 Yusuke Suzuki <[email protected]>
[JSC] Implement $vm.ftlTrue function for FTL testing
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp (229233 => 229234)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp 2018-03-05 10:49:26 UTC (rev 229233)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp 2018-03-05 10:49:41 UTC (rev 229234)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -708,11 +708,7 @@
if (!isEliminatedAllocation(candidate))
break;
- // FIXME: This should be an assert:
- // https://bugs.webkit.org/show_bug.cgi?id=182982
- if (node->child2()->op() != PhantomClonedArguments)
- break;
-
+ ASSERT(candidate->op() == PhantomClonedArguments);
ASSERT(node->storageAccessData().offset == clonedArgumentsLengthPropertyOffset);
// Meh, this is kind of hackish - we use an Identity so that we can reuse the
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
