Title: [234128] trunk
- Revision
- 234128
- Author
- [email protected]
- Date
- 2018-07-23 18:32:20 -0700 (Mon, 23 Jul 2018)
Log Message
need to didFoldClobberWorld when we constant fold GetByVal
https://bugs.webkit.org/show_bug.cgi?id=187917
<rdar://problem/42505095>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/get-by-val-fold-did-clobber-world.js: Added.
(__f_443):
Source/_javascript_Core:
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (234127 => 234128)
--- trunk/JSTests/ChangeLog 2018-07-24 01:05:33 UTC (rev 234127)
+++ trunk/JSTests/ChangeLog 2018-07-24 01:32:20 UTC (rev 234128)
@@ -1,3 +1,14 @@
+2018-07-23 Saam Barati <[email protected]>
+
+ need to didFoldClobberWorld when we constant fold GetByVal
+ https://bugs.webkit.org/show_bug.cgi?id=187917
+ <rdar://problem/42505095>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/get-by-val-fold-did-clobber-world.js: Added.
+ (__f_443):
+
2018-07-23 Andy VanWagoner <[email protected]>
[INTL] Language tags are not canonicalized
Added: trunk/JSTests/stress/get-by-val-fold-did-clobber-world.js (0 => 234128)
--- trunk/JSTests/stress/get-by-val-fold-did-clobber-world.js (rev 0)
+++ trunk/JSTests/stress/get-by-val-fold-did-clobber-world.js 2018-07-24 01:32:20 UTC (rev 234128)
@@ -0,0 +1,9 @@
+var __v_1673 = [16];
+function __f_443() {
+ for (var __v_1679 = 0; __v_1679 < 1e5; ++__v_1679) {
+ for (var __v_1680 = 0; __v_1680 < 7; ++__v_1680) {
+ var __v_1681 = __v_1673[__v_1680];
+ }
+ }
+}
+__f_443()
Modified: trunk/Source/_javascript_Core/ChangeLog (234127 => 234128)
--- trunk/Source/_javascript_Core/ChangeLog 2018-07-24 01:05:33 UTC (rev 234127)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-07-24 01:32:20 UTC (rev 234128)
@@ -1,3 +1,14 @@
+2018-07-23 Saam Barati <[email protected]>
+
+ need to didFoldClobberWorld when we constant fold GetByVal
+ https://bugs.webkit.org/show_bug.cgi?id=187917
+ <rdar://problem/42505095>
+
+ Reviewed by Yusuke Suzuki.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
2018-07-23 Andy VanWagoner <[email protected]>
[INTL] Language tags are not canonicalized
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (234127 => 234128)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-07-24 01:05:33 UTC (rev 234127)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-07-24 01:32:20 UTC (rev 234128)
@@ -1886,7 +1886,6 @@
&& globalObject->arrayPrototypeChainIsSane()) {
m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
- didFoldClobberWorld();
// Note that Array::Double and Array::Int32 return JSValue if array mode is OutOfBounds.
setConstant(node, jsUndefined());
return true;
@@ -1923,9 +1922,6 @@
if (!value)
return false;
- if (node->arrayMode().isOutOfBounds())
- didFoldClobberWorld();
-
if (value.isCell())
setConstant(node, *m_graph.freeze(value.asCell()));
else
@@ -1936,8 +1932,26 @@
return false;
};
- if (foldGetByValOnConstantProperty(m_graph.child(node, 0), m_graph.child(node, 1)))
+ bool didFold = false;
+ switch (node->arrayMode().type()) {
+ case Array::Generic:
+ case Array::Int32:
+ case Array::Double:
+ case Array::Contiguous:
+ case Array::ArrayStorage:
+ case Array::SlowPutArrayStorage:
+ if (foldGetByValOnConstantProperty(m_graph.child(node, 0), m_graph.child(node, 1))) {
+ if (!node->arrayMode().isInBounds())
+ didFoldClobberWorld();
+ didFold = true;
+ }
break;
+ default:
+ break;
+ }
+
+ if (didFold)
+ break;
}
if (node->op() != GetByVal) {
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
