Modified: branches/safari-606-branch/JSTests/ChangeLog (236219 => 236220)
--- branches/safari-606-branch/JSTests/ChangeLog 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/JSTests/ChangeLog 2018-09-19 20:54:17 UTC (rev 236220)
@@ -1,5 +1,106 @@
2018-09-19 Kocsen Chung <[email protected]>
+ Cherry-pick r235827. rdar://problem/44613379
+
+ Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
+ https://bugs.webkit.org/show_bug.cgi?id=189317
+ <rdar://problem/44152198>
+
+ Reviewed by Filip Pizlo.
+
+ JSTests:
+
+ * stress/regress-189317.js: Added.
+ (testGetter):
+ (testSetter):
+
+ Source/_javascript_Core:
+
+ handleIntrinsicCall() is normally used for checking if an op_call is a call to
+ an intrinsic function, and inlining it if it's a match.
+
+ However, getter and setter functions also does calls, and uses handleCall()
+ to implement the call. handleCall() eventually calls handleIntrinsicCall() to
+ check for intrinsics. This results in a bug because handleIntrinsicCall()
+ sometimes relies on the ArrayProfile* of the instruction, and is always assuming
+ that the instruction is op_call shaped. This turns out to be not true: getters
+ and setters can get there with op_get_by_val and op_put_by_val instead.
+
+ Since the intrinsic functions handled by handleIntrinsicCall() are never
+ intended to be used as getter / setter functions anyway, we can prevent this
+ whole class of bugs by having handleIntrinsicCall() fail early if the
+ instruction is not op_call shaped.
+
+ To implement this fix, we did the following:
+
+ 1. Introduced the OpcodeShape enum.
+ 2. Introduced isOpcodeShape<OpcodeShape>() for testing if a instruction of the
+ shape of the specified OpcodeShape.
+ 3. Introduced arrayProfileFor<OpcodeShape>() for fetching the ArrayProfile* from
+ the instruction given the OpcodeShape.
+
+ Using this arrayProfileFor template has the following benefits:
+ 1. Centralizes the definition of which instructions has an ArrayProfile* operand.
+ 2. Centralizes the definition of which operand is the ArrayProfile*.
+ 3. Asserts that the instruction is of the expected shape when retrieving the
+ ArrayProfile*.
+
+ 4. Added ArrayProfile::m_typeName and ArrayProfile::s_typeName which are used
+ in ArrayProfile::isValid() as a sanity check that a retrieved ArrayProfile*
+ indeed does point to an ArrayProfile.
+
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * bytecode/ArrayProfile.cpp:
+ * bytecode/ArrayProfile.h:
+ (JSC::ArrayProfile::isValid const):
+ * bytecode/OpcodeInlines.h: Added.
+ (JSC::isOpcodeShape):
+ (JSC::arrayProfileFor):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::getByVal):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235827 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-09-07 Mark Lam <[email protected]>
+
+ Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
+ https://bugs.webkit.org/show_bug.cgi?id=189317
+ <rdar://problem/44152198>
+
+ Reviewed by Filip Pizlo.
+
+ * stress/regress-189317.js: Added.
+ (testGetter):
+ (testSetter):
+
+2018-09-19 Kocsen Chung <[email protected]>
+
Cherry-pick r235356. rdar://problem/44613253
[JSC] Array.prototype.reverse modifies JSImmutableButterfly
Added: branches/safari-606-branch/JSTests/stress/regress-189317.js (0 => 236220)
--- branches/safari-606-branch/JSTests/stress/regress-189317.js (rev 0)
+++ branches/safari-606-branch/JSTests/stress/regress-189317.js 2018-09-19 20:54:17 UTC (rev 236220)
@@ -0,0 +1,125 @@
+let intrinsics = [
+ "Array.prototype.indexOf",
+ "Array.prototype.pop",
+ "Array.prototype.push",
+ "Array.prototype.slice",
+ "DataView.prototype.getInt8",
+ "DataView.prototype.getUint8",
+ "DataView.prototype.getInt16",
+ "DataView.prototype.getUint16",
+ "DataView.prototype.getInt32",
+ "DataView.prototype.getUint32",
+ "DataView.prototype.getFloat32",
+ "DataView.prototype.getFloat64",
+ "DataView.prototype.setInt8",
+ "DataView.prototype.setUint8",
+ "DataView.prototype.setInt16",
+ "DataView.prototype.setUint16",
+ "DataView.prototype.setInt32",
+ "DataView.prototype.setUint32",
+ "DataView.prototype.setFloat32",
+ "DataView.prototype.setFloat64",
+ "Map.prototype.get",
+ "Map.prototype.has",
+ "Map.prototype.set",
+ "Math.abs",
+ "Math.acos",
+ "Math.asin",
+ "Math.atan",
+ "Math.acosh",
+ "Math.asinh",
+ "Math.atanh",
+ "Math.cbrt",
+ "Math.ceil",
+ "Math.clz32",
+ "Math.cos",
+ "Math.cosh",
+ "Math.exp",
+ "Math.expm1",
+ "Math.floor",
+ "Math.fround",
+ "Math.log",
+ "Math.log10",
+ "Math.log1p",
+ "Math.log2",
+ "Math.max",
+ "Math.min",
+ "Math.pow",
+ "Math.random",
+ "Math.round",
+ "Math.sin",
+ "Math.sinh",
+ "Math.sqrt",
+ "Math.tan",
+ "Math.tanh",
+ "Math.trunc",
+ "Math.imul",
+ "Number.isInteger",
+ "Number.prototype.toString",
+ "Object.create",
+ "Object.getPrototypeOf",
+ "Object.is",
+ "Object.prototype.hasOwnProperty",
+ "parseInt",
+ "Set.prototype.add",
+ "Set.prototype.has",
+ "String.fromCharCode",
+ "String.prototype.charCodeAt",
+ "String.prototype.charAt",
+ "String.prototype.replace",
+ "String.prototype.slice",
+ "String.prototype.toLowerCase",
+ "String.prototype.valueOf",
+ "Reflect.getPrototypeOf",
+ "RegExp.prototype.exec",
+ "RegExp.prototype.test",
+ "WeakMap.prototype.get",
+ "WeakMap.prototype.has",
+ "WeakMap.prototype.set",
+ "WeakSet.prototype.add",
+ "WeakSet.prototype.has",
+];
+
+if (typeof Atomics !== "undefined") {
+ intrinsics = intrinsics.concat([
+ "Atomics.add",
+ "Atomics.and",
+ "Atomics.compareExchange",
+ "Atomics.exchange",
+ "Atomics.isLockFree",
+ "Atomics.load",
+ "Atomics.or",
+ "Atomics.store",
+ "Atomics.sub",
+ "Atomics.wait",
+ "Atomics.wake",
+ "Atomics.xor",
+ ]);
+}
+
+function testGetter(intrinsic) {
+ let runTest = new Function(
+ "let x = {};" + "\n" +
+ "x.__defineGetter__('a', " + intrinsic + ");" + "\n" +
+ "function test() { x['a']; }" + "\n" +
+ "for (let i = 0; i < 1000; i++) {" + "\n" +
+ " try { test(); } catch(e) { }" + "\n" +
+ "}");
+ runTest();
+}
+
+function testSetter(intrinsic) {
+ let runTest = new Function(
+ "let x = {};" + "\n" +
+ "x.__defineSetter__('a', " + intrinsic + ");" + "\n" +
+ "function test() { x['a'] = 42; }" + "\n" +
+ "for (let i = 0; i < 1000; i++) {" + "\n" +
+ " try { test(); } catch(e) { }" + "\n" +
+ "}");
+ runTest();
+}
+
+for (var i = 0; i < intrinsics.length; ++i) {
+ testGetter(intrinsics[i]);
+ testSetter(intrinsics[i]);
+}
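Review bot: The test has no header comment saying what it exercises, so a reader only learns from the filename that it is a regression test, and the `try { test(); } catch(e) { }` inside the generated loop makes it non-obvious that the test passes as long as nothing crashes or trips an assertion, not because any result is checked. Suggest a comment at the top of the file along the lines of `// Installs every DFG-inlinable intrinsic as a getter and as a setter and calls it repeatedly; handleIntrinsicCall() must refuse to inline it against an op_get_by_val / op_put_by_val instruction (https://bugs.webkit.org/show_bug.cgi?id=189317). Exceptions are expected and swallowed; the test only has to not crash.` Whether 1000 iterations is enough to reach the DFG tier is presumably tuned to the engine's thresholds and would be worth stating in that comment. A minor style point: the final loop uses `for (var i ...)` while the rest of the file uses `let`.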
Modified: branches/safari-606-branch/Source/_javascript_Core/ChangeLog (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/ChangeLog 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/ChangeLog 2018-09-19 20:54:17 UTC (rev 236220)
@@ -1,5 +1,171 @@
2018-09-19 Kocsen Chung <[email protected]>
+ Cherry-pick r235827. rdar://problem/44613379
+
+ Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
+ https://bugs.webkit.org/show_bug.cgi?id=189317
+ <rdar://problem/44152198>
+
+ Reviewed by Filip Pizlo.
+
+ JSTests:
+
+ * stress/regress-189317.js: Added.
+ (testGetter):
+ (testSetter):
+
+ Source/_javascript_Core:
+
+ handleIntrinsicCall() is normally used for checking if an op_call is a call to
+ an intrinsic function, and inlining it if it's a match.
+
+ However, getter and setter functions also does calls, and uses handleCall()
+ to implement the call. handleCall() eventually calls handleIntrinsicCall() to
+ check for intrinsics. This results in a bug because handleIntrinsicCall()
+ sometimes relies on the ArrayProfile* of the instruction, and is always assuming
+ that the instruction is op_call shaped. This turns out to be not true: getters
+ and setters can get there with op_get_by_val and op_put_by_val instead.
+
+ Since the intrinsic functions handled by handleIntrinsicCall() are never
+ intended to be used as getter / setter functions anyway, we can prevent this
+ whole class of bugs by having handleIntrinsicCall() fail early if the
+ instruction is not op_call shaped.
+
+ To implement this fix, we did the following:
+
+ 1. Introduced the OpcodeShape enum.
+ 2. Introduced isOpcodeShape<OpcodeShape>() for testing if a instruction of the
+ shape of the specified OpcodeShape.
+ 3. Introduced arrayProfileFor<OpcodeShape>() for fetching the ArrayProfile* from
+ the instruction given the OpcodeShape.
+
+ Using this arrayProfileFor template has the following benefits:
+ 1. Centralizes the definition of which instructions has an ArrayProfile* operand.
+ 2. Centralizes the definition of which operand is the ArrayProfile*.
+ 3. Asserts that the instruction is of the expected shape when retrieving the
+ ArrayProfile*.
+
+ 4. Added ArrayProfile::m_typeName and ArrayProfile::s_typeName which are used
+ in ArrayProfile::isValid() as a sanity check that a retrieved ArrayProfile*
+ indeed does point to an ArrayProfile.
+
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * bytecode/ArrayProfile.cpp:
+ * bytecode/ArrayProfile.h:
+ (JSC::ArrayProfile::isValid const):
+ * bytecode/OpcodeInlines.h: Added.
+ (JSC::isOpcodeShape):
+ (JSC::arrayProfileFor):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::getByVal):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@235827 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-09-07 Mark Lam <[email protected]>
+
+ Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
+ https://bugs.webkit.org/show_bug.cgi?id=189317
+ <rdar://problem/44152198>
+
+ Reviewed by Filip Pizlo.
+
+ handleIntrinsicCall() is normally used for checking if an op_call is a call to
+ an intrinsic function, and inlining it if it's a match.
+
+ However, getter and setter functions also does calls, and uses handleCall()
+ to implement the call. handleCall() eventually calls handleIntrinsicCall() to
+ check for intrinsics. This results in a bug because handleIntrinsicCall()
+ sometimes relies on the ArrayProfile* of the instruction, and is always assuming
+ that the instruction is op_call shaped. This turns out to be not true: getters
+ and setters can get there with op_get_by_val and op_put_by_val instead.
+
+ Since the intrinsic functions handled by handleIntrinsicCall() are never
+ intended to be used as getter / setter functions anyway, we can prevent this
+ whole class of bugs by having handleIntrinsicCall() fail early if the
+ instruction is not op_call shaped.
+
+ To implement this fix, we did the following:
+
+ 1. Introduced the OpcodeShape enum.
+ 2. Introduced isOpcodeShape<OpcodeShape>() for testing if a instruction of the
+ shape of the specified OpcodeShape.
+ 3. Introduced arrayProfileFor<OpcodeShape>() for fetching the ArrayProfile* from
+ the instruction given the OpcodeShape.
+
+ Using this arrayProfileFor template has the following benefits:
+ 1. Centralizes the definition of which instructions has an ArrayProfile* operand.
+ 2. Centralizes the definition of which operand is the ArrayProfile*.
+ 3. Asserts that the instruction is of the expected shape when retrieving the
+ ArrayProfile*.
+
+ 4. Added ArrayProfile::m_typeName and ArrayProfile::s_typeName which are used
+ in ArrayProfile::isValid() as a sanity check that a retrieved ArrayProfile*
+ indeed does point to an ArrayProfile.
+
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * bytecode/ArrayProfile.cpp:
+ * bytecode/ArrayProfile.h:
+ (JSC::ArrayProfile::isValid const):
+ * bytecode/OpcodeInlines.h: Added.
+ (JSC::isOpcodeShape):
+ (JSC::arrayProfileFor):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * jit/JITCall.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITCall32_64.cpp:
+ (JSC::JIT::compileOpCall):
+ * jit/JITOpcodes.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITOpcodes32_64.cpp:
+ (JSC::JIT::emit_op_has_indexed_property):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ (JSC::JIT::emitIntTypedArrayPutByVal):
+ (JSC::JIT::emitFloatTypedArrayPutByVal):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::emit_op_get_by_val):
+ (JSC::JIT::emit_op_put_by_val):
+ (JSC::JIT::emitGenericContiguousPutByVal):
+ (JSC::JIT::emitArrayStoragePutByVal):
+ * llint/LLIntSlowPaths.cpp:
+ (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+ (JSC::LLInt::getByVal):
+ * runtime/CommonSlowPaths.cpp:
+ (JSC::SLOW_PATH_DECL):
+
+2018-09-19 Kocsen Chung <[email protected]>
+
Cherry-pick r235356. rdar://problem/44613253
[JSC] Array.prototype.reverse modifies JSImmutableButterfly
Modified: branches/safari-606-branch/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2018-09-19 20:54:17 UTC (rev 236220)
@@ -1779,6 +1779,7 @@
FE5932A8183C5A2600A1ECCC /* VMEntryScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FE5932A6183C5A2600A1ECCC /* VMEntryScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
FE6029D91D6E1E4F0030204D /* ExceptionEventLocation.h in Headers */ = {isa = PBXBuildFile; fileRef = FE6029D81D6E1E330030204D /* ExceptionEventLocation.h */; settings = {ATTRIBUTES = (Private, ); }; };
FE63DD541EA9B61E00103A69 /* Printer.h in Headers */ = {isa = PBXBuildFile; fileRef = FE63DD531EA9B60E00103A69 /* Printer.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ FE64872E2141D04800AB0D3E /* OpcodeInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = FE64872D2141D04800AB0D3E /* OpcodeInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
FE6491371D78F01D00A694D4 /* ExceptionScope.h in Headers */ = {isa = PBXBuildFile; fileRef = FE6491361D78F01300A694D4 /* ExceptionScope.h */; settings = {ATTRIBUTES = (Private, ); }; };
FE68C6371B90DE040042BCB3 /* MacroAssemblerPrinter.h in Headers */ = {isa = PBXBuildFile; fileRef = FE68C6361B90DDD90042BCB3 /* MacroAssemblerPrinter.h */; settings = {ATTRIBUTES = (Private, ); }; };
FE6F56DE1E64EAD600D17801 /* VMTraps.h in Headers */ = {isa = PBXBuildFile; fileRef = FE6F56DD1E64E92000D17801 /* VMTraps.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -4722,6 +4723,7 @@
FE6029D81D6E1E330030204D /* ExceptionEventLocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExceptionEventLocation.h; sourceTree = "<group>"; };
FE63DD531EA9B60E00103A69 /* Printer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = Printer.h; sourceTree = "<group>"; };
FE63DD551EA9BC5D00103A69 /* Printer.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = Printer.cpp; sourceTree = "<group>"; };
+ FE64872D2141D04800AB0D3E /* OpcodeInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = OpcodeInlines.h; sourceTree = "<group>"; };
FE6491361D78F01300A694D4 /* ExceptionScope.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExceptionScope.h; sourceTree = "<group>"; };
FE6491381D78F3A300A694D4 /* ExceptionScope.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExceptionScope.cpp; sourceTree = "<group>"; };
FE68C6351B90DDD90042BCB3 /* MacroAssemblerPrinter.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = MacroAssemblerPrinter.cpp; sourceTree = "<group>"; };
@@ -7673,6 +7675,7 @@
0FD3E4061B618B6600C80E1E /* ObjectPropertyConditionSet.h */,
969A07940ED1D3AE00F1F681 /* Opcode.cpp */,
969A07950ED1D3AE00F1F681 /* Opcode.h */,
+ FE64872D2141D04800AB0D3E /* OpcodeInlines.h */,
0F2BDC2B151FDE8B00CD8910 /* Operands.h */,
A70447E917A0BD4600F5898E /* OperandsInlines.h */,
E34E657420668E8E00FB81AC /* ParseHash.cpp */,
@@ -9422,6 +9425,7 @@
E49DC16C12EF294E00184A1F /* SourceProviderCache.h in Headers */,
E49DC16D12EF295300184A1F /* SourceProviderCacheItem.h in Headers */,
0FDE87FC1DFE6E510064C390 /* SpaceTimeMutatorScheduler.h in Headers */,
+ FE64872E2141D04800AB0D3E /* OpcodeInlines.h in Headers */,
0FB7F39E15ED8E4600F167B2 /* SparseArrayValueMap.h in Headers */,
A7386554118697B400540279 /* SpecializedThunkJIT.h in Headers */,
0F5541B21613C1FB00CE3E25 /* SpecialPointer.h in Headers */,
Modified: branches/safari-606-branch/Source/_javascript_Core/bytecode/ArrayProfile.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/bytecode/ArrayProfile.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/bytecode/ArrayProfile.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012, 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -33,6 +33,10 @@
namespace JSC {
+#if !ASSERT_DISABLED
+const char* const ArrayProfile::s_typeName = "ArrayProfile";
+#endif
+
void dumpArrayModes(PrintStream& out, ArrayModes arrayModes)
{
if (!arrayModes) {
Modified: branches/safari-606-branch/Source/_javascript_Core/bytecode/ArrayProfile.h (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/bytecode/ArrayProfile.h 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/bytecode/ArrayProfile.h 2018-09-19 20:54:17 UTC (rev 236220)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2012-2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2012-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -275,6 +275,10 @@
CString briefDescription(const ConcurrentJSLocker&, CodeBlock*);
CString briefDescriptionWithoutUpdating(const ConcurrentJSLocker&);
+#if !ASSERT_DISABLED
+ inline bool isValid() const { return m_typeName == s_typeName; }
+#endif
+
private:
friend class LLIntOffsetsExtractor;
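Review bot: `isValid()` on the added line is a pointer-identity comparison against `s_typeName`, not a string comparison, and nothing in the header says that this is intentional; a later maintainer may "fix" it into a `strcmp`, which would defeat the purpose. Suggest `// Debug-only tag: m_typeName is copied from s_typeName at construction, so pointer identity (not strcmp) is the intended test; an operand slot mis-read as ArrayProfile* will almost never hold this exact address.` next to the declaration. It is also worth noting in that comment that the check exists only under `!ASSERT_DISABLED`, so wrong-slot reads are caught in debug runs only and the callers' shape checks remain the release-build protection. Since the tag is set by the in-class initializer and never cleared, a stale or reused ArrayProfile slot would presumably still pass, which is fine for a sanity check but should not be mistaken for a liveness check.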
@@ -288,6 +292,11 @@
bool m_usesOriginalArrayStructures : 1;
bool m_didPerformFirstRunPruning : 1;
ArrayModes m_observedArrayModes;
+
+#if !ASSERT_DISABLED
+ static const char* const s_typeName;
+ const char* m_typeName { s_typeName };
+#endif
};
typedef SegmentedVector<ArrayProfile, 4> ArrayProfileVector;
Added: branches/safari-606-branch/Source/_javascript_Core/bytecode/OpcodeInlines.h (0 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/bytecode/OpcodeInlines.h (rev 0)
+++ branches/safari-606-branch/Source/_javascript_Core/bytecode/OpcodeInlines.h 2018-09-19 20:54:17 UTC (rev 236220)
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2018 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#pragma once
+
+#include "ArrayProfile.h"
+#include "Instruction.h"
+#include "InterpreterInlines.h"
+#include "Opcode.h"
+
+namespace JSC {
+
+enum OpcodeShape {
+ AnyOpcodeShape,
+ OpCallShape,
+ OpHasIndexedPropertyShape,
+ OpGetArrayLengthShape,
+ OpGetByValShape,
+ OpInByValShape,
+ OpPutByValShape,
+};
+
+template<OpcodeShape shape, typename = std::enable_if_t<shape != AnyOpcodeShape>>
+inline bool isOpcodeShape(OpcodeID opcodeID)
+{
+ if (shape == OpCallShape) {
+ static_assert(OPCODE_LENGTH(op_call) == OPCODE_LENGTH(op_tail_call), "");
+ static_assert(OPCODE_LENGTH(op_call) == OPCODE_LENGTH(op_call_eval), "");
+ static_assert(OPCODE_LENGTH(op_call) == OPCODE_LENGTH(op_call_varargs), "");
+ static_assert(OPCODE_LENGTH(op_call) == OPCODE_LENGTH(op_tail_call_varargs), "");
+ static_assert(OPCODE_LENGTH(op_call) == OPCODE_LENGTH(op_tail_call_forward_arguments), "");
+ return opcodeID == op_call
+ || opcodeID == op_tail_call
+ || opcodeID == op_call_eval
+ || opcodeID == op_call_varargs
+ || opcodeID == op_tail_call_varargs
+ || opcodeID == op_tail_call_forward_arguments;
+ }
+
+ if (shape == OpHasIndexedPropertyShape)
+ return opcodeID == op_has_indexed_property;
+
+ if (shape == OpGetArrayLengthShape)
+ return opcodeID == op_get_array_length;
+
+ if (shape == OpGetByValShape)
+ return opcodeID == op_get_by_val;
+
+ if (shape == OpInByValShape)
+ return opcodeID == op_in_by_val;
+
+ if (shape == OpPutByValShape) {
+ static_assert(OPCODE_LENGTH(op_put_by_val) == OPCODE_LENGTH(op_put_by_val_direct), "");
+ return opcodeID == op_put_by_val
+ || opcodeID == op_put_by_val_direct;
+ }
+
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+template<OpcodeShape shape, typename = std::enable_if_t<shape != AnyOpcodeShape>>
+inline bool isOpcodeShape(const Instruction* instruction)
+{
+ OpcodeID opcodeID = Interpreter::getOpcodeID(*instruction);
+ return isOpcodeShape<shape>(opcodeID);
+}
+
+template<OpcodeShape shape = AnyOpcodeShape>
+inline ArrayProfile* arrayProfileFor(const Instruction* instruction)
+{
+ ArrayProfile* arrayProfile = nullptr;
+ OpcodeID opcodeID = Interpreter::getOpcodeID(*instruction);
+ if (OpCallShape == shape || (AnyOpcodeShape == shape && isOpcodeShape<OpCallShape>(opcodeID))) {
+ ASSERT(isOpcodeShape<OpCallShape>(instruction));
+ arrayProfile = instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile;
+
+ } else if (OpHasIndexedPropertyShape == shape || (AnyOpcodeShape == shape && isOpcodeShape<OpHasIndexedPropertyShape>(opcodeID))) {
+ ASSERT(isOpcodeShape<OpHasIndexedPropertyShape>(instruction));
+ arrayProfile = instruction[4].u.arrayProfile;
+
+ } else if (OpGetArrayLengthShape == shape || (AnyOpcodeShape == shape && isOpcodeShape<OpGetArrayLengthShape>(opcodeID))) {
+ ASSERT(isOpcodeShape<OpGetArrayLengthShape>(instruction));
+ arrayProfile = instruction[4].u.arrayProfile;
+
+ } else if (OpGetByValShape == shape || (AnyOpcodeShape == shape && isOpcodeShape<OpGetByValShape>(opcodeID))) {
+ ASSERT(isOpcodeShape<OpGetByValShape>(instruction));
+ arrayProfile = instruction[4].u.arrayProfile;
+
+ } else if (OpInByValShape == shape || (AnyOpcodeShape == shape && isOpcodeShape<OpInByValShape>(opcodeID))) {
+ ASSERT(isOpcodeShape<OpInByValShape>(instruction));
+ arrayProfile = instruction[OPCODE_LENGTH(op_in_by_val) - 1].u.arrayProfile;
+
+ } else if (OpPutByValShape == shape || (AnyOpcodeShape == shape && isOpcodeShape<OpPutByValShape>(opcodeID))) {
+ ASSERT(isOpcodeShape<OpPutByValShape>(instruction));
+ arrayProfile = instruction[4].u.arrayProfile;
+
+ } else if (AnyOpcodeShape != shape)
+ RELEASE_ASSERT_NOT_REACHED();
+
+ ASSERT(!arrayProfile || arrayProfile->isValid());
+ return arrayProfile;
+}
+
+} // namespace JSC
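Review bot: When `arrayProfileFor<shape>` is called with an explicit shape, the only guard that the instruction actually has that shape is an `ASSERT` in each branch, which compiles out in release builds; a caller that passes a mis-shaped instruction then reinterprets an arbitrary operand as an `ArrayProfile*` — the same type confusion this patch is fixing, now behind a helper whose name suggests it is safe. Given that the visible callers run at DFG parse or baseline JIT emission time, a `RELEASE_ASSERT(isOpcodeShape<OpCallShape>(instruction));` (and likewise for the other explicit-shape branches) would cost nothing measurable and turn a silent bad read into a deterministic crash; the LLInt slow-path callers named in the ChangeLog are not in this chunk, so their cost is hedged. The `if (shape == ...)` chains in `isOpcodeShape` test a compile-time constant, so if the project compiles as C++17 they could be `if constexpr` and the trailing `RELEASE_ASSERT_NOT_REACHED()` a `static_assert`. The repeated literal `4` in the has_indexed_property / get_array_length / get_by_val / put_by_val branches would benefit from a pinning guard such as `static_assert(4 < OPCODE_LENGTH(op_get_by_val), "");`, matching how the op_call branch already documents its slot via `OPCODE_LENGTH(op_call) - 2`.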
Modified: branches/safari-606-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -57,6 +57,7 @@
#include "JSModuleNamespaceObject.h"
#include "NumberConstructor.h"
#include "ObjectConstructor.h"
+#include "OpcodeInlines.h"
#include "PreciseJumpTargets.h"
#include "PutByIdFlags.h"
#include "PutByIdStatus.h"
@@ -2100,7 +2101,10 @@
bool ByteCodeParser::handleIntrinsicCall(Node* callee, int resultOperand, Intrinsic intrinsic, int registerOffset, int argumentCountIncludingThis, SpeculatedType prediction, const ChecksFunctor& insertChecks)
{
VERBOSE_LOG(" The intrinsic is ", intrinsic, "\n");
-
+
+ if (!isOpcodeShape<OpCallShape>(m_currentInstruction))
+ return false;
+
// It so happens that the code below doesn't handle the invalid result case. We could fix that, but
// it would only benefit intrinsics called as setters, like if you do:
//
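Review bot: The bail-out on the added `if (!isOpcodeShape<OpCallShape>(m_currentInstruction))` lines carries no explanation, while the existing comment immediately below still discusses intrinsics called as setters as though they reach the switch, so a reader cannot tell which statement is current. Suggest `// Getters and setters reach handleCall() via op_get_by_val / op_put_by_val; the cases below read op_call-shaped operands (e.g. the ArrayProfile slot), so only call-shaped instructions may proceed.` above the `if`. If setters can no longer get past this point, the remark about the invalid-result case below probably describes a path that now returns false here and should be re-read against the new check; handleIntrinsicCall continues well beyond this hunk, so that is inferred rather than verified.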
@@ -2212,8 +2216,7 @@
if (static_cast<unsigned>(argumentCountIncludingThis) >= MIN_SPARSE_ARRAY_INDEX)
return false;
-
- ArrayMode arrayMode = getArrayMode(m_currentInstruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile, Array::Write);
+ ArrayMode arrayMode = getArrayMode(arrayProfileFor<OpCallShape>(m_currentInstruction), Array::Write);
if (!arrayMode.isJSArray())
return false;
switch (arrayMode.type()) {
@@ -2250,8 +2253,7 @@
if (m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadConstantCache)
|| m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCache))
return false;
-
- ArrayMode arrayMode = getArrayMode(m_currentInstruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile, Array::Read);
+ ArrayMode arrayMode = getArrayMode(arrayProfileFor<OpCallShape>(m_currentInstruction), Array::Read);
if (!arrayMode.isJSArray())
return false;
@@ -2340,7 +2342,7 @@
|| m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType))
return false;
- ArrayMode arrayMode = getArrayMode(m_currentInstruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile, Array::Read);
+ ArrayMode arrayMode = getArrayMode(arrayProfileFor<OpCallShape>(m_currentInstruction), Array::Read);
if (!arrayMode.isJSArray())
return false;
@@ -2399,8 +2401,7 @@
case ArrayPopIntrinsic: {
if (argumentCountIncludingThis != 1)
return false;
-
- ArrayMode arrayMode = getArrayMode(m_currentInstruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile, Array::Write);
+ ArrayMode arrayMode = getArrayMode(arrayProfileFor<OpCallShape>(m_currentInstruction), Array::Write);
if (!arrayMode.isJSArray())
return false;
switch (arrayMode.type()) {
@@ -5077,7 +5078,7 @@
if (compiledAsGetById)
handleGetById(currentInstruction[1].u.operand, prediction, base, identifierNumber, getByIdStatus, AccessType::Get, OPCODE_LENGTH(op_get_by_val));
else {
- ArrayMode arrayMode = getArrayMode(currentInstruction[4].u.arrayProfile, Array::Read);
+ ArrayMode arrayMode = getArrayMode(arrayProfileFor<OpGetByValShape>(currentInstruction), Array::Read);
// FIXME: We could consider making this not vararg, since it only uses three child
// slots.
// https://bugs.webkit.org/show_bug.cgi?id=184192
@@ -5149,7 +5150,7 @@
}
if (!compiledAsPutById) {
- ArrayMode arrayMode = getArrayMode(currentInstruction[4].u.arrayProfile, Array::Write);
+ ArrayMode arrayMode = getArrayMode(arrayProfileFor<OpPutByValShape>(currentInstruction), Array::Write);
addVarArgChild(base);
addVarArgChild(property);
@@ -6439,7 +6440,7 @@
}
case op_in_by_val: {
- ArrayMode arrayMode = getArrayMode(currentInstruction[OPCODE_LENGTH(op_in_by_val) - 1].u.arrayProfile, Array::Read);
+ ArrayMode arrayMode = getArrayMode(arrayProfileFor<OpInByValShape>(currentInstruction), Array::Read);
set(VirtualRegister(currentInstruction[1].u.operand),
addToGraph(InByVal, OpInfo(arrayMode.asWord()), get(VirtualRegister(currentInstruction[2].u.operand)), get(VirtualRegister(currentInstruction[3].u.operand))));
NEXT_OPCODE(op_in_by_val);
@@ -6506,7 +6507,7 @@
case op_has_indexed_property: {
Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
- ArrayMode arrayMode = getArrayMode(currentInstruction[4].u.arrayProfile, Array::Read);
+ ArrayMode arrayMode = getArrayMode(arrayProfileFor<OpHasIndexedPropertyShape>(currentInstruction), Array::Read);
Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
Node* hasIterableProperty = addToGraph(HasIndexedProperty, OpInfo(arrayMode.asWord()), OpInfo(static_cast<uint32_t>(PropertySlot::InternalMethodType::GetOwnProperty)), base, property);
set(VirtualRegister(currentInstruction[1].u.operand), hasIterableProperty);
Modified: branches/safari-606-branch/Source/_javascript_Core/jit/JITCall.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/jit/JITCall.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/jit/JITCall.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -37,6 +37,7 @@
#include "Interpreter.h"
#include "JSCInlines.h"
#include "LinkBuffer.h"
+#include "OpcodeInlines.h"
#include "ResultType.h"
#include "SetupVarargsFrame.h"
#include "StackAlignment.h"
@@ -167,7 +168,7 @@
emitGetVirtualRegister(registerOffset + CallFrame::argumentOffsetIncludingThis(0), regT0);
Jump done = branchIfNotCell(regT0);
load32(Address(regT0, JSCell::structureIDOffset()), regT0);
- store32(regT0, instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile->addressOfLastSeenStructureID());
+ store32(regT0, arrayProfileFor<OpCallShape>(instruction)->addressOfLastSeenStructureID());
done.link(this);
}
Modified: branches/safari-606-branch/Source/_javascript_Core/jit/JITCall32_64.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/jit/JITCall32_64.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/jit/JITCall32_64.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -36,6 +36,7 @@
#include "JSFunction.h"
#include "JSCInlines.h"
#include "LinkBuffer.h"
+#include "OpcodeInlines.h"
#include "ResultType.h"
#include "SetupVarargsFrame.h"
#include "StackAlignment.h"
@@ -251,7 +252,7 @@
emitLoad(registerOffset + CallFrame::argumentOffsetIncludingThis(0), regT0, regT1);
Jump done = branchIfNotCell(regT0);
loadPtr(Address(regT1, JSCell::structureIDOffset()), regT1);
- storePtr(regT1, instruction[OPCODE_LENGTH(op_call) - 2].u.arrayProfile->addressOfLastSeenStructureID());
+ storePtr(regT1, arrayProfileFor<OpCallShape>(instruction)->addressOfLastSeenStructureID());
done.link(this);
}
Modified: branches/safari-606-branch/Source/_javascript_Core/jit/JITOpcodes.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/jit/JITOpcodes.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/jit/JITOpcodes.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -40,6 +40,7 @@
#include "JSPropertyNameEnumerator.h"
#include "LinkBuffer.h"
#include "MaxFrameExtentForSlowPathCall.h"
+#include "OpcodeInlines.h"
#include "SlowPathCall.h"
#include "SuperSampler.h"
#include "ThunkGenerators.h"
@@ -1159,7 +1160,7 @@
int dst = currentInstruction[1].u.operand;
int base = currentInstruction[2].u.operand;
int property = currentInstruction[3].u.operand;
- ArrayProfile* profile = ""
+ ArrayProfile* profile = ""
ByValInfo* byValInfo = m_codeBlock->addByValInfo();
emitGetVirtualRegisters(base, regT0, property, regT1);
Modified: branches/safari-606-branch/Source/_javascript_Core/jit/JITOpcodes32_64.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -40,7 +40,7 @@
#include "JSPropertyNameEnumerator.h"
#include "LinkBuffer.h"
#include "MaxFrameExtentForSlowPathCall.h"
-#include "Opcode.h"
+#include "OpcodeInlines.h"
#include "SlowPathCall.h"
#include "TypeProfilerLog.h"
#include "VirtualRegister.h"
@@ -1040,7 +1040,7 @@
int dst = currentInstruction[1].u.operand;
int base = currentInstruction[2].u.operand;
int property = currentInstruction[3].u.operand;
- ArrayProfile* profile = ""
+ ArrayProfile* profile = ""
ByValInfo* byValInfo = m_codeBlock->addByValInfo();
emitLoadPayload(base, regT0);
Modified: branches/safari-606-branch/Source/_javascript_Core/jit/JITPropertyAccess.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -38,6 +38,7 @@
#include "JSFunction.h"
#include "JSLexicalEnvironment.h"
#include "LinkBuffer.h"
+#include "OpcodeInlines.h"
#include "ResultType.h"
#include "ScopedArguments.h"
#include "ScopedArgumentsTable.h"
@@ -55,7 +56,7 @@
int dst = currentInstruction[1].u.operand;
int base = currentInstruction[2].u.operand;
int property = currentInstruction[3].u.operand;
- ArrayProfile* profile = ""
+ ArrayProfile* profile = ""
ByValInfo* byValInfo = m_codeBlock->addByValInfo();
emitGetVirtualRegister(base, regT0);
@@ -195,7 +196,7 @@
{
int base = currentInstruction[1].u.operand;
int property = currentInstruction[2].u.operand;
- ArrayProfile* profile = ""
+ ArrayProfile* profile = ""
ByValInfo* byValInfo = m_codeBlock->addByValInfo();
emitGetVirtualRegister(base, regT0);
@@ -252,8 +253,8 @@
JIT::JumpList JIT::emitGenericContiguousPutByVal(Instruction* currentInstruction, PatchableJump& badType, IndexingType indexingShape)
{
int value = currentInstruction[3].u.operand;
- ArrayProfile* profile = ""
-
+ ArrayProfile* profile = ""
+
JumpList slowCases;
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(indexingShape));
@@ -308,8 +309,8 @@
JIT::JumpList JIT::emitArrayStoragePutByVal(Instruction* currentInstruction, PatchableJump& badType)
{
int value = currentInstruction[3].u.operand;
- ArrayProfile* profile = ""
-
+ ArrayProfile* profile = ""
+
JumpList slowCases;
badType = patchableBranch32(NotEqual, regT2, TrustedImm32(ArrayStorageShape));
@@ -1627,7 +1628,7 @@
JIT::JumpList JIT::emitIntTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType type)
{
- ArrayProfile* profile = ""
+ ArrayProfile* profile = ""
ASSERT(isInt(type));
int value = currentInstruction[3].u.operand;
@@ -1700,7 +1701,7 @@
JIT::JumpList JIT::emitFloatTypedArrayPutByVal(Instruction* currentInstruction, PatchableJump& badType, TypedArrayType type)
{
- ArrayProfile* profile = ""
+ ArrayProfile* profile = ""
ASSERT(isFloat(type));
int value = currentInstruction[3].u.operand;
Modified: branches/safari-606-branch/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -38,6 +38,7 @@
#include "JSFunction.h"
#include "JSLexicalEnvironment.h"
#include "LinkBuffer.h"
+#include "OpcodeInlines.h"
#include "ResultType.h"
#include "SlowPathCall.h"
#include "StructureStubInfo.h"
@@ -133,7 +134,7 @@
int dst = currentInstruction[1].u.operand;
int base = currentInstruction[2].u.operand;
int property = currentInstruction[3].u.operand;
- ArrayProfile* profile = ""
+ ArrayProfile* profile = ""
ByValInfo* byValInfo = m_codeBlock->addByValInfo();
emitLoad2(base, regT1, regT0, property, regT3, regT2);
@@ -253,7 +254,7 @@
{
int base = currentInstruction[1].u.operand;
int property = currentInstruction[2].u.operand;
- ArrayProfile* profile = ""
+ ArrayProfile* profile = ""
ByValInfo* byValInfo = m_codeBlock->addByValInfo();
emitLoad2(base, regT1, regT0, property, regT3, regT2);
@@ -301,8 +302,8 @@
{
int base = currentInstruction[1].u.operand;
int value = currentInstruction[3].u.operand;
- ArrayProfile* profile = ""
-
+ ArrayProfile* profile = ""
+
JumpList slowCases;
badType = patchableBranch32(NotEqual, regT1, TrustedImm32(ContiguousShape));
@@ -360,8 +361,8 @@
{
int base = currentInstruction[1].u.operand;
int value = currentInstruction[3].u.operand;
- ArrayProfile* profile = ""
-
+ ArrayProfile* profile = ""
+
JumpList slowCases;
badType = patchableBranch32(NotEqual, regT1, TrustedImm32(ArrayStorageShape));
Modified: branches/safari-606-branch/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/llint/LLIntSlowPaths.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -60,6 +60,7 @@
#include "ModuleProgramCodeBlock.h"
#include "ObjectConstructor.h"
#include "ObjectPropertyConditionSet.h"
+#include "OpcodeInlines.h"
#include "ProgramCodeBlock.h"
#include "ProtoCallFrame.h"
#include "RegExpObject.h"
@@ -805,6 +806,7 @@
ArrayProfile* arrayProfile = codeBlock->getOrAddArrayProfile(codeBlock->bytecodeOffset(pc));
arrayProfile->observeStructure(baseValue.asCell()->structure(vm));
pc[4].u.arrayProfile = arrayProfile;
+ ASSERT(arrayProfileFor<OpGetArrayLengthShape>(pc) == arrayProfile);
// Prevent the prototype cache from ever happening.
pc[7].u.operand = 0;
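Review bot: The store on the line above the new ASSERT still hard-codes `pc[4].u.arrayProfile`, so the slot index stays duplicated between this write and `arrayProfileFor<OpGetArrayLengthShape>`, and the ASSERT only catches a mismatch in debug builds. If the helper cannot hand back a reference to the slot so the write goes through it too, a comment on the store such as `// Slot index must stay in sync with arrayProfileFor<OpGetArrayLengthShape>(); the ASSERT below checks this only in debug builds.` would at least flag the coupling. The enclosing function starts outside the hunk.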
@@ -941,7 +943,7 @@
if (subscript.isUInt32()) {
uint32_t i = subscript.asUInt32();
- ArrayProfile* arrayProfile = pc[4].u.arrayProfile;
+ ArrayProfile* arrayProfile = arrayProfileFor<OpGetByValShape>(pc);
if (isJSString(baseValue)) {
if (asString(baseValue)->canGetIndex(i)) {
Modified: branches/safari-606-branch/Source/_javascript_Core/runtime/CommonSlowPaths.cpp (236219 => 236220)
--- branches/safari-606-branch/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2018-09-19 20:54:11 UTC (rev 236219)
+++ branches/safari-606-branch/Source/_javascript_Core/runtime/CommonSlowPaths.cpp 2018-09-19 20:54:17 UTC (rev 236220)
@@ -60,6 +60,7 @@
#include "LowLevelInterpreter.h"
#include "MathCommon.h"
#include "ObjectConstructor.h"
+#include "OpcodeInlines.h"
#include "ScopedArguments.h"
#include "StructureRareDataInlines.h"
#include "ThunkGenerators.h"
@@ -703,7 +704,7 @@
SLOW_PATH_DECL(slow_path_in_by_val)
{
BEGIN();
- RETURN(jsBoolean(CommonSlowPaths::opInByVal(exec, OP_C(2).jsValue(), OP_C(3).jsValue(), pc[4].u.arrayProfile)));
+ RETURN(jsBoolean(CommonSlowPaths::opInByVal(exec, OP_C(2).jsValue(), OP_C(3).jsValue(), arrayProfileFor<OpInByValShape>(pc))));
}
SLOW_PATH_DECL(slow_path_in_by_id)
@@ -782,7 +783,7 @@
JSObject* base = OP(2).jsValue().toObject(exec);
CHECK_EXCEPTION();
JSValue property = OP(3).jsValue();
- pc[4].u.arrayProfile->observeStructure(base->structure(vm));
+ arrayProfileFor<OpHasIndexedPropertyShape>(pc)->observeStructure(base->structure(vm));
ASSERT(property.isUInt32());
RETURN(jsBoolean(base->hasPropertyGeneric(exec, property.asUInt32(), PropertySlot::InternalMethodType::GetOwnProperty)));
}