[webkit-changes] [237318] branches/safari-606-branch/Source/JavaScriptCore

Mon, 22 Oct 2018 00:20:46 -0700

Title: [237318] branches/safari-606-branch/Source/_javascript_Core
Revision
237318
Author
[email protected]
Date
2018-10-22 00:19:33 -0700 (Mon, 22 Oct 2018)

Log Message

Cherry-pick r237215. rdar://problem/45445113

    GetIndexedPropertyStorage can GC.
    https://bugs.webkit.org/show_bug.cgi?id=190625
    <rdar://problem/45309366>

    Reviewed by Saam Barati.

    This is because if the ArrayMode type is String, the DFG and FTL will be emitting
    a call to operationResolveRope, and operationResolveRope can GC.  This patch
    updates doesGC() to reflect this.

    * dfg/DFGDoesGC.cpp:
    (JSC::DFG::doesGC):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237215 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-606-branch/Source/_javascript_Core/ChangeLog (237317 => 237318)


--- branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-10-22 07:19:31 UTC (rev 237317)
+++ branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-10-22 07:19:33 UTC (rev 237318)
@@ -1,5 +1,41 @@
 2018-10-21  Babak Shafiei  <[email protected]>
 
+        Cherry-pick r237215. rdar://problem/45445113
+
+    GetIndexedPropertyStorage can GC.
+    https://bugs.webkit.org/show_bug.cgi?id=190625
+    <rdar://problem/45309366>
+    
+    Reviewed by Saam Barati.
+    
+    This is because if the ArrayMode type is String, the DFG and FTL will be emitting
+    a call to operationResolveRope, and operationResolveRope can GC.  This patch
+    updates doesGC() to reflect this.
+    
+    * dfg/DFGDoesGC.cpp:
+    (JSC::DFG::doesGC):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237215 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-10-16  Mark Lam  <[email protected]>
+
+            GetIndexedPropertyStorage can GC.
+            https://bugs.webkit.org/show_bug.cgi?id=190625
+            <rdar://problem/45309366>
+
+            Reviewed by Saam Barati.
+
+            This is because if the ArrayMode type is String, the DFG and FTL will be emitting
+            a call to operationResolveRope, and operationResolveRope can GC.  This patch
+            updates doesGC() to reflect this.
+
+            * dfg/DFGDoesGC.cpp:
+            (JSC::DFG::doesGC):
+
+2018-10-21  Babak Shafiei  <[email protected]>
+
         Cherry-pick r236804. rdar://problem/45285687
 
     Make string MaxLength for all WTF and JS strings consistently equal to INT_MAX.

Modified: branches/safari-606-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp (237317 => 237318)


--- branches/safari-606-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2018-10-22 07:19:31 UTC (rev 237317)
+++ branches/safari-606-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2018-10-22 07:19:33 UTC (rev 237318)
@@ -248,7 +248,6 @@
     case GetSetter:
     case GetByVal:
     case GetByValWithThis:
-    case GetIndexedPropertyStorage:
     case GetArrayLength:
     case GetVectorLength:
     case ArrayPush:
@@ -367,6 +366,11 @@
     case MapSet:
         return true;
 
+    case GetIndexedPropertyStorage:
+        if (node->arrayMode().type() == Array::String)
+            return true;
+        return false;
+
     case MapHash:
         switch (node->child1().useKind()) {
         case BooleanUse:

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to