Skip to site navigation (Press enter)

[webkit-changes] [237513] releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore

aperez Sun, 28 Oct 2018 06:44:47 -0700

Title: [237513] releases/WebKitGTK/webkit-2.22/Source/_javascript_Core

Revision: 237513
Author: [email protected]
Date: 2018-10-28 06:43:17 -0700 (Sun, 28 Oct 2018)

Log Message

Merged r237215 - GetIndexedPropertyStorage can GC.
https://bugs.webkit.org/show_bug.cgi?id=190625
<rdar://problem/45309366>


Reviewed by Saam Barati.

This is because if the ArrayMode type is String, the DFG and FTL will be emitting
a call to operationResolveRope, and operationResolveRope can GC.  This patch
updates doesGC() to reflect this.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

Modified Paths

releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog
releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGDoesGC.cpp

Diff

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (237512 => 237513)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-10-28 13:43:11 UTC (rev 237512)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-10-28 13:43:17 UTC (rev 237513)
@@ -1,3 +1,18 @@
+2018-10-16  Mark Lam  <[email protected]>
+
+        GetIndexedPropertyStorage can GC.
+        https://bugs.webkit.org/show_bug.cgi?id=190625
+        <rdar://problem/45309366>
+
+        Reviewed by Saam Barati.
+
+        This is because if the ArrayMode type is String, the DFG and FTL will be emitting
+        a call to operationResolveRope, and operationResolveRope can GC.  This patch
+        updates doesGC() to reflect this.
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+
 2018-10-15  Saam Barati  <[email protected]>
 
         JSArray::shiftCountWithArrayStorage is wrong when an array has holes

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGDoesGC.cpp (237512 => 237513)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2018-10-28 13:43:11 UTC (rev 237512)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2018-10-28 13:43:17 UTC (rev 237513)
@@ -248,7 +248,6 @@
     case GetSetter:
     case GetByVal:
     case GetByValWithThis:
-    case GetIndexedPropertyStorage:
     case GetArrayLength:
     case GetVectorLength:
     case ArrayPush:
@@ -375,6 +374,11 @@
     case MapSet:
         return true;
 
+    case GetIndexedPropertyStorage:
+        if (node->arrayMode().type() == Array::String)
+            return true;
+        return false;
+
     case MapHash:
         switch (node->child1().useKind()) {
         case BooleanUse:

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes