- Revision
- 237516
- Author
- [email protected]
- Date
- 2018-10-28 06:43:41 -0700 (Sun, 28 Oct 2018)
Log Message
Merged r237325 - DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
https://bugs.webkit.org/show_bug.cgi?id=190515
<rdar://problem/45222379>
Reviewed by Saam Barati.
JSTests:
* stress/regress-190515.js: Added.
Source/_javascript_Core:
1. Fixes calls to asArrayModes() to take a structure's IndexingMode instead of
IndexingType.
2. DFG's compileNewArrayBuffer()'s HaveABadTime case was previously using the
node's indexingType (instead of indexingMode) to choose the array structure
to use for creating an array buffer with. This turns out to not be an issue
because when the VM is having a bad time, all the
arrayStructureForIndexingTypeDuringAllocation structure pointers will point to
the SlowPutArrayStorage structure anyway. However, to be strictly correct,
we'll fix it to use the structure for the node's indexingMode.
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::mergeOSREntryValue):
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::validate const):
* dfg/DFGOSRExit.cpp:
(JSC::DFG::OSRExit::executeOSRExit):
* dfg/DFGRegisteredStructureSet.cpp:
(JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (237515 => 237516)
--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-10-28 13:43:33 UTC (rev 237515)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2018-10-28 13:43:41 UTC (rev 237516)
@@ -1,3 +1,13 @@
+2018-10-22 Mark Lam <[email protected]>
+
+ DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
+ https://bugs.webkit.org/show_bug.cgi?id=190515
+ <rdar://problem/45222379>
+
+ Reviewed by Saam Barati.
+
+ * stress/regress-190515.js: Added.
+
2018-10-15 Saam Barati <[email protected]>
JSArray::shiftCountWithArrayStorage is wrong when an array has holes
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-190515.js (0 => 237516)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-190515.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/regress-190515.js 2018-10-28 13:43:41 UTC (rev 237516)
@@ -0,0 +1,26 @@
+function set(arr, value) {
+ arr[0] = value;
+}
+
+function getImmutableArrayOrSet(get) {
+ let arr = [1];
+ if (get)
+ return arr;
+
+ set(arr, 42);
+ set({}, 1);
+}
+noInline(getImmutableArrayOrSet);
+
+function test() {
+ getImmutableArrayOrSet(true);
+
+ for (let i = 0; i < 10000; i++)
+ getImmutableArrayOrSet(false);
+
+ let arr = getImmutableArrayOrSet(true);
+ if (arr[0] != 1)
+ throw "FAILED";
+}
+
+test();
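Review bot: The new test has no comment saying what it exercises, so a future reader only has the bug number in the file name to go on. From the shape of the test — the literal `[1]` is returned untouched on one path and written through `set` on the other, then the untouched path is checked once the mutating path is hot — I would infer it guards the array-mode tracking that this commit corrects, but that is my inference, not something the commit says. A header comment such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=190515: after the mutating path is hot, the array returned by the non-mutating path must still hold 1.` would pin the intent without guessing at internals. The comparison `arr[0] != 1` is loose equality; `!==` would match the other stress tests' usual style, though it makes no difference for these values.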
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (237515 => 237516)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-10-28 13:43:33 UTC (rev 237515)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2018-10-28 13:43:41 UTC (rev 237516)
@@ -1,3 +1,34 @@
+2018-10-22 Mark Lam <[email protected]>
+
+ DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
+ https://bugs.webkit.org/show_bug.cgi?id=190515
+ <rdar://problem/45222379>
+
+ Reviewed by Saam Barati.
+
+ 1. Fixes calls to asArrayModes() to take a structure's IndexingMode instead of
+ IndexingType.
+
+ 2. DFG's compileNewArrayBuffer()'s HaveABadTime case was previously using the
+ node's indexingType (instead of indexingMode) to choose the array structure
+ to use for creating an array buffer with. This turns out to not be an issue
+ because when the VM is in having a bad time, all the
+ arrayStructureForIndexingTypeDuringAllocation structure pointers will point to
+ the SlowPutArrayStorage structure anyway. However, to be strictly correct,
+ we'll fix it to use the structure for the node's indexingMode.
+
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::mergeOSREntryValue):
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::validate const):
+ * dfg/DFGOSRExit.cpp:
+ (JSC::DFG::OSRExit::executeOSRExit):
+ * dfg/DFGRegisteredStructureSet.cpp:
+ (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
+
2018-10-16 Mark Lam <[email protected]>
GetIndexedPropertyStorage can GC.
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGAbstractValue.cpp (237515 => 237516)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGAbstractValue.cpp 2018-10-28 13:43:33 UTC (rev 237515)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGAbstractValue.cpp 2018-10-28 13:43:41 UTC (rev 237516)
@@ -60,7 +60,7 @@
m_arrayModes = ALL_ARRAY_MODES;
m_structure.clobber();
} else
- m_arrayModes = asArrayModes(structure->indexingType());
+ m_arrayModes = asArrayModes(structure->indexingMode());
} else {
m_structure.makeTop();
m_arrayModes = ALL_ARRAY_MODES;
@@ -87,7 +87,7 @@
RELEASE_ASSERT(structure);
m_structure = structure;
- m_arrayModes = asArrayModes(structure->indexingType());
+ m_arrayModes = asArrayModes(structure->indexingMode());
m_type = speculationFromStructure(structure.get());
m_value = JSValue();
@@ -228,7 +228,7 @@
FrozenValue* frozenValue = graph.freeze(value);
if (frozenValue->pointsToHeap()) {
m_structure = graph.registerStructure(frozenValue->structure());
- m_arrayModes = asArrayModes(frozenValue->structure()->indexingType());
+ m_arrayModes = asArrayModes(frozenValue->structure()->indexingMode());
} else {
m_structure.clear();
m_arrayModes = 0;
@@ -240,7 +240,7 @@
mergeSpeculation(m_type, speculationFromValue(value));
if (!!value && value.isCell()) {
RegisteredStructure structure = graph.registerStructure(value.asCell()->structure(graph.m_vm));
- mergeArrayModes(m_arrayModes, asArrayModes(structure->indexingType()));
+ mergeArrayModes(m_arrayModes, asArrayModes(structure->indexingMode()));
m_structure.merge(RegisteredStructureSet(structure));
}
if (m_value != value)
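Review bot: Every hunk in this file swaps `structure->indexingType()` for `structure->indexingMode()` at the call site, but nothing in the commit stops the same mix-up from being reintroduced: the declaration of `asArrayModes()` is not on the page, and if IndexingType and IndexingMode are interchangeable integer typedefs (which I cannot confirm from here) a caller passing the wrong one still compiles silently, which is how the old code went unnoticed. Since `m_arrayModes` is what `validate()` in DFGAbstractValue.h tests against (`m_arrayModes & asArrayModes(...)`), a wrong value here weakens that check, so it is worth hardening at the source rather than per call site — either give `asArrayModes()` a parameter type that rejects a bare IndexingType, or at least document it, e.g. `// asArrayModes() takes an IndexingMode, never a bare IndexingType; see r237325.` The same change appears in DFGAbstractValue.h, DFGOSRExit.cpp and DFGRegisteredStructureSet.cpp, where the same remark applies. The enclosing functions (`AbstractValue::set` and `mergeOSREntryValue`) start and end outside these hunks.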
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGAbstractValue.h (237515 => 237516)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGAbstractValue.h 2018-10-28 13:43:33 UTC (rev 237515)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGAbstractValue.h 2018-10-28 13:43:41 UTC (rev 237516)
@@ -397,7 +397,7 @@
ASSERT(m_type & SpecCell);
Structure* structure = value.asCell()->structure();
return m_structure.contains(structure)
- && (m_arrayModes & asArrayModes(structure->indexingType()));
+ && (m_arrayModes & asArrayModes(structure->indexingMode()));
}
return true;
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGOSRExit.cpp (237515 => 237516)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGOSRExit.cpp 2018-10-28 13:43:33 UTC (rev 237515)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGOSRExit.cpp 2018-10-28 13:43:41 UTC (rev 237516)
@@ -499,7 +499,7 @@
ASSERT(exit.m_kind == BadCache || exit.m_kind == BadIndexingType);
Structure* structure = profiledValue.asCell()->structure(vm);
arrayProfile->observeStructure(structure);
- arrayProfile->observeArrayMode(asArrayModes(structure->indexingType()));
+ arrayProfile->observeArrayMode(asArrayModes(structure->indexingMode()));
}
if (extraInitializationLevel <= ExtraInitializationLevel::ArrayProfileUpdate)
break;
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGRegisteredStructureSet.cpp (237515 => 237516)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGRegisteredStructureSet.cpp 2018-10-28 13:43:33 UTC (rev 237515)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGRegisteredStructureSet.cpp 2018-10-28 13:43:41 UTC (rev 237516)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -79,7 +79,7 @@
ArrayModes result = 0;
forEach(
[&] (RegisteredStructure structure) {
- mergeArrayModes(result, asArrayModes(structure->indexingType()));
+ mergeArrayModes(result, asArrayModes(structure->indexingMode()));
});
return result;
}
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (237515 => 237516)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-10-28 13:43:33 UTC (rev 237515)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-10-28 13:43:41 UTC (rev 237516)
@@ -12113,7 +12113,7 @@
flushRegisters();
GPRFlushedCallResult result(this);
- callOperation(operationNewArrayBuffer, result.gpr(), m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType())), TrustedImmPtr(node->cellOperand()));
+ callOperation(operationNewArrayBuffer, result.gpr(), structure, TrustedImmPtr(node->cellOperand()));
m_jit.exceptionCheck();
cellResult(result.gpr(), node);
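Review bot: The new `callOperation` line now passes `structure`, but that variable is declared outside the hunk, so this excerpt alone cannot confirm it is the structure chosen from `node->indexingMode()` as the ChangeLog describes for the HaveABadTime case. A short comment at the call would let a reader verify the intent in place, e.g. `// HaveABadTime path: structure was selected from node->indexingMode() above, not indexingType().` The enclosing `compileNewArrayBuffer` begins and ends outside the hunk.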