Title: [237525] branches/safari-606-branch
Revision: 237525
Author: [email protected]
Date: 2018-10-28 12:12:20 -0700 (Sun, 28 Oct 2018)

Log Message

Cherry-pick r237325. rdar://problem/45363533

    DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
    https://bugs.webkit.org/show_bug.cgi?id=190515
    <rdar://problem/45222379>

    Reviewed by Saam Barati.

    JSTests:

    * stress/regress-190515.js: Added.

    Source/JavaScriptCore:

    1. Fixes calls to asArrayModes() to take a structure's IndexingMode instead of
       IndexingType.

    2. DFG's compileNewArrayBuffer()'s HaveABadTime case was previously using the
       node's indexingType (instead of indexingMode) to choose the array structure
       to use for creating an array buffer with.  This turns out to not be an issue
       because when the VM is in having a bad time, all the
       arrayStructureForIndexingTypeDuringAllocation structure pointers will point to
       the SlowPutArrayStorage structure anyway.  However, to be strictly correct,
       we'll fix it to use the structure for the node's indexingMode.

    * dfg/DFGAbstractValue.cpp:
    (JSC::DFG::AbstractValue::set):
    (JSC::DFG::AbstractValue::mergeOSREntryValue):
    * dfg/DFGAbstractValue.h:
    (JSC::DFG::AbstractValue::validate const):
    * dfg/DFGOSRExit.cpp:
    (JSC::DFG::OSRExit::executeOSRExit):
    * dfg/DFGRegisteredStructureSet.cpp:
    (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237325 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-606-branch/JSTests/ChangeLog (237524 => 237525)


--- branches/safari-606-branch/JSTests/ChangeLog	2018-10-28 19:12:15 UTC (rev 237524)
+++ branches/safari-606-branch/JSTests/ChangeLog	2018-10-28 19:12:20 UTC (rev 237525)
@@ -1,3 +1,56 @@
+2018-10-28  Babak Shafiei  <[email protected]>
+
+        Cherry-pick r237325. rdar://problem/45363533
+
+    DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
+    https://bugs.webkit.org/show_bug.cgi?id=190515
+    <rdar://problem/45222379>
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/regress-190515.js: Added.
+    
+    Source/_javascript_Core:
+    
+    1. Fixes calls to asArrayModes() to take a structure's IndexingMode instead of
+       IndexingType.
+    
+    2. DFG's compileNewArrayBuffer()'s HaveABadTime case was previously using the
+       node's indexingType (instead of indexingMode) to choose the array structure
+       to use for creating an array buffer with.  This turns out to not be an issue
+       because when the VM is in having a bad time, all the
+       arrayStructureForIndexingTypeDuringAllocation structure pointers will point to
+       the SlowPutArrayStorage structure anyway.  However, to be strictly correct,
+       we'll fix it to use the structure for the node's indexingMode.
+    
+    * dfg/DFGAbstractValue.cpp:
+    (JSC::DFG::AbstractValue::set):
+    (JSC::DFG::AbstractValue::mergeOSREntryValue):
+    * dfg/DFGAbstractValue.h:
+    (JSC::DFG::AbstractValue::validate const):
+    * dfg/DFGOSRExit.cpp:
+    (JSC::DFG::OSRExit::executeOSRExit):
+    * dfg/DFGRegisteredStructureSet.cpp:
+    (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237325 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-10-22  Mark Lam  <[email protected]>
+
+            DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
+            https://bugs.webkit.org/show_bug.cgi?id=190515
+            <rdar://problem/45222379>
+
+            Reviewed by Saam Barati.
+
+            * stress/regress-190515.js: Added.
+
 2018-10-26  Mark Lam  <[email protected]>
 
         Cherry-pick r237469. rdar://problem/45363534

Added: branches/safari-606-branch/JSTests/stress/regress-190515.js (0 => 237525)


--- branches/safari-606-branch/JSTests/stress/regress-190515.js	                        (rev 0)
+++ branches/safari-606-branch/JSTests/stress/regress-190515.js	2018-10-28 19:12:20 UTC (rev 237525)
@@ -0,0 +1,26 @@
+function set(arr, value) {
+    arr[0] = value;
+}
+
+function getImmutableArrayOrSet(get) {
+    let arr = [1];
+    if (get)
+        return arr;
+
+    set(arr, 42);
+    set({}, 1);
+}
+noInline(getImmutableArrayOrSet);
+
+function test() {
+    getImmutableArrayOrSet(true);
+
+    for (let i = 0; i < 10000; i++)
+        getImmutableArrayOrSet(false);
+
+    let arr = getImmutableArrayOrSet(true);
+    if (arr[0] != 1)
+        throw "FAILED";
+}
+
+test();
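
Review bot: the failure path at `throw "FAILED";` reports nothing about what was observed, and the file carries no comment saying what it guards against. From the names and the final check, the test appears to verify that the writes made through set() during the 10000-iteration loop never show up in the `[1]` literal returned by a later getImmutableArrayOrSet(true) call, but a reader has to infer that, along with the reason for the `set({}, 1)` call and the loop count. A short header comment tying the test to bug 190515, plus a message that includes the value read (for example `throw new Error("FAILED: arr[0] = " + arr[0])`), would make a future failure much easier to triage.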

Modified: branches/safari-606-branch/Source/_javascript_Core/ChangeLog (237524 => 237525)


--- branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-10-28 19:12:15 UTC (rev 237524)
+++ branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-10-28 19:12:20 UTC (rev 237525)
@@ -1,3 +1,77 @@
+2018-10-28  Babak Shafiei  <[email protected]>
+
+        Cherry-pick r237325. rdar://problem/45363533
+
+    DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
+    https://bugs.webkit.org/show_bug.cgi?id=190515
+    <rdar://problem/45222379>
+    
+    Reviewed by Saam Barati.
+    
+    JSTests:
+    
+    * stress/regress-190515.js: Added.
+    
+    Source/_javascript_Core:
+    
+    1. Fixes calls to asArrayModes() to take a structure's IndexingMode instead of
+       IndexingType.
+    
+    2. DFG's compileNewArrayBuffer()'s HaveABadTime case was previously using the
+       node's indexingType (instead of indexingMode) to choose the array structure
+       to use for creating an array buffer with.  This turns out to not be an issue
+       because when the VM is in having a bad time, all the
+       arrayStructureForIndexingTypeDuringAllocation structure pointers will point to
+       the SlowPutArrayStorage structure anyway.  However, to be strictly correct,
+       we'll fix it to use the structure for the node's indexingMode.
+    
+    * dfg/DFGAbstractValue.cpp:
+    (JSC::DFG::AbstractValue::set):
+    (JSC::DFG::AbstractValue::mergeOSREntryValue):
+    * dfg/DFGAbstractValue.h:
+    (JSC::DFG::AbstractValue::validate const):
+    * dfg/DFGOSRExit.cpp:
+    (JSC::DFG::OSRExit::executeOSRExit):
+    * dfg/DFGRegisteredStructureSet.cpp:
+    (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@237325 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-10-22  Mark Lam  <[email protected]>
+
+            DFGAbstractValue::m_arrayModes expects IndexingMode values, not IndexingType.
+            https://bugs.webkit.org/show_bug.cgi?id=190515
+            <rdar://problem/45222379>
+
+            Reviewed by Saam Barati.
+
+            1. Fixes calls to asArrayModes() to take a structure's IndexingMode instead of
+               IndexingType.
+
+            2. DFG's compileNewArrayBuffer()'s HaveABadTime case was previously using the
+               node's indexingType (instead of indexingMode) to choose the array structure
+               to use for creating an array buffer with.  This turns out to not be an issue
+               because when the VM is in having a bad time, all the
+               arrayStructureForIndexingTypeDuringAllocation structure pointers will point to
+               the SlowPutArrayStorage structure anyway.  However, to be strictly correct,
+               we'll fix it to use the structure for the node's indexingMode.
+
+            * dfg/DFGAbstractValue.cpp:
+            (JSC::DFG::AbstractValue::set):
+            (JSC::DFG::AbstractValue::mergeOSREntryValue):
+            * dfg/DFGAbstractValue.h:
+            (JSC::DFG::AbstractValue::validate const):
+            * dfg/DFGOSRExit.cpp:
+            (JSC::DFG::OSRExit::executeOSRExit):
+            * dfg/DFGRegisteredStructureSet.cpp:
+            (JSC::DFG::RegisteredStructureSet::arrayModesFromStructures const):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::compileNewArrayBuffer):
+
 2018-10-26  Mark Lam  <[email protected]>
 
         Cherry-pick r237469. rdar://problem/45363534

Modified: branches/safari-606-branch/Source/_javascript_Core/dfg/DFGAbstractValue.cpp (237524 => 237525)


--- branches/safari-606-branch/Source/_javascript_Core/dfg/DFGAbstractValue.cpp	2018-10-28 19:12:15 UTC (rev 237524)
+++ branches/safari-606-branch/Source/_javascript_Core/dfg/DFGAbstractValue.cpp	2018-10-28 19:12:20 UTC (rev 237525)
@@ -60,7 +60,7 @@
                 m_arrayModes = ALL_ARRAY_MODES;
                 m_structure.clobber();
             } else
-                m_arrayModes = asArrayModes(structure->indexingType());
+                m_arrayModes = asArrayModes(structure->indexingMode());
         } else {
             m_structure.makeTop();
             m_arrayModes = ALL_ARRAY_MODES;
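
Review bot: the corrected call `asArrayModes(structure->indexingMode())` differs from the old one by a single accessor name, and the old form compiled at four call sites in this file plus the ones in DFGAbstractValue.h, DFGOSRExit.cpp and DFGRegisteredStructureSet.cpp. That means nothing in the signature of asArrayModes() distinguishes an IndexingType argument from an IndexingMode argument, so the same mistake can be reintroduced by any new caller. Worth a follow-up that either gives the two values distinct types or documents on asArrayModes() that it must be fed indexingMode(), and a search for remaining `asArrayModes(...indexingType())` callers outside the files touched here.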
@@ -87,7 +87,7 @@
     RELEASE_ASSERT(structure);
     
     m_structure = structure;
-    m_arrayModes = asArrayModes(structure->indexingType());
+    m_arrayModes = asArrayModes(structure->indexingMode());
     m_type = speculationFromStructure(structure.get());
     m_value = JSValue();
     
@@ -228,7 +228,7 @@
         FrozenValue* frozenValue = graph.freeze(value);
         if (frozenValue->pointsToHeap()) {
             m_structure = graph.registerStructure(frozenValue->structure());
-            m_arrayModes = asArrayModes(frozenValue->structure()->indexingType());
+            m_arrayModes = asArrayModes(frozenValue->structure()->indexingMode());
         } else {
             m_structure.clear();
             m_arrayModes = 0;
@@ -240,7 +240,7 @@
         mergeSpeculation(m_type, speculationFromValue(value));
         if (!!value && value.isCell()) {
             RegisteredStructure structure = graph.registerStructure(value.asCell()->structure(graph.m_vm));
-            mergeArrayModes(m_arrayModes, asArrayModes(structure->indexingType()));
+            mergeArrayModes(m_arrayModes, asArrayModes(structure->indexingMode()));
             m_structure.merge(RegisteredStructureSet(structure));
         }
         if (m_value != value)

Modified: branches/safari-606-branch/Source/_javascript_Core/dfg/DFGAbstractValue.h (237524 => 237525)


--- branches/safari-606-branch/Source/_javascript_Core/dfg/DFGAbstractValue.h	2018-10-28 19:12:15 UTC (rev 237524)
+++ branches/safari-606-branch/Source/_javascript_Core/dfg/DFGAbstractValue.h	2018-10-28 19:12:20 UTC (rev 237525)
@@ -397,7 +397,7 @@
             ASSERT(m_type & SpecCell);
             Structure* structure = value.asCell()->structure();
             return m_structure.contains(structure)
-                && (m_arrayModes & asArrayModes(structure->indexingType()));
+                && (m_arrayModes & asArrayModes(structure->indexingMode()));
         }
         
         return true;

Modified: branches/safari-606-branch/Source/_javascript_Core/dfg/DFGOSRExit.cpp (237524 => 237525)


--- branches/safari-606-branch/Source/_javascript_Core/dfg/DFGOSRExit.cpp	2018-10-28 19:12:15 UTC (rev 237524)
+++ branches/safari-606-branch/Source/_javascript_Core/dfg/DFGOSRExit.cpp	2018-10-28 19:12:20 UTC (rev 237525)
@@ -499,7 +499,7 @@
             ASSERT(exit.m_kind == BadCache || exit.m_kind == BadIndexingType);
             Structure* structure = profiledValue.asCell()->structure(vm);
             arrayProfile->observeStructure(structure);
-            arrayProfile->observeArrayMode(asArrayModes(structure->indexingType()));
+            arrayProfile->observeArrayMode(asArrayModes(structure->indexingMode()));
         }
         if (extraInitializationLevel <= ExtraInitializationLevel::ArrayProfileUpdate)
             break;

Modified: branches/safari-606-branch/Source/_javascript_Core/dfg/DFGRegisteredStructureSet.cpp (237524 => 237525)


--- branches/safari-606-branch/Source/_javascript_Core/dfg/DFGRegisteredStructureSet.cpp	2018-10-28 19:12:15 UTC (rev 237524)
+++ branches/safari-606-branch/Source/_javascript_Core/dfg/DFGRegisteredStructureSet.cpp	2018-10-28 19:12:20 UTC (rev 237525)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2017 Apple Inc. All rights reserved.
+ * Copyright (C) 2017-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -79,7 +79,7 @@
     ArrayModes result = 0;
     forEach(
         [&] (RegisteredStructure structure) {
-            mergeArrayModes(result, asArrayModes(structure->indexingType()));
+            mergeArrayModes(result, asArrayModes(structure->indexingMode()));
         });
     return result;
 }

Modified: branches/safari-606-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (237524 => 237525)


--- branches/safari-606-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2018-10-28 19:12:15 UTC (rev 237524)
+++ branches/safari-606-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2018-10-28 19:12:20 UTC (rev 237525)
@@ -12076,7 +12076,7 @@
     flushRegisters();
     GPRFlushedCallResult result(this);
 
-    callOperation(operationNewArrayBuffer, result.gpr(), m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType())), TrustedImmPtr(node->cellOperand()));
+    callOperation(operationNewArrayBuffer, result.gpr(), structure, TrustedImmPtr(node->cellOperand()));
     m_jit.exceptionCheck();
 
     cellResult(result.gpr(), node);
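
Review bot: the replacement line passes a local named `structure` to `callOperation(operationNewArrayBuffer, ...)`, but its declaration is outside the context shown, so this hunk alone does not demonstrate what the log message promises (the structure for the node's indexingMode). Since this is a cherry-pick onto safari-606-branch, please confirm that on this branch `structure` is in scope on the HaveABadTime path and is obtained from `node->indexingMode()` rather than `node->indexingType()`. The log also states the old code was harmless because every arrayStructureForIndexingTypeDuringAllocation pointer refers to the SlowPutArrayStorage structure while having a bad time; a one-line comment at this call recording that assumption would help anyone revisiting the slow path.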
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
