Diff
Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog 2019-02-24 01:05:52 UTC (rev 241999)
@@ -1,3 +1,14 @@
+2019-02-08 Saam barati <sbar...@apple.com>
+
+ Nodes that rely on being dominated by CheckInBounds should have a child edge to it
+ https://bugs.webkit.org/show_bug.cgi?id=194334
+ <rdar://problem/47844327>
+
+ Reviewed by Mark Lam.
+
+ * stress/check-in-bounds-should-be-a-child-use.js: Added.
+ (func):
+
2018-12-19 Mark Lam <mark....@apple.com>
JSPropertyNameEnumerator should cache the iterated object's structure only after getting its property names.
Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/check-in-bounds-should-be-a-child-use.js (0 => 241999)
--- releases/WebKitGTK/webkit-2.22/JSTests/stress/check-in-bounds-should-be-a-child-use.js (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/check-in-bounds-should-be-a-child-use.js 2019-02-24 01:05:52 UTC (rev 241999)
@@ -0,0 +1,16 @@
+//@ runDefault("--useConcurrentJIT=0", "--thresholdForFTLOptimizeAfterWarmUp=100")
+
+const hello = [1337,1337,1337,1337];
+const arr = [1337,1337];
+
+function func(arg) {
+ for (let p in arg) {
+ arg.a = 42;
+ const val = arg[-698666199];
+ }
+}
+
+for (let i = 0; i < 10000; ++i) {
+ const a = func(arr);
+ const b = func(1337);
+}
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog 2019-02-24 01:05:52 UTC (rev 241999)
@@ -1,3 +1,35 @@
+2019-02-08 Saam barati <sbar...@apple.com>
+
+ Nodes that rely on being dominated by CheckInBounds should have a child edge to it
+ https://bugs.webkit.org/show_bug.cgi?id=194334
+ <rdar://problem/47844327>
+
+ Reviewed by Mark Lam.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::convertToHasIndexedProperty):
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
+ * dfg/DFGIntegerRangeOptimizationPhase.cpp:
+ * dfg/DFGNodeType.h:
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileHasIndexedProperty):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCheckInBounds):
+ (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
+
2019-02-18 Mark Lam <mark....@apple.com>
Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-02-24 01:05:52 UTC (rev 241999)
@@ -3370,11 +3370,16 @@
case CheckInBounds: {
JSValue left = forNode(node->child1()).value();
JSValue right = forNode(node->child2()).value();
- if (left && right && left.isInt32() && right.isInt32()
- && static_cast<uint32_t>(left.asInt32()) < static_cast<uint32_t>(right.asInt32())) {
+ if (left && right && left.isInt32() && right.isInt32() && static_cast<uint32_t>(left.asInt32()) < static_cast<uint32_t>(right.asInt32()))
m_state.setFoundConstants(true);
- break;
- }
+
+ // We claim we result in Int32. It's not really important what our result is (though we
+ // don't want to claim we may result in the empty value), other nodes with data flow edges
+ // to us just do that to maintain the invariant that they can't be hoisted higher than us.
+ // So we just arbitrarily pick Int32. In some ways, StorageResult may be the more correct
+ // thing to do here. We pick NodeResultJS because it makes converting this to an identity
+ // easier.
+ setNonCellTypeForNode(node, SpecInt32Only);
break;
}
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp 2019-02-24 01:05:52 UTC (rev 241999)
@@ -767,14 +767,15 @@
arg += inlineCallFrame->stackOffset;
data = "" FlushedJSValue);
+ Node* check = nullptr;
if (!inlineCallFrame || inlineCallFrame->isVarargs()) {
- insertionSet.insertNode(
+ check = insertionSet.insertNode(
nodeIndex, SpecNone, CheckInBounds, node->origin,
m_graph.varArgChild(node, 1), Edge(getArrayLength(candidate), Int32Use));
}
result = insertionSet.insertNode(
- nodeIndex, node->prediction(), GetStack, node->origin, OpInfo(data));
+ nodeIndex, node->prediction(), GetStack, node->origin, OpInfo(data), Edge(check, UntypedUse));
}
}
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2019-02-24 01:05:52 UTC (rev 241999)
@@ -6714,7 +6714,10 @@
Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
ArrayMode arrayMode = getArrayMode(arrayProfileFor<OpHasIndexedPropertyShape>(currentInstruction), Array::Read);
Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
- Node* hasIterableProperty = addToGraph(HasIndexedProperty, OpInfo(arrayMode.asWord()), OpInfo(static_cast<uint32_t>(PropertySlot::InternalMethodType::GetOwnProperty)), base, property);
+ addVarArgChild(base);
+ addVarArgChild(property);
+ addVarArgChild(nullptr);
+ Node* hasIterableProperty = addToGraph(Node::VarArg, HasIndexedProperty, OpInfo(arrayMode.asWord()), OpInfo(static_cast<uint32_t>(PropertySlot::InternalMethodType::GetOwnProperty)));
set(VirtualRegister(currentInstruction[1].u.operand), hasIterableProperty);
NEXT_OPCODE(op_has_indexed_property);
}
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGClobberize.h (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGClobberize.h 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGClobberize.h 2019-02-24 01:05:52 UTC (rev 241999)
@@ -306,7 +306,7 @@
if (mode.isInBounds()) {
read(Butterfly_publicLength);
read(IndexedInt32Properties);
- def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, node->child1(), node->child2()), LazyNode(node));
+ def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
return;
}
read(Heap);
@@ -317,7 +317,7 @@
if (mode.isInBounds()) {
read(Butterfly_publicLength);
read(IndexedDoubleProperties);
- def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, node->child1(), node->child2()), LazyNode(node));
+ def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
return;
}
read(Heap);
@@ -328,7 +328,7 @@
if (mode.isInBounds()) {
read(Butterfly_publicLength);
read(IndexedContiguousProperties);
- def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, node->child1(), node->child2()), LazyNode(node));
+ def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
return;
}
read(Heap);
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2019-02-24 01:05:52 UTC (rev 241999)
@@ -341,7 +341,9 @@
JSValue right = m_state.forNode(node->child2()).value();
if (left && right && left.isInt32() && right.isInt32()
&& static_cast<uint32_t>(left.asInt32()) < static_cast<uint32_t>(right.asInt32())) {
- node->remove(m_graph);
+
+ Node* zero = m_insertionSet.insertConstant(indexInBlock, node->origin, jsNumber(0));
+ node->convertToIdentityOn(zero);
eliminated = true;
break;
}
@@ -410,10 +412,11 @@
Node* length = emitCodeToGetArgumentsArrayLength(
m_insertionSet, arguments, indexInBlock, node->origin);
- m_insertionSet.insertNode(
+ Node* check = m_insertionSet.insertNode(
indexInBlock, SpecNone, CheckInBounds, node->origin,
node->child2(), Edge(length, Int32Use));
node->convertToGetStack(data);
+ node->child1() = Edge(check, UntypedUse);
eliminated = true;
break;
}
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2019-02-24 01:05:52 UTC (rev 241999)
@@ -1698,13 +1698,13 @@
node->setArrayMode(
node->arrayMode().refine(
m_graph, node,
- node->child1()->prediction(),
- node->child2()->prediction(),
+ m_graph.varArgChild(node, 0)->prediction(),
+ m_graph.varArgChild(node, 1)->prediction(),
SpecNone));
- blessArrayOperation(node->child1(), node->child2(), node->child3());
- fixEdge<CellUse>(node->child1());
- fixEdge<KnownInt32Use>(node->child2());
+ blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
+ fixEdge<CellUse>(m_graph.varArgChild(node, 0));
+ fixEdge<KnownInt32Use>(m_graph.varArgChild(node, 1));
break;
}
case GetDirectPname: {
@@ -3322,18 +3322,29 @@
{
node->setOp(HasIndexedProperty);
node->clearFlags(NodeMustGenerate);
+
+ {
+ unsigned firstChild = m_graph.m_varArgChildren.size();
+ unsigned numChildren = 3;
+ m_graph.m_varArgChildren.append(node->child1());
+ m_graph.m_varArgChildren.append(node->child2());
+ m_graph.m_varArgChildren.append(Edge());
+ node->mergeFlags(NodeHasVarArgs);
+ node->children = AdjacencyList(AdjacencyList::Variable, firstChild, numChildren);
+ }
+
node->setArrayMode(
node->arrayMode().refine(
m_graph, node,
- node->child1()->prediction(),
- node->child2()->prediction(),
+ m_graph.varArgChild(node, 0)->prediction(),
+ m_graph.varArgChild(node, 1)->prediction(),
SpecNone));
node->setInternalMethodType(PropertySlot::InternalMethodType::HasProperty);
- blessArrayOperation(node->child1(), node->child2(), node->child3());
+ blessArrayOperation(m_graph.varArgChild(node, 0), m_graph.varArgChild(node, 1), m_graph.varArgChild(node, 2));
- fixEdge<CellUse>(node->child1());
- fixEdge<Int32Use>(node->child2());
+ fixEdge<CellUse>(m_graph.varArgChild(node, 0));
+ fixEdge<Int32Use>(m_graph.varArgChild(node, 1));
}
void fixupNormalizeMapKey(Node* node)
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp 2019-02-24 01:05:52 UTC (rev 241999)
@@ -150,6 +150,7 @@
CodeOrigin m_maxOrigin;
unsigned m_count { 0 }; // If this is zero then the bounds won't necessarily make sense.
bool m_hoisted { false };
+ Node* m_dependency { nullptr };
};
IntegerCheckCombiningPhase(Graph& graph)
@@ -257,14 +258,15 @@
Arith::Unchecked);
}
+ Node* minCheck = nullptr;
if (minNode) {
- m_insertionSet.insertNode(
+ minCheck = m_insertionSet.insertNode(
nodeIndex, SpecNone, CheckInBounds, node->origin,
Edge(minNode, Int32Use), Edge(data.m_key.m_key, Int32Use));
}
- m_insertionSet.insertNode(
+ m_map[data.m_key].m_dependency = m_insertionSet.insertNode(
nodeIndex, SpecNone, CheckInBounds, node->origin,
- Edge(maxNode, Int32Use), Edge(data.m_key.m_key, Int32Use));
+ Edge(maxNode, Int32Use), Edge(data.m_key.m_key, Int32Use), Edge(minCheck, UntypedUse));
break;
}
@@ -284,7 +286,7 @@
break;
case ArrayBounds:
- node->remove(m_graph);
+ node->convertToIdentityOn(m_map[data.m_key].m_dependency);
m_changed = true;
break;
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGIntegerRangeOptimizationPhase.cpp 2019-02-24 01:05:52 UTC (rev 241999)
@@ -1010,16 +1010,8 @@
ASSERT(m_graph.m_form == SSA);
// Before we do anything, make sure that we have a zero constant at the top.
- for (Node* node : *m_graph.block(0)) {
- if (node->isInt32Constant() && !node->asInt32()) {
- m_zero = node;
- break;
- }
- }
- if (!m_zero) {
- m_zero = m_insertionSet.insertConstant(0, m_graph.block(0)->at(0)->origin, jsNumber(0));
- m_insertionSet.execute(m_graph.block(0));
- }
+ m_zero = m_insertionSet.insertConstant(0, m_graph.block(0)->at(0)->origin, jsNumber(0));
+ m_insertionSet.execute(m_graph.block(0));
if (DFGIntegerRangeOptimizationPhaseInternal::verbose) {
dataLog("Graph before integer range optimization:\n");
@@ -1330,7 +1322,7 @@
if (nonNegative && lessThanLength) {
executeNode(block->at(nodeIndex));
- node->remove(m_graph);
+ node->convertToIdentityOn(m_zero);
changed = true;
}
break;
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGNodeType.h (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGNodeType.h 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGNodeType.h 2019-02-24 01:05:52 UTC (rev 241999)
@@ -250,7 +250,7 @@
macro(CheckNotEmpty, NodeMustGenerate) \
macro(AssertNotEmpty, NodeMustGenerate) \
macro(CheckBadCell, NodeMustGenerate) \
- macro(CheckInBounds, NodeMustGenerate) \
+ macro(CheckInBounds, NodeMustGenerate | NodeResultJS) \
macro(CheckStringIdent, NodeMustGenerate) \
macro(CheckTypeInfoFlags, NodeMustGenerate) /* Takes an OpInfo with the flags you want to test are set */\
macro(CheckSubClass, NodeMustGenerate) \
@@ -441,7 +441,7 @@
\
/* For-in enumeration opcodes */\
macro(GetEnumerableLength, NodeMustGenerate | NodeResultJS) \
- macro(HasIndexedProperty, NodeResultBoolean) \
+ macro(HasIndexedProperty, NodeResultBoolean | NodeHasVarArgs) \
macro(HasStructureProperty, NodeResultBoolean) \
macro(HasGenericProperty, NodeResultBoolean) \
macro(GetDirectPname, NodeMustGenerate | NodeHasVarArgs | NodeResultJS) \
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSSALoweringPhase.cpp (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSSALoweringPhase.cpp 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSSALoweringPhase.cpp 2019-02-24 01:05:52 UTC (rev 241999)
@@ -130,10 +130,15 @@
Node* length = m_insertionSet.insertNode(
m_nodeIndex, SpecInt32Only, op, m_node->origin,
- OpInfo(m_node->arrayMode().asWord()), base, storage);
- m_insertionSet.insertNode(
+ OpInfo(m_node->arrayMode().asWord()), Edge(base.node(), KnownCellUse), storage);
+ Node* checkInBounds = m_insertionSet.insertNode(
m_nodeIndex, SpecInt32Only, CheckInBounds, m_node->origin,
index, Edge(length, KnownInt32Use));
+
+ AdjacencyList adjacencyList = m_graph.copyVarargChildren(m_node);
+ m_graph.m_varArgChildren.append(Edge(checkInBounds, UntypedUse));
+ adjacencyList.setNumChildren(adjacencyList.numChildren() + 1);
+ m_node->children = adjacencyList;
return true;
}
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-02-24 01:05:52 UTC (rev 241999)
@@ -12808,8 +12808,8 @@
void SpeculativeJIT::compileHasIndexedProperty(Node* node)
{
- SpeculateCellOperand base(this, node->child1());
- SpeculateStrictInt32Operand index(this, node->child2());
+ SpeculateCellOperand base(this, m_graph.varArgChild(node, 0));
+ SpeculateStrictInt32Operand index(this, m_graph.varArgChild(node, 1));
GPRTemporary result(this);
GPRReg baseGPR = base.gpr();
@@ -12821,8 +12821,8 @@
switch (mode.type()) {
case Array::Int32:
case Array::Contiguous: {
- ASSERT(!!node->child3());
- StorageOperand storage(this, node->child3());
+ ASSERT(!!m_graph.varArgChild(node, 2));
+ StorageOperand storage(this, m_graph.varArgChild(node, 2));
GPRTemporary scratch(this);
GPRReg storageGPR = storage.gpr();
@@ -12845,8 +12845,8 @@
break;
}
case Array::Double: {
- ASSERT(!!node->child3());
- StorageOperand storage(this, node->child3());
+ ASSERT(!!m_graph.varArgChild(node, 2));
+ StorageOperand storage(this, m_graph.varArgChild(node, 2));
FPRTemporary scratch(this);
FPRReg scratchFPR = scratch.fpr();
GPRReg storageGPR = storage.gpr();
@@ -12863,8 +12863,8 @@
break;
}
case Array::ArrayStorage: {
- ASSERT(!!node->child3());
- StorageOperand storage(this, node->child3());
+ ASSERT(!!m_graph.varArgChild(node, 2));
+ StorageOperand storage(this, m_graph.varArgChild(node, 2));
GPRTemporary scratch(this);
GPRReg storageGPR = storage.gpr();
Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (241998 => 241999)
--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-02-24 00:57:25 UTC (rev 241998)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-02-24 01:05:52 UTC (rev 241999)
@@ -3755,6 +3755,10 @@
speculate(
OutOfBounds, noValue(), 0,
m_out.aboveOrEqual(lowInt32(m_node->child1()), lowInt32(m_node->child2())));
+
+ // Even though we claim to have JSValue result, no user of us should
+ // depend on our value. Users of this node just need to maintain that
+ // we dominate them.
}
void compileGetByVal()
@@ -10188,12 +10192,13 @@
void compileHasIndexedProperty()
{
+ LValue base = lowCell(m_graph.varArgChild(m_node, 0));
+ LValue index = lowInt32(m_graph.varArgChild(m_node, 1));
+
switch (m_node->arrayMode().type()) {
case Array::Int32:
case Array::Contiguous: {
- LValue base = lowCell(m_node->child1());
- LValue index = lowInt32(m_node->child2());
- LValue storage = lowStorage(m_node->child3());
+ LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
IndexedAbstractHeap& heap = m_node->arrayMode().type() == Array::Int32 ?
@@ -10214,7 +10219,7 @@
lastNext = m_out.insertNewBlocksBefore(slowCase);
LValue checkHoleResultValue =
- m_out.notZero64(m_out.load64(baseIndex(heap, storage, index, m_node->child2())));
+ m_out.notZero64(m_out.load64(baseIndex(heap, storage, index, m_graph.varArgChild(m_node, 1))));
ValueFromBlock checkHoleResult = m_out.anchor(checkHoleResultValue);
m_out.branch(checkHoleResultValue, usually(continuation), rarely(slowCase));
@@ -10228,9 +10233,7 @@
return;
}
case Array::Double: {
- LValue base = lowCell(m_node->child1());
- LValue index = lowInt32(m_node->child2());
- LValue storage = lowStorage(m_node->child3());
+ LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties;
@@ -10249,7 +10252,7 @@
} else
lastNext = m_out.insertNewBlocksBefore(slowCase);
- LValue doubleValue = m_out.loadDouble(baseIndex(heap, storage, index, m_node->child2()));
+ LValue doubleValue = m_out.loadDouble(baseIndex(heap, storage, index, m_graph.varArgChild(m_node, 1)));
LValue checkHoleResultValue = m_out.doubleEqual(doubleValue, doubleValue);
ValueFromBlock checkHoleResult = m_out.anchor(checkHoleResultValue);
m_out.branch(checkHoleResultValue, usually(continuation), rarely(slowCase));
@@ -10265,9 +10268,7 @@
}
case Array::ArrayStorage: {
- LValue base = lowCell(m_node->child1());
- LValue index = lowInt32(m_node->child2());
- LValue storage = lowStorage(m_node->child3());
+ LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
LBasicBlock slowCase = m_out.newBlock();
@@ -10285,7 +10286,7 @@
lastNext = m_out.insertNewBlocksBefore(slowCase);
LValue checkHoleResultValue =
- m_out.notZero64(m_out.load64(baseIndex(m_heaps.ArrayStorage_vector, storage, index, m_node->child2())));
+ m_out.notZero64(m_out.load64(baseIndex(m_heaps.ArrayStorage_vector, storage, index, m_graph.varArgChild(m_node, 1))));
ValueFromBlock checkHoleResult = m_out.anchor(checkHoleResultValue);
m_out.branch(checkHoleResultValue, usually(continuation), rarely(slowCase));
@@ -10300,8 +10301,6 @@
}
default: {
- LValue base = lowCell(m_node->child1());
- LValue index = lowInt32(m_node->child2());
LValue internalMethodType = m_out.constInt32(static_cast<int32_t>(m_node->internalMethodType()));
setBoolean(m_out.notZero64(vmCall(Int64, m_out.operation(operationHasIndexedPropertyByInt), m_callFrame, base, index, internalMethodType)));
break;
