Title: [251271] trunk
- Revision
- 251271
- Author
- sbar...@apple.com
- Date
- 2019-10-17 17:42:25 -0700 (Thu, 17 Oct 2019)
Log Message
GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap
https://bugs.webkit.org/show_bug.cgi?id=203124
<rdar://problem/55988183>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/licm-array-storage-get-and-put-by-val.js: Added.
(assert):
(foo):
Source/_javascript_Core:
* dfg/DFGAbstractHeap.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (251270 => 251271)
--- trunk/JSTests/ChangeLog 2019-10-18 00:29:33 UTC (rev 251270)
+++ trunk/JSTests/ChangeLog 2019-10-18 00:42:25 UTC (rev 251271)
@@ -1,3 +1,15 @@
+2019-10-17 Saam Barati <sbar...@apple.com>
+
+ GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap
+ https://bugs.webkit.org/show_bug.cgi?id=203124
+ <rdar://problem/55988183>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/licm-array-storage-get-and-put-by-val.js: Added.
+ (assert):
+ (foo):
+
2019-10-16 Keith Miller <keith_mil...@apple.com>
Move assert in Wasm::Plan::fail.
Added: trunk/JSTests/stress/licm-array-storage-get-and-put-by-val.js (0 => 251271)
--- trunk/JSTests/stress/licm-array-storage-get-and-put-by-val.js (rev 0)
+++ trunk/JSTests/stress/licm-array-storage-get-and-put-by-val.js 2019-10-18 00:42:25 UTC (rev 251271)
@@ -0,0 +1,25 @@
+function assert(b) {
+ if (!b)
+ throw new Error;
+}
+function foo(a) {
+ a[1] = 1;
+ let b = 0;
+ for (let j = 0; j < 10; j++) {
+ a[1] = 2;
+ b = a[1];
+ }
+ return b;
+}
+noInline(foo);
+
+let arr = new Array(5);
+for (let i = 0; i < 0x1000; i++) {
+ arr[i] = i;
+}
+arr[100000] = 1;
+
+for (let i = 0; i < 20000; i++){
+ arr[1] = 1;
+ assert(foo(arr) === 2);
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (251270 => 251271)
--- trunk/Source/_javascript_Core/ChangeLog 2019-10-18 00:29:33 UTC (rev 251270)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-10-18 00:42:25 UTC (rev 251271)
@@ -1,3 +1,15 @@
+2019-10-17 Saam Barati <sbar...@apple.com>
+
+ GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap
+ https://bugs.webkit.org/show_bug.cgi?id=203124
+ <rdar://problem/55988183>
+
+ Reviewed by Yusuke Suzuki.
+
+ * dfg/DFGAbstractHeap.h:
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+
2019-10-17 Mark Lam <mark....@apple.com>
Harden capacity checks in DFG::LocalCSEPhase::SmallMap.
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractHeap.h (251270 => 251271)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractHeap.h 2019-10-18 00:29:33 UTC (rev 251270)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractHeap.h 2019-10-18 00:42:25 UTC (rev 251271)
@@ -65,7 +65,6 @@
macro(IndexedDoubleProperties) \
macro(IndexedContiguousProperties) \
macro(IndexedArrayStorageProperties) \
- macro(ArrayStorageProperties) \
macro(DirectArgumentsProperties) \
macro(ScopeProperties) \
macro(TypedArrayProperties) \
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (251270 => 251271)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2019-10-18 00:29:33 UTC (rev 251270)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2019-10-18 00:42:25 UTC (rev 251271)
@@ -1023,8 +1023,8 @@
}
read(Butterfly_publicLength);
read(Butterfly_vectorLength);
- read(ArrayStorageProperties);
- write(ArrayStorageProperties);
+ read(IndexedArrayStorageProperties);
+ write(IndexedArrayStorageProperties);
if (node->arrayMode().mayStoreToHole())
write(Butterfly_publicLength);
return;
@@ -1037,8 +1037,8 @@
}
read(Butterfly_publicLength);
read(Butterfly_vectorLength);
- read(ArrayStorageProperties);
- write(ArrayStorageProperties);
+ read(IndexedArrayStorageProperties);
+ write(IndexedArrayStorageProperties);
return;
case Array::Int8Array:
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
