[webkit-changes] [260285] branches/safari-609-branch/Source/JavaScriptCore

[alancoon]

Title: [260285] branches/safari-609-branch/Source/_javascript_Core

Revision

260285

Author

alanc...@apple.com

Date

2020-04-17 14:34:32 -0700 (Fri, 17 Apr 2020)

Log Message

Cherry-pick r259572. rdar://problem/61943713

    [JSC] Put ensureStillAliveHere for Integer TypedArrays in GetByVal
    https://bugs.webkit.org/show_bug.cgi?id=210047

    Reviewed by Mark Lam.

    While r258381 puts ensureStillAliveHere in FTL to keep base alive for float/double TypedArrays,
    we need to do the same thing for integer TypedArrays too. This patch places it.

    * ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259572 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

• branches/safari-609-branch/Source/_javascript_Core/ChangeLog
• branches/safari-609-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp

Diff

Modified: branches/safari-609-branch/Source/_javascript_Core/ChangeLog (260284 => 260285)

--- branches/safari-609-branch/Source/_javascript_Core/ChangeLog	2020-04-17 21:29:48 UTC (rev 260284)
+++ branches/safari-609-branch/Source/_javascript_Core/ChangeLog	2020-04-17 21:34:32 UTC (rev 260285)
@@ -1,3 +1,33 @@
+2020-04-17  Alan Coon  <alanc...@apple.com>
+
+        Cherry-pick r259572. rdar://problem/61943713
+
+    [JSC] Put ensureStillAliveHere for Integer TypedArrays in GetByVal
+    https://bugs.webkit.org/show_bug.cgi?id=210047
+    
+    Reviewed by Mark Lam.
+    
+    While r258381 puts ensureStillAliveHere in FTL to keep base alive for float/double TypedArrays,
+    we need to do the same thing for integer TypedArrays too. This patch places it.
+    
+    * ftl/FTLLowerDFGToB3.cpp:
+    (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259572 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-04-06  Yusuke Suzuki  <ysuz...@apple.com>
+
+            [JSC] Put ensureStillAliveHere for Integer TypedArrays in GetByVal
+            https://bugs.webkit.org/show_bug.cgi?id=210047
+
+            Reviewed by Mark Lam.
+
+            While r258381 puts ensureStillAliveHere in FTL to keep base alive for float/double TypedArrays,
+            we need to do the same thing for integer TypedArrays too. This patch places it.
+
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+
 2020-04-06  Alan Coon  <alanc...@apple.com>
 
         Cherry-pick r259424. rdar://problem/61352472

Modified: branches/safari-609-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (260284 => 260285)

--- branches/safari-609-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-04-17 21:29:48 UTC (rev 260284)
+++ branches/safari-609-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2020-04-17 21:34:32 UTC (rev 260285)
@@ -4645,6 +4645,8 @@
                 
                 if (isInt(type)) {
                     LValue result = loadFromIntTypedArray(pointer, type);
+                    // We have to keep base alive since that keeps storage alive.
+                    ensureStillAliveHere(base);
                     bool canSpeculate = true;
                     setIntTypedArrayLoadResult(result, type, canSpeculate);
                     return;

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes