[webkit-changes] [266254] trunk

[sbarati]

Title: [266254] trunk

Revision

266254

Author

sbar...@apple.com

Date

2020-08-27 14:16:01 -0700 (Thu, 27 Aug 2020)

Log Message

GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
https://bugs.webkit.org/show_bug.cgi?id=215894
<rdar://problem/67669696>

Reviewed by Michael Saboff and Keith Miller.

JSTests:

* stress/oob-sane-chain-double-constant-fold-to-PNaN.js: Added.

Source/_javascript_Core:

GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
The constant folding for this though was folding to jsUndefined(). I forgot
to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
implementation.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h

Added Paths

• trunk/JSTests/stress/oob-sane-chain-double-constant-fold-to-PNaN.js

Diff

Modified: trunk/JSTests/ChangeLog (266253 => 266254)

--- trunk/JSTests/ChangeLog	2020-08-27 21:10:20 UTC (rev 266253)
+++ trunk/JSTests/ChangeLog	2020-08-27 21:16:01 UTC (rev 266254)
@@ -1,3 +1,13 @@
+2020-08-27  Saam Barati  <sbar...@apple.com>
+
+        GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
+        https://bugs.webkit.org/show_bug.cgi?id=215894
+        <rdar://problem/67669696>
+
+        Reviewed by Michael Saboff and Keith Miller.
+
+        * stress/oob-sane-chain-double-constant-fold-to-PNaN.js: Added.
+
 2020-08-26  Alexey Shvayka  <shvaikal...@gmail.com>
 
         Merge putLength() into setLength()

Added: trunk/JSTests/stress/oob-sane-chain-double-constant-fold-to-PNaN.js (0 => 266254)

--- trunk/JSTests/stress/oob-sane-chain-double-constant-fold-to-PNaN.js	                        (rev 0)
+++ trunk/JSTests/stress/oob-sane-chain-double-constant-fold-to-PNaN.js	2020-08-27 21:16:01 UTC (rev 266254)
@@ -0,0 +1,12 @@
+
+const a0 = [0.1];
+
+function foo() {
+    for (let i=0; i<100; i++) {
+        a0[1];
+    }
+}
+
+for (let i=0; i<100; i++) {
+    foo();
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (266253 => 266254)

--- trunk/Source/_javascript_Core/ChangeLog	2020-08-27 21:10:20 UTC (rev 266253)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-08-27 21:16:01 UTC (rev 266254)
@@ -1,3 +1,20 @@
+2020-08-27  Saam Barati  <sbar...@apple.com>
+
+        GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
+        https://bugs.webkit.org/show_bug.cgi?id=215894
+        <rdar://problem/67669696>
+
+        Reviewed by Michael Saboff and Keith Miller.
+
+        GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
+        BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
+        The constant folding for this though was folding to jsUndefined(). I forgot
+        to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
+        implementation.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2020-08-27  Keith Miller  <keith_mil...@apple.com>
 
         structureOrNull should take VM instead of getting it from the marked block

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (266253 => 266254)

--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2020-08-27 21:10:20 UTC (rev 266253)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2020-08-27 21:16:01 UTC (rev 266254)
@@ -2238,8 +2238,10 @@
                             && globalObject->arrayPrototypeChainIsSane()) {
                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
-                            // Note that Array::Double and Array::Int32 return JSValue if array mode is OutOfBounds.
-                            setConstant(node, jsUndefined());
+                            if (node->arrayMode().type() == Array::Double && node->arrayMode().isOutOfBoundsSaneChain() && !(node->flags() & NodeBytecodeUsesAsOther))
+                                setConstant(node, jsNumber(PNaN));
+                            else
+                                setConstant(node, jsUndefined());
                             return true;
                         }
                     }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes