Title: [266285] branches/safari-610-branch
Revision: 266285
Author: [email protected]
Date: 2020-08-28 11:02:19 -0700 (Fri, 28 Aug 2020)

Log Message

Cherry-pick r266254. rdar://problem/67949890

    GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
    https://bugs.webkit.org/show_bug.cgi?id=215894
    <rdar://problem/67669696>

    Reviewed by Michael Saboff and Keith Miller.

    JSTests:

    * stress/oob-sane-chain-double-constant-fold-to-PNaN.js: Added.

    Source/JavaScriptCore:

    GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
    BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
    The constant folding for this though was folding to jsUndefined(). I forgot
    to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
    implementation.

    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266254 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-610-branch/JSTests/ChangeLog (266284 => 266285)


--- branches/safari-610-branch/JSTests/ChangeLog	2020-08-28 17:31:00 UTC (rev 266284)
+++ branches/safari-610-branch/JSTests/ChangeLog	2020-08-28 18:02:19 UTC (rev 266285)
@@ -1,3 +1,41 @@
+2020-08-28  Alan Coon  <[email protected]>
+
+        Cherry-pick r266254. rdar://problem/67949890
+
+    GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
+    https://bugs.webkit.org/show_bug.cgi?id=215894
+    <rdar://problem/67669696>
+    
+    Reviewed by Michael Saboff and Keith Miller.
+    
+    JSTests:
+    
+    * stress/oob-sane-chain-double-constant-fold-to-PNaN.js: Added.
+    
+    Source/_javascript_Core:
+    
+    GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
+    BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
+    The constant folding for this though was folding to jsUndefined(). I forgot
+    to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
+    implementation.
+    
+    * dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266254 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-08-27  Saam Barati  <[email protected]>
+
+            GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
+            https://bugs.webkit.org/show_bug.cgi?id=215894
+            <rdar://problem/67669696>
+
+            Reviewed by Michael Saboff and Keith Miller.
+
+            * stress/oob-sane-chain-double-constant-fold-to-PNaN.js: Added.
+
 2020-08-21  Alexey Shvayka  <[email protected]>
 
         Align "length" properties of function prototypes with the spec
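Review bot: The cherry-pick entry at the top of this hunk pastes the whole r266254 commit message into the JSTests ChangeLog, including the "Source/_javascript_Core:" section and the dfg/DFGAbstractInterpreterInlines.h file list, and then repeats the original 2020-08-27 entry nested below it. The pasted body is indented four spaces while the "Cherry-pick" line and the neighbouring entries use eight. Keeping the "Cherry-pick r266254" line and the nested original entry alone would record the same information without the duplicate text and without naming files this ChangeLog does not cover.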

Added: branches/safari-610-branch/JSTests/stress/oob-sane-chain-double-constant-fold-to-PNaN.js (0 => 266285)


--- branches/safari-610-branch/JSTests/stress/oob-sane-chain-double-constant-fold-to-PNaN.js	                        (rev 0)
+++ branches/safari-610-branch/JSTests/stress/oob-sane-chain-double-constant-fold-to-PNaN.js	2020-08-28 18:02:19 UTC (rev 266285)
@@ -0,0 +1,12 @@
+
+const a0 = [0.1];
+
+function foo() {
+    for (let i=0; i<100; i++) {
+        a0[1];
+    }
+}
+
+for (let i=0; i<100; i++) {
+    foo();
+}
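Review bot: The read of a0[1] inside foo() is discarded and nothing in the file checks a value, so this test can only fail by crashing or by tripping an internal assertion once foo() is optimized. A one-line comment at the top saying that it is a should-not-crash test for the constant-folded out-of-bounds read on a double array would make that intent explicit. If a value check is wanted as well, put it in a separate function and leave the discarded read as it is, since the commit message ties the bug to the case with no BytecodeUsesAsOther and a different use of the result may no longer reach it.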

Modified: branches/safari-610-branch/Source/_javascript_Core/ChangeLog (266284 => 266285)


--- branches/safari-610-branch/Source/_javascript_Core/ChangeLog	2020-08-28 17:31:00 UTC (rev 266284)
+++ branches/safari-610-branch/Source/_javascript_Core/ChangeLog	2020-08-28 18:02:19 UTC (rev 266285)
@@ -1,3 +1,48 @@
+2020-08-28  Alan Coon  <[email protected]>
+
+        Cherry-pick r266254. rdar://problem/67949890
+
+    GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
+    https://bugs.webkit.org/show_bug.cgi?id=215894
+    <rdar://problem/67669696>
+    
+    Reviewed by Michael Saboff and Keith Miller.
+    
+    JSTests:
+    
+    * stress/oob-sane-chain-double-constant-fold-to-PNaN.js: Added.
+    
+    Source/_javascript_Core:
+    
+    GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
+    BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
+    The constant folding for this though was folding to jsUndefined(). I forgot
+    to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
+    implementation.
+    
+    * dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@266254 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2020-08-27  Saam Barati  <[email protected]>
+
+            GetByVal constant folding over a Double OutOfBoundsSaneChain array with no BytecodeUsesAsOther should constant fold to PNaN, not undefined
+            https://bugs.webkit.org/show_bug.cgi?id=215894
+            <rdar://problem/67669696>
+
+            Reviewed by Michael Saboff and Keith Miller.
+
+            GetByVals of the form { OutOfBoundsSaneChain, Double } where there are no
+            BytecodeUsesAsOther return PNaN for holes and OOB accesses, not jsUndefined().
+            The constant folding for this though was folding to jsUndefined(). I forgot
+            to update that code to constant fold to PNaN when I wrote the OutOfBoundsSaneChain
+            implementation.
+
+            * dfg/DFGAbstractInterpreterInlines.h:
+            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2020-08-21  Alexey Shvayka  <[email protected]>
 
         StrictEq should not care about masqueradesAsUndefinedWatchpoint

Modified: branches/safari-610-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (266284 => 266285)


--- branches/safari-610-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2020-08-28 17:31:00 UTC (rev 266284)
+++ branches/safari-610-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2020-08-28 18:02:19 UTC (rev 266285)
@@ -2229,8 +2229,10 @@
                             && globalObject->arrayPrototypeChainIsSane()) {
                             m_graph.registerAndWatchStructureTransition(arrayPrototypeStructure);
                             m_graph.registerAndWatchStructureTransition(objectPrototypeStructure);
-                            // Note that Array::Double and Array::Int32 return JSValue if array mode is OutOfBounds.
-                            setConstant(node, jsUndefined());
+                            if (node->arrayMode().type() == Array::Double && node->arrayMode().isOutOfBoundsSaneChain() && !(node->flags() & NodeBytecodeUsesAsOther))
+                                setConstant(node, jsNumber(PNaN));
+                            else
+                                setConstant(node, jsUndefined());
                             return true;
                         }
                     }
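Review bot: The new condition on the `if` line (Array::Double, isOutOfBoundsSaneChain(), no NodeBytecodeUsesAsOther) restates by hand the rule for when the node produces PNaN, and the commit message says the original bug was exactly this fold falling out of step with that rule. Moving the predicate into a single named helper that both this fold and the code that emits the load consult would keep the two from diverging again. The hunk also deletes the old explanatory comment without a replacement; a short comment above the `if` saying why this case must fold to jsNumber(PNaN) rather than jsUndefined() would help the next reader.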