Title: [271571] trunk
- Revision
- 271571
- Author
- [email protected]
- Date
- 2021-01-17 23:16:06 -0800 (Sun, 17 Jan 2021)
Log Message
[JSC] FTL OSR entry FlushFormat array is reversed
https://bugs.webkit.org/show_bug.cgi?id=220695
<rdar://problem/72930932>
Reviewed by Mark Lam.
JSTests:
* stress/ftl-osr-entry-order-reverse.js: Added.
(shouldThrow):
(foo):
Source/_javascript_Core:
After r268783, FlushFormat array is erroneously sorted in reversed order.
This patch fixes that.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (271570 => 271571)
--- trunk/JSTests/ChangeLog 2021-01-18 06:36:18 UTC (rev 271570)
+++ trunk/JSTests/ChangeLog 2021-01-18 07:16:06 UTC (rev 271571)
@@ -1,5 +1,17 @@
2021-01-17 Yusuke Suzuki <[email protected]>
+ [JSC] FTL OSR entry FlushFormat array is reversed
+ https://bugs.webkit.org/show_bug.cgi?id=220695
+ <rdar://problem/72930932>
+
+ Reviewed by Mark Lam.
+
+ * stress/ftl-osr-entry-order-reverse.js: Added.
+ (shouldThrow):
+ (foo):
+
+2021-01-17 Yusuke Suzuki <[email protected]>
+
[JSC] GenericArguments<Type>::defineOwnProperty's assumption about error is not correct
https://bugs.webkit.org/show_bug.cgi?id=220693
<rdar://problem/72929171>
Added: trunk/JSTests/stress/ftl-osr-entry-order-reverse.js (0 => 271571)
--- trunk/JSTests/stress/ftl-osr-entry-order-reverse.js (rev 0)
+++ trunk/JSTests/stress/ftl-osr-entry-order-reverse.js 2021-01-18 07:16:06 UTC (rev 271571)
@@ -0,0 +1,34 @@
+//@ runDefault("--thresholdForJITAfterWarmUp=200", "--thresholdForOptimizeAfterWarmUp=200", "--thresholdForFTLOptimizeAfterWarmUp=5")
+function shouldThrow(func, errorMessage) {
+ var errorThrown = false;
+ var error = null;
+ try {
+ func();
+ } catch (e) {
+ errorThrown = true;
+ error = e;
+ }
+ if (!errorThrown)
+ throw new Error('not thrown');
+ if (String(error) !== errorMessage)
+ throw new Error(`bad error: ${String(error)}`);
+}
+
+let j = 0;
+
+function foo(a0, a1, a2, a3, a4) {
+ do {
+ for (let k = 0; k < 1000; k++) {
+ let x0 = [0];
+ }
+ } while (j++ < 2);
+ isNaN(...a0);
+}
+
+for (let i=0; i<100; i++) {
+ foo('', 0, 0, {});
+}
+
+shouldThrow(() => {
+ [0, 0].reduce(foo);
+}, `TypeError: Spread syntax requires ...iterable[Symbol.iterator] to be a function`);
Modified: trunk/Source/_javascript_Core/ChangeLog (271570 => 271571)
--- trunk/Source/_javascript_Core/ChangeLog 2021-01-18 06:36:18 UTC (rev 271570)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-01-18 07:16:06 UTC (rev 271571)
@@ -1,5 +1,19 @@
2021-01-17 Yusuke Suzuki <[email protected]>
+ [JSC] FTL OSR entry FlushFormat array is reversed
+ https://bugs.webkit.org/show_bug.cgi?id=220695
+ <rdar://problem/72930932>
+
+ Reviewed by Mark Lam.
+
+ After r268783, FlushFormat array is erroneously sorted in reversed order.
+ This patch fixes that.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+
+2021-01-17 Yusuke Suzuki <[email protected]>
+
[JSC] GenericArguments<Type>::defineOwnProperty's assumption about error is not correct
https://bugs.webkit.org/show_bug.cgi?id=220693
<rdar://problem/72929171>
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (271570 => 271571)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-01-18 06:36:18 UTC (rev 271570)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-01-18 07:16:06 UTC (rev 271571)
@@ -362,8 +362,8 @@
if (m_graph.m_plan.mode() == FTLForOSREntryMode) {
auto* jitCode = m_ftlState.jitCode->ftlForOSREntry();
jitCode->argumentFlushFormats().reserveInitialCapacity(codeBlock()->numParameters());
- for (unsigned i = codeBlock()->numParameters(); i--;)
- jitCode->argumentFlushFormats().append(m_graph.m_argumentFormats[0][i]);
+ for (int i = 0; i < codeBlock()->numParameters(); ++i)
+ jitCode->argumentFlushFormats().uncheckedAppend(m_graph.m_argumentFormats[0][i]);
} else {
for (unsigned i = codeBlock()->numParameters(); i--;) {
MethodOfGettingAValueProfile profile(&m_graph.m_profiledBlock->valueProfileForArgument(i));
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
