Title: [272593] branches/safari-611.1.14.0-branch
- Revision
- 272593
- Author
- [email protected]
- Date
- 2021-02-09 10:44:12 -0800 (Tue, 09 Feb 2021)
Log Message
Cherry-pick r271571. rdar://problem/74145979
[JSC] FTL OSR entry FlushFormat array is reversed
https://bugs.webkit.org/show_bug.cgi?id=220695
<rdar://problem/72930932>
Reviewed by Mark Lam.
JSTests:
* stress/ftl-osr-entry-order-reverse.js: Added.
(shouldThrow):
(foo):
Source/_javascript_Core:
After r268783, FlushFormat array is erroneously sorted in reversed order.
This patch fixes that.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lower):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271571 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Added Paths
Diff
Modified: branches/safari-611.1.14.0-branch/JSTests/ChangeLog (272592 => 272593)
--- branches/safari-611.1.14.0-branch/JSTests/ChangeLog 2021-02-09 18:38:58 UTC (rev 272592)
+++ branches/safari-611.1.14.0-branch/JSTests/ChangeLog 2021-02-09 18:44:12 UTC (rev 272593)
@@ -1,3 +1,41 @@
+2021-02-09 Russell Epstein <[email protected]>
+
+ Cherry-pick r271571. rdar://problem/74145979
+
+ [JSC] FTL OSR entry FlushFormat array is reversed
+ https://bugs.webkit.org/show_bug.cgi?id=220695
+ <rdar://problem/72930932>
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/ftl-osr-entry-order-reverse.js: Added.
+ (shouldThrow):
+ (foo):
+
+ Source/_javascript_Core:
+
+ After r268783, FlushFormat array is erroneously sorted in reversed order.
+ This patch fixes that.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271571 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-01-17 Yusuke Suzuki <[email protected]>
+
+ [JSC] FTL OSR entry FlushFormat array is reversed
+ https://bugs.webkit.org/show_bug.cgi?id=220695
+ <rdar://problem/72930932>
+
+ Reviewed by Mark Lam.
+
+ * stress/ftl-osr-entry-order-reverse.js: Added.
+ (shouldThrow):
+ (foo):
+
2021-01-25 Alan Coon <[email protected]>
Cherry-pick r271422. rdar://problem/73477541
Added: branches/safari-611.1.14.0-branch/JSTests/stress/ftl-osr-entry-order-reverse.js (0 => 272593)
--- branches/safari-611.1.14.0-branch/JSTests/stress/ftl-osr-entry-order-reverse.js (rev 0)
+++ branches/safari-611.1.14.0-branch/JSTests/stress/ftl-osr-entry-order-reverse.js 2021-02-09 18:44:12 UTC (rev 272593)
@@ -0,0 +1,34 @@
+//@ runDefault("--thresholdForJITAfterWarmUp=200", "--thresholdForOptimizeAfterWarmUp=200", "--thresholdForFTLOptimizeAfterWarmUp=5")
+function shouldThrow(func, errorMessage) {
+ var errorThrown = false;
+ var error = null;
+ try {
+ func();
+ } catch (e) {
+ errorThrown = true;
+ error = e;
+ }
+ if (!errorThrown)
+ throw new Error('not thrown');
+ if (String(error) !== errorMessage)
+ throw new Error(`bad error: ${String(error)}`);
+}
+
+let j = 0;
+
+function foo(a0, a1, a2, a3, a4) {
+ do {
+ for (let k = 0; k < 1000; k++) {
+ let x0 = [0];
+ }
+ } while (j++ < 2);
+ isNaN(...a0);
+}
+
+for (let i=0; i<100; i++) {
+ foo('', 0, 0, {});
+}
+
+shouldThrow(() => {
+ [0, 0].reduce(foo);
+}, `TypeError: Spread syntax requires ...iterable[Symbol.iterator] to be a function`);
Modified: branches/safari-611.1.14.0-branch/Source/_javascript_Core/ChangeLog (272592 => 272593)
--- branches/safari-611.1.14.0-branch/Source/_javascript_Core/ChangeLog 2021-02-09 18:38:58 UTC (rev 272592)
+++ branches/safari-611.1.14.0-branch/Source/_javascript_Core/ChangeLog 2021-02-09 18:44:12 UTC (rev 272593)
@@ -1,3 +1,43 @@
+2021-02-09 Russell Epstein <[email protected]>
+
+ Cherry-pick r271571. rdar://problem/74145979
+
+ [JSC] FTL OSR entry FlushFormat array is reversed
+ https://bugs.webkit.org/show_bug.cgi?id=220695
+ <rdar://problem/72930932>
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/ftl-osr-entry-order-reverse.js: Added.
+ (shouldThrow):
+ (foo):
+
+ Source/_javascript_Core:
+
+ After r268783, FlushFormat array is erroneously sorted in reversed order.
+ This patch fixes that.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271571 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-01-17 Yusuke Suzuki <[email protected]>
+
+ [JSC] FTL OSR entry FlushFormat array is reversed
+ https://bugs.webkit.org/show_bug.cgi?id=220695
+ <rdar://problem/72930932>
+
+ Reviewed by Mark Lam.
+
+ After r268783, FlushFormat array is erroneously sorted in reversed order.
+ This patch fixes that.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lower):
+
2021-02-02 Alan Coon <[email protected]>
Cherry-pick r271813. rdar://problem/73888012
Modified: branches/safari-611.1.14.0-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (272592 => 272593)
--- branches/safari-611.1.14.0-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-02-09 18:38:58 UTC (rev 272592)
+++ branches/safari-611.1.14.0-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-02-09 18:44:12 UTC (rev 272593)
@@ -362,8 +362,8 @@
if (m_graph.m_plan.mode() == FTLForOSREntryMode) {
auto* jitCode = m_ftlState.jitCode->ftlForOSREntry();
jitCode->argumentFlushFormats().reserveInitialCapacity(codeBlock()->numParameters());
- for (unsigned i = codeBlock()->numParameters(); i--;)
- jitCode->argumentFlushFormats().append(m_graph.m_argumentFormats[0][i]);
+ for (int i = 0; i < codeBlock()->numParameters(); ++i)
+ jitCode->argumentFlushFormats().uncheckedAppend(m_graph.m_argumentFormats[0][i]);
} else {
for (unsigned i = codeBlock()->numParameters(); i--;) {
MethodOfGettingAValueProfile profile(&m_graph.m_profiledBlock->valueProfileForArgument(i));
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
