Title: [279052] trunk/Source/JavaScriptCore
- Revision: 279052
- Author: [email protected]
- Date: 2021-06-20 00:37:12 -0700 (Sun, 20 Jun 2021)
Log Message
Fix speculated type in the one-argument overload of speculateNeitherDoubleNorHeapBigIntNorString
https://bugs.webkit.org/show_bug.cgi?id=227119
Reviewed by Yusuke Suzuki.
Same problem as bug 226786: a missing check for HeapBigInt in the speculateNeitherDoubleNorHeapBigIntNorString function introduced in 226676.
I also rewrote the SpeculatedType for NeitherDoubleNorHeapBigIntNorString in typeFilterFor for readability. The old and the new SpeculatedType are perfectly identical, it is just a different (and in my view more readable) way of writing it.
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (279051 => 279052)
--- trunk/Source/_javascript_Core/ChangeLog 2021-06-20 02:05:08 UTC (rev 279051)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-06-20 07:37:12 UTC (rev 279052)
@@ -1,3 +1,19 @@
+2021-06-20 Robin Morisset <[email protected]>
+
+ Fix speculated type in the one-argument overload of speculateNeitherDoubleNorHeapBigIntNorString
+ https://bugs.webkit.org/show_bug.cgi?id=227119
+
+ Reviewed by Yusuke Suzuki.
+
+ Same problem as bug 226786: a missing check for HeapBigInt in the speculateNeitherDoubleNorHeapBigIntNorString function introduced in 226676.
+
+ I also rewrote the SpeculatedType for NeitherDoubleNorHeapBigIntNorString in typeFilterFor for readability. The old and the new SpeculatedType are perfectly identical, it is just a different (and in my view more readable) way of writing it.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+
2021-06-19 Mark Lam <[email protected]>
[Revert r278576] Put the Baseline JIT prologue and op_loop_hint code in JIT thunks.
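Review bot: No regression test is named in this ChangeLog entry; it lists only dfg/DFGSpeculativeJIT.cpp and dfg/DFGUseKind.h. Since the log says this is the same problem as bug 226786, a test that sends a HeapBigInt through a NeitherDoubleNorHeapBigIntNorStringUse edge would help keep the one-argument overload from regressing again.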
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (279051 => 279052)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-06-20 02:05:08 UTC (rev 279051)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-06-20 07:37:12 UTC (rev 279052)
@@ -11726,7 +11726,7 @@
void SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString(Edge edge)
{
- if (!needsTypeCheck(edge, ~(SpecFullDouble | SpecString)))
+ if (!needsTypeCheck(edge, ~(SpecFullDouble | SpecHeapBigInt | SpecString)))
return;
JSValueOperand operand(this, edge, ManualOperandSpeculation);
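Review bot: The mask passed to needsTypeCheck in speculateNeitherDoubleNorHeapBigIntNorString(Edge edge) is still spelled out by hand, separately from the NeitherDoubleNorHeapBigIntNorStringUse case in typeFilterFor, which is how the two got out of sync (SpecHeapBigInt was missing here only). Consider deriving it from a single place, for example needsTypeCheck(edge, typeFilterFor(NeitherDoubleNorHeapBigIntNorStringUse)), so this early return cannot drift from the filter again.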
Modified: trunk/Source/_javascript_Core/dfg/DFGUseKind.h (279051 => 279052)
--- trunk/Source/_javascript_Core/dfg/DFGUseKind.h 2021-06-20 02:05:08 UTC (rev 279051)
+++ trunk/Source/_javascript_Core/dfg/DFGUseKind.h 2021-06-20 07:37:12 UTC (rev 279052)
@@ -192,7 +192,7 @@
case NotDoubleUse:
return ~SpecFullDouble;
case NeitherDoubleNorHeapBigIntNorStringUse:
- return ~SpecFullDouble & ~SpecHeapBigInt & ~SpecString;
+ return ~(SpecFullDouble | SpecHeapBigInt | SpecString);
case KnownOtherUse:
case OtherUse:
return SpecOther;
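Review bot: The rewrite of the NeitherDoubleNorHeapBigIntNorStringUse case is cosmetic only (the new expression is the De Morgan form of the removed line), yet it lands in the same revision as the behavioral fix in DFGSpeculativeJIT.cpp. Landing it on its own would keep the fix minimal for anyone cherry-picking it to a branch.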
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes