[webkit-changes] [284369] trunk/Source/JavaScriptCore

[ysuzuki]

Title: [284369] trunk/Source/_javascript_Core

Revision

284369

Author

ysuz...@apple.com

Date

2021-10-18 06:17:20 -0700 (Mon, 18 Oct 2021)

Log Message

[JSC] Use USE(LARGE_TYPED_ARRAY)
https://bugs.webkit.org/show_bug.cgi?id=231885

Reviewed by Sam Weinig.

Fix USE(ADDRESS64) with USE(LARGE_TYPED_ARRAY). USE(ADDRESS64) is not correct (it should be CPU(ADDRESS64)).
It is coverted by JSTests/stress/typed-array-large-eventually-oob.js.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp
• trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (284368 => 284369)

--- trunk/Source/_javascript_Core/ChangeLog	2021-10-18 13:07:09 UTC (rev 284368)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-18 13:17:20 UTC (rev 284369)
@@ -1,5 +1,20 @@
 2021-10-18  Yusuke Suzuki  <ysuz...@apple.com>
 
+        [JSC] Use USE(LARGE_TYPED_ARRAY)
+        https://bugs.webkit.org/show_bug.cgi?id=231885
+
+        Reviewed by Sam Weinig.
+
+        Fix USE(ADDRESS64) with USE(LARGE_TYPED_ARRAY). USE(ADDRESS64) is not correct (it should be CPU(ADDRESS64)).
+        It is coverted by JSTests/stress/typed-array-large-eventually-oob.js.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
+2021-10-18  Yusuke Suzuki  <ysuz...@apple.com>
+
         [JSC] PutByVal's child5 should be KnownInt32Use / Int52RepUse in FTL
         https://bugs.webkit.org/show_bug.cgi?id=231884
         rdar://84357099

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (284368 => 284369)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2021-10-18 13:07:09 UTC (rev 284368)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2021-10-18 13:17:20 UTC (rev 284369)
@@ -4463,7 +4463,7 @@
         break;
 
     case GetTypedArrayLengthAsInt52:
-#if USE(ADDRESS64)
+#if USE(LARGE_TYPED_ARRAYS)
         compileGetTypedArrayLengthAsInt52(node);
 #else
         RELEASE_ASSERT_NOT_REACHED();

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (284368 => 284369)

--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-10-18 13:07:09 UTC (rev 284368)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-10-18 13:17:20 UTC (rev 284369)
@@ -17338,7 +17338,7 @@
         auto doUntagArrayPtr = [&](LValue taggedPtr) {
 #if CPU(ARM64E)
             if (kind == Gigacage::Primitive) {
-#if USE(ADDRESS64)
+#if USE(LARGE_TYPED_ARRAYS)
                 LValue size = m_out.load64(base, m_heaps.JSArrayBufferView_length);
 #else
                 LValue size = m_out.load32(base, m_heaps.JSArrayBufferView_length);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes