Title: [284635] trunk
- Revision: 284635
- Author: [email protected]
- Date: 2021-10-21 12:29:51 -0700 (Thu, 21 Oct 2021)
Log Message
[JSC] Inserted GetTypedArrayLengthAsInt52 for PutByVal should have NodeResultInt52
https://bugs.webkit.org/show_bug.cgi?id=232059
Reviewed by Saam Barati.
JSTests:
* stress/inserted-gettypedarraylengthasint52-should-have-int52-result-for-put-by-val.js: Added.
(foo.bar):
(foo):
Source/JavaScriptCore:
When inserting GetTypedArrayLengthAsInt52 after fixup phase, we must set NodeResultInt52.
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
Diff
Modified: trunk/JSTests/ChangeLog (284634 => 284635)
--- trunk/JSTests/ChangeLog 2021-10-21 19:18:52 UTC (rev 284634)
+++ trunk/JSTests/ChangeLog 2021-10-21 19:29:51 UTC (rev 284635)
@@ -1,3 +1,14 @@
+2021-10-21 Yusuke Suzuki <[email protected]>
+
+ [JSC] Inserted GetTypedArrayLengthAsInt52 for PutByVal should have NodeResultInt52
+ https://bugs.webkit.org/show_bug.cgi?id=232059
+
+ Reviewed by Saam Barati.
+
+ * stress/inserted-gettypedarraylengthasint52-should-have-int52-result-for-put-by-val.js: Added.
+ (foo.bar):
+ (foo):
+
2021-10-18 Phillip Mates <[email protected]>
Test coverage for JSC shadow realms implementation
Added: trunk/JSTests/stress/inserted-gettypedarraylengthasint52-should-have-int52-result-for-put-by-val.js (0 => 284635)
--- trunk/JSTests/stress/inserted-gettypedarraylengthasint52-should-have-int52-result-for-put-by-val.js (rev 0)
+++ trunk/JSTests/stress/inserted-gettypedarraylengthasint52-should-have-int52-result-for-put-by-val.js 2021-10-21 19:29:51 UTC (rev 284635)
@@ -0,0 +1,12 @@
+//@ runDefault("--useOSRExitFuzz=1", "--fireOSRExitFuzzAtOrAfter=1", "--jitPolicyScale=0", "--useConcurrentJIT=0")
+const ta = new Uint8Array();
+function foo() {
+ function bar() {
+ ta[0] = 0;
+ }
+ for (let i=0; i<100000; i++) {
+ bar();
+ }
+
+}
+foo();
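Review bot: The test asserts nothing, so it can only fail by crashing or tripping an internal assertion under the `//@ runDefault(...)` flags on its first line. A comment above `const ta = new Uint8Array();` saying that the zero-length array makes `ta[0] = 0` an out-of-bounds typed array store, and that this is the PutByVal path being exercised, would keep the intent clear if the flags or tiering thresholds change later. A cheap check after the loop, such as confirming `ta.length` is still 0 and `ta[0]` is still undefined, would also catch a miscompiled store that does not crash.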
Modified: trunk/Source/JavaScriptCore/ChangeLog (284634 => 284635)
--- trunk/Source/_javascript_Core/ChangeLog 2021-10-21 19:18:52 UTC (rev 284634)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-10-21 19:29:51 UTC (rev 284635)
@@ -1,3 +1,15 @@
+2021-10-21 Yusuke Suzuki <[email protected]>
+
+ [JSC] Inserted GetTypedArrayLengthAsInt52 for PutByVal should have NodeResultInt52
+ https://bugs.webkit.org/show_bug.cgi?id=232059
+
+ Reviewed by Saam Barati.
+
+ When inserting GetTypedArrayLengthAsInt52 after fixup phase, we must set NodeResultInt52.
+
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::handleNode):
+
2021-10-21 Michael Saboff <[email protected]>
Add missing overflow check to DFGIntegerRangeOptimizationPhase::filterConstant()
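Review bot: The description line `When inserting GetTypedArrayLengthAsInt52 after fixup phase, we must set NodeResultInt52.` states the rule but not what goes wrong without it or why only this insertion was affected. One more sentence naming the observed failure from the bug (assertion, bad codegen, or crash) would let someone triaging this revision judge its impact without opening the tracker.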
Modified: trunk/Source/JavaScriptCore/dfg/DFGSSALoweringPhase.cpp (284634 => 284635)
--- trunk/Source/_javascript_Core/dfg/DFGSSALoweringPhase.cpp 2021-10-21 19:18:52 UTC (rev 284634)
+++ trunk/Source/_javascript_Core/dfg/DFGSSALoweringPhase.cpp 2021-10-21 19:29:51 UTC (rev 284635)
@@ -105,6 +105,7 @@
Node* length = m_insertionSet.insertNode(
m_nodeIndex, SpecInt52Any, GetTypedArrayLengthAsInt52, m_node->origin,
OpInfo(m_node->arrayMode().asWord()), base, storage);
+ length->setResult(NodeResultInt52);
m_graph.varArgChild(m_node, 4) = Edge(length, Int52RepUse);
} else {
#endif
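Review bot: At the added `length->setResult(NodeResultInt52);`, the Int52 nature of this node is now expressed in three separate places (`SpecInt52Any` in the `insertNode` call, the explicit `setResult`, and `Int52RepUse` on the edge), and nothing in the visible lines ties them together, so a future insertion in this phase can repeat the omission. A one-line comment that fixup has already run and will not set the result flag for nodes inserted here, plus a debug assertion that a node consumed through an `Int52RepUse` edge carries `NodeResultInt52`, would make the invariant checkable. It is also worth confirming that the `else` branch following this block, which is outside the hunk, does not insert a length node with the same gap.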