Title: [285287] branches/safari-612-branch
- Revision
- 285287
- Author
- [email protected]
- Date
- 2021-11-04 12:39:32 -0700 (Thu, 04 Nov 2021)
Log Message
Cherry-pick r284716. rdar://problem/84366658
[JSC] GetTypedArrayLengthAsInt52 must be inserted only when we ensure that input is TypedArray via array-mode-based filtering
https://bugs.webkit.org/show_bug.cgi?id=232168
rdar://84366658
Reviewed by Robin Morisset.
JSTests:
* stress/gettypedarraylengthasint52-must-be-emitted-for-typedarray.js: Added.
(foo):
Source/JavaScriptCore:
GetTypedArrayLengthAsInt52 works only when input is TypedArray, which should be validated via array-mode (and already inserted checks in fixup).
Accidentally we were inserting it without checking typed-array condition in SSA lowering phase. This patch adds a condition which ensures it
is TypedArray.
* dfg/DFGSSALoweringPhase.cpp:
(JSC::DFG::SSALoweringPhase::handleNode):
(JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284716 268f45cc-cd09-0410-ab3c-d52691b4dbfc
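The pattern the regression test stress/gettypedarraylengthasint52-must-be-emitted-for-typedarray.js relies on is a single property store site (`arg0[0.1] = ''`) that is first seeded with an Array and then executed many times with a number, so the compiled code handles a base that is neither a cell nor a typed array. The stress test only checks that this does not crash. The harness below is an added example and is not WebKit's code or the test file itself: it drives the same kind of site with several constructed base kinds (Array, two typed arrays, a number, a string, a plain object) and reports what is observable afterwards, so a regression test can also assert the ECMAScript result that every JIT tier must preserve. The `storeAtFractionalKey`, `probe` and `runScenario` names, and the sample bases, are this example's own.

```javascript
// Added example, not part of the WebKit patch or its stress test: exercise a
// PutByVal site shaped like foo() in the regression test with several base
// kinds and report what is observable afterwards. Everything asserted here is
// plain ECMAScript semantics, so it must hold in every engine and every tier.

// The store is built with the Function constructor so its body is sloppy-mode
// no matter how this file is loaded, matching the stress test (no 'use strict').
// In sloppy mode a property store on a primitive base is a silent no-op.
const storeAtFractionalKey = new Function(
  'arg0',
  "arg0[0.1] = ''; for (let j = 0; j < 100; j++);"
);

function describeBase(base) {
  if (ArrayBuffer.isView(base)) return base.constructor.name;
  if (Array.isArray(base)) return 'Array';
  return typeof base;
}

// Run the store once on `base`, then report whether an own property "0.1"
// appeared and what reading key 0.1 back yields.
//  - Array / plain object: an own property "0.1" is created, reads back ''.
//  - Typed arrays: "0.1" is a canonical numeric string that is not a valid
//    integer index, so the store is ignored and the read is undefined.
//  - Primitives (number, string): sloppy-mode store is a no-op, read is undefined.
function probe(base) {
  storeAtFractionalKey(base);
  const canHoldProperties =
    (typeof base === 'object' && base !== null) || typeof base === 'function';
  return {
    kind: describeBase(base),
    hasOwnKey: canHoldProperties && Object.prototype.hasOwnProperty.call(base, '0.1'),
    readBack: base[0.1],
  };
}

// Mirror the regression test's shape: seed the site with an Array, then hit it
// `iterations` times with a number so compiled code sees a non-cell base.
// Finally probe each constructed sample base and return the results.
function runScenario(iterations = 1000) {
  probe([0]);
  for (let i = 0; i < iterations; i++) probe(0);
  const samples = [[0], new Uint8Array(4), new Float64Array(2), 0, 'str', {}];
  return samples.map(probe);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runScenario()) console.log(r.kind, r.hasOwnKey, JSON.stringify(r.readBack));
}
```

Only the Array and plain-object bases end up with a "0.1" property; typed arrays and primitives must leave the base untouched, which is the observable contract a miscompiled length check could violate without necessarily crashing.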
Diff
Modified: branches/safari-612-branch/JSTests/ChangeLog (285286 => 285287)
--- branches/safari-612-branch/JSTests/ChangeLog 2021-11-04 19:39:29 UTC (rev 285286)
+++ branches/safari-612-branch/JSTests/ChangeLog 2021-11-04 19:39:32 UTC (rev 285287)
@@ -1,5 +1,43 @@
2021-11-04 Russell Epstein <[email protected]>
+ Cherry-pick r284716. rdar://problem/84366658
+
+ [JSC] GetTypedArrayLengthAsInt52 must be inserted only when we ensure that input is TypedArray via array-mode-based filtering
+ https://bugs.webkit.org/show_bug.cgi?id=232168
+ rdar://84366658
+
+ Reviewed by Robin Morisset.
+
+ JSTests:
+
+ * stress/gettypedarraylengthasint52-must-be-emitted-for-typedarray.js: Added.
+ (foo):
+
+ Source/_javascript_Core:
+
+ GetTypedArrayLengthAsInt52 works only when input is TypedArray, which should be validated via array-mode (and already inserted checks in fixup).
+ Accidentally we were inserting it without checking typed-array condition in SSA lowering phase. This patch adds a condition which ensures it
+ is TypedArray.
+
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::handleNode):
+ (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284716 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-10-22 Yusuke Suzuki <[email protected]>
+
+ [JSC] GetTypedArrayLengthAsInt52 must be inserted only when we ensure that input is TypedArray via array-mode-based filtering
+ https://bugs.webkit.org/show_bug.cgi?id=232168
+ rdar://84366658
+
+ Reviewed by Robin Morisset.
+
+ * stress/gettypedarraylengthasint52-must-be-emitted-for-typedarray.js: Added.
+ (foo):
+
+2021-11-04 Russell Epstein <[email protected]>
+
Cherry-pick r284635. rdar://problem/84455814
[JSC] Inserted GetTypedArrayLengthAsInt52 for PutByVal should have NodeResultInt52
Added: branches/safari-612-branch/JSTests/stress/gettypedarraylengthasint52-must-be-emitted-for-typedarray.js (0 => 285287)
--- branches/safari-612-branch/JSTests/stress/gettypedarraylengthasint52-must-be-emitted-for-typedarray.js (rev 0)
+++ branches/safari-612-branch/JSTests/stress/gettypedarraylengthasint52-must-be-emitted-for-typedarray.js 2021-11-04 19:39:32 UTC (rev 285287)
@@ -0,0 +1,10 @@
+//@ runDefault("--jitPolicyScale=0")
+function foo(arg0) {
+ arg0[0.1] = '';
+ for (let j = 0; j < 100; j++);
+}
+
+foo([0]);
+for (let i = 0; i < 1000; i++) {
+ foo(0);
+}
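Review bot: the test carries no assertion and no comment, so it only records "must not crash" without saying which situation it reproduces. Add a one-line comment above foo stating that the store site is seeded with an Array (`foo([0])`) and then executed 1000 times with a number (`foo(0)`) under `--jitPolicyScale=0`, so the compiled PutByVal sees a base that is not a cell and not a typed array; that is the case the new `isSomeTypedArrayView()` guard in DFGSSALoweringPhase.cpp exists for. Without it a future reader cannot tell which of the two hunks in that file this test covers, nor why the key is the non-integer `0.1` rather than an index.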
Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (285286 => 285287)
--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2021-11-04 19:39:29 UTC (rev 285286)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2021-11-04 19:39:32 UTC (rev 285287)
@@ -1,5 +1,48 @@
2021-11-04 Russell Epstein <[email protected]>
+ Cherry-pick r284716. rdar://problem/84366658
+
+ [JSC] GetTypedArrayLengthAsInt52 must be inserted only when we ensure that input is TypedArray via array-mode-based filtering
+ https://bugs.webkit.org/show_bug.cgi?id=232168
+ rdar://84366658
+
+ Reviewed by Robin Morisset.
+
+ JSTests:
+
+ * stress/gettypedarraylengthasint52-must-be-emitted-for-typedarray.js: Added.
+ (foo):
+
+ Source/_javascript_Core:
+
+ GetTypedArrayLengthAsInt52 works only when input is TypedArray, which should be validated via array-mode (and already inserted checks in fixup).
+ Accidentally we were inserting it without checking typed-array condition in SSA lowering phase. This patch adds a condition which ensures it
+ is TypedArray.
+
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::handleNode):
+ (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284716 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-10-22 Yusuke Suzuki <[email protected]>
+
+ [JSC] GetTypedArrayLengthAsInt52 must be inserted only when we ensure that input is TypedArray via array-mode-based filtering
+ https://bugs.webkit.org/show_bug.cgi?id=232168
+ rdar://84366658
+
+ Reviewed by Robin Morisset.
+
+ GetTypedArrayLengthAsInt52 works only when input is TypedArray, which should be validated via array-mode (and already inserted checks in fixup).
+ Accidentally we were inserting it without checking typed-array condition in SSA lowering phase. This patch adds a condition which ensures it
+ is TypedArray.
+
+ * dfg/DFGSSALoweringPhase.cpp:
+ (JSC::DFG::SSALoweringPhase::handleNode):
+ (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
+
+2021-11-04 Russell Epstein <[email protected]>
+
Cherry-pick r284646. rdar://problem/84523973
[JSC] Make GetTypedArrayLengthAsInt52 and GetTypedArrayByteOffsetAsInt52 NodeResultInt52
Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSSALoweringPhase.cpp (285286 => 285287)
--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSSALoweringPhase.cpp 2021-11-04 19:39:29 UTC (rev 285286)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSSALoweringPhase.cpp 2021-11-04 19:39:32 UTC (rev 285287)
@@ -99,7 +99,7 @@
if (lowerBoundsCheck(base, index, storage))
break;
- if (m_node->arrayMode().typedArrayType() != NotTypedArray && m_node->arrayMode().isOutOfBounds()) {
+ if (m_node->arrayMode().isSomeTypedArrayView() && m_node->arrayMode().isOutOfBounds()) {
#if USE(LARGE_TYPED_ARRAYS)
if (m_node->arrayMode().mayBeLargeTypedArray() || m_graph.hasExitSite(m_node->origin.semantic, Overflow)) {
Node* length = m_insertionSet.insertNode(
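Review bot: the predicate on the `-` line was already a typed-array check (`typedArrayType() != NotTypedArray`), so this hunk is not the missing check the ChangeLog describes ("inserting it without checking typed-array condition"); that sentence applies to the second hunk. Document, in the ChangeLog or a comment here, what `isSomeTypedArrayView()` accepts that `typedArrayType() != NotTypedArray` did not (or vice versa), so a reader can tell which array modes now reach the USE(LARGE_TYPED_ARRAYS) branch below; using the same predicate in both places is good for consistency, but the rationale for changing this one is undocumented.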
@@ -149,7 +149,7 @@
Node* checkInBounds;
#if USE(LARGE_TYPED_ARRAYS)
- if ((op == GetArrayLength) && (m_node->arrayMode().mayBeLargeTypedArray() || m_graph.hasExitSite(m_node->origin.semantic, Overflow))) {
+ if ((op == GetArrayLength) && m_node->arrayMode().isSomeTypedArrayView() && (m_node->arrayMode().mayBeLargeTypedArray() || m_graph.hasExitSite(m_node->origin.semantic, Overflow))) {
Node* length = m_insertionSet.insertNode(
m_nodeIndex, SpecInt52Any, GetTypedArrayLengthAsInt52, m_node->origin,
OpInfo(m_node->arrayMode().asWord()), Edge(base.node(), KnownCellUse), storage);
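Review bot: the added `m_node->arrayMode().isSomeTypedArrayView()` is what actually guards the `Edge(base.node(), KnownCellUse)` on the last line: the previous condition could be satisfied by `m_graph.hasExitSite(m_node->origin.semantic, Overflow)` alone, which says nothing about the array mode, so a GetArrayLength whose mode was not a typed-array view got a GetTypedArrayLengthAsInt52 with a KnownCellUse edge that nothing had validated. Put that dependency in a comment, or an ASSERT on `isSomeTypedArrayView()` inside the branch, so the next edit to this condition cannot drop it again; and since the non-LARGE_TYPED_ARRAYS path is outside the hunk, confirm it has no parallel insertion that lacks the same guard.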
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes