Title: [288036] trunk
- Revision
- 288036
- Author
- [email protected]
- Date
- 2022-01-14 15:48:46 -0800 (Fri, 14 Jan 2022)
Log Message
JSArray::fastSlice() should not convert the source from CoW
https://bugs.webkit.org/show_bug.cgi?id=234990
Patch by Alexey Shvayka <[email protected]> on 2022-01-14
Reviewed by Yusuke Suzuki.
JSTests:
* stress/array-slice-cow.js:
Source/_javascript_Core:
Since we aren't modifying the source array in fastSlice() nor its slow path,
there is no reason to convert it from CopyOnWrite.
* runtime/JSArray.cpp:
(JSC::JSArray::fastSlice):
Modified Paths
Diff
Modified: trunk/JSTests/ChangeLog (288035 => 288036)
--- trunk/JSTests/ChangeLog 2022-01-14 23:24:08 UTC (rev 288035)
+++ trunk/JSTests/ChangeLog 2022-01-14 23:48:46 UTC (rev 288036)
@@ -1,3 +1,12 @@
+2022-01-14 Alexey Shvayka <[email protected]>
+
+ JSArray::fastSlice() should not convert the source from CoW
+ https://bugs.webkit.org/show_bug.cgi?id=234990
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/array-slice-cow.js:
+
2022-01-14 Justin Michaud <[email protected]>
Update libWABT
Modified: trunk/JSTests/stress/array-slice-cow.js (288035 => 288036)
--- trunk/JSTests/stress/array-slice-cow.js 2022-01-14 23:24:08 UTC (rev 288035)
+++ trunk/JSTests/stress/array-slice-cow.js 2022-01-14 23:48:46 UTC (rev 288036)
@@ -6,7 +6,10 @@
function testInt32()
{
var array = [0, 1, 2, 3];
- return array.slice(1);
+ var slice = array.slice(1);
+ shouldBe($vm.indexingMode(array), "CopyOnWriteArrayWithInt32");
+ shouldBe($vm.indexingMode(slice), "ArrayWithInt32");
+ return slice;
}
noInline(testInt32);
@@ -13,7 +16,10 @@
function testDouble()
{
var array = [0.1, 1.1, 2.1, 3.1];
- return array.slice(1);
+ var slice = array.slice(1);
+ shouldBe($vm.indexingMode(array), "CopyOnWriteArrayWithDouble");
+ shouldBe($vm.indexingMode(slice), "ArrayWithDouble");
+ return slice;
}
noInline(testDouble);
@@ -20,7 +26,10 @@
function testContiguous()
{
var array = [true, false, true, false];
- return array.slice(1);
+ var slice = array.slice(1);
+ shouldBe($vm.indexingMode(array), "CopyOnWriteArrayWithContiguous");
+ shouldBe($vm.indexingMode(slice), "ArrayWithContiguous");
+ return slice;
}
noInline(testContiguous);
Modified: trunk/Source/_javascript_Core/ChangeLog (288035 => 288036)
--- trunk/Source/_javascript_Core/ChangeLog 2022-01-14 23:24:08 UTC (rev 288035)
+++ trunk/Source/_javascript_Core/ChangeLog 2022-01-14 23:48:46 UTC (rev 288036)
@@ -1,3 +1,16 @@
+2022-01-14 Alexey Shvayka <[email protected]>
+
+ JSArray::fastSlice() should not convert the source from CoW
+ https://bugs.webkit.org/show_bug.cgi?id=234990
+
+ Reviewed by Yusuke Suzuki.
+
+ Since we aren't modifying the source array in fastSlice() nor its slow path,
+ there is no reason to convert it from CopyOnWrite.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fastSlice):
+
2022-01-14 Saam Barati <[email protected]>
Make isJITPC fast
Modified: trunk/Source/_javascript_Core/runtime/JSArray.cpp (288035 => 288036)
--- trunk/Source/_javascript_Core/runtime/JSArray.cpp 2022-01-14 23:24:08 UTC (rev 288035)
+++ trunk/Source/_javascript_Core/runtime/JSArray.cpp 2022-01-14 23:48:46 UTC (rev 288036)
@@ -729,15 +729,11 @@
{
VM& vm = globalObject->vm();
- // FIXME: Avoid converting the source from CoW since we aren't modifying it.
- // https://bugs.webkit.org/show_bug.cgi?id=234990
- source->ensureWritable(vm);
-
Structure* sourceStructure = source->structure(vm);
if (sourceStructure->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero())
return nullptr;
- auto arrayType = source->indexingMode() | IsArray;
+ auto arrayType = source->indexingType() | IsArray;
switch (arrayType) {
case ArrayWithDouble:
case ArrayWithInt32:
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
