Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1b4792d4d3661bcde4d66b7be0d02f9b0d506392
https://github.com/WebKit/WebKit/commit/1b4792d4d3661bcde4d66b7be0d02f9b0d506392
Author: Yusuke Suzuki <[email protected]>
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
A JSTests/stress/slow-put-array-empty-push.js
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
[JSC] Use storage node in ArrayPush for SlowPutArray
https://bugs.webkit.org/show_bug.cgi?id=246405
rdar://problem/101081844
Reviewed by Justin Michaud.
This patch fixes a bug where GetArrayLength gets a nullptr crash when we convert
ArrayPush+SlowPutArray with empty arguments to GetArrayLength, because we are
discarding butterfly storage for that case. But since SlowPutArray's ArrayPush is
slow anyway, let's simplify our code and always get butterfly storage even for the
SlowPutArray case.
* JSTests/stress/slow-put-array-empty-push.js: Added.
(runNearStackLimit):
(__f_6):
(__f_32):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
Canonical link: https://commits.webkit.org/255454@main
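The invariant the commit message relies on is that `push()` with no arguments is nothing more than a read of `length`, and that this must hold even for an array whose prototype chain intercepts indexed stores (the situation that, as an assumption about JSC internals, pushes the array onto SlowPutArrayStorage). The following is an added example written for this page, not the `slow-put-array-empty-push.js` test the commit adds; the helper names `makeInterceptingArray`, `emptyPushMatchesLength` and `pushWithArgumentGoesThroughSetter` are hypothetical, and the setter-based interception is a constructed scenario chosen so that the behaviour is observable from plain JavaScript in any engine.

```javascript
"use strict";

// Build an empty array whose prototype carries an accessor for index 0.
// Writes to arr[0] are routed through the setter, which records the store and
// then creates the own data property so the array still behaves normally.
// (In JSC an indexed accessor on the prototype chain is one trigger for
// SlowPutArrayStorage; that is an assumption about engine internals and is
// not something this code can observe directly.)
function makeInterceptingArray() {
  let stores = 0;
  const proto = Object.create(Array.prototype, {
    0: {
      configurable: true,
      get() {
        return undefined;
      },
      set(value) {
        stores++;
        Object.defineProperty(this, "0", {
          value,
          writable: true,
          enumerable: true,
          configurable: true,
        });
      },
    },
  });
  const arr = [];
  Object.setPrototypeOf(arr, proto);
  return { arr, stores: () => stores };
}

// Hot loop: every empty push must return the current length, leave the length
// unchanged and never reach the intercepting setter. A large iteration count
// keeps the loop running long enough to be worth optimising in a tiering JIT.
function emptyPushMatchesLength(iterations) {
  const { arr, stores } = makeInterceptingArray();
  for (let i = 0; i < iterations; i++) {
    const before = arr.length;
    const returned = arr.push();
    if (returned !== before || arr.length !== before) {
      return false;
    }
  }
  return stores() === 0;
}

// Contrast: a push with an argument does go through the interceptor, so the
// slow path genuinely is slow for this array, while a following empty push is
// still just a length read.
function pushWithArgumentGoesThroughSetter() {
  const { arr, stores } = makeInterceptingArray();
  const len = arr.push("first");
  return (
    len === 1 && arr[0] === "first" && stores() === 1 && arr.push() === 1
  );
}

// Stand-alone run: both checks should report true.
console.log(emptyPushMatchesLength(10000), pushWithArgumentGoesThroughSetter());
```

Running this under a JSC build with the fix reverted is the kind of check a regression test performs; under any other engine it simply confirms the language-level invariant that the DFG/FTL conversion of an argument-less ArrayPush into GetArrayLength depends on.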
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes