Title: [151284] trunk/Source/_javascript_Core
Revision: 151284
Author: [email protected]
Date: 2013-06-06 12:58:30 -0700 (Thu, 06 Jun 2013)

Log Message

DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray
https://bugs.webkit.org/show_bug.cgi?id=117279
<rdar://problem/14078025>

Reviewed by Mark Hahnenberg.

* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::filterArrayModesByType):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (151283 => 151284)


--- trunk/Source/_javascript_Core/ChangeLog	2013-06-06 18:45:54 UTC (rev 151283)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-06-06 19:58:30 UTC (rev 151284)
@@ -1,3 +1,14 @@
+2013-06-05  Filip Pizlo  <[email protected]>
+
+        DFG CFA shouldn't filter ArrayModes with ALL_NON_ARRAY_ARRAY_MODES if the speculated type is not SpecArray
+        https://bugs.webkit.org/show_bug.cgi?id=117279
+        <rdar://problem/14078025>        
+
+        Reviewed by Mark Hahnenberg.
+
+        * dfg/DFGAbstractValue.h:
+        (JSC::DFG::AbstractValue::filterArrayModesByType):
+
 2013-06-05  Michael Saboff  <[email protected]>
 
         JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com
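Review bot: the new ChangeLog entry only repeats the title and gives no rationale for dropping the ALL_NON_ARRAY_ARRAY_MODES filter; please add a sentence carrying the reason from the code comment, that objects such as RegExpMatchesArray and ArrayPrototype are not SpecArray in the speculated-type system yet count as arrays in the ArrayModes system, so the old filter could discard valid modes. The `<rdar://problem/14078025>` line also carries trailing whitespace that should be stripped before landing.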

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h (151283 => 151284)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h	2013-06-06 18:45:54 UTC (rev 151283)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h	2013-06-06 19:58:30 UTC (rev 151284)
@@ -525,8 +525,17 @@
             m_arrayModes = 0;
         else if (!(m_type & ~SpecArray))
             m_arrayModes &= ALL_ARRAY_ARRAY_MODES;
-        else if (!(m_type & SpecArray))
-            m_arrayModes &= ALL_NON_ARRAY_ARRAY_MODES;
+
+        // NOTE: If m_type doesn't have SpecArray set, that doesn't mean that the
+        // array modes have to be a subset of ALL_NON_ARRAY_ARRAY_MODES, since
+        // in the speculated type type-system, RegExpMatchesArry and ArrayPrototype
+        // are Otherobj (since they are not *exactly* JSArray) but in the ArrayModes
+        // type system they are arrays (since they expose the magical length
+        // property and are otherwise allocated using array allocation). Hence the
+        // following would be wrong:
+        //
+        // if (!(m_type & SpecArray))
+        //    m_arrayModes &= ALL_NON_ARRAY_ARRAY_MODES;
     }
 };
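Review bot: the new NOTE comment in filterArrayModesByType has typos that should be fixed before landing: "RegExpMatchesArry" should read "RegExpMatchesArray", "speculated type type-system" repeats a word, and "Otherobj" does not follow the SpecXxx naming used for SpecArray two lines above. Keeping the removed branch as commented-out code to show what would be wrong is reasonable, but the change touches only ChangeLog and this header, so there is no regression test covering a RegExp match result or Array.prototype flowing through CFA with array-typed modes; consider adding one so the fix is not guarded by the comment alone.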
 
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes