Diff
Modified: trunk/LayoutTests/ChangeLog (158772 => 158773)
--- trunk/LayoutTests/ChangeLog 2013-11-06 20:31:40 UTC (rev 158772)
+++ trunk/LayoutTests/ChangeLog 2013-11-06 20:32:19 UTC (rev 158773)
@@ -1,3 +1,18 @@
+2013-11-06 Filip Pizlo <[email protected]>
+
+ DFG CheckArray(NonArray) should prove that the child isn't an array
+ https://bugs.webkit.org/show_bug.cgi?id=123911
+ <rdar://problem/15202803>
+
+ Reviewed by Mark Hahnenberg.
+
+ * js/dfg-check-array-non-array-expected.txt: Added.
+ * js/dfg-check-array-non-array.html: Added.
+ * js/script-tests/dfg-check-array-non-array.js: Added.
+ (foo):
+ (bar):
+ (baz):
+
2013-11-06 Brendan Long <[email protected]>
Add "id" attribute to TextTrack
Added: trunk/LayoutTests/js/dfg-check-array-non-array-expected.txt (0 => 158773)
--- trunk/LayoutTests/js/dfg-check-array-non-array-expected.txt (rev 0)
+++ trunk/LayoutTests/js/dfg-check-array-non-array-expected.txt 2013-11-06 20:32:19 UTC (rev 158773)
@@ -0,0 +1,10 @@
+Tests that CheckArray(NonArray) actually proves that the input isn't an array.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS baz(["blah"], true) is "blahblah"
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: trunk/LayoutTests/js/dfg-check-array-non-array.html (0 => 158773)
--- trunk/LayoutTests/js/dfg-check-array-non-array.html (rev 0)
+++ trunk/LayoutTests/js/dfg-check-array-non-array.html 2013-11-06 20:32:19 UTC (rev 158773)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Added: trunk/LayoutTests/js/script-tests/dfg-check-array-non-array.js (0 => 158773)
--- trunk/LayoutTests/js/script-tests/dfg-check-array-non-array.js (rev 0)
+++ trunk/LayoutTests/js/script-tests/dfg-check-array-non-array.js 2013-11-06 20:32:19 UTC (rev 158773)
@@ -0,0 +1,37 @@
+description(
+"Tests that CheckArray(NonArray) actually proves that the input isn't an array."
+);
+
+function foo(a, i) {
+ return a[i];
+}
+
+function bar(o, p, q) {
+ if (q)
+ o = 42;
+ if (p)
+ return o[0];
+ else
+ return 42;
+}
+
+function baz(o, p) {
+ var result = foo(o, 0);
+ result += bar(o, p, false);
+ return result;
+}
+
+neverInlineFunction(baz);
+
+// Get bar's profiling to claim that it sees a particular original array.
+for (var i = 0; i < 100; ++i)
+ bar(["fizz"], true, false);
+
+while (!dfgCompiled({f:baz})) {
+ var o = {};
+ o[0] = "buzz";
+ baz(o, false);
+}
+
+shouldBe("baz([\"blah\"], true)", "\"blahblah\"");
+
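Review bot: The `while (!dfgCompiled({f:baz}))` warm-up loop has no comment, while the `bar` loop just above it does, so a later reader cannot tell which speculation the test depends on. A comment before the loop would help, for example `// Warm up baz with a non-array object that has an indexed property, so the access in foo is compiled against a non-array base.` The loop exits as soon as `dfgCompiled` reports true, so it is not evident from this file that the matching change in FTLLowerDFGToLLVM.cpp is exercised. If the harness has a way to wait for the higher tier, a second variant of the test would cover it. Only one storage shape is tested (`["blah"]` against `{0: "buzz"}`); adding a double or int32 array would guard the other shapes handled by the same switch.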
Modified: trunk/Source/_javascript_Core/ChangeLog (158772 => 158773)
--- trunk/Source/_javascript_Core/ChangeLog 2013-11-06 20:31:40 UTC (rev 158772)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-11-06 20:32:19 UTC (rev 158773)
@@ -1,3 +1,16 @@
+2013-11-06 Filip Pizlo <[email protected]>
+
+ DFG CheckArray(NonArray) should prove that the child isn't an array
+ https://bugs.webkit.org/show_bug.cgi?id=123911
+ <rdar://problem/15202803>
+
+ Reviewed by Mark Hahnenberg.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpSlowForUnwantedArrayMode):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::isArrayType):
+
2013-11-06 Mark Hahnenberg <[email protected]>
JSExport doesn't support constructors
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (158772 => 158773)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2013-11-06 20:31:40 UTC (rev 158772)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2013-11-06 20:32:19 UTC (rev 158773)
@@ -671,10 +671,19 @@
return m_jit.branch32(
MacroAssembler::NotEqual, tempGPR, TrustedImm32(IsArray | shape));
- default:
+ case Array::NonArray:
+ case Array::OriginalNonArray:
+ m_jit.and32(TrustedImm32(IsArray | IndexingShapeMask), tempGPR);
+ return m_jit.branch32(
+ MacroAssembler::NotEqual, tempGPR, TrustedImm32(shape));
+
+ case Array::PossiblyArray:
m_jit.and32(TrustedImm32(IndexingShapeMask), tempGPR);
return m_jit.branch32(MacroAssembler::NotEqual, tempGPR, TrustedImm32(shape));
}
+
+ RELEASE_ASSERT_NOT_REACHED();
+ return JITCompiler::Jump();
}
JITCompiler::JumpList SpeculativeJIT::jumpSlowForUnwantedArrayMode(GPRReg tempGPR, ArrayMode arrayMode)
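Review bot: The new `Array::NonArray` / `Array::OriginalNonArray` case carries no comment explaining why `IsArray` is in the mask but absent from the compared value, and that asymmetry is the entire fix. Without it, a later cleanup could fold this case back into the shape-only check used for `PossiblyArray`, which would again let an array with the same shape pass a check that later code treats as proof of a non-array. I would add above the `and32`: `// IsArray is masked in but not expected: an array with a matching shape must take the slow path, because CheckArray(NonArray) is relied on as proof that the base is not an array.` The same comment applies to the parallel case in FTLLowerDFGToLLVM.cpp. The function begins outside this hunk, so the earlier cases of the switch are not visible here.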
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (158772 => 158773)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2013-11-06 20:31:40 UTC (rev 158772)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2013-11-06 20:32:19 UTC (rev 158773)
@@ -3277,11 +3277,19 @@
m_out.bitAnd(indexingType, m_out.constInt8(IsArray | IndexingShapeMask)),
m_out.constInt8(IsArray | arrayMode.shapeMask()));
- default:
+ case Array::NonArray:
+ case Array::OriginalNonArray:
return m_out.equal(
+ m_out.bitAnd(indexingType, m_out.constInt8(IsArray | IndexingShapeMask)),
+ m_out.constInt8(arrayMode.shapeMask()));
+
+ case Array::PossiblyArray:
+ return m_out.equal(
m_out.bitAnd(indexingType, m_out.constInt8(IndexingShapeMask)),
m_out.constInt8(arrayMode.shapeMask()));
}
+
+ RELEASE_ASSERT_NOT_REACHED();
}
default:
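Review bot: After the inner switch, `RELEASE_ASSERT_NOT_REACHED();` is followed directly by the closing brace and the outer `default:` label, with no return. The DFG hunk in this same commit adds `return JITCompiler::Jump();` after its assert. If the macro is not treated as noreturn in some build configuration, control would fall through into the outer `default:` arm instead of stopping here. For parity with the DFG side, I would add an explicit return of a null value after the assert (for example `return 0;`, assuming that is how this file spells a null `LValue`). The enclosing function and the outer switch start and end outside the hunk, so what `default:` does is not visible.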