Title: [161411] trunk/Source/JavaScriptCore
- Revision: 161411
- Author: [email protected]
- Date: 2014-01-07 00:22:04 -0800 (Tue, 07 Jan 2014)
Log Message
SetLocal for a FlushedArguments should not claim that the dataFormat is DataFormatJS
https://bugs.webkit.org/show_bug.cgi?id=126563
Reviewed by Gavin Barraclough.
This was a rookie arguments simplification mistake: the SetLocal needs to record the fact
that although it set JSValue(), OSR should think it set Arguments. DataFormatArguments
conveys this, and dataFormatFor(FlushFormat) will do the right thing.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* tests/stress/phantom-arguments-set-local-then-exit-in-same-block.js: Added.
(foo):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (161410 => 161411)
--- trunk/Source/_javascript_Core/ChangeLog 2014-01-07 07:26:58 UTC (rev 161410)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-01-07 08:22:04 UTC (rev 161411)
@@ -1,3 +1,21 @@
+2014-01-07 Filip Pizlo <[email protected]>
+
+ SetLocal for a FlushedArguments should not claim that the dataFormat is DataFormatJS
+ https://bugs.webkit.org/show_bug.cgi?id=126563
+
+ Reviewed by Gavin Barraclough.
+
+ This was a rookie arguments simplification mistake: the SetLocal needs to record the fact
+ that although it set JSValue(), OSR should think it set Arguments. DataFormatArguments
+ conveys this, and dataFormatFor(FlushFormat) will do the right thing.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * tests/stress/phantom-arguments-set-local-then-exit-in-same-block.js: Added.
+ (foo):
+
2014-01-06 Filip Pizlo <[email protected]>
Make the different flavors of integer arithmetic more explicit, and don't rely on (possibly stale) results of the backwards propagator to decide integer arithmetic semantics
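Review bot: The description in the new 2014-01-07 entry explains the cause (SetLocal recording DataFormatJS when the local is a FlushedArguments) but never states the observable effect, so a later reader cannot tell what went wrong once OSR exit consumed the wrong format. Suggest one extra sentence on the symptom; right now the only hint is the test file name (set local, then exit in the same block).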
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (161410 => 161411)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-01-07 07:26:58 UTC (rev 161410)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-01-07 08:22:04 UTC (rev 161411)
@@ -1958,7 +1958,7 @@
m_jit.store32(value.payloadGPR(), JITCompiler::payloadFor(node->machineLocal()));
m_jit.store32(value.tagGPR(), JITCompiler::tagFor(node->machineLocal()));
noResult(node);
- recordSetLocal(DataFormatJS);
+ recordSetLocal(dataFormatFor(node->variableAccessData()->flushFormat()));
break;
}
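Review bot: At the changed recordSetLocal(...) call, the recorded format can now deliberately differ from what the two store32 lines just wrote (a full tag/payload JSValue), and nothing at the call site says that this is intended. A one-line comment above it, saying that for FlushedArguments the slot holds JSValue() but OSR must see Arguments, would keep a later cleanup from reverting it to DataFormatJS. If this arm is only ever reached with a known set of flush formats, an assertion on that set before recording would also catch a format whose dataFormatFor() result does not match the stored bits.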
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (161410 => 161411)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2014-01-07 07:26:58 UTC (rev 161410)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2014-01-07 08:22:04 UTC (rev 161411)
@@ -2275,7 +2275,7 @@
JSValueOperand value(this, node->child1());
m_jit.store64(value.gpr(), JITCompiler::addressFor(node->machineLocal()));
noResult(node);
- recordSetLocal(DataFormatJS);
+ recordSetLocal(dataFormatFor(node->variableAccessData()->flushFormat()));
break;
}
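Review bot: The replacement line here is character-for-character the same as the one in DFGSpeculativeJIT32_64.cpp, `recordSetLocal(dataFormatFor(node->variableAccessData()->flushFormat()));`, so the two backends now each carry their own copy of the rule and can drift apart again. Consider a small shared helper that takes the node and records the SetLocal from its flush format, so that any future SetLocal arm picks the recorded format the same way instead of hard-coding a DataFormat.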
Added: trunk/Source/_javascript_Core/tests/stress/phantom-arguments-set-local-then-exit-in-same-block.js (0 => 161411)
--- trunk/Source/_javascript_Core/tests/stress/phantom-arguments-set-local-then-exit-in-same-block.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/phantom-arguments-set-local-then-exit-in-same-block.js 2014-01-07 08:22:04 UTC (rev 161411)
@@ -0,0 +1,17 @@
+function foo(o) {
+ var a = arguments;
+ var result = o.f;
+ for (var i = 1; i < a.length; ++i)
+ result += a[i];
+ return result;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 100; ++i)
+ foo({f:42}, 1, 2, 3);
+
+var result = foo({g:40, f:41}, 1, 2.5, 3);
+if (result != 47.5)
+ throw "Bad result: " + result;
+
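Review bot: The final call `foo({g:40, f:41}, 1, 2.5, 3)` changes two things at once (the object's shape and a double argument), and the test has no comment saying which one is meant to trigger the exit after `var a = arguments`, so a future reader cannot tell what the test depends on. Please add a short comment naming the intended exit, and confirm that 100 warm-up calls are enough for foo to be compiled by the DFG in the configurations that run this test; otherwise it passes without touching the fixed path. Minor: `result != 47.5` could be `!==` so a string result cannot compare equal by coercion.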