Modified: trunk/Source/_javascript_Core/ChangeLog (190681 => 190682)
--- trunk/Source/_javascript_Core/ChangeLog 2015-10-07 20:25:29 UTC (rev 190681)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-10-07 20:27:46 UTC (rev 190682)
@@ -1,5 +1,20 @@
2015-10-07 Filip Pizlo <[email protected]>
+ Don't setOutOfBounds in JIT code for PutByVal, since the C++ slow path already does it
+ https://bugs.webkit.org/show_bug.cgi?id=149885
+
+ Reviewed by Geoffrey Garen.
+
+ This simplifies the slow path code, which will make it easier to put read barriers on all of
+ the butterflies.
+
+ * jit/JITOperations.cpp:
+ (JSC::getByVal):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitSlow_op_put_by_val):
+
+2015-10-07 Filip Pizlo <[email protected]>
+
Get rid of JIT::compilePutDirectOffset
https://bugs.webkit.org/show_bug.cgi?id=149884
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (190681 => 190682)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2015-10-07 20:25:29 UTC (rev 190681)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2015-10-07 20:27:46 UTC (rev 190682)
@@ -401,6 +401,9 @@
if (object->canSetIndexQuickly(i))
object->setIndexQuickly(callFrame->vm(), i, value);
else {
+ // FIXME: This will make us think that in-bounds typed array accesses are actually
+ // out-of-bounds.
+ // https://bugs.webkit.org/show_bug.cgi?id=149886
byValInfo->arrayProfile->setOutOfBounds();
object->methodTable(vm)->putByIndex(object, callFrame, i, value, callFrame->codeBlock()->isStrictMode());
}
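Review bot: The FIXME at L30-L32 names the symptom (in-bounds typed-array stores reported as out-of-bounds) but not which way the error cuts, and that is the thing a reader of a JIT profiling path needs to know. From what is visible, `setOutOfBounds()` at L33 only feeds the array profile that later tiers speculate on; the baseline bounds check itself is not affected, so the misreport can only cost speculation, not skip a check — I would say that in the comment so nobody "fixes" it by narrowing the condition in the wrong direction. I would extend it to something like `// FIXME: ... Over-reporting here is conservative (it only pessimizes later speculation); do not resolve it by skipping the call for typed arrays without confirming every OOB path still records.` The enclosing function starts before this hunk.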
@@ -434,6 +437,9 @@
return;
}
+ // FIXME: This will make us think that in-bounds typed array accesses are actually
+ // out-of-bounds.
+ // https://bugs.webkit.org/show_bug.cgi?id=149886
byValInfo->arrayProfile->setOutOfBounds();
baseObject->putDirectIndex(callFrame, index, value, 0, isStrictMode ? PutDirectIndexShouldThrow : PutDirectIndexShouldNotThrow);
return;
@@ -1588,8 +1594,12 @@
if (object->canGetIndexQuickly(i))
return object->getIndexQuickly(i);
- if (!canAccessArgumentIndexQuickly(*object, i))
+ if (!canAccessArgumentIndexQuickly(*object, i)) {
+ // FIXME: This will make us think that in-bounds typed array accesses are actually
+ // out-of-bounds.
+ // https://bugs.webkit.org/show_bug.cgi?id=149886
byValInfo->arrayProfile->setOutOfBounds();
+ }
}
return baseValue.get(exec, i);
@@ -1750,8 +1760,12 @@
if (object->canGetIndexQuickly(index))
return JSValue::encode(JSValue(JSValue::JSTrue));
- if (!canAccessArgumentIndexQuickly(*object, index))
+ if (!canAccessArgumentIndexQuickly(*object, index)) {
+ // FIXME: This will make us think that in-bounds typed array accesses are actually
+ // out-of-bounds.
+ // https://bugs.webkit.org/show_bug.cgi?id=149886
byValInfo->arrayProfile->setOutOfBounds();
+ }
return JSValue::encode(jsBoolean(object->hasProperty(exec, index)));
}
@@ -1770,8 +1784,12 @@
if (object->canGetIndexQuickly(index))
return JSValue::encode(JSValue(JSValue::JSTrue));
- if (!canAccessArgumentIndexQuickly(*object, index))
+ if (!canAccessArgumentIndexQuickly(*object, index)) {
+ // FIXME: This will make us think that in-bounds typed array accesses are actually
+ // out-of-bounds.
+ // https://bugs.webkit.org/show_bug.cgi?id=149886
byValInfo->arrayProfile->setOutOfBounds();
+ }
return JSValue::encode(jsBoolean(object->hasProperty(exec, subscript.asUInt32())));
}
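Review bot: The same three-line FIXME is pasted five times in this file (L30-L32, L39-L41, L50-L52, L62-L64, L74-L76) around an identical `byValInfo->arrayProfile->setOutOfBounds();` call, which is the kind of duplication that drifts when one copy is fixed. A small file-local helper carrying the note once, e.g. `static void recordOutOfBounds(ByValInfo* byValInfo) { /* FIXME 149886 */ byValInfo->arrayProfile->setOutOfBounds(); }`, would keep the bug reference in one place and make the eventual fix a one-line change. Both functions in the last two hunks start before their hunk, so I cannot tell whether they differ in anything other than the `subscript.asUInt32()` argument at L79.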
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (190681 => 190682)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2015-10-07 20:25:29 UTC (rev 190681)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2015-10-07 20:27:46 UTC (rev 190682)
@@ -448,6 +448,8 @@
linkSlowCase(iter); // property int32 check
linkSlowCase(iter); // base not array check
+ linkSlowCase(iter); // out of bounds
+
JITArrayMode mode = chooseArrayMode(profile);
switch (mode) {
case JITInt32:
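Review bot: Linking the out-of-bounds slow case at L87 into the common path means the profile is now marked only where the C++ slow path chooses to (L33, L42), and that condition is `!canSetIndexQuickly(i)`, not "the JIT fast path rejected the index". If, as I believe, the fast-path bound is the public length while `canSetIndexQuickly` accepts anything within the allocated vector, then a store past the public length but inside the vector now takes `setIndexQuickly` and is never recorded, whereas the removed `emitArrayProfileOutOfBoundsSpecialCase` (old L97) recorded every such store; please confirm against `canSetIndexQuickly`. This is a speculation-quality concern, not a memory-safety one, since the fast-path check that produces the L87 jump is unchanged, but it is the kind of profile drift that shows up as repeated OSR exits rather than a test failure, so a comment on L87 such as `// out of bounds (profile now recorded by the C++ slow path, see putByVal)` would at least point the next reader at the right place. `emitSlow_op_put_by_val` continues past this hunk.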
@@ -458,11 +460,6 @@
break;
}
- Jump skipProfiling = jump();
- linkSlowCase(iter); // out of bounds
- emitArrayProfileOutOfBoundsSpecialCase(profile);
- skipProfiling.link(this);
-
Label slowPath = label();
emitGetVirtualRegister(base, regT0);