Changeset 231990 in webkit
- Timestamp:
- May 18, 2018 4:16:09 PM (6 years ago)
- Location:
- trunk
- Files:
-
- 7 edited
trunk/JSTests/ChangeLog
r231983 r231990 1 2018-05-18 Keith Miller <keith_miller@apple.com> 2 3 op_in should mark if it sees out of bounds accesses 4 https://bugs.webkit.org/show_bug.cgi?id=185792 5 6 Reviewed by Filip Pizlo. 7 8 * stress/has-indexed-property-array-storage-ftl.js: 9 (test2): 10 * stress/has-indexed-property-slow-put-array-storage-ftl.js: 11 (test2): 12 1 13 2018-05-18 Mark Lam <mark.lam@apple.com> 2 14 -
trunk/JSTests/stress/has-indexed-property-array-storage-ftl.js
r229057 r231990 33 33 { 34 34 didFTLCompile = ftlTrue(); 35 return 2in array;35 return 13 in array; 36 36 } 37 37 noInline(test2); 38 38 39 var array1 = [1, 2, 3, 4 ];39 var array1 = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14]; 40 40 ensureArrayStorage(array1); 41 41 var array2 = [1, 2]; -
trunk/JSTests/stress/has-indexed-property-slow-put-array-storage-ftl.js
r229057 r231990 44 44 { 45 45 didFTLCompile = ftlTrue(); 46 return 2in array;46 return 9 in array; 47 47 } 48 48 noInline(test2); 49 49 50 var array1 = [1, 2, 3, 4 ];50 var array1 = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10]; 51 51 array1.__proto__ = object; 52 52 ensureArrayStorage(array1); -
trunk/Source/JavaScriptCore/ChangeLog
r231983 r231990 1 2018-05-18 Keith Miller <keith_miller@apple.com> 2 3 op_in should mark if it sees out of bounds accesses 4 https://bugs.webkit.org/show_bug.cgi?id=185792 5 6 Reviewed by Filip Pizlo. 7 8 This would used to cause us to OSR loop since we would always speculate 9 we were in bounds in HasIndexedProperty. 10 11 * bytecode/ArrayProfile.cpp: 12 (JSC::ArrayProfile::observeIndexedRead): 13 * bytecode/ArrayProfile.h: 14 * runtime/CommonSlowPaths.h: 15 (JSC::CommonSlowPaths::opIn): 16 1 17 2018-05-18 Mark Lam <mark.lam@apple.com> 2 18 -
trunk/Source/JavaScriptCore/bytecode/ArrayProfile.cpp
r225618 r231990 122 122 } 123 123 124 void ArrayProfile::observeIndexedRead(VM& vm, JSCell* cell, unsigned index) 125 { 126 m_lastSeenStructureID = cell->structureID(); 127 128 if (JSObject* object = jsDynamicCast<JSObject*>(vm, cell)) { 129 if (hasAnyArrayStorage(object->indexingType()) && index >= object->getVectorLength()) 130 setOutOfBounds(); 131 else if (index >= object->getArrayLength()) 132 setOutOfBounds(); 133 } 134 135 if (JSString* string = jsDynamicCast<JSString*>(vm, cell)) { 136 if (index >= string->length()) 137 setOutOfBounds(); 138 } 139 } 140 124 141 CString ArrayProfile::briefDescription(const ConcurrentJSLocker& locker, CodeBlock* codeBlock) 125 142 { -
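Review bot: In observeIndexedRead the JSString test is a second independent `if` after the JSObject branch, though a cell cannot be both, so the body reads as if both branches could run; `} else if (JSString* string = jsDynamicCast<JSString*>(vm, cell)) {` makes the exclusivity explicit and skips the second cast on the common object path. The function also has no comment on why array-storage objects are checked against the vector length while everything else is checked against the array length; my reading (the helpers are defined elsewhere) is that indices past the vector are the ones the fast path cannot serve, so I would add `// ArrayStorage: anything at or past the vector length is out of bounds for the fast path; other indexing types are bounded by the array length.` above the first branch. For an object with no indexed storage getArrayLength() presumably reports 0, so every index marks the profile out of bounds — conservative and likely intended, but worth a one-line comment so the next reader does not take it for a bug.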
trunk/Source/JavaScriptCore/bytecode/ArrayProfile.h
r222871 r231990 215 215 m_lastSeenStructureID = structure->id(); 216 216 } 217 217 218 218 void computeUpdatedPrediction(const ConcurrentJSLocker&, CodeBlock*); 219 219 void computeUpdatedPrediction(const ConcurrentJSLocker&, CodeBlock*, Structure* lastSeenStructure); 220 220 221 221 void observeArrayMode(ArrayModes mode) { m_observedArrayModes |= mode; } 222 void observeIndexedRead(VM&, JSCell*, unsigned index); 223 222 224 ArrayModes observedArrayModes(const ConcurrentJSLocker&) const { return m_observedArrayModes; } 223 225 bool mayInterceptIndexedAccesses(const ConcurrentJSLocker&) const { return m_mayInterceptIndexedAccesses; } -
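Review bot: The new declaration `void observeIndexedRead(VM&, JSCell*, unsigned index);` carries no comment, while the neighbouring observe* members are one-liners whose effect is visible in the header; a caller cannot tell from here that this also overwrites m_lastSeenStructureID and may set the out-of-bounds bit. I would add above it `// Records an indexed read of `index` on `cell`: updates the last-seen structure and marks the profile out of bounds when the index is past the cell's storage.` Since the parameter is a JSCell* rather than a JSObject*, the comment should also say that strings are accepted, which the .cpp body handles explicitly.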
trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.h
r231976 r231990 101 101 uint32_t i; 102 102 if (propName.getUInt32(i)) { 103 if (arrayProfile) 104 arrayProfile->observeIndexedRead(vm, baseObj, i); 103 105 scope.release(); 104 106 return baseObj->hasProperty(exec, i);
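Review bot: The new profile call in opIn has no comment saying why the slow path now feeds the ArrayProfile, and the reason given in the ChangeLog (stopping the DFG/FTL from speculating in-bounds in HasIndexedProperty and looping through OSR exit) is not recoverable from the two added lines; I would write `// Let the JIT see out-of-bounds indices so HasIndexedProperty stops speculating in bounds.` above the `if (arrayProfile)`. If baseObj is a JSObject* here, as the name suggests, the callee's jsDynamicCast<JSObject*> re-derives what the caller already knows, and an overload taking JSObject* would avoid that, though this is minor. opIn begins and ends outside the hunk, so I cannot see on which paths arrayProfile is null; the guard is the right shape either way.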