Context Navigation

← Previous Changeset
Next Changeset →

Changeset 234075 in webkit

Timestamp:

Jul 20, 2018 4:48:16 PM (6 years ago)

Author:

msaboff@apple.com

Message:

DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
https://bugs.webkit.org/show_bug.cgi?id=187827
rdar://problem/42146858

Reviewed by Saam Barati.

JSTests:

New regression tests.

stress/direct-arguments-check-array.js: Added.

(setup.f2):
(setup):
(forOfArray):
(forOfArgs):
(callEveryOnArgs):

stress/scoped-arguments-check-array.js: Added.

(setup.foo):
(setup.f2):
(setup):
(forOfArray):
(forOfArgs):
(callEveryOnArgs):

Source/JavaScriptCore:

When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
putByIndex() path that doesn't change the shape.

dfg/DFGArrayMode.h:

(JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):

Location:

trunk

Files:

: 2 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/direct-arguments-check-array.js (added)
JSTests/stress/scoped-arguments-check-array.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGArrayMode.h (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r234066
+                      r234075
+-07-20  Michael Saboff  <msaboff@apple.com>
+        DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
+        https://bugs.webkit.org/show_bug.cgi?id=187827
+        rdar://problem/42146858
+        Reviewed by Saam Barati.
+        New regression tests.
+        * stress/direct-arguments-check-array.js: Added.
+        (setup.f2):
+        (setup):
+        (forOfArray):
+        (forOfArgs):
+        (callEveryOnArgs):
+        * stress/scoped-arguments-check-array.js: Added.
+        (setup.foo):
+        (setup.f2):
+        (setup):
+        (forOfArray):
+        (forOfArgs):
+        (callEveryOnArgs):
 -07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r234066
+                      r234075
+-07-20  Michael Saboff  <msaboff@apple.com>
+        DFG AbstractInterpreter: CheckArray filters array modes for DirectArguments/ScopedArguments using only NonArray
+        https://bugs.webkit.org/show_bug.cgi?id=187827
+        rdar://problem/42146858
+        Reviewed by Saam Barati.
+        When filtering array modes for DirectArguments or ScopedArguments, we need to allow for the possibility
+        that they can either be NonArray or NonArrayWithArrayStorage (aka ArrayStorageShape).
+        We can't end up with other shapes, Int32, Double, etc because GenericArguments sets
+        InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero which will cause us to go down a
+        putByIndex() path that doesn't change the shape.
+        * dfg/DFGArrayMode.h:
+        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering const):
 -07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h

-                      r232376
+                      r234075
         case Array::SlowPutArrayStorage:
             return arrayModesWithIndexingShapes(SlowPutArrayStorageShape, ArrayStorageShape);
+        case Array::DirectArguments:
+        case Array::ScopedArguments:
+            return arrayModesWithIndexingShapes(ArrayStorageShape, NonArray);
         default:
             return asArrayModes(NonArray);

Note: See TracChangeset for help on using the changeset viewer.