Title: [201254] trunk
- Revision
- 201254
- Author
- sbar...@apple.com
- Date
- 2016-05-22 12:13:23 -0700 (Sun, 22 May 2016)
Log Message
REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
https://bugs.webkit.org/show_bug.cgi?id=157968
<rdar://problem/26404735>
Reviewed by Ryosuke Niwa and Filip Pizlo.
Source/_javascript_Core:
There was a bug in the DFG where we were checking a condition
on the wrong variable.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
LayoutTests:
* TestExpectations:
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (201253 => 201254)
--- trunk/LayoutTests/ChangeLog 2016-05-22 17:27:18 UTC (rev 201253)
+++ trunk/LayoutTests/ChangeLog 2016-05-22 19:13:23 UTC (rev 201254)
@@ -1,3 +1,13 @@
+2016-05-22 Saam barati <sbar...@apple.com>
+
+ REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
+ https://bugs.webkit.org/show_bug.cgi?id=157968
+ <rdar://problem/26404735>
+
+ Reviewed by Ryosuke Niwa and Filip Pizlo.
+
+ * TestExpectations:
+
2016-05-20 Joseph Pecoraro <pecor...@apple.com>
Unreviewed test gardening after r201237 exposed an issue.
Modified: trunk/LayoutTests/TestExpectations (201253 => 201254)
--- trunk/LayoutTests/TestExpectations 2016-05-22 17:27:18 UTC (rev 201253)
+++ trunk/LayoutTests/TestExpectations 2016-05-22 19:13:23 UTC (rev 201254)
@@ -980,5 +980,3 @@
webkit.org/b/157589 fast/text-autosizing/ios/text-autosizing-after-back.html [ Pass Timeout ]
webkit.org/b/157816 http/tests/performance/performance-resource-timing-cached-entries.html [ Pass Failure ]
-
-webkit.org/b/157968 js/regress/string-replace-generic.html [ Pass Failure ]
Modified: trunk/Source/_javascript_Core/ChangeLog (201253 => 201254)
--- trunk/Source/_javascript_Core/ChangeLog 2016-05-22 17:27:18 UTC (rev 201253)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-05-22 19:13:23 UTC (rev 201254)
@@ -1,3 +1,17 @@
+2016-05-22 Saam barati <sbar...@apple.com>
+
+ REGRESSION(r199075): String.prototype.replace fails after being used many times with different replace values
+ https://bugs.webkit.org/show_bug.cgi?id=157968
+ <rdar://problem/26404735>
+
+ Reviewed by Ryosuke Niwa and Filip Pizlo.
+
+ There was a bug in the DFG where we were checking a condition
+ on the wrong variable.
+
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+
2016-05-22 Chris Dumez <cdu...@apple.com>
Remove uses of PassRefPtr in JS bindings code
Modified: trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp (201253 => 201254)
--- trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2016-05-22 17:27:18 UTC (rev 201253)
+++ trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2016-05-22 19:13:23 UTC (rev 201254)
@@ -639,7 +639,7 @@
}
String replace = m_node->child3()->tryGetString(m_graph);
- if (!string)
+ if (!replace)
break;
StringBuilder builder;
Added: trunk/Source/_javascript_Core/tests/stress/string-replace-constant-folding-replacer-not-string.js (0 => 201254)
--- trunk/Source/_javascript_Core/tests/stress/string-replace-constant-folding-replacer-not-string.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/string-replace-constant-folding-replacer-not-string.js 2016-05-22 19:13:23 UTC (rev 201254)
@@ -0,0 +1,13 @@
+function foo() {
+ "foo".replace(/f/g, "");
+ return "foo".replace(/f/g, 42);
+}
+noInline(foo);
+
+let result;
+for (let i = 0; i < 10000; i++) {
+ result = foo();
+ if (result !== "42oo")
+ throw new Error("Error: bad result: " + result);
+}
+
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
