Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (232379 => 232380)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-06-01 00:19:32 UTC (rev 232379)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-06-01 00:19:34 UTC (rev 232380)
@@ -1,5 +1,9 @@
2018-05-31 Kocsen Chung <kocsen_ch...@apple.com>
+ Revert r231540. rdar://problem/40050814
+
+2018-05-31 Kocsen Chung <kocsen_ch...@apple.com>
+
Cherry-pick r232219. rdar://problem/40641075
for-in loops should preserve and restore the TDZ stack for each of its internal loops.
Modified: branches/safari-605-branch/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (232379 => 232380)
--- branches/safari-605-branch/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-06-01 00:19:32 UTC (rev 232379)
+++ branches/safari-605-branch/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-06-01 00:19:34 UTC (rev 232380)
@@ -1382,7 +1382,7 @@
loadi 4[PC], t2
storei t0, TagOffset[cfr, t2, 8]
storei t1, PayloadOffset[cfr, t2, 8]
- valueProfile(t0, t1, 28, t2)
+ valueProfile(t0, t1, 32, t2)
dispatch(constexpr op_get_by_id_length)
.opGetByIdSlow:
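Review bot: The literal `32` passed to `valueProfile` here, and again in the get_array_length hunk below, is an unexplained byte offset that has to stay in step with the bytecode's operand layout, while the instruction length on the next line comes from `constexpr op_get_by_id_length`. It is presumably the offset of the value-profile operand in 4-byte slots (8 * 4), though the macro definition is outside this diff. If that is right, a stale offset would make the interpreter read a different operand as the profile pointer and write the observed tag and payload through it, which is a memory-safety problem rather than only a profiling inaccuracy. A comment on both call sites such as `# 32 = operand 8 (ValueProfile*) * 4 bytes; must track op_get_by_id's operand count` would make that coupling visible to the next cherry-pick or revert on this branch. Both handler bodies start and end outside the hunks, so the rest of the operand offsets they use could not be checked from here.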
@@ -1403,7 +1403,7 @@
loadp JSObject::m_butterfly[t3], t0
loadi -sizeof IndexingHeader + IndexingHeader::u.lengths.publicLength[t0], t0
bilt t0, 0, .opGetArrayLengthSlow
- valueProfile(Int32Tag, t0, 28, t2)
+ valueProfile(Int32Tag, t0, 32, t2)
storep t0, PayloadOffset[cfr, t1, 8]
storep Int32Tag, TagOffset[cfr, t1, 8]
dispatch(constexpr op_get_array_length_length)