Log Message
putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present https://bugs.webkit.org/show_bug.cgi?id=182755 <rdar://problem/37080864>
Reviewed by Keith Miller. JSTests: * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added. (test1.o.get 10005): (test1): (test2.o.get 1000): (test2): Source/_javascript_Core: putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted the object in question to a dictionary indexing mode when the index is less than the vector length. This makes no sense. If we're defining a getter, setter, or read only property, we must always enter the dictionary indexing mode irrespective of the index in relation to the vector length. * runtime/JSObject.cpp: (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
Modified Paths
- trunk/JSTests/ChangeLog
- trunk/Source/_javascript_Core/ChangeLog
- trunk/Source/_javascript_Core/runtime/JSObject.cpp
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (228453 => 228454)
--- trunk/JSTests/ChangeLog 2018-02-14 04:38:33 UTC (rev 228453)
+++ trunk/JSTests/ChangeLog 2018-02-14 05:07:07 UTC (rev 228454)
@@ -1,3 +1,17 @@
+2018-02-13 Saam Barati <sbar...@apple.com>
+
+ putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
+ https://bugs.webkit.org/show_bug.cgi?id=182755
+ <rdar://problem/37080864>
+
+ Reviewed by Keith Miller.
+
+ * stress/always-enter-dictionary-indexing-mode-with-getter.js: Added.
+ (test1.o.get 10005):
+ (test1):
+ (test2.o.get 1000):
+ (test2):
+
2018-02-13 Caitlin Potter <ca...@igalia.com>
[JSC] cache TaggedTemplate arrays by callsite rather than by contents
Added: trunk/JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js (0 => 228454)
--- trunk/JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js (rev 0)
+++ trunk/JSTests/stress/always-enter-dictionary-indexing-mode-with-getter.js 2018-02-14 05:07:07 UTC (rev 228454)
@@ -0,0 +1,29 @@
+function test1(item) {
+ var o = {
+ 10000: item,
+ get 10005() { },
+ };
+ let arr = new Array(10008);
+ for (let key of arr.keys()) {
+ let o2 = {};
+ o[key] = o2;
+ }
+}
+test1({});
+test1(10);
+test1(10.5);
+
+function test2(item) {
+ var o = {
+ 0: item,
+ get 1000() { },
+ };
+ let arr = new Array(1000);
+ for (let key of arr.keys()) {
+ let o2 = {};
+ o[key] = o2;
+ }
+}
+test2({});
+test2(10);
+test2(10.5);
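Review bot: Neither `test1` nor `test2` asserts anything after the loop, so the test only fails when the engine crashes or trips a debug assertion; a release-build run where the getter is silently replaced by a plain value would still pass. After each loop, check that the accessor survived, for example `if (typeof Object.getOwnPropertyDescriptor(o, 10005).get !== "function") throw new Error("getter at 10005 was overwritten");` in `test1`, and the same for index 1000 in `test2`. A one-line comment above each function saying which index/vector-length relationship it is meant to exercise would also help, since the two key choices are not self-explanatory.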
Modified: trunk/Source/_javascript_Core/ChangeLog (228453 => 228454)
--- trunk/Source/_javascript_Core/ChangeLog 2018-02-14 04:38:33 UTC (rev 228453)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-02-14 05:07:07 UTC (rev 228454)
@@ -1,5 +1,22 @@
2018-02-13 Saam Barati <sbar...@apple.com>
+ putDirectIndexSlowOrBeyondVectorLength needs to convert to dictionary indexing mode always if attributes are present
+ https://bugs.webkit.org/show_bug.cgi?id=182755
+ <rdar://problem/37080864>
+
+ Reviewed by Keith Miller.
+
+ putDirectIndexSlowOrBeyondVectorLength with non-zero attributes only converted
+ the object in question to a dictionary indexing mode when the index is less than
+ the vector length. This makes no sense. If we're defining a getter, setter, or read
+ only property, we must always enter the dictionary indexing mode irrespective
+ of the index in relation to the vector length.
+
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
+
+2018-02-13 Saam Barati <sbar...@apple.com>
+
Follup fix to r228411 for 32-bit builds. I missed a place where we used non vararg getter for child2().
* dfg/DFGSpeculativeJIT32_64.cpp:
Modified: trunk/Source/_javascript_Core/runtime/JSObject.cpp (228453 => 228454)
--- trunk/Source/_javascript_Core/runtime/JSObject.cpp 2018-02-14 04:38:33 UTC (rev 228453)
+++ trunk/Source/_javascript_Core/runtime/JSObject.cpp 2018-02-14 05:07:07 UTC (rev 228454)
@@ -2922,11 +2922,9 @@
}
case ALL_INT32_INDEXING_TYPES: {
- if (attributes) {
- if (i < m_butterfly->vectorLength())
- return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
- return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertInt32ToArrayStorage(vm));
- }
+ ASSERT(!indexingShouldBeSparse());
+ if (attributes)
+ return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
if (!value.isInt32()) {
convertInt32ForValue(vm, value);
return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
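Review bot: The added `ASSERT(!indexingShouldBeSparse());` is compiled out of release builds, so whatever the code below it assumes about the object not being sparse is only checked in debug configurations. The same line is added in the ALL_DOUBLE_INDEXING_TYPES and ALL_CONTIGUOUS_INDEXING_TYPES hunks. A wrong indexing mode on this path changes how the indexed storage is interpreted afterwards, and this is already the slow path. Consider `RELEASE_ASSERT(!indexingShouldBeSparse());` instead, or at least a comment naming the caller or earlier check that guarantees the condition. The case body continues past the end of the hunk.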
@@ -2936,11 +2934,9 @@
}
case ALL_DOUBLE_INDEXING_TYPES: {
- if (attributes) {
- if (i < m_butterfly->vectorLength())
- return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
- return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertDoubleToArrayStorage(vm));
- }
+ ASSERT(!indexingShouldBeSparse());
+ if (attributes)
+ return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
if (!value.isNumber()) {
convertDoubleToContiguous(vm);
return putDirectIndexSlowOrBeyondVectorLength(exec, i, value, attributes, mode);
@@ -2955,20 +2951,16 @@
}
case ALL_CONTIGUOUS_INDEXING_TYPES: {
- if (attributes) {
- if (i < m_butterfly->vectorLength())
- return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
- return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, convertContiguousToArrayStorage(vm));
- }
+ ASSERT(!indexingShouldBeSparse());
+ if (attributes)
+ return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
putByIndexBeyondVectorLengthWithoutAttributes<ContiguousShape>(exec, i, value);
return true;
}
case ALL_ARRAY_STORAGE_INDEXING_TYPES:
- if (attributes) {
- if (i < m_butterfly->vectorLength())
- return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
- }
+ if (attributes)
+ return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, ensureArrayStorageExistsAndEnterDictionaryIndexingMode(vm));
return putDirectIndexBeyondVectorLengthWithArrayStorage(exec, i, value, attributes, mode, arrayStorage());
default:
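Review bot: The reason for the unconditional `if (attributes)` path is recorded only in the ChangeLog, and the ALL_ARRAY_STORAGE_INDEXING_TYPES case differs from the three cases above it by having no `ASSERT(!indexingShouldBeSparse())`, with nothing in the code to say why. Put the rationale next to the code so the `i < vectorLength()` test is not reintroduced later, for example `// Getters, setters and read-only properties always require dictionary indexing mode, whatever i is relative to vectorLength().` above the first `if (attributes)`. On the array-storage case, a short note would help too; presumably the assertion is omitted because array storage may legitimately be sparse, but that should be confirmed and stated. The switch continues past the end of the hunk.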