Title: [229892] trunk/Source/JavaScriptCore
Revision
229892
Author
utatane....@gmail.com
Date
2018-03-23 05:32:40 -0700 (Fri, 23 Mar 2018)

Log Message

[FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
https://bugs.webkit.org/show_bug.cgi?id=182960

Reviewed by Saam Barati.

This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
It should always touch ArrayStorage_vector. To unify
vector setting code for the real ArrayStorage_vector and
ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
annotate this.

* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):

Modified Paths

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (229891 => 229892)


--- trunk/Source/_javascript_Core/ChangeLog	2018-03-23 11:49:04 UTC (rev 229891)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-03-23 12:32:40 UTC (rev 229892)
@@ -1,3 +1,19 @@
+2018-03-23  Yusuke Suzuki  <utatane....@gmail.com>
+
+        [FTL] Fix ArrayPush(ArrayStorage)'s abstract heap
+        https://bugs.webkit.org/show_bug.cgi?id=182960
+
+        Reviewed by Saam Barati.
+
+        This patch fixes ArrayPush(ArrayStorage)'s abstract heap.
+        It should always touch ArrayStorage_vector. To unify
+        vector setting code for the real ArrayStorage_vector and
+        ScratchBuffer, we use ArrayStorage_vector.atAnyIndex() to
+        annotate this.
+
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
+
 2018-03-23  Zan Dobersek  <zdober...@igalia.com>
 
         Unreviewed build fix for GCC 4.9 builds.
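
Review bot: The new ChangeLog entry says the abstract heap is "fixed" but never states what was wrong with it or what the observable consequence was. From the code change in this revision, the store was previously annotated with m_heaps.variables; adding one sentence that names the old heap and explains why it was incorrect for ArrayPush(ArrayStorage) would make the entry useful to someone auditing alias-analysis bugs later. The entry also lists only ftl/FTLLowerDFGToB3.cpp, so it is worth saying explicitly whether a test is covered elsewhere or why none is added.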

Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (229891 => 229892)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-03-23 11:49:04 UTC (rev 229891)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2018-03-23 12:32:40 UTC (rev 229892)
@@ -4660,7 +4660,7 @@
                 Edge& element = m_graph.varArgChild(m_node, elementIndex + elementOffset);
 
                 LValue value = lowJSValue(element);
-                m_out.store64(value, m_out.baseIndex(m_heaps.variables, buffer, m_out.constInt32(elementIndex), jsNumber(elementIndex)));
+                m_out.store64(value, m_out.baseIndex(m_heaps.ArrayStorage_vector.atAnyIndex(), buffer, m_out.constIntPtr(elementIndex), ScaleEight));
             }
             ValueFromBlock fastResult = m_out.anchor(boxInt32(newLength));
 
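
Review bot: The store on the + line writes through buffer but is now annotated with m_heaps.ArrayStorage_vector.atAnyIndex(), and nothing at the call site explains why. The log message gives the reason (the same code sets the vector for the real ArrayStorage_vector and for the ScratchBuffer), so a short comment above the store64 saying that would stop a later reader from narrowing the heap again; abstract heaps drive B3's alias analysis, so a wrong annotation here is a correctness issue rather than a cosmetic one. The same line also changes the index from constInt32 to constIntPtr and the last argument from jsNumber(elementIndex) to ScaleEight, which the log message does not mention; please note in the ChangeLog whether that is part of the fix or a cleanup. This revision modifies only the ChangeLog and this file, so a regression test that pushes several elements onto an ArrayStorage array under FTL would help pin the behaviour.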