Title: [239287] trunk
Revision: 239287
Author: mark....@apple.com
Date: 2018-12-17 13:32:39 -0800 (Mon, 17 Dec 2018)

Log Message

Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
https://bugs.webkit.org/show_bug.cgi?id=192770
<rdar://problem/46449037>

Reviewed by Keith Miller.

JSTests:

* stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.

Source/JavaScriptCore:

This assertion was added before Array::OriginalNonArray was introduced.  It just
needs to be updated to allow for Array::OriginalNonArray.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):

Diff

Modified: trunk/JSTests/ChangeLog (239286 => 239287)


--- trunk/JSTests/ChangeLog	2018-12-17 21:16:30 UTC (rev 239286)
+++ trunk/JSTests/ChangeLog	2018-12-17 21:32:39 UTC (rev 239287)
@@ -1,3 +1,13 @@
+2018-12-17  Mark Lam  <mark....@apple.com>
+
+        Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
+        https://bugs.webkit.org/show_bug.cgi?id=192770
+        <rdar://problem/46449037>
+
+        Reviewed by Keith Miller.
+
+        * stress/force-string-arrayMode-on-originalNonArray-array-class.js: Added.
+
 2018-12-14  Mark Lam  <mark....@apple.com>
 
         CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive.

Added: trunk/JSTests/stress/force-string-arrayMode-on-originalNonArray-array-class.js (0 => 239287)


--- trunk/JSTests/stress/force-string-arrayMode-on-originalNonArray-array-class.js	                        (rev 0)
+++ trunk/JSTests/stress/force-string-arrayMode-on-originalNonArray-array-class.js	2018-12-17 21:32:39 UTC (rev 239287)
@@ -0,0 +1,16 @@
+//@ requireOptions("--jitPolicyScale=0.1")
+
+function foo(a) {
+    a.length;
+}
+
+for (let i = 0; i < 100; i++) {
+    let a = i % 2 ? new Uint8Array() : new Uint16Array();
+
+    for (let j = 0; j < 2; j++)
+        foo(a);
+
+    gc();
+    foo('');
+    foo(a);
+}
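
Review bot: the new stress test carries no comment saying what it guards, and nothing in it checks a result, so it passes only by not tripping the ASSERT in attemptToForceStringArrayModeByToStringConversion(). A short header comment naming that assertion, and explaining why foo() is fed alternating Uint8Array and Uint16Array receivers and then '' after gc(), would keep the sequence from being simplified away later. It would also help to note why --jitPolicyScale=0.1 is required when the outer loop runs only 100 times.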

Modified: trunk/Source/JavaScriptCore/ChangeLog (239286 => 239287)


--- trunk/Source/_javascript_Core/ChangeLog	2018-12-17 21:16:30 UTC (rev 239286)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-12-17 21:32:39 UTC (rev 239287)
@@ -1,3 +1,17 @@
+2018-12-17  Mark Lam  <mark....@apple.com>
+
+        Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
+        https://bugs.webkit.org/show_bug.cgi?id=192770
+        <rdar://problem/46449037>
+
+        Reviewed by Keith Miller.
+
+        This assertion was added before Array::OriginalNonArray was introduced.  It just
+        needs to be updated to allow for Array::OriginalNonArray.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion):
+
 2018-12-17  Matt Lewis  <jlew...@apple.com>
 
         Unreviewed, rolling out r239254.
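
Review bot: the explanation paragraph in this entry says the assertion predates Array::OriginalNonArray but not how an ArrayMode with that array class reaches attemptToForceStringArrayModeByToStringConversion(). One sentence on that path (the added stress test suggests typed-array receivers mixed with a string receiver) would make the entry usable without opening the bug.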

Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (239286 => 239287)


--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2018-12-17 21:16:30 UTC (rev 239286)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2018-12-17 21:32:39 UTC (rev 239287)
@@ -2432,7 +2432,7 @@
     template<UseKind useKind>
     void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node)
     {
-        ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read));
+        ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read) || arrayMode == ArrayMode(Array::Generic, Array::OriginalNonArray, Array::Read));
         
         if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic))
             return;
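
Review bot: the updated ASSERT at the top of attemptToForceStringArrayModeByToStringConversion() still compares arrayMode against whole ArrayMode values, so it will go stale again the next time an array class is introduced, which is how the log message says it broke here. Consider asserting only on the parts that matter to this function (type Array::Generic, action Array::Read), or add a comment stating why these two modes are the only ones expected. Since ASSERT is compiled out of release builds, it is also worth confirming in the bug that the code after the assertion behaves correctly for Array::OriginalNonArray and that only the debug check was wrong.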