Title: [241114] trunk
- Revision
- 241114
- Author
- ysuz...@apple.com
- Date
- 2019-02-06 20:26:25 -0800 (Wed, 06 Feb 2019)
Log Message
[JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
https://bugs.webkit.org/show_bug.cgi?id=194369
<rdar://problem/47813087>
Reviewed by Saam Barati.
JSTests:
* stress/initialize-entrypoint-arguments-with-tdz.js: Added.
(A):
Source/_javascript_Core:
InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
JSEmpty if it is TDZ. This incorrectly proved type information removes necessary CheckNotEmpty in
constant folding phase.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (241113 => 241114)
--- trunk/JSTests/ChangeLog 2019-02-07 03:13:11 UTC (rev 241113)
+++ trunk/JSTests/ChangeLog 2019-02-07 04:26:25 UTC (rev 241114)
@@ -1,5 +1,16 @@
2019-02-06 Yusuke Suzuki <ysuz...@apple.com>
+ [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
+ https://bugs.webkit.org/show_bug.cgi?id=194369
+ <rdar://problem/47813087>
+
+ Reviewed by Saam Barati.
+
+ * stress/initialize-entrypoint-arguments-with-tdz.js: Added.
+ (A):
+
+2019-02-06 Yusuke Suzuki <ysuz...@apple.com>
+
[JSC] PrivateName to PublicName hash table is wasteful
https://bugs.webkit.org/show_bug.cgi?id=194277
Added: trunk/JSTests/stress/initialize-entrypoint-arguments-with-tdz.js (0 => 241114)
--- trunk/JSTests/stress/initialize-entrypoint-arguments-with-tdz.js (rev 0)
+++ trunk/JSTests/stress/initialize-entrypoint-arguments-with-tdz.js 2019-02-07 04:26:25 UTC (rev 241114)
@@ -0,0 +1,27 @@
+//@ runDefault("--jitPolicyScale=0", "--useConcurrentGC=false", "--useConcurrentJIT=false", "--useGenerationalGC=false")
+class A extends Object {
+ constructor(beforeSuper) {
+ let touchThis = () => {
+ try {
+ this.x = this.x;
+ } catch (e) {
+ }
+ try {
+ this.x = +this.x
+ } catch (e) {
+ }
+ };
+ if (beforeSuper) {
+ touchThis();
+ super();
+ } else {
+ super();
+ touchThis();
+ }
+ }
+}
+
+for (var i = 0; i < 10000; i++) {
+ new A(false);
+ new A(true);
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (241113 => 241114)
--- trunk/Source/_javascript_Core/ChangeLog 2019-02-07 03:13:11 UTC (rev 241113)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-02-07 04:26:25 UTC (rev 241114)
@@ -1,3 +1,18 @@
+2019-02-06 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] InitializeEntrypointArguments should produce SpecCellCheck if FlushFormat is FlushedCell
+ https://bugs.webkit.org/show_bug.cgi?id=194369
+ <rdar://problem/47813087>
+
+ Reviewed by Saam Barati.
+
+ InitializeEntrypointArguments says SpecCell if the FlushFormat is FlushedCell. But this actually has
+ JSEmpty if it is TDZ. This incorrectly proved type information removes necessary CheckNotEmpty in
+ constant folding phase.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
2019-02-06 Devin Rousso <drou...@apple.com>
Web Inspector: DOM: don't send the entire function string with each event listener
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (241113 => 241114)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-02-07 03:13:11 UTC (rev 241113)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2019-02-07 04:26:25 UTC (rev 241114)
@@ -341,7 +341,7 @@
value.setNonCellType(SpecBoolean);
break;
case FlushedCell:
- value.setType(m_graph, SpecCell);
+ value.setType(m_graph, SpecCellCheck);
break;
case FlushedJSValue:
value.makeBytecodeTop();
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
