Title: [258078] trunk
- Revision
- 258078
- Author
- [email protected]
- Date
- 2020-03-07 13:56:44 -0800 (Sat, 07 Mar 2020)
Log Message
Remove bad assertion in FTLLowerDFGToB3's compileDelBy().
https://bugs.webkit.org/show_bug.cgi?id=208764
<rdar://problem/59940095>
Reviewed by Keith Miller.
JSTests:
* stress/delete-by-val-with-base-and-subscript-using-same-cell.js: Added.
* stress/delete-by-val-with-base-and-subscript-using-same-non-cell.js: Added.
Source/_javascript_Core:
The assertion ASSERT(base.gpr() != params[2].gpr()) is wrong because it is legal
JS to pass in the same value as the base and subscript. The runtime will handle
it properly.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (258077 => 258078)
--- trunk/JSTests/ChangeLog 2020-03-07 21:46:23 UTC (rev 258077)
+++ trunk/JSTests/ChangeLog 2020-03-07 21:56:44 UTC (rev 258078)
@@ -1,3 +1,14 @@
+2020-03-07 Mark Lam <[email protected]>
+
+ Remove bad assertion in FTLLowerDFGToB3's compileDelBy().
+ https://bugs.webkit.org/show_bug.cgi?id=208764
+ <rdar://problem/59940095>
+
+ Reviewed by Keith Miller.
+
+ * stress/delete-by-val-with-base-and-subscript-using-same-cell.js: Added.
+ * stress/delete-by-val-with-base-and-subscript-using-same-non-cell.js: Added.
+
2020-03-06 Yusuke Suzuki <[email protected]>
[JSC] Enable public class fields
Added: trunk/JSTests/stress/delete-by-val-with-base-and-subscript-using-same-cell.js (0 => 258078)
--- trunk/JSTests/stress/delete-by-val-with-base-and-subscript-using-same-cell.js (rev 0)
+++ trunk/JSTests/stress/delete-by-val-with-base-and-subscript-using-same-cell.js 2020-03-07 21:56:44 UTC (rev 258078)
@@ -0,0 +1,8 @@
+function foo(x) {
+ delete x[x];
+}
+noInline(foo);
+
+for (let i = 0; i < 20000; i++)
+ foo({});
+
Added: trunk/JSTests/stress/delete-by-val-with-base-and-subscript-using-same-non-cell.js (0 => 258078)
--- trunk/JSTests/stress/delete-by-val-with-base-and-subscript-using-same-non-cell.js (rev 0)
+++ trunk/JSTests/stress/delete-by-val-with-base-and-subscript-using-same-non-cell.js 2020-03-07 21:56:44 UTC (rev 258078)
@@ -0,0 +1,8 @@
+function foo(x) {
+ delete x[x];
+}
+noInline(foo);
+
+for (let i = 0; i < 20000; i++)
+ foo(true);
+
Modified: trunk/Source/_javascript_Core/ChangeLog (258077 => 258078)
--- trunk/Source/_javascript_Core/ChangeLog 2020-03-07 21:46:23 UTC (rev 258077)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-03-07 21:56:44 UTC (rev 258078)
@@ -1,3 +1,18 @@
+2020-03-07 Mark Lam <[email protected]>
+
+ Remove bad assertion in FTLLowerDFGToB3's compileDelBy().
+ https://bugs.webkit.org/show_bug.cgi?id=208764
+ <rdar://problem/59940095>
+
+ Reviewed by Keith Miller.
+
+ The assertion ASSERT(base.gpr() != params[2].gpr()) is wrong because it is legal
+ JS to pass in the same value as the base and subscript. The runtime will handle
+ it properly.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileDelBy):
+
2020-03-05 Sam Weinig <[email protected]>
Move _javascript_Core related feature defines from FeatureDefines.xcconfig to PlatformEnableCocoa.h
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (258077 => 258078)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2020-03-07 21:46:23 UTC (rev 258077)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2020-03-07 21:56:44 UTC (rev 258078)
@@ -5195,7 +5195,6 @@
if constexpr (kind == DelByKind::Normal)
return CCallHelpers::TrustedImmPtr(subscriptValue);
else {
- ASSERT(base.gpr() != params[2].gpr());
ASSERT(params.gpScratch(0) != params[2].gpr());
if (node->child2().useKind() == UntypedUse)
slowCases.append(jit.branchIfNotCell(JSValueRegs(params[2].gpr())));
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes