Title: [259598] branches/safari-609.2.1.2-branch/Source/_javascript_Core
- Revision
- 259598
- Author
- alanc...@apple.com
- Date
- 2020-04-06 15:47:10 -0700 (Mon, 06 Apr 2020)
Log Message
Cherry-pick r259264. rdar://problem/61352437
[JSC] DFGArrayMode::alreadyChecked should have NonArray check when ArrayMode is NonArray+SlowPutArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=209791
Reviewed by Saam Barati.
DFGArrayMode::alreadyChecked with NonArray+SlowPutArrayStorage should check NonArray condition.
* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::alreadyChecked const):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259264 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-609.2.1.2-branch/Source/_javascript_Core/ChangeLog (259597 => 259598)
--- branches/safari-609.2.1.2-branch/Source/_javascript_Core/ChangeLog 2020-04-06 21:59:37 UTC (rev 259597)
+++ branches/safari-609.2.1.2-branch/Source/_javascript_Core/ChangeLog 2020-04-06 22:47:10 UTC (rev 259598)
@@ -1,3 +1,35 @@
+2020-04-06 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r259264. rdar://problem/61352437
+
+ [JSC] DFGArrayMode::alreadyChecked should have NonArray check when ArrayMode is NonArray+SlowPutArrayStorage
+ https://bugs.webkit.org/show_bug.cgi?id=209791
+
+ Reviewed by Saam Barati.
+
+ DFGArrayMode::alreadyChecked with NonArray+SlowPutArrayStorage should check NonArray condition.
+
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::alreadyChecked const):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@259264 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-03-30 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] DFGArrayMode::alreadyChecked should have NonArray check when ArrayMode is NonArray+SlowPutArrayStorage
+ https://bugs.webkit.org/show_bug.cgi?id=209791
+
+ Reviewed by Saam Barati.
+
+ DFGArrayMode::alreadyChecked with NonArray+SlowPutArrayStorage should check NonArray condition.
+
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::ArrayMode::alreadyChecked const):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
+
2020-04-03 Alan Coon <alanc...@apple.com>
Cherry-pick r259355. rdar://problem/61269741
Modified: branches/safari-609.2.1.2-branch/Source/_javascript_Core/dfg/DFGArrayMode.cpp (259597 => 259598)
--- branches/safari-609.2.1.2-branch/Source/_javascript_Core/dfg/DFGArrayMode.cpp 2020-04-06 21:59:37 UTC (rev 259597)
+++ branches/safari-609.2.1.2-branch/Source/_javascript_Core/dfg/DFGArrayMode.cpp 2020-04-06 22:47:10 UTC (rev 259598)
@@ -510,7 +510,8 @@
case Array::SlowPutArrayStorage:
switch (arrayClass()) {
- case Array::OriginalArray: {
+ case Array::OriginalArray:
+ case Array::OriginalCopyOnWriteArray: {
CRASH();
return false;
}
@@ -529,8 +530,26 @@
}
return true;
}
-
- default: {
+
+ // Array::OriginalNonArray can be shown when the value is a TypedArray with original structure.
+ // But here, we already filtered TypedArrays. So, just handle it like a NonArray.
+ case Array::NonArray:
+ case Array::OriginalNonArray: {
+ if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModesIgnoringTypedArrays(NonArrayWithArrayStorage) | asArrayModesIgnoringTypedArrays(NonArrayWithSlowPutArrayStorage)))
+ return true;
+ if (value.m_structure.isTop())
+ return false;
+ for (unsigned i = value.m_structure.size(); i--;) {
+ RegisteredStructure structure = value.m_structure[i];
+ if (!hasAnyArrayStorage(structure->indexingType()))
+ return false;
+ if (structure->indexingType() & IsArray)
+ return false;
+ }
+ return true;
+ }
+
+ case Array::PossiblyArray: {
if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModesIgnoringTypedArrays(NonArrayWithArrayStorage) | asArrayModesIgnoringTypedArrays(ArrayWithArrayStorage) | asArrayModesIgnoringTypedArrays(NonArrayWithSlowPutArrayStorage) | asArrayModesIgnoringTypedArrays(ArrayWithSlowPutArrayStorage)))
return true;
if (value.m_structure.isTop())
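Review bot: With `default:` replaced by `case Array::PossiblyArray:`, the inner `switch (arrayClass())` under `Array::SlowPutArrayStorage` no longer has a catch-all, and in the following hunk its closing brace is followed directly by `case Array::DirectArguments:`. Every class visible in these hunks returns, but a value not matched by any case (a later enum addition, or a corrupted mode) would leave the inner switch and be answered by the DirectArguments speculation check instead. Since a `true` result from alreadyChecked presumably lets the compiler omit the array check, that path should fail closed. Consider adding `RELEASE_ASSERT_NOT_REACHED();` (or `CRASH();`, as already used for the OriginalArray case) immediately after the inner switch's closing brace. The enclosing function starts and ends outside this hunk, so the full case list could not be confirmed from here.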
@@ -541,7 +560,8 @@
return false;
}
return true;
- } }
+ }
+ }
case Array::DirectArguments:
return speculationChecked(value.m_type, SpecDirectArguments);
Modified: branches/safari-609.2.1.2-branch/Source/_javascript_Core/dfg/DFGArrayMode.h (259597 => 259598)
--- branches/safari-609.2.1.2-branch/Source/_javascript_Core/dfg/DFGArrayMode.h 2020-04-06 21:59:37 UTC (rev 259597)
+++ branches/safari-609.2.1.2-branch/Source/_javascript_Core/dfg/DFGArrayMode.h 2020-04-06 22:47:10 UTC (rev 259598)
@@ -531,10 +531,9 @@
if (hasInt32(shape) || hasDouble(shape) || hasContiguous(shape))
return asArrayModesIgnoringTypedArrays(shape) | asArrayModesIgnoringTypedArrays(shape | IsArray) | asArrayModesIgnoringTypedArrays(shape | IsArray | CopyOnWrite);
return asArrayModesIgnoringTypedArrays(shape) | asArrayModesIgnoringTypedArrays(shape | IsArray);
- default:
- // This is only necessary for C++ compilers that don't understand enums.
- return 0;
}
+ // This is only necessary for C++ compilers that don't understand enums.
+ return 0;
}
template <typename... Args>
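Review bot: The relocated `return 0;` after the switch in arrayModesWithIndexingShapes keeps the old comment about compilers that don't understand enums, which no longer explains what the line is for. With the `default:` label removed, this is now the path taken by any arrayClass() value that no case handles, so the comment should say so, e.g. `// Not reached for handled array classes; returns an empty mode set so every path returns.` A `RELEASE_ASSERT_NOT_REACHED();` ahead of it would make an unexpected value visible instead of silently producing an empty mask. The function's opening and its earlier cases are outside this hunk.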