Title: [267135] trunk
- Revision
- 267135
- Author
- sbar...@apple.com
- Date
- 2020-09-15 23:07:36 -0700 (Tue, 15 Sep 2020)
Log Message
JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays
https://bugs.webkit.org/show_bug.cgi?id=216589
<rdar://problem/68061245>
Reviewed by Yusuke Suzuki.
JSTests:
* stress/jsimmutablebutterfly-get-must-return-double-boxed-value.js: Added.
Source/_javascript_Core:
We are using JSImmutableButterfly::get in AI to constant fold GetByVal,
but we were failing to always return a boxed double value for double loads.
We were calling jsNumber instead of jsDooubleNumber. This is in contrast to
the runtime, which always returns a double boxed value. This would lead AI
to disagree with the runtime, and miscompile code.
* runtime/JSImmutableButterfly.h:
(JSC::JSImmutableButterfly::get const):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (267134 => 267135)
--- trunk/JSTests/ChangeLog 2020-09-16 04:43:48 UTC (rev 267134)
+++ trunk/JSTests/ChangeLog 2020-09-16 06:07:36 UTC (rev 267135)
@@ -1,3 +1,13 @@
+2020-09-15 Saam Barati <sbar...@apple.com>
+
+ JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays
+ https://bugs.webkit.org/show_bug.cgi?id=216589
+ <rdar://problem/68061245>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/jsimmutablebutterfly-get-must-return-double-boxed-value.js: Added.
+
2020-09-15 Yusuke Suzuki <ysuz...@apple.com>
[JSC] Cache UDateTimePatternGenerator
Added: trunk/JSTests/stress/jsimmutablebutterfly-get-must-return-double-boxed-value.js (0 => 267135)
--- trunk/JSTests/stress/jsimmutablebutterfly-get-must-return-double-boxed-value.js (rev 0)
+++ trunk/JSTests/stress/jsimmutablebutterfly-get-must-return-double-boxed-value.js 2020-09-16 06:07:36 UTC (rev 267135)
@@ -0,0 +1,14 @@
+const a0 = [ 2, 0.3 ];
+const o = {};
+function foo(arg) {
+ for (const c of '123456') {
+ let b = arg instanceof Array;
+ let cond = a0[-b] < 1;
+ do {} while (cond);
+ o[arg] = undefined;
+ }
+}
+foo([]);
+foo('');
+foo('');
+foo('');
Modified: trunk/Source/_javascript_Core/ChangeLog (267134 => 267135)
--- trunk/Source/_javascript_Core/ChangeLog 2020-09-16 04:43:48 UTC (rev 267134)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-09-16 06:07:36 UTC (rev 267135)
@@ -1,3 +1,20 @@
+2020-09-15 Saam Barati <sbar...@apple.com>
+
+ JSImmutableButterfly::get needs to return jsDoubleNumber for double arrays
+ https://bugs.webkit.org/show_bug.cgi?id=216589
+ <rdar://problem/68061245>
+
+ Reviewed by Yusuke Suzuki.
+
+ We are using JSImmutableButterfly::get in AI to constant fold GetByVal,
+ but we were failing to always return a boxed double value for double loads.
+ We were calling jsNumber instead of jsDooubleNumber. This is in contrast to
+ the runtime, which always returns a double boxed value. This would lead AI
+ to disagree with the runtime, and miscompile code.
+
+ * runtime/JSImmutableButterfly.h:
+ (JSC::JSImmutableButterfly::get const):
+
2020-09-15 Yusuke Suzuki <ysuz...@apple.com>
[JSC] Cache UDateTimePatternGenerator
Modified: trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.h (267134 => 267135)
--- trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.h 2020-09-16 04:43:48 UTC (rev 267134)
+++ trunk/Source/_javascript_Core/runtime/JSImmutableButterfly.h 2020-09-16 06:07:36 UTC (rev 267135)
@@ -142,7 +142,7 @@
double value = toButterfly()->contiguousDouble().at(this, index);
// Holes are not supported yet.
ASSERT(!std::isnan(value));
- return jsNumber(value);
+ return jsDoubleNumber(value);
}
static void visitChildren(JSCell*, SlotVisitor&);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
