Title: [287621] branches/safari-612-branch
Revision: 287621
Author: repst...@apple.com
Date: 2022-01-05 10:20:44 -0800 (Wed, 05 Jan 2022)

Log Message

Cherry-pick r285978. rdar://problem/87124911

    [JSC] TypedArray GetArrayLength should not use Reuse
    https://bugs.webkit.org/show_bug.cgi?id=233299
    rdar://85502079

    Reviewed by Robin Morisset.

    JSTests:

    * stress/get-array-length-reuse.js: Added.
    (foo):

    Source/JavaScriptCore:

    We should not perform OSR exit after assigning a value to a reused register; otherwise,
    OSR exit cannot recover the proper value. Now TypedArray GetArrayLength can perform
    OSR exit after loading a length, so we should not use a reused register for the length.

    * dfg/DFGSpeculativeJIT.cpp:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@285978 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-612-branch/JSTests/ChangeLog (287620 => 287621)


--- branches/safari-612-branch/JSTests/ChangeLog	2022-01-05 18:20:40 UTC (rev 287620)
+++ branches/safari-612-branch/JSTests/ChangeLog	2022-01-05 18:20:44 UTC (rev 287621)
@@ -1,3 +1,39 @@
+2022-01-05  Russell Epstein  <repst...@apple.com>
+
+        Cherry-pick r285978. rdar://problem/87124911
+
+    [JSC] TypedArray GetArrayLength should not use Reuse
+    https://bugs.webkit.org/show_bug.cgi?id=233299
+    rdar://85502079
+    
+    Reviewed by Robin Morisset.
+    
+    JSTests:
+    
+    * stress/get-array-length-reuse.js: Added.
+    (foo):
+    
+    Source/_javascript_Core:
+    
+    We should not perform OSR exit after assigning a value to a reused register, otherwise,
+    OSR exit cannot recover the proper value. Now TypedArray GetArrayLength can perform
+    OSR exit after loading a length, so we should not use reused register for length.
+    
+    * dfg/DFGSpeculativeJIT.cpp:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@285978 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-17  Yusuke Suzuki  <ysuz...@apple.com>
+
+            [JSC] TypedArray GetArrayLength should not use Reuse
+            https://bugs.webkit.org/show_bug.cgi?id=233299
+            rdar://85502079
+
+            Reviewed by Robin Morisset.
+
+            * stress/get-array-length-reuse.js: Added.
+            (foo):
+
 2021-11-11  Alan Coon  <alanc...@apple.com>
 
         Cherry-pick r283300. rdar://problem/85259264
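Review bot: the indentation inside this new ChangeLog entry is inconsistent: the wrapper line `Cherry-pick r285978. rdar://problem/87124911` is indented eight spaces, the copied log body (`[JSC] TypedArray GetArrayLength should not use Reuse` and the following lines) only four, and the nested original entry (`2021-11-17  Yusuke Suzuki`) twelve. The entry would be easier to read and to parse if the cherry-picked text used one indentation level throughout. Also, the `(foo):` line carries no description of what the test exercises; one short clause saying that `foo` touches `arguments` and reads a TypedArray length in a loop that is later fed an array whose length needs the OSR exit path would make the purpose of the test clear to the next reader.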

Added: branches/safari-612-branch/JSTests/stress/get-array-length-reuse.js (0 => 287621)


--- branches/safari-612-branch/JSTests/stress/get-array-length-reuse.js	                        (rev 0)
+++ branches/safari-612-branch/JSTests/stress/get-array-length-reuse.js	2022-01-05 18:20:44 UTC (rev 287621)
@@ -0,0 +1,12 @@
+function foo(a) {
+  arguments;
+  a.length;
+}
+
+let x = new Uint8Array();
+for (let i = 0; i < 10000; ++i)
+  foo(x);
+
+try {
+    foo(new Uint8Array(2**31));
+} catch { }
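Review bot: the test has no positive assertion and only passes when nothing crashes: `foo` discards `a.length`, and the bare `catch { }` swallows every exception, so a wrong length value recovered after the OSR exit would go unnoticed. Consider having `foo` return `a.length`, restricting the try/catch to the allocation, and checking the result when the allocation succeeds, e.g.
`let big; try { big = new Uint8Array(2**31); } catch { }`
`if (big && foo(big) !== 2**31) throw new Error("bad length");`
On builds where the allocation fails the test would still pass, as it does now, while builds that support large typed arrays would actually verify the recovered value.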

Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (287620 => 287621)


--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2022-01-05 18:20:40 UTC (rev 287620)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2022-01-05 18:20:44 UTC (rev 287621)
@@ -1,3 +1,42 @@
+2022-01-05  Russell Epstein  <repst...@apple.com>
+
+        Cherry-pick r285978. rdar://problem/87124911
+
+    [JSC] TypedArray GetArrayLength should not use Reuse
+    https://bugs.webkit.org/show_bug.cgi?id=233299
+    rdar://85502079
+    
+    Reviewed by Robin Morisset.
+    
+    JSTests:
+    
+    * stress/get-array-length-reuse.js: Added.
+    (foo):
+    
+    Source/_javascript_Core:
+    
+    We should not perform OSR exit after assigning a value to a reused register, otherwise,
+    OSR exit cannot recover the proper value. Now TypedArray GetArrayLength can perform
+    OSR exit after loading a length, so we should not use reused register for length.
+    
+    * dfg/DFGSpeculativeJIT.cpp:
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@285978 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-11-17  Yusuke Suzuki  <ysuz...@apple.com>
+
+            [JSC] TypedArray GetArrayLength should not use Reuse
+            https://bugs.webkit.org/show_bug.cgi?id=233299
+            rdar://85502079
+
+            Reviewed by Robin Morisset.
+
+            We should not perform OSR exit after assigning a value to a reused register, otherwise,
+            OSR exit cannot recover the proper value. Now TypedArray GetArrayLength can perform
+            OSR exit after loading a length, so we should not use reused register for length.
+
+            * dfg/DFGSpeculativeJIT.cpp:
+
 2021-11-11  Alan Coon  <alanc...@apple.com>
 
         Cherry-pick r283300. rdar://problem/85259264
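Review bot: the `* dfg/DFGSpeculativeJIT.cpp:` line in both the cherry-pick wrapper and the nested original entry lacks the per-function entry that WebKit ChangeLogs normally carry; add the function containing the changed `GPRTemporary result` line so the entry can be matched to the code. Separately, the nested `2021-11-17  Yusuke Suzuki` block repeats the three-sentence explanation already given in the wrapper; keeping only one copy of the explanation would shorten the entry without losing information.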

Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (287620 => 287621)


--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2022-01-05 18:20:40 UTC (rev 287620)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2022-01-05 18:20:44 UTC (rev 287621)
@@ -8358,7 +8358,7 @@
     default: {
         ASSERT(node->arrayMode().isSomeTypedArrayView());
         SpeculateCellOperand base(this, node->child1());
-        GPRTemporary result(this, Reuse, base);
+        GPRTemporary result(this);
         GPRReg baseGPR = base.gpr();
         GPRReg resultGPR = result.gpr();
 #if USE(LARGE_TYPED_ARRAYS)
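Review bot: the change is correct but silent: `GPRTemporary result(this);` looks like a missed optimisation next to the `Reuse, base` pattern used elsewhere, and a future cleanup could reintroduce the bug. Add a one-line comment above the declaration stating that the length load below may OSR exit (per the ChangeLog, on the `USE(LARGE_TYPED_ARRAYS)` path), and that `result` therefore must not alias `baseGPR`, because an exit taken after `resultGPR` has been written would recover `base` from a register that now holds the length. It would also be worth checking whether other TypedArray length or byteLength paths in this function still pair `Reuse` with a load that can exit, so the same fix is applied consistently rather than only at the site the test happened to hit.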