Diff
Modified: branches/safari-600.3-branch/LayoutTests/ChangeLog (177096 => 177097)
--- branches/safari-600.3-branch/LayoutTests/ChangeLog 2014-12-10 21:51:15 UTC (rev 177096)
+++ branches/safari-600.3-branch/LayoutTests/ChangeLog 2014-12-10 21:51:20 UTC (rev 177097)
@@ -1,3 +1,21 @@
+2014-12-10 Matthew Hanson <matthew_han...@apple.com>
+
+ Merge r176972. <rdar://problem/19196762>
+
+ 2014-12-08 Mark Lam <mark....@apple.com>
+
+ CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays.
+ <https://webkit.org/b/139327>
+
+ Reviewed by Michael Saboff.
+
+ * js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage-expected.txt: Added.
+ * js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.html: Added.
+ * js/script-tests/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.js: Added.
+ (foo):
+ (test):
+
+
2014-10-29 Chris Dumez <cdu...@apple.com>
Crash in CachedRawResource::canReuse() when reloading http://dnd.wizards.com/dungeons-and-dragons/story
Added: branches/safari-600.3-branch/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage-expected.txt (0 => 177097)
--- branches/safari-600.3-branch/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage-expected.txt (rev 0)
+++ branches/safari-600.3-branch/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage-expected.txt 2014-12-10 21:51:20 UTC (rev 177097)
@@ -0,0 +1,9 @@
+This tests that DFG generated code speculating SlowPutArrayStorageShape doesn't crash when seeing fast ArrayStorageShapes.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
Added: branches/safari-600.3-branch/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.html (0 => 177097)
--- branches/safari-600.3-branch/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.html (rev 0)
+++ branches/safari-600.3-branch/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.html 2014-12-10 21:51:20 UTC (rev 177097)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Added: branches/safari-600.3-branch/LayoutTests/js/script-tests/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.js (0 => 177097)
--- branches/safari-600.3-branch/LayoutTests/js/script-tests/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.js (rev 0)
+++ branches/safari-600.3-branch/LayoutTests/js/script-tests/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.js 2014-12-10 21:51:20 UTC (rev 177097)
@@ -0,0 +1,38 @@
+description(
+"This tests that DFG generated code speculating SlowPutArrayStorageShape doesn't crash when seeing fast ArrayStorageShapes."
+);
+
+var slowPutArrayStorageArray = [ "slow" ];
+var fastArrayStorageArray = [ "fast" ];
+fastArrayStorageArray[1000] = 50;
+
+var o = { a: 10 };
+Object.defineProperties(o, {
+ "0": {
+ set: function(x) { this.a = x; },
+ },
+});
+
+slowPutArrayStorageArray.__proto__ = o;
+
+function foo(a, isFast) {
+ var result = 10;
+ if (!a)
+ return result;
+
+ var doStuff = a[0] && isFast;
+ if (doStuff)
+ result = a[0] + 10;
+ return result;
+}
+
+function test() {
+ for (var k = 0; k < 5000; k++) {
+ foo(slowPutArrayStorageArray, false);
+ foo(fastArrayStorageArray, true);
+ }
+}
+
+test();
+
+var successfullyParsed = true;
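Review bot: The return value of `foo` is discarded on both calls inside `test()`, so this test only fails if the optimized code crashes; a wrong abstract filter that leads to a wrong result without a crash would still print PASS. After `test();` I would add `shouldBe("foo(slowPutArrayStorageArray, false)", "10");` and `shouldBe("foo(fastArrayStorageArray, true)", "'fast10'");`, with the matching PASS lines in the expected file. That assumes the js-test helpers are loaded, as the `description(...)` call suggests. A short comment on why the `[1000]` store and the prototype with an indexed setter are there, and why 5000 iterations (presumably enough to reach the DFG tier), would help whoever has to keep this test meaningful later.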
Modified: branches/safari-600.3-branch/Source/_javascript_Core/ChangeLog (177096 => 177097)
--- branches/safari-600.3-branch/Source/_javascript_Core/ChangeLog 2014-12-10 21:51:15 UTC (rev 177096)
+++ branches/safari-600.3-branch/Source/_javascript_Core/ChangeLog 2014-12-10 21:51:20 UTC (rev 177097)
@@ -1,5 +1,24 @@
2014-12-10 Matthew Hanson <matthew_han...@apple.com>
+ Merge r176972. <rdar://problem/19196762>
+
+ 2014-12-08 Mark Lam <mark....@apple.com>
+
+ CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays.
+ <https://webkit.org/b/139327>
+
+ Reviewed by Michael Saboff.
+
+ The code generator and runtime slow paths expects otherwise. This patch fixes
+ CFA to match the code generator's expectation.
+
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
+ (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes):
+
+
+2014-12-10 Matthew Hanson <matthew_han...@apple.com>
+
Merge r175653. <rdar://problem/19196762>
2014-11-05 Mark Lam <mark....@apple.com>
Modified: branches/safari-600.3-branch/Source/_javascript_Core/dfg/DFGArrayMode.h (177096 => 177097)
--- branches/safari-600.3-branch/Source/_javascript_Core/dfg/DFGArrayMode.h 2014-12-10 21:51:15 UTC (rev 177096)
+++ branches/safari-600.3-branch/Source/_javascript_Core/dfg/DFGArrayMode.h 2014-12-10 21:51:20 UTC (rev 177097)
@@ -406,7 +406,7 @@
case Array::ArrayStorage:
return arrayModesWithIndexingShape(ArrayStorageShape);
case Array::SlowPutArrayStorage:
- return arrayModesWithIndexingShape(SlowPutArrayStorageShape);
+ return arrayModesWithIndexingShapes(SlowPutArrayStorageShape, ArrayStorageShape);
default:
return asArrayModes(NonArray);
}
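Review bot: The `Array::SlowPutArrayStorage` case now returns a wider set than the case label suggests, and nothing at the case says why. Going by the ChangeLog entry, the code generator and the runtime slow paths accept ArrayStorageShape arrays under this speculation, so the filter here has to be at least that wide; presumably a narrower one lets later nodes rely on a shape that was never actually checked. I would add above the new return `// Codegen's SlowPutArrayStorage check also passes ArrayStorageShape; keep this filter in sync with it.` The enclosing function starts outside the hunk.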
@@ -462,6 +462,13 @@
}
}
+ ArrayModes arrayModesWithIndexingShapes(IndexingType shape1, IndexingType shape2) const
+ {
+ ArrayModes arrayMode1 = arrayModesWithIndexingShape(shape1);
+ ArrayModes arrayMode2 = arrayModesWithIndexingShape(shape2);
+ return arrayMode1 | arrayMode2;
+ }
+
bool alreadyChecked(Graph&, Node*, AbstractValue&, IndexingType shape) const;
union {
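Review bot: `arrayModesWithIndexingShapes` has no comment saying it returns the union of the modes for the two shapes, and its name differs from `arrayModesWithIndexingShape` by a single letter. A one-line comment above it, such as `// Union of the array modes accepted for either indexing shape.`, would make the widened filter easier to spot when reading call sites. The two locals could also collapse to `return arrayModesWithIndexingShape(shape1) | arrayModesWithIndexingShape(shape2);`. The enclosing class starts outside the hunk.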