DFG loads from signed 8-bit and 16-bit typed arrays are broken
https://bugs.webkit.org/show_bug.cgi?id=75163
Source/JavaScriptCore:
Reviewed by Geoffrey Garen.
Added 8-bit and 16-bit signed loads. Because doing so on ARM is less trivial, I'm
currently disabling Int8Array and Int16Array optimizations on ARM.
- assembler/MacroAssemblerX86Common.h:
(JSC::MacroAssemblerX86Common::load8Signed):
(JSC::MacroAssemblerX86Common::load16Signed):
- assembler/X86Assembler.h:
(JSC::X86Assembler::movswl_mr):
(JSC::X86Assembler::movsbl_mr):
- bytecode/PredictedType.h:
(JSC::isActionableMutableArrayPrediction):
(JSC::DFG::Node::shouldSpeculateInt8Array):
(JSC::DFG::Node::shouldSpeculateInt16Array):
- dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
LayoutTests:
Reviewed by Geoffrey Garen.
Fixed some minor goofs in the previously committed typed array tests, and added
new ones to cover this bug.
- fast/js/dfg-int16array-expected.txt: Added.
- fast/js/dfg-int16array.html: Added.
- fast/js/dfg-int8array-expected.txt: Added.
- fast/js/dfg-int8array.html: Added.
- fast/js/script-tests/dfg-float32array.js:
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
- fast/js/script-tests/dfg-int16array.js: Added.
(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):
- fast/js/script-tests/dfg-int32array.js:
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
- fast/js/script-tests/dfg-int8array.js: Added.
(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):