Changeset 129588 in webkit for trunk/Source/JavaScriptCore/dfg


Timestamp:
Sep 25, 2012, 7:56:19 PM (13 years ago)
Author:
[email protected]
Message:

DFG ArrayPush, ArrayPop don't handle clobbering or having a bad time correctly
https://bugs.webkit.org/show_bug.cgi?id=97535

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

  • dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsic):

  • dfg/DFGStructureCheckHoistingPhase.cpp:

(JSC::DFG::StructureCheckHoistingPhase::run):

LayoutTests:

Rubber stamped by Oliver Hunt.

  • fast/js/dfg-array-pop-side-effects-expected.txt: Added.
  • fast/js/dfg-array-pop-side-effects.html: Added.
  • fast/js/dfg-array-push-bad-time-expected.txt: Added.
  • fast/js/dfg-array-push-bad-time.html: Added.
  • fast/js/dfg-array-push-slow-put-expected.txt: Added.
  • fast/js/dfg-array-push-slow-put.html: Added.
  • fast/js/jsc-test-list:
  • fast/js/script-tests/dfg-array-pop-side-effects.js: Added.

(foo):
(.b):

  • fast/js/script-tests/dfg-array-push-bad-time.js: Added.
  • fast/js/script-tests/dfg-array-push-slow-put.js: Added.

(foo):

Location:
trunk/Source/JavaScriptCore/dfg
Files:
3 edited

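--- a/trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
@@ -1002,9 +1002,11 @@
     case ArrayPush:
         node.setCanExit(true);
+        clobberWorld(node.codeOrigin, indexInBlock);
         forNode(nodeIndex).set(SpecNumber);
         break;
 
     case ArrayPop:
         node.setCanExit(true);
+        clobberWorld(node.codeOrigin, indexInBlock);
         forNode(nodeIndex).makeTop();
         break;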
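Review bot: The two new clobberWorld calls carry no explanation of why a push or pop invalidates everything the abstract interpreter knows about the heap, and this switch is the first place a future maintainer will look before removing them again as "unnecessary". From the test names the changeset adds (dfg-array-pop-side-effects, dfg-array-push-bad-time) it appears the reason is that these operations can take a slow path that runs arbitrary JS, but the hunk itself does not say so. A why-comment above the first call, e.g. `// Push/pop may take a slow path that runs arbitrary JS, so nothing about the heap survives them.`, would protect the fix. The enclosing AbstractState::execute switch starts and ends outside this hunk.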
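--- a/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
@@ -1568,11 +1568,20 @@
 
         Array::Mode arrayMode = getArrayMode(m_currentInstruction[5].u.arrayProfile);
-        if (!modeIsJSArray(arrayMode))
+        switch (arrayMode) {
+        case Array::ArrayWithArrayStorageToHole:
+            ASSERT_NOT_REACHED();
+
+        case Array::ArrayWithArrayStorage:
+        case Array::ArrayWithArrayStorageOutOfBounds: {
+            NodeIndex arrayPush = addToGraph(ArrayPush, OpInfo(arrayMode), OpInfo(prediction), get(registerOffset + argumentToOperand(0)), get(registerOffset + argumentToOperand(1)));
+            if (usesResult)
+                set(resultOperand, arrayPush);
+
+            return true;
+        }
+
+        default:
             return false;
-        NodeIndex arrayPush = addToGraph(ArrayPush, OpInfo(arrayMode), OpInfo(prediction), get(registerOffset + argumentToOperand(0)), get(registerOffset + argumentToOperand(1)));
-        if (usesResult)
-            set(resultOperand, arrayPush);
-
-        return true;
+        }
     }
 
@@ -1582,10 +1591,19 @@
 
         Array::Mode arrayMode = getArrayMode(m_currentInstruction[5].u.arrayProfile);
-        if (!modeIsJSArray(arrayMode))
+        switch (arrayMode) {
+        case Array::ArrayWithArrayStorageToHole:
+            ASSERT_NOT_REACHED();
+
+        case Array::ArrayWithArrayStorage:
+        case Array::ArrayWithArrayStorageOutOfBounds: {
+            NodeIndex arrayPop = addToGraph(ArrayPop, OpInfo(arrayMode), OpInfo(prediction), get(registerOffset + argumentToOperand(0)));
+            if (usesResult)
+                set(resultOperand, arrayPop);
+            return true;
+        }
+
+        default:
             return false;
-        NodeIndex arrayPop = addToGraph(ArrayPop, OpInfo(arrayMode), OpInfo(prediction), get(registerOffset + argumentToOperand(0)));
-        if (usesResult)
-            set(resultOperand, arrayPop);
-        return true;
+        }
     }
 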
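Review bot: In both new switches the `case Array::ArrayWithArrayStorageToHole:` arm ends in `ASSERT_NOT_REACHED();` and then falls through into the ArrayWithArrayStorage arm, so a release build, where that assert compiles away, would silently emit an ArrayPush or ArrayPop node for a mode the parser claims cannot occur here. If the mode really is unreachable at parse time, `ASSERT_NOT_REACHED();` followed by `return false;` makes release builds decline the intrinsic and leave it to the generic call path instead of depending on the fall-through being benign. If the fall-through is intentional, a `// Fall through` comment saying so would stop the next reader from "fixing" it. The same pattern appears in the ArrayPop hunk; both hunks sit inside handleIntrinsic, whose start and end are outside this section.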
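--- a/trunk/Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp
@@ -316,4 +316,6 @@
                 case ResolveBaseStrictPut:
                 case ResolveGlobal:
+                case ArrayPush:
+                case ArrayPop:
                 case Arrayify:
                     clobber(live);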
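Review bot: This case list of clobbering nodes now has to agree with the clobberWorld calls the same changeset adds to AbstractState::execute in DFGAbstractState.cpp, and nothing at either site records that dependency, so the next node that gains a clobberWorld call can easily be missed here. A one-line comment above the list, e.g. `// Keep in sync with the nodes that call clobberWorld() in DFGAbstractState.cpp.`, would make the coupling visible. The switch these cases belong to starts and ends outside the hunk.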