Changeset 129588 in webkit for trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

Timestamp:

Sep 25, 2012, 7:56:19 PM (13 years ago)

Author:

[email protected]

Message:

DFG ArrayPush, ArrayPop don't handle clobbering or having a bad time correctly
​https://bugs.webkit.org/show_bug.cgi?id=97535

Source/JavaScriptCore:

Reviewed by Oliver Hunt.

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleIntrinsic):

• dfg/DFGStructureCheckHoistingPhase.cpp:

(JSC::DFG::StructureCheckHoistingPhase::run):

LayoutTests:

Rubber stamped by Oliver Hunt.

• fast/js/dfg-array-pop-side-effects-expected.txt: Added.
• fast/js/dfg-array-pop-side-effects.html: Added.
• fast/js/dfg-array-push-bad-time-expected.txt: Added.
• fast/js/dfg-array-push-bad-time.html: Added.
• fast/js/dfg-array-push-slow-put-expected.txt: Added.
• fast/js/dfg-array-push-slow-put.html: Added.
• fast/js/jsc-test-list:
• fast/js/script-tests/dfg-array-pop-side-effects.js: Added.

(foo):
(.b):

• fast/js/script-tests/dfg-array-push-bad-time.js: Added.
• fast/js/script-tests/dfg-array-push-slow-put.js: Added.

(foo):

File:

• trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -1002 +1002 @@
     case ArrayPush:
         node.setCanExit(true);
+        clobberWorld(node.codeOrigin, indexInBlock);
         forNode(nodeIndex).set(SpecNumber);
         break;
@@ -1007 +1008 @@
     case ArrayPop:
         node.setCanExit(true);
+        clobberWorld(node.codeOrigin, indexInBlock);
         forNode(nodeIndex).makeTop();
         break;