Changeset 172401 in webkit for trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

Timestamp:

Aug 11, 2014, 11:59:44 AM (11 years ago)

Author:

[email protected]

Message:

for-in optimization should also make sure the base matches the object being iterated
​https://bugs.webkit.org/show_bug.cgi?id=135782

Reviewed by Geoffrey Garen.

If we access a different base object with the same index, we shouldn't try to randomly
load from that object's backing store.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):

• bytecompiler/BytecodeGenerator.h:

(JSC::ForInContext::ForInContext):
(JSC::ForInContext::base):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):

• bytecompiler/NodesCodegen.cpp:

(JSC::ForInNode::emitMultiLoopBytecode):

• tests/stress/for-in-tests.js:

File:

• trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -2045 +2045 @@
         this->emitLoopHeader(generator, propertyName.get());
 
-        generator.pushIndexedForInScope(local.get(), i.get());
+        generator.pushIndexedForInScope(base.get(), local.get(), i.get());
         generator.emitNode(dst, m_statement);
         generator.popIndexedForInScope(local.get());
@@ -2079 +2079 @@
         this->emitLoopHeader(generator, propertyName.get());
 
-        generator.pushStructureForInScope(local.get(), i.get(), propertyName.get(), structureEnumerator.get());
+        generator.pushStructureForInScope(base.get(), local.get(), i.get(), propertyName.get(), structureEnumerator.get());
         generator.emitNode(dst, m_statement);
         generator.popStructureForInScope(local.get());