Changeset 172401 in webkit for trunk/Source/JavaScriptCore/tests

Timestamp:

Aug 11, 2014, 11:59:44 AM (11 years ago)

Author:

[email protected]

Message:

for-in optimization should also make sure the base matches the object being iterated
​https://bugs.webkit.org/show_bug.cgi?id=135782

Reviewed by Geoffrey Garen.

If we access a different base object with the same index, we shouldn't try to randomly
load from that object's backing store.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):

• bytecompiler/BytecodeGenerator.h:

(JSC::ForInContext::ForInContext):
(JSC::ForInContext::base):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):

• bytecompiler/NodesCodegen.cpp:

(JSC::ForInNode::emitMultiLoopBytecode):

• tests/stress/for-in-tests.js:

File:

• trunk/Source/JavaScriptCore/tests/stress/for-in-tests.js (modified) (1 diff)

trunk/Source/JavaScriptCore/tests/stress/for-in-tests.js

@@ -76 +76 @@
     foo(null);
 })();
+(function() {
+    var foo = function(a, b) {
+        for (var p in a) {
+            var f1 = a[p];
+            var f2 = b[p];
+            if (f1 === f2)
+                continue;
+            a[p] = b[p];
+        }
+    };
+    noInline(foo);
+    for (var i = 0; i < 10000; ++i) {
+        var o1 = {};
+        var o2 = {};
+        o2.x = 42;
+        o2.y = 53;
+        foo(o1, o2);
+        if (o1.x !== o2.x)
+            throw new Error("bad result: " + o1.x + "!==" + o2.x);
+        if (o1.y !== o2.y)
+            throw new Error("bad result: " + o1.y + "!==" + o2.y);
+    }
+})();