Ignore:
Timestamp:
Feb 26, 2015, 2:44:45 PM (10 years ago)
Author:
[email protected]
Message:

Various array access corner cases should take OSR exit feedback
https://bugs.webkit.org/show_bug.cgi?id=142056

Reviewed by Geoffrey Garen.
Source/JavaScriptCore:


Two major changes here:

  • Don't keep converting GetById into GetArrayLength if we exited due to any kind of array type check.


  • Use a generic form of GetByVal/PutByVal if we exited due to any kind of exotic checks, like the Arguments safety checks. We use the "ExoticObjectMode" for out-of-bounds on arguments for now, since it's a convenient way of forcing out-of-bounds to be handled by the Generic array mode.
  • bytecode/ExitKind.cpp:

(JSC::exitKindToString):

  • bytecode/ExitKind.h:
  • dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::refine):

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnArguments):
(JSC::DFG::SpeculativeJIT::compileGetArgumentsLength):

  • tests/stress/array-length-array-storage-plain-object.js: Added.

(foo):

  • tests/stress/array-length-plain-object.js: Added.

(foo):

LayoutTests:

  • js/regress/arguments-out-of-bounds-expected.txt: Added.
  • js/regress/arguments-out-of-bounds.html: Added.
  • js/regress/exit-length-on-plain-object-expected.txt: Added.
  • js/regress/exit-length-on-plain-object.html: Added.
  • js/regress/script-tests/arguments-out-of-bounds.js: Added.

(foo):
(bar):

  • js/regress/script-tests/exit-length-on-plain-object.js: Added.

(foo):

  • js/regress/script-tests/string-out-of-bounds.js: Added.

(bar):

  • js/regress/string-out-of-bounds-expected.txt: Added.
  • js/regress/string-out-of-bounds.html: Added.
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp

    r171380 r180703  
    11/*
    2  * Copyright (C) 2012, 2013, 2014 Apple Inc. All rights reserved.
     2 * Copyright (C) 2012-2015 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    146146   
    147147    if (!isInt32Speculation(index))
     148        return ArrayMode(Array::Generic);
     149   
     150    // If we had exited because of an exotic object behavior, then don't try to specialize.
     151    if (graph.hasExitSite(node->origin.semantic, ExoticObjectMode))
    148152        return ArrayMode(Array::Generic);
    149153   
Note: See TracChangeset for help on using the changeset viewer.