Changeset 222658 in webkit for trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

Timestamp:

Sep 29, 2017, 11:49:37 AM (8 years ago)

Author:

[email protected]

Message:

Unreviewed, rolling out r222563, r222565, and r222581.
​https://bugs.webkit.org/show_bug.cgi?id=177675

"It causes a crash when playing youtube videos" (Requested by
saamyjoon on #webkit).

Reverted changesets:

"[DFG] Support ArrayPush with multiple args"
​https://bugs.webkit.org/show_bug.cgi?id=175823
​http://trac.webkit.org/changeset/222563

"Unreviewed, build fix after r222563"
​https://bugs.webkit.org/show_bug.cgi?id=175823
​http://trac.webkit.org/changeset/222565

"Unreviewed, fix x86 breaking due to exhausted registers"
​https://bugs.webkit.org/show_bug.cgi?id=175823
​http://trac.webkit.org/changeset/222581

File:

• trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

@@ -870 +870 @@
     NativeCallFrameTracer tracer(vm, exec);
     
-    array->pushInline(exec, JSValue::decode(encodedValue));
+    array->push(exec, JSValue::decode(encodedValue));
     return JSValue::encode(jsNumber(array->length()));
 }
@@ -879 +879 @@
     NativeCallFrameTracer tracer(vm, exec);
     
-    array->pushInline(exec, JSValue(JSValue::EncodeAsDouble, value));
-    return JSValue::encode(jsNumber(array->length()));
-}
-
-EncodedJSValue JIT_OPERATION operationArrayPushMultiple(ExecState* exec, JSArray* array, void* buffer, int32_t elementCount)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
-    // We assume that multiple JSArray::push calls with ArrayWithInt32/ArrayWithContiguous do not cause JS traps.
-    // If it can cause any JS interactions, we can call the caller JS function of this function and overwrite the
-    // content of ScratchBuffer. If the IndexingType is now ArrayWithInt32/ArrayWithContiguous, we can ensure
-    // that there is no indexed accessors in this object and its prototype chain.
-    //
-    // ArrayWithArrayStorage is also OK. It can have indexed accessors. But if you define an indexed accessor, the array's length
-    // becomes larger than that index. So Array#push never overlaps with this accessor. So accessors are never called unless
-    // the IndexingType is ArrayWithSlowPutArrayStorage which could have an indexed accessor in a prototype chain.
-    RELEASE_ASSERT(!shouldUseSlowPut(array->indexingType()));
-
-    EncodedJSValue* values = static_cast<EncodedJSValue*>(buffer);
-    for (int32_t i = 0; i < elementCount; ++i) {
-        array->pushInline(exec, JSValue::decode(values[i]));
-        RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    }
-    return JSValue::encode(jsNumber(array->length()));
-}
-
-EncodedJSValue JIT_OPERATION operationArrayPushDoubleMultiple(ExecState* exec, JSArray* array, void* buffer, int32_t elementCount)
-{
-    VM& vm = exec->vm();
-    NativeCallFrameTracer tracer(&vm, exec);
-    auto scope = DECLARE_THROW_SCOPE(vm);
-
-    // We assume that multiple JSArray::push calls with ArrayWithDouble do not cause JS traps.
-    // If it can cause any JS interactions, we can call the caller JS function of this function and overwrite the
-    // content of ScratchBuffer. If the IndexingType is now ArrayWithDouble, we can ensure
-    // that there is no indexed accessors in this object and its prototype chain.
-    ASSERT(array->indexingType() == ArrayWithDouble);
-
-    double* values = static_cast<double*>(buffer);
-    for (int32_t i = 0; i < elementCount; ++i) {
-        array->pushInline(exec, JSValue(JSValue::EncodeAsDouble, values[i]));
-        RETURN_IF_EXCEPTION(scope, encodedJSValue());
-    }
+    array->push(exec, JSValue(JSValue::EncodeAsDouble, value));
     return JSValue::encode(jsNumber(array->length()));
 }