Title: [259264] trunk/Source/_javascript_Core
Revision
259264
Author
ysuz...@apple.com
Date
2020-03-30 18:46:55 -0700 (Mon, 30 Mar 2020)

Log Message

[JSC] DFGArrayMode::alreadyChecked should have NonArray check when ArrayMode is NonArray+SlowPutArrayStorage
https://bugs.webkit.org/show_bug.cgi?id=209791

Reviewed by Saam Barati.

DFGArrayMode::alreadyChecked with NonArray+SlowPutArrayStorage should check NonArray condition.

* dfg/DFGArrayMode.cpp:
(JSC::DFG::ArrayMode::alreadyChecked const):
* dfg/DFGArrayMode.h:
(JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (259263 => 259264)


--- trunk/Source/_javascript_Core/ChangeLog	2020-03-31 01:29:30 UTC (rev 259263)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-03-31 01:46:55 UTC (rev 259264)
@@ -1,3 +1,17 @@
+2020-03-30  Yusuke Suzuki  <ysuz...@apple.com>
+
+        [JSC] DFGArrayMode::alreadyChecked should have NonArray check when ArrayMode is NonArray+SlowPutArrayStorage
+        https://bugs.webkit.org/show_bug.cgi?id=209791
+
+        Reviewed by Saam Barati.
+
+        DFGArrayMode::alreadyChecked with NonArray+SlowPutArrayStorage should check NonArray condition.
+
+        * dfg/DFGArrayMode.cpp:
+        (JSC::DFG::ArrayMode::alreadyChecked const):
+        * dfg/DFGArrayMode.h:
+        (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes const):
+
 2020-03-30  Alexey Shvayka  <shvaikal...@gmail.com>
 
         Add support in named capture group identifiers for direct surrogate pairs

Modified: trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp (259263 => 259264)


--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp	2020-03-31 01:29:30 UTC (rev 259263)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp	2020-03-31 01:46:55 UTC (rev 259264)
@@ -511,7 +511,8 @@
         
     case Array::SlowPutArrayStorage:
         switch (arrayClass()) {
-        case Array::OriginalArray: {
+        case Array::OriginalArray:
+        case Array::OriginalCopyOnWriteArray: {
             CRASH();
             return false;
         }
@@ -530,8 +531,26 @@
             }
             return true;
         }
-        
-        default: {
+
+        // Array::OriginalNonArray can be shown when the value is a TypedArray with original structure.
+        // But here, we already filtered TypedArrays. So, just handle it like a NonArray.
+        case Array::NonArray:
+        case Array::OriginalNonArray: {
+            if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModesIgnoringTypedArrays(NonArrayWithArrayStorage) | asArrayModesIgnoringTypedArrays(NonArrayWithSlowPutArrayStorage)))
+                return true;
+            if (value.m_structure.isTop())
+                return false;
+            for (unsigned i = value.m_structure.size(); i--;) {
+                RegisteredStructure structure = value.m_structure[i];
+                if (!hasAnyArrayStorage(structure->indexingType()))
+                    return false;
+                if (structure->indexingType() & IsArray)
+                    return false;
+            }
+            return true;
+        }
+
+        case Array::PossiblyArray: {
             if (arrayModesAlreadyChecked(value.m_arrayModes, asArrayModesIgnoringTypedArrays(NonArrayWithArrayStorage) | asArrayModesIgnoringTypedArrays(ArrayWithArrayStorage) | asArrayModesIgnoringTypedArrays(NonArrayWithSlowPutArrayStorage) | asArrayModesIgnoringTypedArrays(ArrayWithSlowPutArrayStorage)))
                 return true;
             if (value.m_structure.isTop())
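Review bot: The new NonArray/OriginalNonArray case is a JIT check-elision decision (it decides whether the array-mode check can be skipped), yet the commit adds no regression test: the diff modifies only ChangeLog, DFGArrayMode.cpp and DFGArrayMode.h. Before this change the removed `default:` handled NonArray with the PossiblyArray mask, which includes the ArrayWith* modes, so presumably a real JSArray with slow-put storage reached a NonArray site unchecked; a JSTests stress test covering that shape would pin the `structure->indexingType() & IsArray` rejection added here. The fast-path mask `asArrayModesIgnoringTypedArrays(NonArrayWithArrayStorage) | asArrayModesIgnoringTypedArrays(NonArrayWithSlowPutArrayStorage)` is now spelled out in this case and again inside the PossiblyArray mask below; a local `const ArrayModes nonArrayStorageModes = ...` used by both would keep them in step. The loop could also read `IndexingType indexingType = structure->indexingType();` once rather than calling it for each of the two checks. The comment's claim that TypedArrays were already filtered refers to code outside this hunk; alreadyChecked starts and ends outside it.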
@@ -542,7 +561,8 @@
                     return false;
             }
             return true;
-        } }
+        }
+        }
         
     case Array::DirectArguments:
         return speculationChecked(value.m_type, SpecDirectArguments);

Modified: trunk/Source/_javascript_Core/dfg/DFGArrayMode.h (259263 => 259264)


--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2020-03-31 01:29:30 UTC (rev 259263)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.h	2020-03-31 01:46:55 UTC (rev 259264)
@@ -531,10 +531,9 @@
             if (hasInt32(shape) || hasDouble(shape) || hasContiguous(shape))
                 return asArrayModesIgnoringTypedArrays(shape) | asArrayModesIgnoringTypedArrays(shape | IsArray) | asArrayModesIgnoringTypedArrays(shape | IsArray | CopyOnWrite);
             return asArrayModesIgnoringTypedArrays(shape) | asArrayModesIgnoringTypedArrays(shape | IsArray);
-        default:
-            // This is only necessary for C++ compilers that don't understand enums.
-            return 0;
         }
+        // This is only necessary for C++ compilers that don't understand enums.
+        return 0;
     }
     
     template <typename... Args>
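Review bot: The comment that moved with `return 0;` still reads as if it documented a `default:` label, but the point of this change is the opposite: with no `default`, the compiler can warn about an unhandled shape, and the trailing return only exists to satisfy the missing-return diagnostic. Suggest `// No default case, so an unhandled shape produces a compiler warning; this return only keeps -Wreturn-type quiet.` in its place. arrayModesWithIndexingShapes starts outside the hunk.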