Title: [199391] trunk/Source/_javascript_Core
- Revision
- 199391
- Author
- [email protected]
- Date
- 2016-04-12 14:52:08 -0700 (Tue, 12 Apr 2016)
Log Message
AbstractValue should use the result type to filter structures
https://bugs.webkit.org/show_bug.cgi?id=156516
Reviewed by Geoffrey Garen.
When filtering an AbstractValue with a SpeculatedType we would not use the merged type when
filtering out the valid structures (despite what the comment directly above said). This
would cause us to crash if our structure-set was Top and the two speculated types were
different kinds of cells.
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::filter):
* tests/stress/ai-consistency-filter-cells.js: Added.
(get value):
(attribute.value.get record):
(attribute.attrs.get this):
(get foo):
(let.thisValue.return.serialize):
(let.thisValue.transformFor):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (199390 => 199391)
--- trunk/Source/_javascript_Core/ChangeLog 2016-04-12 21:35:33 UTC (rev 199390)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-04-12 21:52:08 UTC (rev 199391)
@@ -1,3 +1,25 @@
+2016-04-12 Keith Miller <[email protected]>
+
+ AbstractValue should use the result type to filter structures
+ https://bugs.webkit.org/show_bug.cgi?id=156516
+
+ Reviewed by Geoffrey Garen.
+
+ When filtering an AbstractValue with a SpeculatedType we would not use the merged type when
+ filtering out the valid structures (despite what the comment directly above said). This
+ would cause us to crash if our structure-set was Top and the two speculated types were
+ different kinds of cells.
+
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::filter):
+ * tests/stress/ai-consistency-filter-cells.js: Added.
+ (get value):
+ (attribute.value.get record):
+ (attribute.attrs.get this):
+ (get foo):
+ (let.thisValue.return.serialize):
+ (let.thisValue.transformFor):
+
2016-04-12 Filip Pizlo <[email protected]>
Unreviewed, remove FIXME for https://bugs.webkit.org/show_bug.cgi?id=156457 and replace it
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp (199390 => 199391)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp 2016-04-12 21:35:33 UTC (rev 199390)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp 2016-04-12 21:52:08 UTC (rev 199391)
@@ -328,7 +328,7 @@
// the passed type is Array. At this point we'll have (None, TOP). The best way
// to ensure that the structure filtering does the right thing is to filter on
// the new type (None) rather than the one passed (Array).
- m_structure.filter(type);
+ m_structure.filter(m_type);
filterArrayModesByType();
filterValueByType();
return normalizeClarity();
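Review bot: The comment above `m_structure.filter(m_type);` still justifies the choice only through the (None, TOP) / Array example, while the crash this commit fixes is the case the log message describes: a Top structure set where the two speculated types are different kinds of cells. A further sentence in that comment, for example `// The same holds when both types are cells of different kinds: filter on the merged m_type, never on the argument (bug 156516).`, would keep a later cleanup from switching back to `type`. The line is only correct if m_type has already been narrowed by `type` before it; that statement and the start of AbstractValue::filter are outside this hunk, so the ordering should be confirmed there. Later phases presumably trust the structure set to agree with m_type, so the invariant deserves to be stated next to the code that maintains it.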
Added: trunk/Source/_javascript_Core/tests/stress/ai-consistency-filter-cells.js (0 => 199391)
--- trunk/Source/_javascript_Core/tests/stress/ai-consistency-filter-cells.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/ai-consistency-filter-cells.js 2016-04-12 21:52:08 UTC (rev 199391)
@@ -0,0 +1,30 @@
+function get(value, prop) { return value[prop]; }
+noInline(get);
+
+function foo(record, key, attribute) {
+ var attrs = get(this, 'attrs');
+ var value = get(record, key), type = attribute.type;
+
+ if (type) {
+ var transform = this.transformFor(type);
+ value = transform.serialize(value);
+ }
+
+ key = attrs && attrs[key] || (this.keyForAttribute ? this.keyForAttribute(key) : key);
+
+ return {key:key, value:value};
+}
+noInline(foo);
+
+let i = 0;
+let thisValue = {transformFor: function() { return {serialize: function() { return {} }}}};
+let record = {key: "hello"};
+let record2 = {key: true};
+let key = "key";
+let attribute = {type: "type"};
+for (; i < 100000; i++) {
+ if (i % 2 === 0)
+ foo.call(thisValue, record, key, attribute);
+ else
+ foo.call(thisValue, record2, key, attribute);
+}
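Review bot: The new stress test has neither a header comment nor any assertion, so nothing in the file says that it passes simply by running its 100000 iterations without crashing. A first line such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=156516; passes if the DFG does not crash.` would tie it to the fix. It would also help to note why `record` and `record2` alternate (a string and a boolean under the same key), since that alternation appears to be what feeds `get` differing types. `attrs` and `keyForAttribute` are never defined on `thisValue`, which looks deliberate but is worth a word for whoever reduces the test later.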