DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow...
authormark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Jun 2018 11:19:46 +0000 (11:19 +0000)
committermark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 27 Jun 2018 11:19:46 +0000 (11:19 +0000)
commit05e568098edce4bbcc82f779bcc8c8ea6b744dd1
tree84d345c55d951837e8d8d5080c4781b99117fd47
parent9a106aa5c6360a7ec6aae431a5759ef98c6698b9
DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties.
https://bugs.webkit.org/show_bug.cgi?id=187091
<rdar://problem/41395624>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/regress-187091.js: Added.

Source/JavaScriptCore:

Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage()
take their slow paths, the slow path would jump back to the fast path right after
the emitted code which clears the unused property values.  As a result, the
unused properties are not initialized.  We've fixed this by adding the slow path
generators before we emit the code to clear the unused properties.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@233253 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/regress-187091.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp