op_in should mark if it sees out of bounds accesses
author: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 May 2018 23:16:09 +0000 (23:16 +0000)
committer: keith_miller@apple.com <keith_miller@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 May 2018 23:16:09 +0000 (23:16 +0000)
commit 62899ec0460447fbe6bff29fc4e254d3aac1c881
tree 938f55fe9d22fe1e1f3cd0a54510012abac3a494
parent 1c25f0ed460d282c1e69aeb2761f7d8a73337d17
op_in should mark if it sees out of bounds accesses
https://bugs.webkit.org/show_bug.cgi?id=185792

Reviewed by Filip Pizlo.

JSTests:

* stress/has-indexed-property-array-storage-ftl.js:
(test2):
* stress/has-indexed-property-slow-put-array-storage-ftl.js:
(test2):

Source/JavaScriptCore:

This used to cause us to OSR loop since we would always speculate
we were in bounds in HasIndexedProperty.

* bytecode/ArrayProfile.cpp:
(JSC::ArrayProfile::observeIndexedRead):
* bytecode/ArrayProfile.h:
* runtime/CommonSlowPaths.h:
(JSC::CommonSlowPaths::opIn):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@231990 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/has-indexed-property-array-storage-ftl.js
JSTests/stress/has-indexed-property-slow-put-array-storage-ftl.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/bytecode/ArrayProfile.cpp
Source/JavaScriptCore/bytecode/ArrayProfile.h
Source/JavaScriptCore/runtime/CommonSlowPaths.h