Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should...
author rmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 31 Jan 2019 00:49:26 +0000 (00:49 +0000)
committer rmorisset@apple.com <rmorisset@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 31 Jan 2019 00:49:26 +0000 (00:49 +0000)
commit 696238e24a93c5841372acfb903ab5efea159840
tree 0a81b130ce01874671e8070cb5ab2723fef89ed0
parent ca85ad70764ed873d4c20c874fc61a01a8443c1c
Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
https://bugs.webkit.org/show_bug.cgi?id=194050
<rdar://problem/47595592>

JSTests:

Reviewed by Yusuke Suzuki.

* stress/object-keys-osr-exit.js: Added.
(foo):
(catch):

Source/JavaScriptCore:

Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit.
It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case.

Reviewed by Yusuke Suzuki.

* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240740 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/object-keys-osr-exit.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/ftl/FTLOperations.cpp