https://bugs.webkit.org/show_bug.cgi?id=181301
Reviewed by Mark Lam.
I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
* runtime/JSArray.cpp:
(JSC::JSArray::shiftCountWithArrayStorage):
* runtime/JSObject.cpp:
(JSC::JSObject::increaseVectorLength):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@226416
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2018-01-04 Keith Miller <keith_miller@apple.com>
+
+ Array Storage operations sometimes did not update the indexing mask correctly.
+ https://bugs.webkit.org/show_bug.cgi?id=181301
+
+ Reviewed by Mark Lam.
+
+ I will add tests in a follow up patch. See: https://bugs.webkit.org/show_bug.cgi?id=181303
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::shiftCountWithArrayStorage):
+ * runtime/JSObject.cpp:
+ (JSC::JSObject::increaseVectorLength):
+
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Define defs for MapSet/SetAdd to participate in CSE
2018-01-04 Yusuke Suzuki <utatane.tea@gmail.com>
[DFG] Define defs for MapSet/SetAdd to participate in CSE
// the start of the Butterfly, which needs to point at the first indexed property in the used
// portion of the vector.
Butterfly* butterfly = this->butterfly()->shift(structure(), count);
// the start of the Butterfly, which needs to point at the first indexed property in the used
// portion of the vector.
Butterfly* butterfly = this->butterfly()->shift(structure(), count);
- setButterfly(vm, butterfly);
storage = butterfly->arrayStorage();
storage->m_indexBias += count;
// Since we're consuming part of the vector by moving its beginning to the left,
// we need to modify the vector length appropriately.
storage->setVectorLength(vectorLength - count);
storage = butterfly->arrayStorage();
storage->m_indexBias += count;
// Since we're consuming part of the vector by moving its beginning to the left,
// we need to modify the vector length appropriately.
storage->setVectorLength(vectorLength - count);
+ setButterfly(vm, butterfly);
} else {
// The number of elements before the shift region is greater than or equal to the number
// of elements after the shift region, so we move the elements after the shift region to the left.
} else {
// The number of elements before the shift region is greater than or equal to the number
// of elements after the shift region, so we move the elements after the shift region to the left.
for (unsigned i = vectorLength; i < availableVectorLength; ++i)
storage->m_vector[i].clear();
storage->setVectorLength(availableVectorLength);
for (unsigned i = vectorLength; i < availableVectorLength; ++i)
storage->m_vector[i].clear();
storage->setVectorLength(availableVectorLength);
+ m_butterflyIndexingMask = storage->butterfly()->computeIndexingMask();
git://git.webkit.org / WebKit-https.git / commitdiff