DFG del_by_id support forgets to set()
author: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Apr 2016 02:35:29 +0000 (02:35 +0000)
committer: fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 21 Apr 2016 02:35:29 +0000 (02:35 +0000)
https://bugs.webkit.org/show_bug.cgi?id=156830

Reviewed by Saam Barati.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* tests/stress/dfg-del-by-id.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199801 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/tests/stress/dfg-del-by-id.js [new file with mode: 0644]

index 125782d..d00e035 100644 (file)
@@ -1,3 +1,14 @@
+2016-04-20  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG del_by_id support forgets to set()
+        https://bugs.webkit.org/show_bug.cgi?id=156830
+
+        Reviewed by Saam Barati.
+
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * tests/stress/dfg-del-by-id.js: Added.
+
 2016-04-20  Saam barati  <sbarati@apple.com>
 
         Improve sampling profiler CLI JSC tool
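Review bot: the new entry leaves the line for dfg/DFGByteCodeParser.cpp (JSC::DFG::ByteCodeParser::parseBlock) empty after the colon, so the ChangeLog alone does not say which set() was missing or what the visible effect was. One sentence there would do, for example that the op_del_by_id case built the DeleteById node but never stored its result into the destination register.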
index b777243..311257a 100644 (file)
@@ -4044,7 +4044,8 @@ bool ByteCodeParser::parseBlock(unsigned limit)
         case op_del_by_id: {
             Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
             unsigned identifierNumber = m_inlineStackTop->m_identifierRemap[currentInstruction[3].u.operand];
-            addToGraph(DeleteById, OpInfo(identifierNumber), base);
+            set(VirtualRegister(currentInstruction[1].u.operand),
+                addToGraph(DeleteById, OpInfo(identifierNumber), base));
             NEXT_OPCODE(op_del_by_id);
         }
 
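Review bot: in the op_del_by_id case, nesting addToGraph() inside set() makes the store of the result easy to overlook, which is the same mistake this fixes. Consider binding the node to a local first, in the style of the "Node* base = get(...)" line above it, e.g. "Node* result = addToGraph(DeleteById, OpInfo(identifierNumber), base);" followed by "set(VirtualRegister(currentInstruction[1].u.operand), result);". A short comment that operand 1 is the destination of the delete result would also help, since operands 2 and 3 are only identifiable here through the names base and identifierNumber.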
diff --git a/Source/JavaScriptCore/tests/stress/dfg-del-by-id.js b/Source/JavaScriptCore/tests/stress/dfg-del-by-id.js
new file mode 100644 (file)
index 0000000..66f2f0b
--- /dev/null
@@ -0,0 +1,14 @@
+function foo(o) {
+    return delete o.f;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i) {
+    var o = {f:42};
+    var result = foo(o);
+    if (result !== true)
+        throw "Error: bad result: " + result;
+    if ("f" in o)
+        throw "Error: \"f\" still in ok";
+}
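Review bot: the message in the last throw reads "f" still in ok, which looks like a typo for o, and the loop only ever checks the case where delete returns true. Since the fix is about the result value reaching its destination register, a second function that deletes a non-configurable property (set up with Object.defineProperty) and expects false would show that the stored value is the real DeleteById result and not a constant. The message fix is just "Error: \"f\" still in o".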