GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Oct 2019 00:42:25 +0000 (00:42 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 18 Oct 2019 00:42:25 +0000 (00:42 +0000)
https://bugs.webkit.org/show_bug.cgi?id=203124
<rdar://problem/55988183>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/licm-array-storage-get-and-put-by-val.js: Added.
(assert):
(foo):

Source/JavaScriptCore:

* dfg/DFGAbstractHeap.h:
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@251271 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/licm-array-storage-get-and-put-by-val.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractHeap.h
Source/JavaScriptCore/dfg/DFGClobberize.h

index 3b589f8..59b0cc8 100644 (file)
@@ -1,3 +1,15 @@
+2019-10-17  Saam Barati  <sbarati@apple.com>
+
+        GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap
+        https://bugs.webkit.org/show_bug.cgi?id=203124
+        <rdar://problem/55988183>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/licm-array-storage-get-and-put-by-val.js: Added.
+        (assert):
+        (foo):
+
 2019-10-16  Keith Miller  <keith_miller@apple.com>
 
         Move assert in Wasm::Plan::fail.
diff --git a/JSTests/stress/licm-array-storage-get-and-put-by-val.js b/JSTests/stress/licm-array-storage-get-and-put-by-val.js
new file mode 100644 (file)
index 0000000..0679f8f
--- /dev/null
@@ -0,0 +1,25 @@
+function assert(b) {
+    if (!b)
+        throw new Error;
+}
+function foo(a) {
+    a[1] = 1;
+    let b = 0;
+    for (let j = 0; j < 10; j++) {
+        a[1] = 2;
+        b = a[1];
+    }
+    return b;
+}
+noInline(foo);
+
+let arr = new Array(5);
+for (let i = 0; i < 0x1000; i++) {
+    arr[i] = i;
+}
+arr[100000] = 1;
+
+for (let i = 0; i < 20000; i++){
+    arr[1] = 1;
+    assert(foo(arr) === 2);
+}
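Review bot: nothing in this test says why `arr[100000] = 1` is there, yet the test only covers the ArrayStorage path named in the file name if that far out-of-range store actually switches `arr` to ArrayStorage. A one-line comment above it stating that intent would keep a later cleanup from deleting the line and silently turning this into a test of a different indexing type. The `assert` helper also throws a bare `Error`, so a failure reports no values; passing a message such as the returned `b` would make a regression in `foo` easier to triage.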
index 0bdb54b..d50a5d6 100644 (file)
@@ -1,3 +1,15 @@
+2019-10-17  Saam Barati  <sbarati@apple.com>
+
+        GetByVal and PutByVal on ArrayStorage need to use the same AbstractHeap
+        https://bugs.webkit.org/show_bug.cgi?id=203124
+        <rdar://problem/55988183>
+
+        Reviewed by Yusuke Suzuki.
+
+        * dfg/DFGAbstractHeap.h:
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2019-10-17  Mark Lam  <mark.lam@apple.com>
 
         Harden capacity checks in DFG::LocalCSEPhase::SmallMap.
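Review bot: the Source/JavaScriptCore entry lists the touched files and `(JSC::DFG::clobberize)` but carries no description of the defect. Since the fix is a two-identifier rename whose correctness depends on which abstract heap the load side reads, a sentence or two stating which node reported `ArrayStorageProperties`, which reported `IndexedArrayStorageProperties`, and which optimization (the test name points at LICM) treated the two accesses as non-aliasing would make the entry usable for anyone auditing similar heap mismatches later.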
index bcc1998..a30929d 100644 (file)
@@ -65,7 +65,6 @@ namespace JSC { namespace DFG {
     macro(IndexedDoubleProperties) \
     macro(IndexedContiguousProperties) \
     macro(IndexedArrayStorageProperties) \
-    macro(ArrayStorageProperties) \
     macro(DirectArgumentsProperties) \
     macro(ScopeProperties) \
     macro(TypedArrayProperties) \
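Review bot: with `macro(ArrayStorageProperties)` gone, `IndexedArrayStorageProperties` is the only heap left for this storage kind, but nothing at the list says it must be used by both loads and stores on ArrayStorage. Deleting the name is the right way to stop the two from drifting apart again; a short comment next to `macro(IndexedArrayStorageProperties)` recording that invariant would document why there is no separate heap, since the macro list itself gives no hint.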
index 0c23552..b89c03c 100644 (file)
@@ -1023,8 +1023,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
             }
             read(Butterfly_publicLength);
             read(Butterfly_vectorLength);
-            read(ArrayStorageProperties);
-            write(ArrayStorageProperties);
+            read(IndexedArrayStorageProperties);
+            write(IndexedArrayStorageProperties);
             if (node->arrayMode().mayStoreToHole())
                 write(Butterfly_publicLength);
             return;
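Review bot: the replaced `read(...)`/`write(...)` pair here is duplicated verbatim in the next case, and neither site notes that the heap has to match the one the corresponding load reports. That mismatch is exactly what the commit title describes, so consider a brief comment at this case (or a shared helper used by both cases) so the pairing is visible at the point where someone would edit it.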
@@ -1037,8 +1037,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
             }
             read(Butterfly_publicLength);
             read(Butterfly_vectorLength);
-            read(ArrayStorageProperties);
-            write(ArrayStorageProperties);
+            read(IndexedArrayStorageProperties);
+            write(IndexedArrayStorageProperties);
             return;
 
         case Array::Int8Array:
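Review bot: this case returns right after `write(IndexedArrayStorageProperties)`, while the previous case additionally does `write(Butterfly_publicLength)` when `node->arrayMode().mayStoreToHole()`. The branch closed by the `}` at the top of the context may already cover stores to holes, but that is not visible here; worth confirming the asymmetry is intentional. The added stress test also builds only one array shape, so if this second case is reached through a different array mode it is not exercised by `licm-array-storage-get-and-put-by-val.js`; a second variant of `foo` covering it would close that gap.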