[webkit-changes] [WebKit/WebKit] 1b4792: [JSC] Use storage node in ArrayPush for SlowPutArray
Yusuke Suzuki
noreply at github.com
Wed Oct 12 14:49:49 PDT 2022
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 1b4792d4d3661bcde4d66b7be0d02f9b0d506392
https://github.com/WebKit/WebKit/commit/1b4792d4d3661bcde4d66b7be0d02f9b0d506392
Author: Yusuke Suzuki <ysuzuki at apple.com>
Date: 2022-10-12 (Wed, 12 Oct 2022)
Changed paths:
A JSTests/stress/slow-put-array-empty-push.js
M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
Log Message:
-----------
[JSC] Use storage node in ArrayPush for SlowPutArray
https://bugs.webkit.org/show_bug.cgi?id=246405
rdar://problem/101081844
Reviewed by Justin Michaud.
This patch fixes a bug where GetArrayLength gets a nullptr crash when we convert
ArrayPush+SlowPutArray with empty arguments to GetArrayLength, because we are discarding
butterfly storage for that case. But since SlowPutArray's ArrayPush is slow anyway, let's simplify
our code and always get butterfly storage even for the SlowPutArray case.
* JSTests/stress/slow-put-array-empty-push.js: Added.
(runNearStackLimit):
(__f_6):
(__f_32):
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileArrayPush):
Canonical link: https://commits.webkit.org/255454@main
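The commit message describes an optimization in which `ArrayPush` with no arguments is folded into `GetArrayLength`, and a special case for arrays in slow-put storage mode. The following is an added example, not code from the WebKit commit or the JSTests file it adds. It shows the JavaScript-level behaviour that optimization relies on: `push()` with zero arguments only returns the current length, while an array whose prototype chain carries an indexed setter cannot take the fast "append to storage" path, because that setter may intercept the write. The example assumes (an assumption, not stated on the page) that an indexed accessor on the prototype chain is what moves a JSC array into the slow-put storage mode the commit refers to; the sample values are constructed.

```javascript
// Added example, not code from the WebKit commit above.
// Assumption: an indexed accessor on the prototype chain is what forces a
// JSC array into the slow-put storage mode named in the commit message.

function pushNothing(arr) {
  // Array.prototype.push with zero arguments performs no element writes;
  // it only sets and returns the (unchanged) length.
  return arr.push();
}

// Builds an array from constructed sample values whose prototype chain has
// a setter at exactly the index the next one-argument push would write to.
function makeInterceptedArray(values) {
  const proto = Object.create(Array.prototype);
  const state = { intercepted: 0 };
  Object.defineProperty(proto, values.length, {
    set() { state.intercepted += 1; },   // swallows the element write
    get() { return undefined; },
    configurable: true,
  });
  const arr = values.slice();
  Object.setPrototypeOf(arr, proto);
  return { arr, state };
}

// Exercises an empty push and a real push on the intercepted array and
// reports what actually happened at each step.
function demo() {
  const { arr, state } = makeInterceptedArray([10, 20, 30]);
  const lengthFromEmptyPush = pushNothing(arr);   // 3: nothing written
  const interceptedAfterEmptyPush = state.intercepted;  // 0: setter never ran
  const lengthFromRealPush = arr.push(40);        // 4: length is updated...
  // ...but the element never landed in the array's own storage: the
  // prototype setter intercepted it, which is why an engine cannot treat
  // this push as a plain append to backing storage.
  const ownAtIndex3 = Object.prototype.hasOwnProperty.call(arr, 3);  // false
  return {
    lengthFromEmptyPush,
    interceptedAfterEmptyPush,
    lengthFromRealPush,
    interceptedAfterRealPush: state.intercepted,  // 1
    ownAtIndex3,
    finalLength: arr.length,                      // 4
  };
}
```

Run `demo()` in any engine: the zero-argument push behaves as a pure length read on every kind of array, which is what makes folding it into a length query valid, while the one-argument push on the intercepted array shows why such arrays need the slower, storage-aware path.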