[webkit-changes] [WebKit/WebKit] c9e7ab: [JSC] Bracket compound assignment should resolve p...

Ross Kirsling noreply at github.com
Mon Mar 11 18:28:42 PDT 2024 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: c9e7ab3bddef8b9423dc407026b91312ba46a72d
      https://github.com/WebKit/WebKit/commit/c9e7ab3bddef8b9423dc407026b91312ba46a72d
  Author: Ross Kirsling <ross.kirsling at sony.com>
  Date:   2024-03-11 (Mon, 11 Mar 2024)

  Changed paths:
    M JSTests/test262/expectations.yaml
    M Source/JavaScriptCore/bytecode/BytecodeList.rb
    M Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp
    M Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h
    M Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/dfg/DFGClobberize.h
    M Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGDoesGC.cpp
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGNode.h
    M Source/JavaScriptCore/dfg/DFGNodeType.h
    M Source/JavaScriptCore/dfg/DFGOperations.cpp
    M Source/JavaScriptCore/dfg/DFGOperations.h
    M Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGSafeToExecute.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
    M Source/JavaScriptCore/ftl/FTLCapabilities.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
    M Source/JavaScriptCore/jit/JIT.cpp
    M Source/JavaScriptCore/jit/JIT.h
    M Source/JavaScriptCore/jit/JITOpcodes.cpp
    M Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm
    M Source/JavaScriptCore/llint/LowLevelInterpreter64.asm
    M Source/JavaScriptCore/runtime/CommonSlowPaths.cpp
    M Source/JavaScriptCore/runtime/CommonSlowPaths.h

  Log Message:
  -----------
  [JSC] Bracket compound assignment should resolve property key at most once
https://bugs.webkit.org/show_bug.cgi?id=270563

Reviewed by Yusuke Suzuki.

Just as we did for `obj[prop]++` (275531 at main), we need to make sure `obj[prop] += 1;` doesn't double-evaluate `prop`.

The existing solution, however, is not of reasonable performance when `prop` is a Number value -- it is, of course,
unacceptable for `arr[i]++` to be slow. To this end, this patch also introduces OpToPropertyKeyOrNumber, which will
return numbers unchanged, just as it does with strings and symbols.

* JSTests/test262/expectations.yaml: Mark 22 test cases as passing.
* Source/JavaScriptCore/bytecode/BytecodeList.rb:
* Source/JavaScriptCore/bytecode/BytecodeUseDef.cpp:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h:
* Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:
(JSC::PostfixNode::emitBracket):
(JSC::PrefixNode::emitBracket):
(JSC::ReadModifyBracketNode::emitBytecode):
(JSC::ShortCircuitReadModifyBracketNode::emitBytecode):
(JSC::ObjectPatternNode::bindValue const):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
* Source/JavaScriptCore/dfg/DFGClobberize.h:
* Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp:
* Source/JavaScriptCore/dfg/DFGDoesGC.cpp:
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
* Source/JavaScriptCore/dfg/DFGNode.h:
* Source/JavaScriptCore/dfg/DFGNodeType.h:
* Source/JavaScriptCore/dfg/DFGOperations.cpp:
* Source/JavaScriptCore/dfg/DFGOperations.h:
* Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGSafeToExecute.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:
* Source/JavaScriptCore/ftl/FTLCapabilities.cpp:
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
* Source/JavaScriptCore/jit/JIT.cpp:
* Source/JavaScriptCore/jit/JIT.h:
* Source/JavaScriptCore/jit/JITOpcodes.cpp:
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/CommonSlowPaths.cpp:
* Source/JavaScriptCore/runtime/CommonSlowPaths.h:

Canonical link: https://commits.webkit.org/275944@main



To unsubscribe from these emails, change your notification settings at https://github.com/WebKit/WebKit/settings/notifications

More information about the webkit-changes mailing list