<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[182498] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/182498">182498</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2015-04-07 15:09:15 -0700 (Tue, 07 Apr 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Constant folding of typed array properties should be handled by AI rather than strength reduction
https://bugs.webkit.org/show_bug.cgi?id=143496
Reviewed by Geoffrey Garen.
Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
phase and whatever other phase did the folding in order to find all constants.
This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
directly.
This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
found because all of the tests for it involved the property getting constant folded. I found that
the codegen was bad because an earlier version of the patch broke that constant folding. This
adds a new test for that node type, which makes constant folding impossible by allocating a new
typed array every type. The lesson here is: if you write a test for something, run the test with
full IR dumps to make sure it's actually testing the thing you want it to test.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::tryGetFoldableView):
(JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::hasTypedArray): Deleted.
(JSC::DFG::Node::typedArray): Deleted.
* dfg/DFGNodeType.h:
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
(JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
* dfg/DFGWatchpointCollectionPhase.cpp:
(JSC::DFG::WatchpointCollectionPhase::handle):
(JSC::DFG::WatchpointCollectionPhase::addLazily):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileNode):
(JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
(JSC::FTL::LowerDFGToLLVM::typedArrayLength):
* tests/stress/fold-typed-array-properties.js:
(foo):
* tests/stress/typed-array-byte-offset.js: Added.
(foo):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphcpp">trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphh">trunk/Source/JavaScriptCore/dfg/DFGGraph.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeh">trunk/Source/JavaScriptCore/dfg/DFGNode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGStrengthReductionPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGWatchpointCollectionPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressfoldtypedarraypropertiesjs">trunk/Source/JavaScriptCore/tests/stress/fold-typed-array-properties.js</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoretestsstresstypedarraybyteoffsetjs">trunk/Source/JavaScriptCore/tests/stress/typed-array-byte-offset.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -1,3 +1,70 @@
</span><ins>+2015-04-07 Filip Pizlo <fpizlo@apple.com>
+
+ Constant folding of typed array properties should be handled by AI rather than strength reduction
+ https://bugs.webkit.org/show_bug.cgi?id=143496
+
+ Reviewed by Geoffrey Garen.
+
+ Handling constant folding in AI is better because it precludes us from having to fixpoint the CFA
+ phase and whatever other phase did the folding in order to find all constants.
+
+ This also removes the TypedArrayWatchpoint node type because we can just set the watchpoint
+ directly.
+
+ This also fixes a bug in FTL lowering of GetTypedArrayByteOffset. The bug was previously not
+ found because all of the tests for it involved the property getting constant folded. I found that
+ the codegen was bad because an earlier version of the patch broke that constant folding. This
+ adds a new test for that node type, which makes constant folding impossible by allocating a new
+ typed array every type. The lesson here is: if you write a test for something, run the test with
+ full IR dumps to make sure it's actually testing the thing you want it to test.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::tryGetFoldableView):
+ (JSC::DFG::Graph::tryGetFoldableViewForChild1): Deleted.
+ * dfg/DFGGraph.h:
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::hasTypedArray): Deleted.
+ (JSC::DFG::Node::typedArray): Deleted.
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::jumpForTypedArrayOutOfBounds):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+ (JSC::DFG::StrengthReductionPhase::foldTypedArrayPropertyToConstant): Deleted.
+ (JSC::DFG::StrengthReductionPhase::prepareToFoldTypedArray): Deleted.
+ * dfg/DFGWatchpointCollectionPhase.cpp:
+ (JSC::DFG::WatchpointCollectionPhase::handle):
+ (JSC::DFG::WatchpointCollectionPhase::addLazily):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileGetTypedArrayByteOffset):
+ (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
+ * tests/stress/fold-typed-array-properties.js:
+ (foo):
+ * tests/stress/typed-array-byte-offset.js: Added.
+ (foo):
+
</ins><span class="cx"> 2015-04-07 Matthew Mirman <mmirman@apple.com>
</span><span class="cx">
</span><span class="cx"> Source and stack information should get appended only to native errors
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -1383,9 +1383,6 @@
</span><span class="cx"> m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->activationStructure());
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case TypedArrayWatchpoint:
- break;
-
</del><span class="cx"> case CreateDirectArguments:
</span><span class="cx"> forNode(node).set(m_graph, m_codeBlock->globalObjectFor(node->origin.semantic)->directArgumentsStructure());
</span><span class="cx"> break;
</span><span class="lines">@@ -1520,9 +1517,16 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case GetArrayLength:
</del><ins>+ case GetArrayLength: {
+ JSArrayBufferView* view = m_graph.tryGetFoldableView(
+ forNode(node->child1()).m_value, node->arrayMode());
+ if (view) {
+ setConstant(node, jsNumber(view->length()));
+ break;
+ }
</ins><span class="cx"> forNode(node).setType(SpecInt32);
</span><span class="cx"> break;
</span><ins>+ }
</ins><span class="cx">
</span><span class="cx"> case CheckStructure: {
</span><span class="cx"> AbstractValue& value = forNode(node->child1());
</span><span class="lines">@@ -1705,13 +1709,25 @@
</span><span class="cx"> value.set(m_graph, node->structure());
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- case GetIndexedPropertyStorage:
</del><ins>+ case GetIndexedPropertyStorage: {
+ JSArrayBufferView* view = m_graph.tryGetFoldableView(
+ forNode(node->child1()).m_value, node->arrayMode());
+ if (view)
+ m_state.setFoundConstants(true);
+ forNode(node).clear();
+ break;
+ }
</ins><span class="cx"> case ConstantStoragePointer: {
</span><span class="cx"> forNode(node).clear();
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> case GetTypedArrayByteOffset: {
</span><ins>+ JSArrayBufferView* view = m_graph.tryGetFoldableView(forNode(node->child1()).m_value);
+ if (view) {
+ setConstant(node, jsNumber(view->byteOffset()));
+ break;
+ }
</ins><span class="cx"> forNode(node).setType(SpecInt32);
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -306,11 +306,6 @@
</span><span class="cx"> write(SideState);
</span><span class="cx"> return;
</span><span class="cx">
</span><del>- case TypedArrayWatchpoint:
- read(Watchpoint_fire);
- write(SideState);
- return;
-
</del><span class="cx"> case NotifyWrite:
</span><span class="cx"> write(Watchpoint_fire);
</span><span class="cx"> write(SideState);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -115,6 +115,30 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ case GetIndexedPropertyStorage: {
+ JSArrayBufferView* view = m_graph.tryGetFoldableView(
+ m_state.forNode(node->child1()).m_value, node->arrayMode());
+ if (!view)
+ break;
+
+ if (view->mode() == FastTypedArray) {
+ // FIXME: It would be awesome to be able to fold the property storage for
+ // these GC-allocated typed arrays. For now it doesn't matter because the
+ // most common use-cases for constant typed arrays involve large arrays with
+ // aliased buffer views.
+ // https://bugs.webkit.org/show_bug.cgi?id=125425
+ break;
+ }
+
+ m_interpreter.execute(indexInBlock);
+ eliminated = true;
+
+ m_insertionSet.insertNode(
+ indexInBlock, SpecNone, Phantom, node->origin, node->children);
+ node->convertToConstantStoragePointer(view->vector());
+ break;
+ }
+
</ins><span class="cx"> case CheckStructureImmediate: {
</span><span class="cx"> AbstractValue& value = m_state.forNode(node->child1());
</span><span class="cx"> StructureSet& set = node->structureSet();
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -164,7 +164,6 @@
</span><span class="cx"> case StoreBarrierWithNullCheck:
</span><span class="cx"> case InvalidationPoint:
</span><span class="cx"> case NotifyWrite:
</span><del>- case TypedArrayWatchpoint:
</del><span class="cx"> case CheckInBounds:
</span><span class="cx"> case ConstantStoragePointer:
</span><span class="cx"> case Check:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -1238,7 +1238,6 @@
</span><span class="cx"> case LoopHint:
</span><span class="cx"> case StoreBarrier:
</span><span class="cx"> case StoreBarrierWithNullCheck:
</span><del>- case TypedArrayWatchpoint:
</del><span class="cx"> case MovHint:
</span><span class="cx"> case ZombieHint:
</span><span class="cx"> case BottomValue:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -313,8 +313,6 @@
</span><span class="cx"> out.print(comma, RawPointer(node->executionCounter()));
</span><span class="cx"> if (node->hasVariableWatchpointSet())
</span><span class="cx"> out.print(comma, RawPointer(node->variableWatchpointSet()));
</span><del>- if (node->hasTypedArray())
- out.print(comma, inContext(JSValue(node->typedArray()), context));
</del><span class="cx"> if (node->hasStoragePointer())
</span><span class="cx"> out.print(comma, RawPointer(node->storagePointer()));
</span><span class="cx"> if (node->hasObjectMaterializationData())
</span><span class="lines">@@ -1071,29 +1069,27 @@
</span><span class="cx"> return tryGetConstantClosureVar(node->asJSValue(), offset);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JSArrayBufferView* Graph::tryGetFoldableView(Node* node)
</del><ins>+JSArrayBufferView* Graph::tryGetFoldableView(JSValue value)
</ins><span class="cx"> {
</span><del>- JSArrayBufferView* view = node->dynamicCastConstant<JSArrayBufferView*>();
- if (!view)
</del><ins>+ if (!value)
</ins><span class="cx"> return nullptr;
</span><ins>+ JSArrayBufferView* view = jsDynamicCast<JSArrayBufferView*>(value);
+ if (!value)
+ return nullptr;
</ins><span class="cx"> if (!view->length())
</span><span class="cx"> return nullptr;
</span><span class="cx"> WTF::loadLoadFence();
</span><ins>+ watchpoints().addLazily(view);
</ins><span class="cx"> return view;
</span><span class="cx"> }
</span><span class="cx">
</span><del>-JSArrayBufferView* Graph::tryGetFoldableView(Node* node, ArrayMode arrayMode)
</del><ins>+JSArrayBufferView* Graph::tryGetFoldableView(JSValue value, ArrayMode arrayMode)
</ins><span class="cx"> {
</span><span class="cx"> if (arrayMode.typedArrayType() == NotTypedArray)
</span><del>- return 0;
- return tryGetFoldableView(node);
</del><ins>+ return nullptr;
+ return tryGetFoldableView(value);
</ins><span class="cx"> }
</span><span class="cx">
</span><del>-JSArrayBufferView* Graph::tryGetFoldableViewForChild1(Node* node)
-{
- return tryGetFoldableView(child(node, 0).node(), node->arrayMode());
-}
-
</del><span class="cx"> void Graph::registerFrozenValues()
</span><span class="cx"> {
</span><span class="cx"> m_codeBlock->constants().resize(0);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.h (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -692,9 +692,8 @@
</span><span class="cx"> JSValue tryGetConstantClosureVar(const AbstractValue&, ScopeOffset);
</span><span class="cx"> JSValue tryGetConstantClosureVar(Node*, ScopeOffset);
</span><span class="cx">
</span><del>- JSArrayBufferView* tryGetFoldableView(Node*);
- JSArrayBufferView* tryGetFoldableView(Node*, ArrayMode);
- JSArrayBufferView* tryGetFoldableViewForChild1(Node*);
</del><ins>+ JSArrayBufferView* tryGetFoldableView(JSValue);
+ JSArrayBufferView* tryGetFoldableView(JSValue, ArrayMode arrayMode);
</ins><span class="cx">
</span><span class="cx"> void registerFrozenValues();
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNode.h (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNode.h 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGNode.h 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -1229,16 +1229,6 @@
</span><span class="cx"> return reinterpret_cast<VariableWatchpointSet*>(m_opInfo);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- bool hasTypedArray()
- {
- return op() == TypedArrayWatchpoint;
- }
-
- JSArrayBufferView* typedArray()
- {
- return reinterpret_cast<JSArrayBufferView*>(m_opInfo);
- }
-
</del><span class="cx"> bool hasStoragePointer()
</span><span class="cx"> {
</span><span class="cx"> return op() == ConstantStoragePointer;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -174,7 +174,6 @@
</span><span class="cx"> macro(ArrayifyToStructure, NodeMustGenerate) \
</span><span class="cx"> macro(GetIndexedPropertyStorage, NodeResultStorage) \
</span><span class="cx"> macro(ConstantStoragePointer, NodeResultStorage) \
</span><del>- macro(TypedArrayWatchpoint, NodeMustGenerate) \
</del><span class="cx"> macro(GetGetter, NodeResultJS) \
</span><span class="cx"> macro(GetSetter, NodeResultJS) \
</span><span class="cx"> macro(GetByOffset, NodeResultJS) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -645,7 +645,6 @@
</span><span class="cx"> case Unreachable:
</span><span class="cx"> case LoopHint:
</span><span class="cx"> case NotifyWrite:
</span><del>- case TypedArrayWatchpoint:
</del><span class="cx"> case ConstantStoragePointer:
</span><span class="cx"> case MovHint:
</span><span class="cx"> case ZombieHint:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -251,7 +251,6 @@
</span><span class="cx"> case StoreBarrierWithNullCheck:
</span><span class="cx"> case InvalidationPoint:
</span><span class="cx"> case NotifyWrite:
</span><del>- case TypedArrayWatchpoint:
</del><span class="cx"> case CheckInBounds:
</span><span class="cx"> case ConstantStoragePointer:
</span><span class="cx"> case Check:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -2268,7 +2268,9 @@
</span><span class="cx"> {
</span><span class="cx"> if (node->op() == PutByValAlias)
</span><span class="cx"> return JITCompiler::Jump();
</span><del>- if (JSArrayBufferView* view = m_jit.graph().tryGetFoldableViewForChild1(node)) {
</del><ins>+ JSArrayBufferView* view = m_jit.graph().tryGetFoldableView(
+ m_state.forNode(m_jit.graph().child(node, 0)).m_value, node->arrayMode());
+ if (view) {
</ins><span class="cx"> uint32_t length = view->length();
</span><span class="cx"> Node* indexNode = m_jit.graph().child(node, 1).node();
</span><span class="cx"> if (indexNode->isInt32Constant() && indexNode->asUInt32() < length)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -3533,8 +3533,7 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case AllocationProfileWatchpoint:
- case TypedArrayWatchpoint: {
</del><ins>+ case AllocationProfileWatchpoint: {
</ins><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -3608,8 +3608,7 @@
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- case AllocationProfileWatchpoint:
- case TypedArrayWatchpoint: {
</del><ins>+ case AllocationProfileWatchpoint: {
</ins><span class="cx"> noResult(node);
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGStrengthReductionPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -146,33 +146,6 @@
</span><span class="cx"> }
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case GetArrayLength:
- if (JSArrayBufferView* view = m_graph.tryGetFoldableViewForChild1(m_node))
- foldTypedArrayPropertyToConstant(view, jsNumber(view->length()));
- break;
-
- case GetTypedArrayByteOffset:
- if (JSArrayBufferView* view = m_graph.tryGetFoldableView(m_node->child1().node()))
- foldTypedArrayPropertyToConstant(view, jsNumber(view->byteOffset()));
- break;
-
- case GetIndexedPropertyStorage:
- if (JSArrayBufferView* view = m_graph.tryGetFoldableViewForChild1(m_node)) {
- if (view->mode() != FastTypedArray) {
- prepareToFoldTypedArray(view);
- m_node->convertToConstantStoragePointer(view->vector());
- m_changed = true;
- break;
- } else {
- // FIXME: It would be awesome to be able to fold the property storage for
- // these GC-allocated typed arrays. For now it doesn't matter because the
- // most common use-cases for constant typed arrays involve large arrays with
- // aliased buffer views.
- // https://bugs.webkit.org/show_bug.cgi?id=125425
- }
- }
- break;
-
</del><span class="cx"> case ValueRep:
</span><span class="cx"> case Int52Rep:
</span><span class="cx"> case DoubleRep: {
</span><span class="lines">@@ -283,22 +256,6 @@
</span><span class="cx"> convertToIdentityOverChild(1);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void foldTypedArrayPropertyToConstant(JSArrayBufferView* view, JSValue constant)
- {
- prepareToFoldTypedArray(view);
- m_graph.convertToConstant(m_node, constant);
- m_changed = true;
- }
-
- void prepareToFoldTypedArray(JSArrayBufferView* view)
- {
- m_insertionSet.insertNode(
- m_nodeIndex, SpecNone, TypedArrayWatchpoint, m_node->origin,
- OpInfo(view));
- m_insertionSet.insertNode(
- m_nodeIndex, SpecNone, Phantom, m_node->origin, m_node->children);
- }
-
</del><span class="cx"> void handleCommutativity()
</span><span class="cx"> {
</span><span class="cx"> // If the right side is a constant then there is nothing left to do.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGWatchpointCollectionPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/dfg/DFGWatchpointCollectionPhase.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -92,16 +92,8 @@
</span><span class="cx">
</span><span class="cx"> if (m_node->arrayMode().type() == Array::String)
</span><span class="cx"> handleStringGetByVal();
</span><del>-
- if (JSArrayBufferView* view = m_graph.tryGetFoldableViewForChild1(m_node))
- addLazily(view);
</del><span class="cx"> break;
</span><span class="cx">
</span><del>- case PutByVal:
- if (JSArrayBufferView* view = m_graph.tryGetFoldableViewForChild1(m_node))
- addLazily(view);
- break;
-
</del><span class="cx"> case StringCharAt:
</span><span class="cx"> handleStringGetByVal();
</span><span class="cx"> break;
</span><span class="lines">@@ -121,10 +113,6 @@
</span><span class="cx"> addLazily(globalObject()->varInjectionWatchpoint());
</span><span class="cx"> break;
</span><span class="cx">
</span><del>- case TypedArrayWatchpoint:
- addLazily(m_node->typedArray());
- break;
-
</del><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="cx"> }
</span><span class="lines">@@ -154,10 +142,6 @@
</span><span class="cx"> {
</span><span class="cx"> m_graph.watchpoints().addLazily(set);
</span><span class="cx"> }
</span><del>- void addLazily(JSArrayBufferView* view)
- {
- m_graph.watchpoints().addLazily(view);
- }
</del><span class="cx">
</span><span class="cx"> JSGlobalObject* globalObject()
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -119,7 +119,6 @@
</span><span class="cx"> case StringCharCodeAt:
</span><span class="cx"> case AllocatePropertyStorage:
</span><span class="cx"> case ReallocatePropertyStorage:
</span><del>- case TypedArrayWatchpoint:
</del><span class="cx"> case GetTypedArrayByteOffset:
</span><span class="cx"> case NotifyWrite:
</span><span class="cx"> case StoreBarrier:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -846,7 +846,6 @@
</span><span class="cx">
</span><span class="cx"> case PhantomLocal:
</span><span class="cx"> case LoopHint:
</span><del>- case TypedArrayWatchpoint:
</del><span class="cx"> case AllocationProfileWatchpoint:
</span><span class="cx"> case MovHint:
</span><span class="cx"> case ZombieHint:
</span><span class="lines">@@ -2105,9 +2104,9 @@
</span><span class="cx"> LBasicBlock wastefulCase = FTL_NEW_BLOCK(m_out, ("wasteful typed array"));
</span><span class="cx"> LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("continuation branch"));
</span><span class="cx">
</span><del>- LValue baseAddress = m_out.addPtr(basePtr, JSArrayBufferView::offsetOfMode());
</del><ins>+ LValue mode = m_out.load32(basePtr, m_heaps.JSArrayBufferView_mode);
</ins><span class="cx"> m_out.branch(
</span><del>- m_out.notEqual(baseAddress , m_out.constIntPtr(WastefulTypedArray)),
</del><ins>+ m_out.notEqual(mode, m_out.constInt32(WastefulTypedArray)),
</ins><span class="cx"> unsure(simpleCase), unsure(wastefulCase));
</span><span class="cx">
</span><span class="cx"> // begin simple case
</span><span class="lines">@@ -2125,7 +2124,7 @@
</span><span class="cx"> LValue arrayBufferPtr = m_out.loadPtr(butterflyPtr, m_heaps.Butterfly_arrayBuffer);
</span><span class="cx"> LValue dataPtr = m_out.loadPtr(arrayBufferPtr, m_heaps.ArrayBuffer_data);
</span><span class="cx">
</span><del>- ValueFromBlock wastefulOut = m_out.anchor(m_out.sub(dataPtr, vectorPtr));
</del><ins>+ ValueFromBlock wastefulOut = m_out.anchor(m_out.sub(vectorPtr, dataPtr));
</ins><span class="cx">
</span><span class="cx"> m_out.jump(continuation);
</span><span class="cx"> m_out.appendTo(continuation, lastNext);
</span><span class="lines">@@ -5785,7 +5784,9 @@
</span><span class="cx">
</span><span class="cx"> LValue typedArrayLength(Edge baseEdge, ArrayMode arrayMode, LValue base)
</span><span class="cx"> {
</span><del>- if (JSArrayBufferView* view = m_graph.tryGetFoldableView(baseEdge.node(), arrayMode))
</del><ins>+ JSArrayBufferView* view = m_graph.tryGetFoldableView(
+ m_state.forNode(baseEdge).m_value, arrayMode);
+ if (view)
</ins><span class="cx"> return m_out.constInt32(view->length());
</span><span class="cx"> return m_out.load32NonNegative(base, m_heaps.JSArrayBufferView_length);
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressfoldtypedarraypropertiesjs"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/tests/stress/fold-typed-array-properties.js (182497 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/fold-typed-array-properties.js 2015-04-07 21:42:38 UTC (rev 182497)
+++ trunk/Source/JavaScriptCore/tests/stress/fold-typed-array-properties.js 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -1,29 +1,32 @@
</span><span class="cx"> var a = new Int32Array(new ArrayBuffer(100), 4, 1);
</span><span class="cx">
</span><span class="cx"> if (a.length != 1)
</span><del>- throw "Error: bad length: " + a.length;
</del><ins>+ throw "Error: bad length (start): " + a.length;
</ins><span class="cx"> if (a.byteOffset != 4)
</span><del>- throw "Error: bad offset: " + a.byteOffset;
</del><ins>+ throw "Error: bad offset (start): " + a.byteOffset;
</ins><span class="cx"> if (a.byteLength != 4)
</span><del>- throw "Error: bad byte length: " + a.byteLength;
</del><ins>+ throw "Error: bad byte length (start): " + a.byteLength;
</ins><span class="cx">
</span><del>-function foo() {
- if (a.length != 1)
- throw "Error: bad length: " + a.length;
- if (a.byteOffset != 4)
- throw "Error: bad offset: " + a.byteOffset;
- if (a.byteLength != 4)
- throw "Error: bad byte length: " + a.byteLength;
</del><ins>+function foo(when) {
+ var tmp = a.length;
+ if (tmp != 1)
+ throw "Error: bad length (" + when + "): " + tmp;
+ tmp = a.byteOffset;
+ if (tmp != 4)
+ throw "Error: bad offset (" + when + "): " + tmp;
+ tmp = a.byteLength;
+ if (tmp != 4)
+ throw "Error: bad byte length (" + when + "): " + tmp;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> for (var i = 0; i < 1000000; ++i)
</span><del>- foo();
</del><ins>+ foo("loop");
</ins><span class="cx">
</span><span class="cx"> transferArrayBuffer(a.buffer);
</span><span class="cx">
</span><span class="cx"> var didThrow = false;
</span><span class="cx"> try {
</span><del>- foo();
</del><ins>+ foo("after transfer");
</ins><span class="cx"> } catch (e) {
</span><span class="cx"> didThrow = true;
</span><span class="cx"> }
</span><span class="lines">@@ -32,8 +35,8 @@
</span><span class="cx"> throw "Should have thrown.";
</span><span class="cx">
</span><span class="cx"> if (a.length != 0)
</span><del>- throw "Error: bad length: " + a.length;
</del><ins>+ throw "Error: bad length (end): " + a.length;
</ins><span class="cx"> if (a.byteOffset != 0)
</span><del>- throw "Error: bad offset: " + a.byteOffset;
</del><ins>+ throw "Error: bad offset (end): " + a.byteOffset;
</ins><span class="cx"> if (a.byteLength != 0)
</span><del>- throw "Error: bad byte length: " + a.byteLength;
</del><ins>+ throw "Error: bad byte length (end): " + a.byteLength;
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstresstypedarraybyteoffsetjs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/typed-array-byte-offset.js (0 => 182498)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/typed-array-byte-offset.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/typed-array-byte-offset.js 2015-04-07 22:09:15 UTC (rev 182498)
</span><span class="lines">@@ -0,0 +1,17 @@
</span><ins>+function foo(array) {
+ return array.byteOffset;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 10000; ++i) {
+ var result = foo(new Int32Array(100));
+ if (result != 0)
+ throw "Error: bad result for fast typed array: " + result;
+ result = foo(new Int32Array(100000));
+ if (result != 0)
+ throw "Error: bad result for big typed array: " + result;
+ result = foo(new Int32Array(new ArrayBuffer(100), 4, 1));
+ if (result != 4)
+ throw "Error: bad result for wasteful typed array: " + result;
+}
</ins></span></pre>
</div>
</div>
</body>
</html>