<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[241457] branches/safari-607-branch/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/241457">241457</a></dd>
<dt>Author</dt> <dd>alancoon@apple.com</dd>
<dt>Date</dt> <dd>2019-02-13 13:11:28 -0800 (Wed, 13 Feb 2019)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/241210">r241210</a>. rdar://problem/47971573

    Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
    https://bugs.webkit.org/show_bug.cgi?id=194446
    <rdar://problem/47926792>

    Reviewed by Saam Barati.

    Fix doesGC() for the following nodes:

        CheckTierUpAtReturn:
            Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
            which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.

        CheckTierUpInLoop:
            Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
            Worklist::completeAllReadyPlansForVM(), which uses DeferGC.

        CheckTierUpAndOSREnter:
            Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
            Worklist::completeAllReadyPlansForVM(), which uses DeferGC.

        GetByVal:
            case Array::String calls operationSingleCharacterString(), which calls
            jsSingleCharacterString(), which can allocate a string.

        PutByValDirect:
        PutByVal:
        PutByValAlias:
            For the DFG only, the integer TypeArrays calls compilePutByValForIntTypedArray(),
            which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
            operationPutByValStrict(), or operationPutByValNonStrict().  All of these
            slow paths call putByValInternal(), which may create exception objects, or
            call the generic JSValue::put() which may execute arbitrary code.

        StringCharAt:
            Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
            which can allocate a string.

    Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
    to use the maxSingleCharacterString constant instead of a literal constant.

    * dfg/DFGDoesGC.cpp:
    (JSC::DFG::doesGC):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
    * dfg/DFGSpeculativeJIT64.cpp:
    (JSC::DFG::SpeculativeJIT::compile):
    * ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
    (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
    (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241210 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari607branchSourceJavaScriptCoreChangeLog">branches/safari-607-branch/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchessafari607branchSourceJavaScriptCoredfgDFGDoesGCcpp">branches/safari-607-branch/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#branchessafari607branchSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">branches/safari-607-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#branchessafari607branchSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">branches/safari-607-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari607branchSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-607-branch/Source/JavaScriptCore/ChangeLog (241456 => 241457)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-607-branch/Source/JavaScriptCore/ChangeLog       2019-02-13 21:11:25 UTC (rev 241456)
+++ branches/safari-607-branch/Source/JavaScriptCore/ChangeLog  2019-02-13 21:11:28 UTC (rev 241457)
</span><span class="lines">@@ -1,3 +1,115 @@
</span><ins>+2019-02-13  Alan Coon  <alancoon@apple.com>
+
+        Cherry-pick r241210. rdar://problem/47971573
+
+    Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
+    https://bugs.webkit.org/show_bug.cgi?id=194446
+    <rdar://problem/47926792>
+    
+    Reviewed by Saam Barati.
+    
+    Fix doesGC() for the following nodes:
+    
+        CheckTierUpAtReturn:
+            Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
+            which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
+    
+        CheckTierUpInLoop:
+            Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
+            Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
+    
+        CheckTierUpAndOSREnter:
+            Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
+            Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
+    
+        GetByVal:
+            case Array::String calls operationSingleCharacterString(), which calls
+            jsSingleCharacterString(), which can allocate a string.
+    
+        PutByValDirect:
+        PutByVal:
+        PutByValAlias:
+            For the DFG only, the integer TypeArrays calls compilePutByValForIntTypedArray(),
+            which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
+            operationPutByValStrict(), or operationPutByValNonStrict().  All of these
+            slow paths call putByValInternal(), which may create exception objects, or
+            call the generic JSValue::put() which may execute arbitrary code.
+    
+        StringCharAt:
+            Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
+            which can allocate a string.
+    
+    Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
+    to use the maxSingleCharacterString constant instead of a literal constant.
+    
+    * dfg/DFGDoesGC.cpp:
+    (JSC::DFG::doesGC):
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+    * dfg/DFGSpeculativeJIT64.cpp:
+    (JSC::DFG::SpeculativeJIT::compile):
+    * ftl/FTLLowerDFGToB3.cpp:
+    (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+    (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
+    (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@241210 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2019-02-08  Mark Lam  <mark.lam@apple.com>
+
+            Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
+            https://bugs.webkit.org/show_bug.cgi?id=194446
+            <rdar://problem/47926792>
+
+            Reviewed by Saam Barati.
+
+            Fix doesGC() for the following nodes:
+
+                CheckTierUpAtReturn:
+                    Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
+                    which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
+
+                CheckTierUpInLoop:
+                    Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
+                    Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
+
+                CheckTierUpAndOSREnter:
+                    Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
+                    Worklist::completeAllReadyPlansForVM(), which uses DeferGC.
+
+                GetByVal:
+                    case Array::String calls operationSingleCharacterString(), which calls
+                    jsSingleCharacterString(), which can allocate a string.
+
+                PutByValDirect:
+                PutByVal:
+                PutByValAlias:
+                    For the DFG only, the integer TypeArrays calls compilePutByValForIntTypedArray(),
+                    which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
+                    operationPutByValStrict(), or operationPutByValNonStrict().  All of these
+                    slow paths call putByValInternal(), which may create exception objects, or
+                    call the generic JSValue::put() which may execute arbitrary code.
+
+                StringCharAt:
+                    Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
+                    which can allocate a string.
+
+            Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
+            to use the maxSingleCharacterString constant instead of a literal constant.
+
+            * dfg/DFGDoesGC.cpp:
+            (JSC::DFG::doesGC):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
+            * dfg/DFGSpeculativeJIT64.cpp:
+            (JSC::DFG::SpeculativeJIT::compile):
+            * ftl/FTLLowerDFGToB3.cpp:
+            (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
+            (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
+            (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
+
</ins><span class="cx"> 2019-02-07  Alan Coon  <alancoon@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Cherry-pick r241140. rdar://problem/47893590
</span></span></pre></div>
<a id="branchessafari607branchSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-607-branch/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (241456 => 241457)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-607-branch/Source/JavaScriptCore/dfg/DFGDoesGC.cpp       2019-02-13 21:11:25 UTC (rev 241456)
+++ branches/safari-607-branch/Source/JavaScriptCore/dfg/DFGDoesGC.cpp  2019-02-13 21:11:28 UTC (rev 241457)
</span><span class="lines">@@ -53,6 +53,7 @@
</span><span class="cx">     //        unless it is a known transition between previously allocated structures
</span><span class="cx">     //        such as between Array types.
</span><span class="cx">     //     5. Calls to a JS function, which can execute arbitrary code including allocating objects.
</span><ins>+    //     6. Calls operations that uses DeferGC, because it may GC in its destructor.
</ins><span class="cx"> 
</span><span class="cx">     switch (node->op()) {
</span><span class="cx">     case JSConstant:
</span><span class="lines">@@ -183,9 +184,6 @@
</span><span class="cx">     case ExtractOSREntryLocal:
</span><span class="cx">     case ExtractCatchLocal:
</span><span class="cx">     case ClearCatchLocals:
</span><del>-    case CheckTierUpInLoop:
-    case CheckTierUpAtReturn:
-    case CheckTierUpAndOSREnter:
</del><span class="cx">     case LoopHint:
</span><span class="cx">     case StoreBarrier:
</span><span class="cx">     case FencedStoreBarrier:
</span><span class="lines">@@ -202,16 +200,11 @@
</span><span class="cx">     case Int52Rep:
</span><span class="cx">     case GetGetter:
</span><span class="cx">     case GetSetter:
</span><del>-    case GetByVal:
</del><span class="cx">     case GetArrayLength:
</span><span class="cx">     case GetVectorLength:
</span><del>-    case StringCharAt:
</del><span class="cx">     case StringCharCodeAt:
</span><span class="cx">     case GetTypedArrayByteOffset:
</span><span class="cx">     case GetPrototypeOf:
</span><del>-    case PutByValDirect:
-    case PutByVal:
-    case PutByValAlias:
</del><span class="cx">     case PutStructure:
</span><span class="cx">     case GetByOffset:
</span><span class="cx">     case GetGetterSetterByOffset:
</span><span class="lines">@@ -278,6 +271,9 @@
</span><span class="cx">     case CallForwardVarargs:
</span><span class="cx">     case CallObjectConstructor:
</span><span class="cx">     case CallVarargs:
</span><ins>+    case CheckTierUpAndOSREnter:
+    case CheckTierUpAtReturn:
+    case CheckTierUpInLoop:
</ins><span class="cx">     case Construct:
</span><span class="cx">     case ConstructForwardVarargs:
</span><span class="cx">     case ConstructVarargs:
</span><span class="lines">@@ -331,6 +327,7 @@
</span><span class="cx">     case ResolveScope:
</span><span class="cx">     case ResolveScopeForHoistingFuncDeclInEval:
</span><span class="cx">     case Return:
</span><ins>+    case StringCharAt:
</ins><span class="cx">     case TailCall:
</span><span class="cx">     case TailCallForwardVarargs:
</span><span class="cx">     case TailCallForwardVarargsInlinedCaller:
</span><span class="lines">@@ -411,10 +408,30 @@
</span><span class="cx">         return true;
</span><span class="cx"> 
</span><span class="cx">     case GetIndexedPropertyStorage:
</span><ins>+    case GetByVal:
</ins><span class="cx">         if (node->arrayMode().type() == Array::String)
</span><span class="cx">             return true;
</span><span class="cx">         return false;
</span><span class="cx"> 
</span><ins>+    case PutByValDirect:
+    case PutByVal:
+    case PutByValAlias:
+        if (!graph.m_plan.isFTL()) {
+            switch (node->arrayMode().modeForPut().type()) {
+            case Array::Int8Array:
+            case Array::Int16Array:
+            case Array::Int32Array:
+            case Array::Uint8Array:
+            case Array::Uint8ClampedArray:
+            case Array::Uint16Array:
+            case Array::Uint32Array:
+                return true;
+            default:
+                break;
+            }
+        }
+        return false;
+
</ins><span class="cx">     case MapHash:
</span><span class="cx">         switch (node->child1().useKind()) {
</span><span class="cx">         case BooleanUse:
</span></span></pre></div>
<a id="branchessafari607branchSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: branches/safari-607-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (241456 => 241457)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-607-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp     2019-02-13 21:11:25 UTC (rev 241456)
+++ branches/safari-607-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2019-02-13 21:11:28 UTC (rev 241457)
</span><span class="lines">@@ -2344,8 +2344,11 @@
</span><span class="cx"> 
</span><span class="cx">     case GetByVal: {
</span><span class="cx">         switch (node->arrayMode().type()) {
</span><ins>+        case Array::AnyTypedArray:
+        case Array::ForceExit:
+        case Array::SelectUsingArguments:
</ins><span class="cx">         case Array::SelectUsingPredictions:
</span><del>-        case Array::ForceExit:
</del><ins>+        case Array::Unprofiled:
</ins><span class="cx">             DFG_CRASH(m_jit.graph(), node, "Bad array mode type");
</span><span class="cx">             break;
</span><span class="cx">         case Array::Undecided: {
</span><span class="lines">@@ -2566,7 +2569,15 @@
</span><span class="cx">         case Array::ScopedArguments:
</span><span class="cx">             compileGetByValOnScopedArguments(node);
</span><span class="cx">             break;
</span><del>-        default: {
</del><ins>+        case Array::Int8Array:
+        case Array::Int16Array:
+        case Array::Int32Array:
+        case Array::Uint8Array:
+        case Array::Uint8ClampedArray:
+        case Array::Uint16Array:
+        case Array::Uint32Array:
+        case Array::Float32Array:
+        case Array::Float64Array: {
</ins><span class="cx">             TypedArrayType type = node->arrayMode().typedArrayType();
</span><span class="cx">             if (isInt(type))
</span><span class="cx">                 compileGetByValOnIntTypedArray(node, type);
</span><span class="lines">@@ -2800,14 +2811,35 @@
</span><span class="cx">             break;
</span><span class="cx">         }
</span><span class="cx">             
</span><del>-        default: {
</del><ins>+        case Array::Int8Array:
+        case Array::Int16Array:
+        case Array::Int32Array:
+        case Array::Uint8Array:
+        case Array::Uint8ClampedArray:
+        case Array::Uint16Array:
+        case Array::Uint32Array:
+        case Array::Float32Array:
+        case Array::Float64Array: {
</ins><span class="cx">             TypedArrayType type = arrayMode.typedArrayType();
</span><span class="cx">             if (isInt(type))
</span><span class="cx">                 compilePutByValForIntTypedArray(base.gpr(), property.gpr(), node, type);
</span><span class="cx">             else
</span><span class="cx">                 compilePutByValForFloatTypedArray(base.gpr(), property.gpr(), node, type);
</span><del>-        } }
</del><ins>+            break;
+        }
</ins><span class="cx"> 
</span><ins>+        case Array::AnyTypedArray:
+        case Array::String:
+        case Array::DirectArguments:
+        case Array::ForceExit:
+        case Array::Generic:
+        case Array::ScopedArguments:
+        case Array::SelectUsingArguments:
+        case Array::SelectUsingPredictions:
+        case Array::Undecided:
+        case Array::Unprofiled:
+            RELEASE_ASSERT_NOT_REACHED();
+        }
</ins><span class="cx">         break;
</span><span class="cx">     }
</span><span class="cx">         
</span></span></pre></div>
<a id="branchessafari607branchSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: branches/safari-607-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (241456 => 241457)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-607-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp 2019-02-13 21:11:25 UTC (rev 241456)
+++ branches/safari-607-branch/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp    2019-02-13 21:11:28 UTC (rev 241457)
</span><span class="lines">@@ -4159,13 +4159,21 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">             
</span><del>-        default: {
</del><ins>+        case Array::Int8Array:
+        case Array::Int16Array:
+        case Array::Int32Array:
+        case Array::Uint8Array:
+        case Array::Uint8ClampedArray:
+        case Array::Uint16Array:
+        case Array::Uint32Array:
+        case Array::Float32Array:
+        case Array::Float64Array: {
</ins><span class="cx">             LValue index = lowInt32(m_graph.varArgChild(m_node, 1));
</span><span class="cx">             LValue storage = lowStorage(m_graph.varArgChild(m_node, 2));
</span><span class="cx">             
</span><span class="cx">             TypedArrayType type = m_node->arrayMode().typedArrayType();
</span><del>-            
-            if (isTypedView(type)) {
</del><ins>+            ASSERT(isTypedView(type));
+            {
</ins><span class="cx">                 TypedPointer pointer = pointerIntoTypedArray(storage, index, type);
</span><span class="cx">                 
</span><span class="cx">                 if (isInt(type)) {
</span><span class="lines">@@ -4192,10 +4200,16 @@
</span><span class="cx">                 setDouble(result);
</span><span class="cx">                 return;
</span><span class="cx">             }
</span><del>-            
</del><ins>+        }
+
+        case Array::AnyTypedArray:
+        case Array::ForceExit:
+        case Array::SelectUsingArguments:
+        case Array::SelectUsingPredictions:
+        case Array::Unprofiled:
</ins><span class="cx">             DFG_CRASH(m_graph, m_node, "Bad array type");
</span><span class="cx">             return;
</span><del>-        } }
</del><ins>+        }
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     void compileGetMyArgumentByVal()
</span><span class="lines">@@ -4484,10 +4498,19 @@
</span><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">             
</span><del>-        default: {
</del><ins>+        case Array::Int8Array:
+        case Array::Int16Array:
+        case Array::Int32Array:
+        case Array::Uint8Array:
+        case Array::Uint8ClampedArray:
+        case Array::Uint16Array:
+        case Array::Uint32Array:
+        case Array::Float32Array:
+        case Array::Float64Array: {
</ins><span class="cx">             TypedArrayType type = arrayMode.typedArrayType();
</span><span class="cx">             
</span><del>-            if (isTypedView(type)) {
</del><ins>+            ASSERT(isTypedView(type));
+            {
</ins><span class="cx">                 TypedPointer pointer = TypedPointer(
</span><span class="cx">                     m_heaps.typedArrayProperties,
</span><span class="cx">                     m_out.add(
</span><span class="lines">@@ -4540,11 +4563,21 @@
</span><span class="cx">                 
</span><span class="cx">                 return;
</span><span class="cx">             }
</span><ins>+        }
</ins><span class="cx"> 
</span><ins>+        case Array::AnyTypedArray:
+        case Array::String:
+        case Array::DirectArguments:
+        case Array::ForceExit:
+        case Array::Generic:
+        case Array::ScopedArguments:
+        case Array::SelectUsingArguments:
+        case Array::SelectUsingPredictions:
+        case Array::Undecided:
+        case Array::Unprofiled:
</ins><span class="cx">             DFG_CRASH(m_graph, m_node, "Bad array type");
</span><span class="cx">             break;
</span><span class="cx">         }
</span><del>-        }
</del><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     void compilePutAccessorById()
</span></span></pre>
</div>
</div>

</body>
</html>