[webkit-reviews] review granted: [Bug 182965] [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage) : [Attachment 334592] Patch

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Feb 26 12:35:22 PST 2018 

Saam Barati <sbarati at apple.com> has granted Yusuke Suzuki
<utatane.tea at gmail.com>'s request for review:
Bug 182965: [FTL] Support PutByVal(ArrayStorage/SlowPutArrayStorage)
https://bugs.webkit.org/show_bug.cgi?id=182965

Attachment 334592: Patch

https://bugs.webkit.org/attachment.cgi?id=334592&action=review




--- Comment #10 from Saam Barati <sbarati at apple.com> ---
Comment on attachment 334592
  --> https://bugs.webkit.org/attachment.cgi?id=334592
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=334592&action=review

r=me

> Source/JavaScriptCore/dfg/DFGOperations.cpp:810
> +void JIT_OPERATION
operationPutDoubleByValDirectBeyondArrayBoundsStrict(ExecState* exec, JSObject*
array, int32_t index, double value)

Is this actually guaranteed to be a JSArray* here? If so, I'd give it that
type. Otherwise, perhaps just name the variable "object".

> Source/JavaScriptCore/dfg/DFGOperations.cpp:826
> +void JIT_OPERATION
operationPutDoubleByValDirectBeyondArrayBoundsNonStrict(ExecState* exec,
JSObject* array, int32_t index, double value)

ditto

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2084
> +		   m_jit.codeBlock()->isStrictMode()
> +		       ? (node->op() == PutByValDirect ?
operationPutDoubleByValDirectBeyondArrayBoundsStrict :
operationPutDoubleByValBeyondArrayBoundsStrict)
> +		       : (node->op() == PutByValDirect ?
operationPutDoubleByValDirectBeyondArrayBoundsNonStrict :
operationPutDoubleByValBeyondArrayBoundsNonStrict),

Was this doing the wrong thing before?

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4274
> +	       LBasicBlock notHoleCase = m_out.newBlock();

nit: This isn't really "notHoleCase" since the hole case may jump here. I'd
call this "doStoreCase" or something like that

> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4300
> +			   index, m_out.load32NonNegative(storage,
m_heaps.Butterfly_publicLength)),

Is it worth defining an ArrayStorage_publicLength just in case someone changes
the memory layout to not be the same as Butterfly?

More information about the webkit-reviews mailing list