Merge r228401 - DFG::emitCodeToGetArgumentsArrayLength needs to handl…

…e NewArrayBuffer/PhantomNewArrayBuffer https://bugs.webkit.org/show_bug.cgi?id=182706 <rdar://problem/36833681> Reviewed by Filip Pizlo. JSTests: * stress/get-array-length-phantom-new-array-buffer.js: Added. (effects): (foo): Source/JavaScriptCore: When we added support for PhantomNewArrayBuffer, we forgot to update the emitCodeToGetArgumentsArrayLength function to handle PhantomNewArrayBuffer. This patch adds that support. It's trivial to generate the length for a PhantomNewArrayBuffer node since it's a constant buffer, with a constant length. * dfg/DFGArgumentsUtilities.cpp: (JSC::DFG::emitCodeToGetArgumentsArrayLength):
WebKit · Feb 20, 2018 · 3c984f5 · 3c984f5
1 parent c8be3d9
commit 3c984f5
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 2 deletions.
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
@@ -1,3 +1,15 @@
+2018-02-12  Saam Barati  <sbarati@apple.com>
+
+        DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
+        https://bugs.webkit.org/show_bug.cgi?id=182706
+        <rdar://problem/36833681>
+
+        Reviewed by Filip Pizlo.
+
+        * stress/get-array-length-phantom-new-array-buffer.js: Added.
+        (effects):
+        (foo):
+
 2018-02-06  Keith Miller  <keith_miller@apple.com>
 
         put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object

diff --git a/JSTests/stress/get-array-length-phantom-new-array-buffer.js b/JSTests/stress/get-array-length-phantom-new-array-buffer.js
@@ -0,0 +1,14 @@
+function effects() {}
+noInline(effects);
+
+function foo() {
+    let x = [1,2,3];
+    effects();
+    return x.length;
+}
+noInline(foo);
+
+for (let i = 0; i < 100000; ++i) {
+    if (foo() !== 3)
+        throw new Error();
+}
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,20 @@
+2018-02-12  Saam Barati  <sbarati@apple.com>
+
+        DFG::emitCodeToGetArgumentsArrayLength needs to handle NewArrayBuffer/PhantomNewArrayBuffer
+        https://bugs.webkit.org/show_bug.cgi?id=182706
+        <rdar://problem/36833681>
+
+        Reviewed by Filip Pizlo.
+
+        When we added support for PhantomNewArrayBuffer, we forgot to update
+        the emitCodeToGetArgumentsArrayLength function to handle PhantomNewArrayBuffer.
+        This patch adds that support. It's trivial to generate the length for
+        a PhantomNewArrayBuffer node since it's a constant buffer, with a constant
+        length.
+
+        * dfg/DFGArgumentsUtilities.cpp:
+        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
+
 2018-02-12  Mark Lam  <mark.lam@apple.com>
 
         Add more support for pointer preparations.

diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsUtilities.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsUtilities.cpp
@@ -65,9 +65,15 @@ Node* emitCodeToGetArgumentsArrayLength(
     DFG_ASSERT(
         graph, arguments,
         arguments->op() == CreateDirectArguments || arguments->op() == CreateScopedArguments
-        || arguments->op() == CreateClonedArguments || arguments->op() == CreateRest
-        || arguments->op() == PhantomDirectArguments || arguments->op() == PhantomClonedArguments || arguments->op() == PhantomCreateRest,
+        || arguments->op() == CreateClonedArguments || arguments->op() == CreateRest || arguments->op() == NewArrayBuffer
+        || arguments->op() == PhantomDirectArguments || arguments->op() == PhantomClonedArguments
+        || arguments->op() == PhantomCreateRest || arguments->op() == PhantomNewArrayBuffer,
         arguments->op());
+
+    if (arguments->op() == NewArrayBuffer || arguments->op() == PhantomNewArrayBuffer) {
+        return insertionSet.insertConstant(
+            nodeIndex, origin, jsNumber(arguments->castOperand<JSFixedArray*>()->length()));
+    }
 
     InlineCallFrame* inlineCallFrame = arguments->origin.semantic.inlineCallFrame;