CFA wrongly assumes that a speculation for SlowPutArrayStorageShape d…

…isallows ArrayStorageShape arrays. <https://webkit.org/b/139327> Reviewed by Michael Saboff. Source/JavaScriptCore: The code generator and runtime slow paths expects otherwise. This patch fixes CFA to match the code generator's expectation. * dfg/DFGArrayMode.h: (JSC::DFG::ArrayMode::arrayModesThatPassFiltering): (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes): LayoutTests: * js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage-expected.txt: Added. * js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.html: Added. * js/script-tests/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.js: Added. (foo): (test): Canonical link: https://commits.webkit.org/157257@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@176972 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Dec 8, 2014 · 7731c48 · 7731c48
1 parent 97d97b0
commit 7731c48
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 1 deletion.
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2014-12-08  Mark Lam  <mark.lam@apple.com>
+
+        CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays.
+        <https://webkit.org/b/139327>
+
+        Reviewed by Michael Saboff.
+
+        * js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage-expected.txt: Added.
+        * js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.html: Added.
+        * js/script-tests/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.js: Added.
+        (foo):
+        (test):
+
 2014-12-08  Myles C. Maxfield  <mmaxfield@apple.com>
 
         [iOS] Narrow non-breaking space does not fall back to a correct font

diff --git a/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage-expected.txt b/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage-expected.txt
@@ -0,0 +1,9 @@
+This tests that DFG generated code speculating SlowPutArrayStorageShape doesn't crash when seeing fast ArrayStorageShapes.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.html b/LayoutTests/js/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.html
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.js"></script>
+<script src="../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/...tTests/js/script-tests/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.js b/...tTests/js/script-tests/dfg-slow-put-array-storage-spec-should-allow-fast-array-storage.js
@@ -0,0 +1,38 @@
+description(
+"This tests that DFG generated code speculating SlowPutArrayStorageShape doesn't crash when seeing fast ArrayStorageShapes."
+);
+
+var slowPutArrayStorageArray = [ "slow" ];
+var fastArrayStorageArray = [ "fast" ];
+fastArrayStorageArray[1000] = 50;
+
+var o = { a: 10 };
+Object.defineProperties(o, {
+    "0": {
+        set: function(x) { this.a = x; },
+    },
+});    
+
+slowPutArrayStorageArray.__proto__ = o;
+
+function foo(a, isFast) {
+    var result = 10;
+    if (!a)
+        return result;
+
+    var doStuff = a[0] && isFast;
+    if (doStuff)
+        result = a[0] + 10;
+    return result;
+}
+
+function test() {
+    for (var k = 0; k < 5000; k++) {
+        foo(slowPutArrayStorageArray, false);
+        foo(fastArrayStorageArray, true);
+    }
+}
+
+test();
+
+var successfullyParsed = true;
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,17 @@
+2014-12-08  Mark Lam  <mark.lam@apple.com>
+
+        CFA wrongly assumes that a speculation for SlowPutArrayStorageShape disallows ArrayStorageShape arrays.
+        <https://webkit.org/b/139327>
+
+        Reviewed by Michael Saboff.
+
+        The code generator and runtime slow paths expects otherwise.  This patch fixes
+        CFA to match the code generator's expectation.
+
+        * dfg/DFGArrayMode.h:
+        (JSC::DFG::ArrayMode::arrayModesThatPassFiltering):
+        (JSC::DFG::ArrayMode::arrayModesWithIndexingShapes):
+
 2014-12-08  Chris Dumez  <cdumez@apple.com>
 
         Revert r176293 & r176275

diff --git a/Source/JavaScriptCore/dfg/DFGArrayMode.h b/Source/JavaScriptCore/dfg/DFGArrayMode.h
@@ -406,7 +406,7 @@ class ArrayMode {
         case Array::ArrayStorage:
             return arrayModesWithIndexingShape(ArrayStorageShape);
         case Array::SlowPutArrayStorage:
-            return arrayModesWithIndexingShape(SlowPutArrayStorageShape);
+            return arrayModesWithIndexingShapes(SlowPutArrayStorageShape, ArrayStorageShape);
         default:
             return asArrayModes(NonArray);
         }
@@ -462,6 +462,13 @@ class ArrayMode {
         }
     }
 
+    ArrayModes arrayModesWithIndexingShapes(IndexingType shape1, IndexingType shape2) const
+    {
+        ArrayModes arrayMode1 = arrayModesWithIndexingShape(shape1);
+        ArrayModes arrayMode2 = arrayModesWithIndexingShape(shape2);
+        return arrayMode1 | arrayMode2;
+    }
+
     bool alreadyChecked(Graph&, Node*, AbstractValue&, IndexingType shape) const;
 
     union {