WebKit Bugzilla
Attachment 357466 Details for Bug 192770: Fix stale assertion in attemptToForceStringArrayModeByToStringConversion().
[patch] proposed patch.
bug-192770.patch (text/plain), 2.70 KB, created by Mark Lam on 2018-12-17 12:22:47 PST
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 239280) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,13 @@ >+2018-12-17 Mark Lam <mark.lam@apple.com> >+ >+ Fix stale assertion in attemptToForceStringArrayModeByToStringConversion(). >+ https://bugs.webkit.org/show_bug.cgi?id=192770 >+ <rdar://problem/46449037> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/regress-192770.js: Added. >+ > 2018-12-14 Mark Lam <mark.lam@apple.com> > > CallFrame::convertToStackOverflowFrame() needs to keep the top CodeBlock alive. >Index: JSTests/stress/regress-192770.js >=================================================================== >--- JSTests/stress/regress-192770.js (nonexistent) >+++ JSTests/stress/regress-192770.js (working copy) >@@ -0,0 +1,16 @@ >+//@ requireOptions("--jitPolicyScale=0.1") >+ >+function foo(a) { >+ a.length; >+} >+ >+for (let i = 0; i < 100; i++) { >+ let a = i % 2 ? new Uint8Array() : new Uint16Array(); >+ >+ for (let j = 0; j < 2; j++) >+ foo(a); >+ >+ gc(); >+ foo(''); >+ foo(a); >+} >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 239243) >+++ Source/JavaScriptCore/ChangeLog (working copy) 
>@@ -1,3 +1,17 @@ >+2018-12-17 Mark Lam <mark.lam@apple.com> >+ >+ Fix stale assertion in attemptToForceStringArrayModeByToStringConversion(). >+ https://bugs.webkit.org/show_bug.cgi?id=192770 >+ <rdar://problem/46449037> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ This assertion was added before Array::OriginalNonArray was introduced. It just >+ needs to be updated to allow for Array::OriginalNonArray. >+ >+ * dfg/DFGFixupPhase.cpp: >+ (JSC::DFG::FixupPhase::attemptToForceStringArrayModeByToStringConversion): >+ > 2018-12-14 David Kilzer <ddkilzer@apple.com> > > clang-tidy: Fix unnecessary copy of objects for operator==() methods >Index: Source/JavaScriptCore/dfg/DFGFixupPhase.cpp >=================================================================== >--- Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (revision 239243) >+++ Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (working copy) >@@ -2432,7 +2432,7 @@ private: > template<UseKind useKind> > void attemptToForceStringArrayModeByToStringConversion(ArrayMode& arrayMode, Node* node) > { >- ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read)); >+ ASSERT(arrayMode == ArrayMode(Array::Generic, Array::Read) || arrayMode == ArrayMode(Array::Generic, Array::OriginalNonArray, Array::Read)); > > if (!m_graph.canOptimizeStringObjectAccess(node->origin.semantic)) > return;
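Review bot: JSTests/stress/regress-192770.js carries no comment saying what it is meant to reach and makes no explicit check. Nothing in the file says which of the steps in the loop (the two warm-up calls to foo(a) on the typed arrays, the gc(), the foo('') call, the final foo(a)) are needed to get to the assertion, or why --jitPolicyScale=0.1 is required. Since the fix is to an ASSERT, the test passes simply by not tripping it; a short header comment stating that, and that the test is only meaningful in a build with assertions enabled, would stop a later cleanup from removing a step that matters.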
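Review bot: In the DFGFixupPhase.cpp hunk, the updated ASSERT in attemptToForceStringArrayModeByToStringConversion() still compares arrayMode against complete ArrayMode values, which is the same pattern that went stale when Array::OriginalNonArray was introduced, per the ChangeLog entry. Consider asserting only on the parts this function relies on (Array::Generic and Array::Read) so the check does not need another edit when a further array class is added. If the exact-match form is kept, add a comment above the ASSERT naming the two accepted modes and why the second one can occur.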
Flags: keith_miller: review+