Google Git
Sign in
webkit / WebKit / 163e4775848dbba55a541ed62015566a0f3d7088^! / . / Source / JavaScriptCore / dfg / DFGAbstractState.cpp
commit163e4775848dbba55a541ed62015566a0f3d7088[log] [tgz]
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Sep 04 21:15:02 2012 +0000
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Tue Sep 04 21:15:02 2012 +0000
tree481922b1544f6120891b1b02c5a782c741615bcc
parent94cb8dd803a6f75db89be75c40192def22ab272d [diff] [blame]
DFG GetByVal for JSArrays shouldn't OSR exit every time that the index is out of bound
https://bugs.webkit.org/show_bug.cgi?id=95717

Reviewed by Oliver Hunt.

Make GetByVal for JSArrayOutOfBounds do meaningful things. The profiling was already
there so we should just use it!

* bytecode/DFGExitProfile.h:
(JSC::DFG::exitKindToString):
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::execute):
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGSpeculativeJIT.h:
(JSC::DFG::SpeculativeJIT::callOperation):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@127503 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
index e63bed3..5f79f66 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -853,12 +853,14 @@
             forNode(nodeIndex).makeTop();
             break;
         case Array::JSArray:
-        case Array::JSArrayOutOfBounds:
-            // FIXME: We should have more conservative handling of the out-of-bounds
-            // case.
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).makeTop();
             break;
+        case Array::JSArrayOutOfBounds:
+            forNode(node.child2()).filter(SpecInt32);
+            clobberWorld(node.codeOrigin, indexInBlock);
+            forNode(nodeIndex).makeTop();
+            break;
         case Array::Int8Array:
             forNode(node.child2()).filter(SpecInt32);
             forNode(nodeIndex).set(SpecInt32);