JSArray::fastSlice() should not convert the source from CoW
https://bugs.webkit.org/show_bug.cgi?id=234990
Patch by Alexey Shvayka <ashvayka@apple.com> on 2022-01-14
Reviewed by Yusuke Suzuki.
JSTests:
* stress/array-slice-cow.js:
Source/JavaScriptCore:
Since we aren't modifying the source array in fastSlice() nor its slow path,
there is no reason to convert it from CopyOnWrite.
* runtime/JSArray.cpp:
(JSC::JSArray::fastSlice):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@288036 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/JSTests/ChangeLog b/JSTests/ChangeLog
index 49024cd..2c0c502 100644
--- a/JSTests/ChangeLog
+++ b/JSTests/ChangeLog
@@ -1,3 +1,12 @@
+2022-01-14 Alexey Shvayka <ashvayka@apple.com>
+
+ JSArray::fastSlice() should not convert the source from CoW
+ https://bugs.webkit.org/show_bug.cgi?id=234990
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/array-slice-cow.js:
+
2022-01-14 Justin Michaud <justin_michaud@apple.com>
Update libWABT
diff --git a/JSTests/stress/array-slice-cow.js b/JSTests/stress/array-slice-cow.js
index 57f1ccf..76cc6d7 100644
--- a/JSTests/stress/array-slice-cow.js
+++ b/JSTests/stress/array-slice-cow.js
@@ -6,21 +6,30 @@
function testInt32()
{
var array = [0, 1, 2, 3];
- return array.slice(1);
+ var slice = array.slice(1);
+ shouldBe($vm.indexingMode(array), "CopyOnWriteArrayWithInt32");
+ shouldBe($vm.indexingMode(slice), "ArrayWithInt32");
+ return slice;
}
noInline(testInt32);
function testDouble()
{
var array = [0.1, 1.1, 2.1, 3.1];
- return array.slice(1);
+ var slice = array.slice(1);
+ shouldBe($vm.indexingMode(array), "CopyOnWriteArrayWithDouble");
+ shouldBe($vm.indexingMode(slice), "ArrayWithDouble");
+ return slice;
}
noInline(testDouble);
function testContiguous()
{
var array = [true, false, true, false];
- return array.slice(1);
+ var slice = array.slice(1);
+ shouldBe($vm.indexingMode(array), "CopyOnWriteArrayWithContiguous");
+ shouldBe($vm.indexingMode(slice), "ArrayWithContiguous");
+ return slice;
}
noInline(testContiguous);
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 96fc5e2..d1e7f26 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,3 +1,16 @@
+2022-01-14 Alexey Shvayka <ashvayka@apple.com>
+
+ JSArray::fastSlice() should not convert the source from CoW
+ https://bugs.webkit.org/show_bug.cgi?id=234990
+
+ Reviewed by Yusuke Suzuki.
+
+ Since we aren't modifying the source array in fastSlice() nor its slow path,
+ there is no reason to convert it from CopyOnWrite.
+
+ * runtime/JSArray.cpp:
+ (JSC::JSArray::fastSlice):
+
2022-01-14 Saam Barati <sbarati@apple.com>
Make isJITPC fast
diff --git a/Source/JavaScriptCore/runtime/JSArray.cpp b/Source/JavaScriptCore/runtime/JSArray.cpp
index 53dfd3c..220e0438 100644
--- a/Source/JavaScriptCore/runtime/JSArray.cpp
+++ b/Source/JavaScriptCore/runtime/JSArray.cpp
@@ -729,15 +729,11 @@
{
VM& vm = globalObject->vm();
- // FIXME: Avoid converting the source from CoW since we aren't modifying it.
- // https://bugs.webkit.org/show_bug.cgi?id=234990
- source->ensureWritable(vm);
-
Structure* sourceStructure = source->structure(vm);
if (sourceStructure->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero())
return nullptr;
- auto arrayType = source->indexingMode() | IsArray;
+ auto arrayType = source->indexingType() | IsArray;
switch (arrayType) {
case ArrayWithDouble:
case ArrayWithInt32:
