| Summary: | Baseline JIT's in_by_val and emitHasPrivate should load the property before branching on if the base is a cell | ||||||
|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Saam Barati <saam> | ||||
| Component: | JavaScriptCore | Assignee: | Saam Barati <saam> | ||||
| Status: | RESOLVED FIXED | ||||||
| Severity: | Normal | CC: | ews-watchlist, keith_miller, mark.lam, msaboff, tzagallo, webkit-bug-importer, ysuzuki | ||||
| Priority: | P2 | Keywords: | InRadar | ||||
| Version: | WebKit Nightly Build | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Attachments: |
|
||||||
|
Description
Saam Barati
2021-08-31 12:16:30 PDT
Created attachment 436926 [details]
patch
Comment on attachment 436926 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=436926&action=review r=me too > Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1519 > emitArrayProfilingSiteWithCell(regT0, profile, regT2); Can you also ensure that AccessCase IC code for InByVal / InById reserves the above registers if we go to the slow path? (In reply to Yusuke Suzuki from comment #2) > Comment on attachment 436926 [details] > patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=436926&action=review > > r=me too > > > Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1519 > > emitArrayProfilingSiteWithCell(regT0, profile, regT2); > > Can you also ensure that AccessCase IC code for InByVal / InById reserves > the above registers if we go to the slow path? Confirmed that they do not clobber these registers. Committed r281826 (241160@main): <https://commits.webkit.org/241160@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 436926 [details]. |