Like https://bugs.webkit.org/show_bug.cgi?id=198229, but for putByVal.
Created attachment 370689 [details] Patch
Comment on attachment 370689 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=370689&action=review

> Source/JavaScriptCore/jit/JITOperations.cpp:665
> +putProperty:

Alternatively, you could have an “else if (subscript.isInt32() && baseValue.isObject())” then mark as out of bounds.
Comment on attachment 370689 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=370689&action=review

>> Source/JavaScriptCore/jit/JITOperations.cpp:665
>> +putProperty:
>
> Alternatively, you could have an “else if (subscript.isInt32() && baseValue.isObject())” then mark as out of bounds.

What about `tookSlowPath`, do I also need to set it if it's int32 but not an object? I guess I don't get why we don't unconditionally set `tookSlowPath`.
Comment on attachment 370689 [details] Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=370689&action=review

>>> Source/JavaScriptCore/jit/JITOperations.cpp:665
>>> +putProperty:
>>
>> Alternatively, you could have an “else if (subscript.isInt32() && baseValue.isObject())” then mark as out of bounds.
>
> What about `tookSlowPath`, do I also need to set it if it's int32 but not an object? I guess I don't get why we don't unconditionally set `tookSlowPath`.

I'm also not sure. It probably has to do with normal indexed lookups, but you should look at the code in the DFG (I'm assuming) that reads it.
Maybe it affects how we speculate.
Created attachment 370745 [details] Patch for landing
Comment on attachment 370745 [details] Patch for landing

Clearing flags on attachment: 370745

Committed r245813: <https://trac.webkit.org/changeset/245813>
All reviewed patches have been landed. Closing bug.
<rdar://problem/51180527>