<rdar://82020767>

Created attachment 436214 [details] patch

Comment on attachment 436214 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=436214&action=review > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13723 > + addSlowPathGenerator(slowPathCall(slowCase, this, slowPathFunction, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyNameRegs, indexGPR, modeGPR)); I don't think this is really a slow path. For example, in an indexed for-in loop you'll always take this call. Maybe this should be a silent spill/fill or flush? If you do change it to silent spill/fill can you also fix compileEnumeratorNextUpdatePropertyName to do the same.

Created attachment 436221 [details] patch

Comment on attachment 436221 [details] patch r=me

Committed r281473 (240852@main): <https://commits.webkit.org/240852@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 436221 [details].

It looks like the new tests added in https://trac.webkit.org/changeset/281473/webkit are constant failing on Debug History example: https://results.webkit.org/?suite=javascriptcore-tests&test=stress%2Ffor-in-in-by-val-shouldnt-flush-registers.js.no-llint build: https://build.webkit.org/#/builders/100/builds/736

(In reply to Truitt Savell from comment #7) > It looks like the new tests added in > https://trac.webkit.org/changeset/281473/webkit > are constant failing on Debug > > History example: > https://results.webkit.org/?suite=javascriptcore-tests&test=stress%2Ffor-in- > in-by-val-shouldnt-flush-registers.js.no-llint > > build: > https://build.webkit.org/#/builders/100/builds/736 Seems like a missing exception check. I'll fix.