RESOLVED FIXED 229725
Baseline JIT's in_by_val and emitHasPrivate should load the property before branching on if the base is a cell
https://bugs.webkit.org/show_bug.cgi?id=229725
Saam Barati
Reported 2021-08-31 12:16:30 PDT
Just for our own sanity when reasoning about what the slow paths do, we don't want a random value in property when the base isn't a cell.
Attachments
patch (2.23 KB, patch)
2021-08-31 12:21 PDT, Saam Barati
no flags
Saam Barati
Comment 1 2021-08-31 12:21:42 PDT
Yusuke Suzuki
Comment 2 2021-08-31 12:24:24 PDT
Comment on attachment 436926 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=436926&action=review

r=me too

> Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1519
> emitArrayProfilingSiteWithCell(regT0, profile, regT2);

Can you also ensure that AccessCase IC code for InByVal / InById reserves the above registers if we go to the slow path?
Saam Barati
Comment 3 2021-08-31 12:32:21 PDT
(In reply to Yusuke Suzuki from comment #2)
> Comment on attachment 436926 [details]
> patch
>
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=436926&action=review
>
> r=me too
>
> > Source/JavaScriptCore/jit/JITPropertyAccess.cpp:1519
> > emitArrayProfilingSiteWithCell(regT0, profile, regT2);
>
> Can you also ensure that AccessCase IC code for InByVal / InById reserves
> the above registers if we go to the slow path?

Confirmed that they do not clobber these registers.
EWS
Comment 4 2021-08-31 15:46:14 PDT
Committed r281826 (241160@main): <https://commits.webkit.org/241160@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 436926 [details].
Radar WebKit Bug Importer
Comment 5 2021-08-31 15:47:19 PDT