Title: [212146] trunk/Source/_javascript_Core
Revision
212146
Author
mark....@apple.com
Date
2017-02-10 13:34:27 -0800 (Fri, 10 Feb 2017)

Log Message

StructureStubInfo::considerCaching() should write barrier its owner CodeBlock when buffering a new Structure.
https://bugs.webkit.org/show_bug.cgi?id=168137
<rdar://problem/28656664>

Reviewed by Filip Pizlo.

If we're adding a new structure to StructureStubInfo's bufferedStructures, we
should write barrier the StubInfo's owner CodeBlock because that structure may be
collected during the next GC.  Write barrier-ing the owner CodeBlock ensures that
CodeBlock::finalizeBaselineJITInlineCaches() is called on it during the GC,
which, in turn, gives the StructureStubInfo the opportunity to filter out the
dead structure.

* bytecode/StructureStubInfo.h:
(JSC::StructureStubInfo::considerCaching):
* jit/JITOperations.cpp:

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (212145 => 212146)


--- trunk/Source/_javascript_Core/ChangeLog	2017-02-10 21:31:28 UTC (rev 212145)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-02-10 21:34:27 UTC (rev 212146)
@@ -1,3 +1,22 @@
+2017-02-10  Mark Lam  <mark....@apple.com>
+
+        StructureStubInfo::considerCaching() should write barrier its owner CodeBlock when buffering a new Structure.
+        https://bugs.webkit.org/show_bug.cgi?id=168137
+        <rdar://problem/28656664>
+
+        Reviewed by Filip Pizlo.
+
+        If we're adding a new structure to StructureStubInfo's bufferedStructures, we
+        should write barrier the StubInfo's owner CodeBlock because that structure may be
+        collected during the next GC.  Write barrier-ing the owner CodeBlock ensures that
+        CodeBlock::finalizeBaselineJITInlineCaches() is called on it during the GC,
+        which, in turn, gives the StructureStubInfo the opportunity to filter out the
+        dead structure.
+
+        * bytecode/StructureStubInfo.h:
+        (JSC::StructureStubInfo::considerCaching):
+        * jit/JITOperations.cpp:
+
 2017-02-10  Brian Burg  <bb...@apple.com>
 
         [Cocoa] Web Inspector: generate an NS_ENUM containing platforms supported by the protocol code generator

Modified: trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h (212145 => 212146)


--- trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h	2017-02-10 21:31:28 UTC (rev 212145)
+++ trunk/Source/_javascript_Core/bytecode/StructureStubInfo.h	2017-02-10 21:34:27 UTC (rev 212146)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008, 2012-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2008-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -25,6 +25,7 @@
 
 #pragma once
 
+#include "CodeBlock.h"
 #include "CodeOrigin.h"
 #include "Instruction.h"
 #include "JITStubRoutine.h"
@@ -85,7 +86,7 @@
     // This returns true if it has marked everything that it will ever mark.
     bool propagateTransitions(SlotVisitor&);
         
-    ALWAYS_INLINE bool considerCaching(Structure* structure)
+    ALWAYS_INLINE bool considerCaching(CodeBlock* codeBlock, Structure* structure)
     {
         // We never cache non-cells.
         if (!structure)
@@ -137,7 +138,12 @@
             // we don't already have a case buffered for. Note that if this returns true but the
             // bufferingCountdown is not zero then we will buffer the access case for later without
             // immediately generating code for it.
-            return bufferedStructures.add(structure);
+            bool isNewlyAdded = bufferedStructures.add(structure);
+            if (isNewlyAdded) {
+                VM& vm = *codeBlock->vm();
+                vm.heap.writeBarrier(codeBlock);
+            }
+            return isNewlyAdded;
         }
         countdown--;
         return false;
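Review bot: The new barrier at lines `bool isNewlyAdded = bufferedStructures.add(structure);` … `vm.heap.writeBarrier(codeBlock);` carries no comment explaining why the owner CodeBlock, rather than the Structure, is barriered, so the rationale lives only in the ChangeLog; I would add `// Barrier the owner CodeBlock so finalizeBaselineJITInlineCaches() runs on it during the next GC and can drop this structure if it dies.` above the `if (isNewlyAdded)`. The two-line `VM& vm = *codeBlock->vm(); vm.heap.writeBarrier(codeBlock);` can be written as one line, `codeBlock->vm()->heap.writeBarrier(codeBlock);`, since `vm` is not used elsewhere in the hunk. `codeBlock` is dereferenced unconditionally here; the callers in JITOperations.cpp all pass `exec->codeBlock()`, which presumably is never null on these paths, but that precondition is worth stating in the same comment. The signature change for considerCaching is in the earlier hunk at line 86 and the function body continues outside this hunk.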

Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (212145 => 212146)


--- trunk/Source/_javascript_Core/jit/JITOperations.cpp	2017-02-10 21:31:28 UTC (rev 212145)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp	2017-02-10 21:34:27 UTC (rev 212146)
@@ -210,7 +210,7 @@
     baseValue.getPropertySlot(exec, ident, slot);
     RETURN_IF_EXCEPTION(scope, encodedJSValue());
 
-    if (stubInfo->considerCaching(baseValue.structureOrNull()) && !slot.isTaintedByOpaqueObject() && (slot.isCacheableValue() || slot.isCacheableGetter() || slot.isUnset()))
+    if (stubInfo->considerCaching(exec->codeBlock(), baseValue.structureOrNull()) && !slot.isTaintedByOpaqueObject() && (slot.isCacheableValue() || slot.isCacheableGetter() || slot.isUnset()))
         repatchGetByID(exec, baseValue, ident, slot, *stubInfo, GetByIDKind::Pure);
 
     return JSValue::encode(slot.getPureResult());
@@ -259,7 +259,7 @@
     LOG_IC((ICEvent::OperationGetByIdOptimize, baseValue.classInfoOrNull(*vm), ident));
 
     return JSValue::encode(baseValue.getPropertySlot(exec, ident, [&] (bool found, PropertySlot& slot) -> JSValue {
-        if (stubInfo->considerCaching(baseValue.structureOrNull()))
+        if (stubInfo->considerCaching(exec->codeBlock(), baseValue.structureOrNull()))
             repatchGetByID(exec, baseValue, ident, slot, *stubInfo, GetByIDKind::Normal);
         return found ? slot.getValue(exec, ident) : jsUndefined();
     }));
@@ -288,7 +288,7 @@
     
     RELEASE_ASSERT(accessType == stubInfo->accessType);
     
-    if (stubInfo->considerCaching(asObject(base)->structure()))
+    if (stubInfo->considerCaching(exec->codeBlock(), asObject(base)->structure()))
         repatchIn(exec, base, ident, result, slot, *stubInfo);
     
     return JSValue::encode(jsBoolean(result));
@@ -403,7 +403,8 @@
     JSValue value = JSValue::decode(encodedValue);
     JSValue baseValue = JSValue::decode(encodedBase);
     LOG_IC((ICEvent::OperationPutByIdStrictOptimize, baseValue.classInfoOrNull(*vm), ident));
-    PutPropertySlot slot(baseValue, true, exec->codeBlock()->putByIdContext());
+    CodeBlock* codeBlock = exec->codeBlock();
+    PutPropertySlot slot(baseValue, true, codeBlock->putByIdContext());
 
     Structure* structure = baseValue.isCell() ? baseValue.asCell()->structure(*vm) : nullptr;
     baseValue.putInline(exec, ident, value, slot);
@@ -412,7 +413,7 @@
     if (accessType != static_cast<AccessType>(stubInfo->accessType))
         return;
     
-    if (stubInfo->considerCaching(structure))
+    if (stubInfo->considerCaching(codeBlock, structure))
         repatchPutByID(exec, baseValue, structure, ident, slot, *stubInfo, NotDirect);
 }
 
@@ -430,7 +431,8 @@
     JSValue value = JSValue::decode(encodedValue);
     JSValue baseValue = JSValue::decode(encodedBase);
     LOG_IC((ICEvent::OperationPutByIdNonStrictOptimize, baseValue.classInfoOrNull(*vm), ident));
-    PutPropertySlot slot(baseValue, false, exec->codeBlock()->putByIdContext());
+    CodeBlock* codeBlock = exec->codeBlock();
+    PutPropertySlot slot(baseValue, false, codeBlock->putByIdContext());
 
     Structure* structure = baseValue.isCell() ? baseValue.asCell()->structure(*vm) : nullptr;    
     baseValue.putInline(exec, ident, value, slot);
@@ -439,7 +441,7 @@
     if (accessType != static_cast<AccessType>(stubInfo->accessType))
         return;
     
-    if (stubInfo->considerCaching(structure))
+    if (stubInfo->considerCaching(codeBlock, structure))
         repatchPutByID(exec, baseValue, structure, ident, slot, *stubInfo, NotDirect);
 }
 
@@ -456,7 +458,8 @@
     JSValue value = JSValue::decode(encodedValue);
     JSObject* baseObject = asObject(JSValue::decode(encodedBase));
     LOG_IC((ICEvent::OperationPutByIdDirectStrictOptimize, baseObject->classInfo(*vm), ident));
-    PutPropertySlot slot(baseObject, true, exec->codeBlock()->putByIdContext());
+    CodeBlock* codeBlock = exec->codeBlock();
+    PutPropertySlot slot(baseObject, true, codeBlock->putByIdContext());
     
     Structure* structure = baseObject->structure(*vm);
     baseObject->putDirect(exec->vm(), ident, value, slot);
@@ -464,7 +467,7 @@
     if (accessType != static_cast<AccessType>(stubInfo->accessType))
         return;
     
-    if (stubInfo->considerCaching(structure))
+    if (stubInfo->considerCaching(codeBlock, structure))
         repatchPutByID(exec, baseObject, structure, ident, slot, *stubInfo, Direct);
 }
 
@@ -481,7 +484,8 @@
     JSValue value = JSValue::decode(encodedValue);
     JSObject* baseObject = asObject(JSValue::decode(encodedBase));
     LOG_IC((ICEvent::OperationPutByIdDirectNonStrictOptimize, baseObject->classInfo(*vm), ident));
-    PutPropertySlot slot(baseObject, false, exec->codeBlock()->putByIdContext());
+    CodeBlock* codeBlock = exec->codeBlock();
+    PutPropertySlot slot(baseObject, false, codeBlock->putByIdContext());
     
     Structure* structure = baseObject->structure(*vm);
     baseObject->putDirect(exec->vm(), ident, value, slot);
@@ -489,7 +493,7 @@
     if (accessType != static_cast<AccessType>(stubInfo->accessType))
         return;
     
-    if (stubInfo->considerCaching(structure))
+    if (stubInfo->considerCaching(codeBlock, structure))
         repatchPutByID(exec, baseObject, structure, ident, slot, *stubInfo, Direct);
 }
 
@@ -612,7 +616,7 @@
                 ConcurrentJSLocker locker(codeBlock->m_lock);
                 byValInfo->arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
 
-                JIT::compilePutByVal(&vm, exec->codeBlock(), byValInfo, returnAddress, arrayMode);
+                JIT::compilePutByVal(&vm, codeBlock, byValInfo, returnAddress, arrayMode);
                 optimizationResult = OptimizationResult::Optimized;
             }
         }
@@ -696,7 +700,7 @@
                 ConcurrentJSLocker locker(codeBlock->m_lock);
                 byValInfo->arrayProfile->computeUpdatedPrediction(locker, codeBlock, structure);
 
-                JIT::compileDirectPutByVal(&vm, exec->codeBlock(), byValInfo, returnAddress, arrayMode);
+                JIT::compileDirectPutByVal(&vm, codeBlock, byValInfo, returnAddress, arrayMode);
                 optimizationResult = OptimizationResult::Optimized;
             }
         }
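Review bot: The GetById and In call sites (the first three hunks) evaluate `exec->codeBlock()` inline inside the `considerCaching(...)` condition, while every PutById hunk hoists it into a `CodeBlock* codeBlock` local first; within one commit the two styles read as inconsistent. Hoisting is the better form, since the PutById functions already use the local twice (`putByIdContext()` and `considerCaching`), so I would apply the same `CodeBlock* codeBlock = exec->codeBlock();` pattern to the GetById and In operations, e.g. `if (stubInfo->considerCaching(codeBlock, baseValue.structureOrNull()) && …`. The last two hunks replace `exec->codeBlock()` with a `codeBlock` local that is visibly in scope from the `codeBlock->m_lock` line above, so those are consistent with that pattern; the enclosing functions of all these hunks start and end outside the shown lines.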