Title: [214754] releases/WebKitGTK/webkit-2.16/Source/_javascript_Core
Revision: 214754
Author: carlo...@webkit.org
Date: 2017-04-03 02:59:48 -0700 (Mon, 03 Apr 2017)

Log Message

Merge r214040 - Unreviewed, fix numParameter() - 1 OSRExit materialization
https://bugs.webkit.org/show_bug.cgi?id=164582

When materializing rest parameters, we rely on numParameter() - 1 being equal to
the numberOfArgumentsToSkip. But this assumption is broken in r214029.

* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* bytecode/CodeBlock.h:
(JSC::CodeBlock::numberOfArgumentsToSkip):
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (214753 => 214754)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-04-03 09:59:33 UTC (rev 214753)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-04-03 09:59:48 UTC (rev 214754)
@@ -1,3 +1,18 @@
+2017-03-16  Yusuke Suzuki  <utatane....@gmail.com>
+
+        Unreviewed, fix numParameter() - 1 OSRExit materialization
+        https://bugs.webkit.org/show_bug.cgi?id=164582
+
+        When materializing rest parameters, we rely on that numParameter() - 1 equals to
+        the numberOfArgumentsToSkip. But this assumption is broken in r214029.
+
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::finishCreation):
+        * bytecode/CodeBlock.h:
+        (JSC::CodeBlock::numberOfArgumentsToSkip):
+        * ftl/FTLOperations.cpp:
+        (JSC::FTL::operationMaterializeObjectInOSR):
+
 2017-03-15  Yusuke Suzuki  <utatane....@gmail.com>
 
         [JSC] Default parameter part should be retrieved by op_get_argument opcode instead of changing arity

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/bytecode/CodeBlock.cpp (214753 => 214754)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/bytecode/CodeBlock.cpp	2017-04-03 09:59:33 UTC (rev 214753)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/bytecode/CodeBlock.cpp	2017-04-03 09:59:48 UTC (rev 214754)
@@ -2327,7 +2327,8 @@
         case op_create_rest: {
             int numberOfArgumentsToSkip = instructions[i + 3].u.operand;
             ASSERT_UNUSED(numberOfArgumentsToSkip, numberOfArgumentsToSkip >= 0);
-            ASSERT_WITH_MESSAGE(numberOfArgumentsToSkip == numParameters() - 1, "We assume that this is true when rematerializing the rest parameter during OSR exit in the FTL JIT.");
+            // This is used when rematerializing the rest parameter during OSR exit in the FTL JIT.");
+            m_numberOfArgumentsToSkip = numberOfArgumentsToSkip;
             break;
         }
 
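Review bot: the new comment in the `op_create_rest` case ends with a stray `");`, left over from the string argument of the removed `ASSERT_WITH_MESSAGE`; trim it to `// This is used when rematerializing the rest parameter during OSR exit in the FTL JIT.` Also, with the old assert gone, the plain store `m_numberOfArgumentsToSkip = numberOfArgumentsToSkip;` would silently overwrite an earlier value if the instruction stream ever contained more than one `op_create_rest`; an `ASSERT(!m_numberOfArgumentsToSkip || m_numberOfArgumentsToSkip == numberOfArgumentsToSkip)` would keep the one-rest-parameter-per-CodeBlock assumption visible here.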

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/bytecode/CodeBlock.h (214753 => 214754)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/bytecode/CodeBlock.h	2017-04-03 09:59:33 UTC (rev 214753)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/bytecode/CodeBlock.h	2017-04-03 09:59:48 UTC (rev 214754)
@@ -143,6 +143,8 @@
     int numParameters() const { return m_numParameters; }
     void setNumParameters(int newValue);
 
+    int numberOfArgumentsToSkip() const { return m_numberOfArgumentsToSkip; }
+
     int numCalleeLocals() const { return m_numCalleeLocals; }
 
     int* addressOfNumParameters() { return &m_numParameters; }
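Review bot: `numberOfArgumentsToSkip()` returns `int` while both call sites in FTLOperations.cpp store the result in an `unsigned`, so the conversion relies on the debug-only `numberOfArgumentsToSkip >= 0` assert in `CodeBlock::finishCreation`. Consider returning `unsigned`, or at least a one-line comment above the accessor stating that the value is only meaningful for code blocks containing an `op_create_rest` and is 0 otherwise.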
@@ -968,6 +970,7 @@
 
     WriteBarrier<UnlinkedCodeBlock> m_unlinkedCode;
     int m_numParameters;
+    int m_numberOfArgumentsToSkip { 0 };
     union {
         unsigned m_debuggerRequests;
         struct {

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ftl/FTLOperations.cpp (214753 => 214754)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ftl/FTLOperations.cpp	2017-04-03 09:59:33 UTC (rev 214753)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ftl/FTLOperations.cpp	2017-04-03 09:59:48 UTC (rev 214754)
@@ -264,7 +264,7 @@
                 CodeBlock* codeBlock = baselineCodeBlockForOriginAndBaselineCodeBlock(
                     materialization->origin(), exec->codeBlock());
 
-                unsigned numberOfArgumentsToSkip = codeBlock->numParameters() - 1;
+                unsigned numberOfArgumentsToSkip = codeBlock->numberOfArgumentsToSkip();
                 JSGlobalObject* globalObject = codeBlock->globalObject();
                 Structure* structure = globalObject->restParameterStructure();
                 JSValue* argumentsToCopyRegion = exec->addressOfArgumentsStart() + numberOfArgumentsToSkip;
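Review bot: `argumentsToCopyRegion` is now offset from `exec->addressOfArgumentsStart()` by a per-CodeBlock value instead of `numParameters() - 1`, but the hunk does not show how the element count for the copy is derived. Please confirm that the lines below still clamp the count to zero when the caller passed fewer arguments than `numberOfArgumentsToSkip`; otherwise the rest-array materialization would read stack slots past the actual arguments.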
@@ -358,7 +358,7 @@
             return result;
         }
         case PhantomCreateRest: {
-            unsigned numberOfArgumentsToSkip = codeBlock->numParameters() - 1;
+            unsigned numberOfArgumentsToSkip = codeBlock->numberOfArgumentsToSkip();
             JSGlobalObject* globalObject = codeBlock->globalObject();
             Structure* structure = globalObject->restParameterStructure();
             ASSERT(argumentCount > 0);
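Review bot: `ASSERT(argumentCount > 0)` checks only that at least one argument was passed, not that `argumentCount >= numberOfArgumentsToSkip`; since the skip count no longer derives from `numParameters()`, asserting that relation here would make the invariant explicit. This `PhantomCreateRest` case and the hunk above also repeat the same three lines (skip count, `globalObject`, `restParameterStructure()`), which could be hoisted into a small helper so future fixes land in one place.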
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes