Title: [240917] trunk/Source/_javascript_Core
Revision
240917
Author
mark....@apple.com
Date
2019-02-04 00:15:46 -0800 (Mon, 04 Feb 2019)

Log Message

DFG's doesGC() is incorrect about the SameValue node's behavior.
https://bugs.webkit.org/show_bug.cgi?id=194211
<rdar://problem/47608913>

Reviewed by Saam Barati.

Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
it calls operationSameValue() which may allocate memory for resolving ropes.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (240916 => 240917)


--- trunk/Source/_javascript_Core/ChangeLog	2019-02-04 07:49:33 UTC (rev 240916)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-02-04 08:15:46 UTC (rev 240917)
@@ -1,3 +1,17 @@
+2019-02-04  Mark Lam  <mark....@apple.com>
+
+        DFG's doesGC() is incorrect about the SameValue node's behavior.
+        https://bugs.webkit.org/show_bug.cgi?id=194211
+        <rdar://problem/47608913>
+
+        Reviewed by Saam Barati.
+
+        Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
+        it calls operationSameValue() which may allocate memory for resolving ropes.
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+
 2019-02-03  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] UnlinkedMetadataTable assumes that MetadataTable is destroyed before it is destructed, but order of destruction of JS heap cells are not guaranteed

Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp (240916 => 240917)


--- trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2019-02-04 07:49:33 UTC (rev 240916)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2019-02-04 08:15:46 UTC (rev 240917)
@@ -155,7 +155,6 @@
     case CompareEq:
     case CompareStrictEq:
     case CompareEqPtr:
-    case SameValue:
     case Call:
     case DirectCall:
     case TailCallInlinedCaller:
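Review bot: Dropping SameValue from this no-GC bucket is only half the story; the cases left around it (CompareEq, CompareStrictEq, CompareEqPtr) were sorted here by the same kind of reasoning, and the ChangeLog says the non-DoubleRepUse SameValue path GCs because its runtime call may allocate while resolving ropes. Nothing in this diff shows whether any of those neighbouring comparison nodes has a slow path with the same property, so it is worth confirming them in the same pass, or stating in the ChangeLog that they were checked.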
@@ -413,6 +412,11 @@
     case MultiPutByOffset:
         return node->multiPutByOffsetData().reallocatesStorage();
 
+    case SameValue:
+        if (node->isBinaryUseKind(DoubleRepUse))
+            return false;
+        return true;
+
     case LastNodeType:
         RELEASE_ASSERT_NOT_REACHED();
         return true;
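Review bot: The new SameValue case gives no hint why DoubleRepUse is the only GC-free use kind, and this file is exactly where someone changing the node's lowering will look first; a one-line comment carrying the ChangeLog's rationale (every other use kind goes through operationSameValue(), which may allocate while resolving ropes) would stop the case from being "simplified" back to `return false` later. The if/return pair can also collapse to `return !node->isBinaryUseKind(DoubleRepUse);`, matching the single-expression style of the MultiPutByOffset case just above it.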
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
