Skip to site navigation (Press enter)

[webkit-changes] [217944] trunk

fpizlo Thu, 08 Jun 2017 13:09:06 -0700

Title: [217944] trunk

Revision: 217944
Author: [email protected]
Date: 2017-06-08 13:08:24 -0700 (Thu, 08 Jun 2017)

Log Message

REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
https://bugs.webkit.org/show_bug.cgi?id=161156


Reviewed by Saam Barati.
        
Source/_javascript_Core:

Since LLInt does not register impure property watchpoints for self property accesses, it
shouldn't try to cache accesses that require a watchpoint.
        
This manifested as a flaky failure because the test would fire the watchpoint after we had
usually already tiered up. Without concurrent JIT, we would have always tiered up before
getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
also adds a test that deterministically failed in LLInt without this change; it does so by just
running a lot shorter.

* llint/LLIntSlowPaths.cpp:
(JSC::LLInt::LLINT_SLOW_PATH_DECL):

LayoutTests:

Add a version of the test that's guaranteed to fail if the problem it's testing for manifests
in the LLInt.

* js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5-short.html: Added.

Modified Paths

trunk/LayoutTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp

Added Paths

trunk/LayoutTests/js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5-short.html

Diff

Modified: trunk/LayoutTests/ChangeLog (217943 => 217944)


--- trunk/LayoutTests/ChangeLog	2017-06-08 20:06:44 UTC (rev 217943)
+++ trunk/LayoutTests/ChangeLog	2017-06-08 20:08:24 UTC (rev 217944)
@@ -1,3 +1,15 @@
+2017-06-08  Filip Pizlo  <[email protected]>
+
+        REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
+        https://bugs.webkit.org/show_bug.cgi?id=161156
+
+        Reviewed by Saam Barati.
+        
+        Add a version of the test that's guaranteed to fail if the problem it's testing for manifests
+        in the LLInt.
+
+        * js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5-short.html: Added.
+
 2017-06-07  Dave Hyatt  <[email protected]>
 
         Laili restaurant menu page does not display full menu

Added: trunk/LayoutTests/js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5-short.html (0 => 217944)


--- trunk/LayoutTests/js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5-short.html	                        (rev 0)
+++ trunk/LayoutTests/js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5-short.html	2017-06-08 20:08:24 UTC (rev 217944)
@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+<body>
+<script src=""
+<script>
+
+description("Tests what happens when you make prototype chain accesses with impure GetOwnPropertySlot traps in the way.");
+
+document.foo = function () {};
+
+function f() {
+    return document.foo;
+}
+
+var expected = "\"function\"";
+for (var i = 0; i < 10; ++i) {
+    if (i == 5) {
+        var img = new Image();
+        img.name = "foo";
+        document.body.appendChild(img);
+        expected = "\"object\"";
+    }
+    v = f();
+    shouldBe("typeof f()", expected);
+}
+
+</script>
+<script src=""
+</body>
+</html>

Modified: trunk/Source/_javascript_Core/ChangeLog (217943 => 217944)


--- trunk/Source/_javascript_Core/ChangeLog	2017-06-08 20:06:44 UTC (rev 217943)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-06-08 20:08:24 UTC (rev 217944)
@@ -1,3 +1,22 @@
+2017-06-08  Filip Pizlo  <[email protected]>
+
+        REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
+        https://bugs.webkit.org/show_bug.cgi?id=161156
+
+        Reviewed by Saam Barati.
+        
+        Since LLInt does not register impure property watchpoints for self property accesses, it
+        shouldn't try to cache accesses that require a watchpoint.
+        
+        This manifested as a flaky failure because the test would fire the watchpoint after we had
+        usually already tiered up. Without concurrent JIT, we would have always tiered up before
+        getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
+        also adds a test that deterministically failed in LLInt without this change; it does so by just
+        running a lot shorter.
+
+        * llint/LLIntSlowPaths.cpp:
+        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
+
 2017-06-08  Keith Miller  <[email protected]>
 
         WebAssembly: We should only create wrappers for functions that can be exported

Modified: trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp (217943 => 217944)


--- trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2017-06-08 20:06:44 UTC (rev 217943)
+++ trunk/Source/_javascript_Core/llint/LLIntSlowPaths.cpp	2017-06-08 20:08:24 UTC (rev 217944)
@@ -673,7 +673,8 @@
             // Prevent the prototype cache from ever happening.
             pc[7].u.operand = 0;
         
-            if (structure->propertyAccessesAreCacheable()) {
+            if (structure->propertyAccessesAreCacheable()
+                && !structure->needImpurePropertyWatchpoint()) {
                 vm.heap.writeBarrier(codeBlock);
                 
                 ConcurrentJSLocker locker(codeBlock->m_lock);

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes