Skip to site navigation (Press enter)

[webkit-changes] [241944] releases/WebKitGTK/webkit-2.22/Source/JavaScriptCore

aperez Fri, 22 Feb 2019 05:44:35 -0800

Title: [241944] releases/WebKitGTK/webkit-2.22/Source/_javascript_Core

Revision: 241944
Author: [email protected]
Date: 2019-02-22 05:43:10 -0800 (Fri, 22 Feb 2019)

Log Message

Merged r241753 - Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
https://bugs.webkit.org/show_bug.cgi?id=194800
<rdar://problem/48183773>


Reviewed by Yusuke Suzuki.

Fix doesGC() for the following nodes:

    CompareEq:
    CompareLess:
    CompareLessEq:
    CompareGreater:
    CompareGreaterEq:
    CompareStrictEq:
        Only return false (i.e. does not GC) for child node use kinds that have
        been vetted to not do anything that can GC.  For all other use kinds
        (including StringUse and BigIntUse), we return true (i.e. does GC).

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):

Modified Paths

releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog
releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGDoesGC.cpp

Diff

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (241943 => 241944)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2019-02-22 13:35:04 UTC (rev 241943)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2019-02-22 13:43:10 UTC (rev 241944)
@@ -1,3 +1,26 @@
+2019-02-18  Mark Lam  <[email protected]>
+
+        Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq and CompareStrictEq nodes.
+        https://bugs.webkit.org/show_bug.cgi?id=194800
+        <rdar://problem/48183773>
+
+        Reviewed by Yusuke Suzuki.
+
+        Fix doesGC() for the following nodes:
+
+            CompareEq:
+            CompareLess:
+            CompareLessEq:
+            CompareGreater:
+            CompareGreaterEq:
+            CompareStrictEq:
+                Only return false (i.e. does not GC) for child node use kinds that have
+                been vetted to not do anything that can GC.  For all other use kinds
+                (including StringUse and BigIntUse), we return true (i.e. does GC).
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+
 2019-01-09  Mark Lam  <[email protected]>
 
         Gigacage disabling checks should handle the GIGACAGE_ALLOCATION_CAN_FAIL case properly.

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGDoesGC.cpp (241943 => 241944)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2019-02-22 13:35:04 UTC (rev 241943)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2019-02-22 13:43:10 UTC (rev 241944)
@@ -146,14 +146,8 @@
     case RegExpTest:
     case RegExpMatchFast:
     case RegExpMatchFastGlobal:
-    case CompareLess:
-    case CompareLessEq:
-    case CompareGreater:
-    case CompareGreaterEq:
     case CompareBelow:
     case CompareBelowEq:
-    case CompareEq:
-    case CompareStrictEq:
     case CompareEqPtr:
     case SameValue:
     case Call:
@@ -374,6 +368,46 @@
     case MapSet:
         return true;
 
+    case CompareEq:
+    case CompareLess:
+    case CompareLessEq:
+    case CompareGreater:
+    case CompareGreaterEq:
+        if (node->isBinaryUseKind(Int32Use)
+#if USE(JSVALUE64)
+            || node->isBinaryUseKind(Int52RepUse)
+#endif
+            || node->isBinaryUseKind(DoubleRepUse)
+            || node->isBinaryUseKind(StringIdentUse)
+            )
+            return false;
+        if (node->op() == CompareEq) {
+            if (node->isBinaryUseKind(BooleanUse)
+                || node->isBinaryUseKind(SymbolUse)
+                || node->isBinaryUseKind(ObjectUse)
+                || node->isBinaryUseKind(ObjectUse, ObjectOrOtherUse) || node->isBinaryUseKind(ObjectOrOtherUse, ObjectUse))
+                return false;
+        }
+        return true;
+
+    case CompareStrictEq:
+        if (node->isBinaryUseKind(BooleanUse)
+            || node->isBinaryUseKind(Int32Use)
+#if USE(JSVALUE64)
+            || node->isBinaryUseKind(Int52RepUse)
+#endif
+            || node->isBinaryUseKind(DoubleRepUse)
+            || node->isBinaryUseKind(SymbolUse)
+            || node->isBinaryUseKind(SymbolUse, UntypedUse)
+            || node->isBinaryUseKind(UntypedUse, SymbolUse)
+            || node->isBinaryUseKind(StringIdentUse)
+            || node->isBinaryUseKind(ObjectUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, ObjectUse)
+            || node->isBinaryUseKind(ObjectUse)
+            || node->isBinaryUseKind(MiscUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, MiscUse)
+            || node->isBinaryUseKind(StringIdentUse, NotStringVarUse) || node->isBinaryUseKind(NotStringVarUse, StringIdentUse))
+            return false;
+        return true;
+
     case GetIndexedPropertyStorage:
         if (node->arrayMode().type() == Array::String)
             return true;

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes