Skip to site navigation (Press enter)

[webkit-changes] [255539] trunk/Source/JavaScriptCore

sbarati Fri, 31 Jan 2020 18:11:03 -0800

Title: [255539] trunk/Source/_javascript_Core

Revision: 255539
Author: sbar...@apple.com
Date: 2020-01-31 18:09:42 -0800 (Fri, 31 Jan 2020)

Log Message

GetButterfly should check if the input value is an object in safe to execute
https://bugs.webkit.org/show_bug.cgi?id=207082


Reviewed by Mark Lam.

We can only hoist GetButterfly when we know the incoming value is an object.
We might want to reconsider making GetButterfly use ObjectUse as its edge
kind, but that's out of the scope of this patch. Currently, we use CellUse
for GetButterfly node's child1.

* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (255538 => 255539)


--- trunk/Source/_javascript_Core/ChangeLog	2020-02-01 01:47:42 UTC (rev 255538)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-02-01 02:09:42 UTC (rev 255539)
@@ -1,5 +1,20 @@
 2020-01-31  Saam Barati  <sbar...@apple.com>
 
+        GetButterfly should check if the input value is an object in safe to execute
+        https://bugs.webkit.org/show_bug.cgi?id=207082
+
+        Reviewed by Mark Lam.
+
+        We can only hoist GetButterfly when we know the incoming value is an object.
+        We might want to reconsider making GetButterfly use ObjectUse as its edge
+        kind, but that's out of the scope of this patch. Currently, we use CellUse
+        for GetButterfly node's child1.
+
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+
+2020-01-31  Saam Barati  <sbar...@apple.com>
+
         safe to execute should return false when we know code won't be moved
         https://bugs.webkit.org/show_bug.cgi?id=207074

Modified: trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h (255538 => 255539)


--- trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2020-02-01 01:47:42 UTC (rev 255538)
+++ trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2020-02-01 02:09:42 UTC (rev 255539)
@@ -229,7 +229,6 @@
     case CheckStructure:
     case CheckStructureOrEmpty:
     case GetExecutable:
-    case GetButterfly:
     case CallDOMGetter:
     case CallDOM:
     case CheckSubClass:
@@ -321,6 +320,9 @@
     case DataViewGetFloat:
         return true;
 
+    case GetButterfly:
+        return state.forNode(node->child1()).isType(SpecObject);
+
     case ArraySlice:
     case ArrayIndexOf: {
         // You could plausibly move this code around as long as you proved the

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes