Diff
Modified: trunk/Source/_javascript_Core/CMakeLists.txt (258343 => 258344)
--- trunk/Source/_javascript_Core/CMakeLists.txt 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/CMakeLists.txt 2020-03-12 18:33:40 UTC (rev 258344)
@@ -488,7 +488,6 @@
bytecode/ArrayAllocationProfile.h
bytecode/ArrayProfile.h
- bytecode/ByValInfo.h
bytecode/BytecodeConventions.h
bytecode/BytecodeIndex.h
bytecode/BytecodeIntrinsicRegistry.h
Modified: trunk/Source/_javascript_Core/ChangeLog (258343 => 258344)
--- trunk/Source/_javascript_Core/ChangeLog 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-03-12 18:33:40 UTC (rev 258344)
@@ -1,3 +1,39 @@
+2020-03-12 Yusuke Suzuki <[email protected]>
+
+ [JSC] Use CacheableIdentifier in ByValInfo
+ https://bugs.webkit.org/show_bug.cgi?id=208978
+
+ Reviewed by Saam Barati.
+
+ CodeBlock::finalizeUnconditionally discards JITData. And this includes ByValInfo, which holds Identifier.
+ However, finalizeUnconditionally is only guaranteeing that the main thread is not working. It can be invoked
+ in the heap thread, and it is not not setting the AtomStringTable for this heap thread. If Identifier destroys
+ AtomStringImpl, which fails to unregister itself from the table.
+
+ In this patch,
+
+ 1. We explicitly set nullptr for the current AtomStringTable to catch the bug as soon as possible in GC end phase.
+ 2. We use CacheableIdentifier in ByValInfo to avoid destroying Identifier in CodeBlock::finalizeUnconditionally.
+
+ * CMakeLists.txt:
+ * _javascript_Core.xcodeproj/project.pbxproj:
+ * Sources.txt:
+ * bytecode/ByValInfo.cpp: Added.
+ (JSC::ByValInfo::visitAggregate):
+ * bytecode/ByValInfo.h:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::stronglyVisitStrongReferences):
+ * bytecode/CodeBlock.h:
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::handlePutByVal):
+ * heap/Heap.cpp:
+ (JSC::Heap::runEndPhase):
+ * jit/JIT.h:
+ * jit/JITOperations.cpp:
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::emitByValIdentifierCheck):
+ * runtime/CacheableIdentifier.h:
+
2020-03-11 Keith Miller <[email protected]>
Test262-runner should always consider crashes as new failures
Modified: trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj (258343 => 258344)
--- trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj 2020-03-12 18:33:40 UTC (rev 258344)
@@ -456,7 +456,7 @@
0F7DF13C1E2971130095951B /* JSDestructibleObjectHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF13A1E29710E0095951B /* JSDestructibleObjectHeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F7DF1461E2BEF6A0095951B /* BlockDirectoryInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF1451E2BEF680095951B /* BlockDirectoryInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F7F988C1D9596C800F4F12E /* DFGStoreBarrierClusteringPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7F988A1D9596C300F4F12E /* DFGStoreBarrierClusteringPhase.h */; };
- 0F8023EA1613832B00A0BA45 /* ByValInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8023E91613832300A0BA45 /* ByValInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
+ 0F8023EA1613832B00A0BA45 /* ByValInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8023E91613832300A0BA45 /* ByValInfo.h */; };
0F8335B81639C1EA001443B5 /* ArrayAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8335B51639C1E3001443B5 /* ArrayAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
0F8364B7164B0C110053329A /* DFGBranchDirection.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8364B5164B0C0E0053329A /* DFGBranchDirection.h */; };
0F86A26F1D6F7B3300CB0C92 /* GCTypeMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F86A26E1D6F7B3100CB0C92 /* GCTypeMap.h */; };
@@ -4951,6 +4951,7 @@
E355D38E2244686C008F1AD6 /* GlobalExecutable.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = GlobalExecutable.cpp; sourceTree = "<group>"; };
E356987122841183008CDCCB /* PackedCellPtr.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = PackedCellPtr.h; sourceTree = "<group>"; };
E35A0B9C220AD87A00AC4474 /* ExecutableBaseInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExecutableBaseInlines.h; sourceTree = "<group>"; };
+ E35BA2C0241A0E8C00B67086 /* ByValInfo.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = ByValInfo.cpp; sourceTree = "<group>"; };
E35CA14F1DBC3A5600F83516 /* DOMJITAbstractHeap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITAbstractHeap.cpp; sourceTree = "<group>"; };
E35CA1501DBC3A5600F83516 /* DOMJITAbstractHeap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITAbstractHeap.h; sourceTree = "<group>"; };
E35CA1511DBC3A5600F83516 /* DOMJITHeapRange.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITHeapRange.cpp; sourceTree = "<group>"; };
@@ -8208,6 +8209,7 @@
E3D264291D38C042000BE174 /* BytecodeRewriter.cpp */,
E3D2642A1D38C042000BE174 /* BytecodeRewriter.h */,
0F885E101849A3BE00F1E3FA /* BytecodeUseDef.h */,
+ E35BA2C0241A0E8C00B67086 /* ByValInfo.cpp */,
0F8023E91613832300A0BA45 /* ByValInfo.h */,
0F64B2771A7957B2006E4E66 /* CallEdge.cpp */,
0F64B2781A7957B2006E4E66 /* CallEdge.h */,
Modified: trunk/Source/_javascript_Core/Sources.txt (258343 => 258344)
--- trunk/Source/_javascript_Core/Sources.txt 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/Sources.txt 2020-03-12 18:33:40 UTC (rev 258344)
@@ -195,6 +195,7 @@
bytecode/ArithProfile.cpp
bytecode/ArrayAllocationProfile.cpp
bytecode/ArrayProfile.cpp
+bytecode/ByValInfo.cpp
bytecode/BytecodeBasicBlock.cpp
bytecode/BytecodeDumper.cpp
bytecode/BytecodeGeneratorification.cpp
Added: trunk/Source/_javascript_Core/bytecode/ByValInfo.cpp (0 => 258344)
--- trunk/Source/_javascript_Core/bytecode/ByValInfo.cpp (rev 0)
+++ trunk/Source/_javascript_Core/bytecode/ByValInfo.cpp 2020-03-12 18:33:40 UTC (rev 258344)
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ByValInfo.h"
+
+#include "CacheableIdentifierInlines.h"
+#include "JSCInlines.h"
+
+namespace JSC {
+
+#if ENABLE(JIT)
+
+void ByValInfo::visitAggregate(SlotVisitor& visitor)
+{
+ cachedId.visitAggregate(visitor);
+}
+
+#endif // ENABLE(JIT)
+
+} // namespace JSC
Modified: trunk/Source/_javascript_Core/bytecode/ByValInfo.h (258343 => 258344)
--- trunk/Source/_javascript_Core/bytecode/ByValInfo.h 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/bytecode/ByValInfo.h 2020-03-12 18:33:40 UTC (rev 258344)
@@ -25,6 +25,7 @@
#pragma once
+#include "CacheableIdentifier.h"
#include "ClassInfo.h"
#include "CodeLocation.h"
#include "IndexingType.h"
@@ -37,6 +38,7 @@
#if ENABLE(JIT)
+class ArrayProfile;
class StructureStubInfo;
enum JITArrayMode : uint8_t {
@@ -242,6 +244,8 @@
{
}
+ void visitAggregate(SlotVisitor&);
+
CodeLocationJump<JSInternalPtrTag> notIndexJump;
CodeLocationJump<JSInternalPtrTag> badTypeJump;
CodeLocationLabel<ExceptionHandlerPtrTag> exceptionHandler;
@@ -252,8 +256,7 @@
BytecodeIndex bytecodeIndex;
unsigned slowPathCount;
RefPtr<JITStubRoutine> stubRoutine;
- Identifier cachedId;
- WriteBarrier<Symbol> cachedSymbol;
+ CacheableIdentifier cachedId; // Once we set cachedId, we must not change the value. JIT code relies on that configured cachedId is marked and retained by CodeBlock through ByValInfo.
StructureStubInfo* stubInfo;
JITArrayMode arrayMode; // The array mode that was baked into the inline JIT code.
bool tookSlowPath : 1;
Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp (258343 => 258344)
--- trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.cpp 2020-03-12 18:33:40 UTC (rev 258344)
@@ -32,6 +32,7 @@
#include "ArithProfile.h"
#include "BasicBlockLocation.h"
+#include "ByValInfo.h"
#include "BytecodeDumper.h"
#include "BytecodeGenerator.h"
#include "BytecodeLivenessAnalysis.h"
@@ -1688,7 +1689,7 @@
#if ENABLE(JIT)
if (auto* jitData = m_jitData.get()) {
for (ByValInfo* byValInfo : jitData->m_byValInfos)
- visitor.append(byValInfo->cachedSymbol);
+ byValInfo->visitAggregate(visitor);
for (StructureStubInfo* stubInfo : jitData->m_stubInfos)
stubInfo->visitAggregate(visitor);
}
Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (258343 => 258344)
--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2020-03-12 18:33:40 UTC (rev 258344)
@@ -30,7 +30,6 @@
#pragma once
#include "ArrayProfile.h"
-#include "ByValInfo.h"
#include "BytecodeConventions.h"
#include "CallLinkInfo.h"
#include "CodeBlockHash.h"
@@ -95,6 +94,7 @@
class PCToCodeOriginMap;
class RegisterAtOffsetList;
class StructureStubInfo;
+struct ByValInfo;
DECLARE_ALLOCATOR_WITH_HEAP_IDENTIFIER(CodeBlockRareData);
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (258343 => 258344)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2020-03-12 18:33:40 UTC (rev 258344)
@@ -32,6 +32,7 @@
#include "ArrayConstructor.h"
#include "BasicBlockLocation.h"
#include "BuiltinNames.h"
+#include "ByValInfo.h"
#include "BytecodeGenerator.h"
#include "BytecodeUseDef.h"
#include "CacheableIdentifierInlines.h"
@@ -7576,13 +7577,15 @@
&& !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType)
&& !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCell)) {
compiledAsPutById = true;
- identifierNumber = m_graph.identifiers().ensure(byValInfo->cachedId.impl());
+ identifierNumber = m_graph.identifiers().ensure(byValInfo->cachedId.uid());
UniquedStringImpl* uid = m_graph.identifiers()[identifierNumber];
+ FrozenValue* frozen = nullptr;
+ if (byValInfo->cachedId.isCell())
+ frozen = m_graph.freezeStrong(byValInfo->cachedId.cell());
- if (Symbol* symbol = byValInfo->cachedSymbol.get()) {
- FrozenValue* frozen = m_graph.freezeStrong(symbol);
+ if (byValInfo->cachedId.isSymbolCell())
addToGraph(CheckCell, OpInfo(frozen), property);
- } else {
+ else {
ASSERT(!uid->isSymbol());
addToGraph(CheckIdent, OpInfo(uid), property);
}
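Review bot: `frozen` is created for every cell-backed `cachedId` but is only consumed on the `isSymbolCell()` path, so on the string path `freezeStrong` appears to be called purely for its keep-alive effect, and nothing in the code says so. A comment above it such as `// Freeze string cells as well: CheckIdent embeds the raw uid, which is only kept alive through the cell.` would stop a later cleanup from moving the call into the symbol branch. Because `frozen` starts as `nullptr`, an `ASSERT(frozen);` immediately before `addToGraph(CheckCell, ...)` would also document that `isSymbolCell()` implies the `isCell()` branch was taken. The enclosing condition and the rest of `handlePutByVal` start outside this hunk, so whether `cachedId` is guaranteed to be populated at this point cannot be confirmed from here.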
Modified: trunk/Source/_javascript_Core/heap/Heap.cpp (258343 => 258344)
--- trunk/Source/_javascript_Core/heap/Heap.cpp 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/heap/Heap.cpp 2020-03-12 18:33:40 UTC (rev 258344)
@@ -86,6 +86,7 @@
#include <wtf/ParallelVectorIterator.h>
#include <wtf/ProcessID.h>
#include <wtf/RAMSize.h>
+#include <wtf/Scope.h>
#include <wtf/SimpleStats.h>
#include <wtf/Threading.h>
@@ -1494,23 +1495,31 @@
updateObjectCounts();
endMarking();
-
+
if (UNLIKELY(m_verifier)) {
m_verifier->gatherLiveCells(HeapVerifier::Phase::AfterMarking);
m_verifier->verify(HeapVerifier::Phase::AfterMarking);
}
- if (vm().typeProfiler())
- vm().typeProfiler()->invalidateTypeSetCache(vm());
+ {
+ auto* previous = Thread::current().setCurrentAtomStringTable(nullptr);
+ auto scopeExit = makeScopeExit([&] {
+ Thread::current().setCurrentAtomStringTable(previous);
+ });
- m_structureIDTable.flushOldTables();
+ if (vm().typeProfiler())
+ vm().typeProfiler()->invalidateTypeSetCache(vm());
- reapWeakHandles();
- pruneStaleEntriesFromWeakGCMaps();
- sweepArrayBuffers();
- snapshotUnswept();
- finalizeUnconditionalFinalizers(); // We rely on these unconditional finalizers running before clearCurrentlyExecuting since CodeBlock's finalizer relies on querying currently executing.
- removeDeadCompilerWorklistEntries();
+ m_structureIDTable.flushOldTables();
+
+ reapWeakHandles();
+ pruneStaleEntriesFromWeakGCMaps();
+ sweepArrayBuffers();
+ snapshotUnswept();
+ finalizeUnconditionalFinalizers(); // We rely on these unconditional finalizers running before clearCurrentlyExecuting since CodeBlock's finalizer relies on querying currently executing.
+ removeDeadCompilerWorklistEntries();
+ }
+
notifyIncrementalSweeper();
m_codeBlocks->iterateCurrentlyExecuting(
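Review bot: The new scope clears the thread's current AtomStringTable without any comment, so the block reads like a mistake to anyone who has not seen the ChangeLog entry. Going by that entry, the intent is that an atom string destroyed during these finalization steps faults immediately instead of silently failing to unregister on the heap thread. A comment above `setCurrentAtomStringTable(nullptr)` such as `// No AtomStringTable is valid in this phase (it may run on the heap thread); null it so any atom string destruction traps here.` would record that. It is also worth confirming that none of the calls now inside the scope, for example `invalidateTypeSetCache` or `removeDeadCompilerWorklistEntries`, legitimately touches atom strings, since that would presumably become a null-table access in release builds. `runEndPhase` begins and ends outside this hunk.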
Modified: trunk/Source/_javascript_Core/jit/JIT.h (258343 => 258344)
--- trunk/Source/_javascript_Core/jit/JIT.h 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/jit/JIT.h 2020-03-12 18:33:40 UTC (rev 258344)
@@ -37,6 +37,7 @@
#define ASSERT_JIT_OFFSET(actual, expected) ASSERT_WITH_MESSAGE(actual == expected, "JIT Offset \"%s\" should be %d, not %d.\n", #expected, static_cast<int>(expected), static_cast<int>(actual));
+#include "ByValInfo.h"
#include "CodeBlock.h"
#include "CommonSlowPaths.h"
#include "JITDisassembler.h"
Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (258343 => 258344)
--- trunk/Source/_javascript_Core/jit/JITOperations.cpp 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp 2020-03-12 18:33:40 UTC (rev 258344)
@@ -678,11 +678,6 @@
repatchPutByID(globalObject, codeBlock, baseObject, structure, ident, slot, *stubInfo, Direct);
}
-ALWAYS_INLINE static bool isStringOrSymbol(JSValue value)
-{
- return value.isString() || value.isSymbol();
-}
-
static void putByVal(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, JSValue subscript, JSValue value, ByValInfo* byValInfo)
{
VM& vm = globalObject->vm();
@@ -716,7 +711,7 @@
// Don't put to an object if toString threw an exception.
RETURN_IF_EXCEPTION(scope, void());
- if (byValInfo->stubInfo && (!isStringOrSymbol(subscript) || byValInfo->cachedId != property))
+ if (byValInfo->stubInfo && (!CacheableIdentifier::isCacheableIdentifierCell(subscript) || byValInfo->cachedId.uid() != property))
byValInfo->tookSlowPath = true;
scope.release();
@@ -776,7 +771,7 @@
return;
}
- if (byValInfo->stubInfo && (!isStringOrSymbol(subscript) || byValInfo->cachedId != property))
+ if (byValInfo->stubInfo && (!CacheableIdentifier::isCacheableIdentifierCell(subscript) || byValInfo->cachedId.uid() != property))
byValInfo->tookSlowPath = true;
scope.release();
@@ -827,7 +822,7 @@
optimizationResult = OptimizationResult::GiveUp;
}
- if (baseValue.isObject() && isStringOrSymbol(subscript)) {
+ if (baseValue.isObject() && CacheableIdentifier::isCacheableIdentifierCell(subscript)) {
const Identifier propertyName = subscript.toPropertyKey(globalObject);
RETURN_IF_EXCEPTION(scope, OptimizationResult::GiveUp);
if (subscript.isSymbol() || !parseIndex(propertyName)) {
@@ -834,7 +829,7 @@
ASSERT(callFrame->bytecodeIndex() != BytecodeIndex(0));
ASSERT(!byValInfo->stubRoutine);
if (byValInfo->seen) {
- if (byValInfo->cachedId == propertyName) {
+ if (byValInfo->cachedId.uid() == propertyName) {
JIT::compilePutByValWithCachedId<OpPutByVal>(vm, codeBlock, byValInfo, returnAddress, NotDirect, propertyName);
optimizationResult = OptimizationResult::Optimized;
} else {
@@ -842,12 +837,13 @@
optimizationResult = OptimizationResult::GiveUp;
}
} else {
- ConcurrentJSLocker locker(codeBlock->m_lock);
- byValInfo->seen = true;
- byValInfo->cachedId = propertyName;
- if (subscript.isSymbol())
- byValInfo->cachedSymbol.set(vm, codeBlock, asSymbol(subscript));
- optimizationResult = OptimizationResult::SeenOnce;
+ {
+ ConcurrentJSLocker locker(codeBlock->m_lock);
+ byValInfo->seen = true;
+ byValInfo->cachedId = CacheableIdentifier::createFromCell(subscript.asCell());
+ optimizationResult = OptimizationResult::SeenOnce;
+ }
+ vm.heap.writeBarrier(codeBlock, subscript.asCell());
}
}
}
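Review bot: The write to `byValInfo->cachedId` relies only on the `seen` flag to uphold the rule stated in ByValInfo.h that `cachedId` must not change once set, and nothing checks that at the assignment itself. The baseline JIT embeds `cachedId.cell()` / `cachedId.uid()` as immediates, so a second assignment would leave compiled code comparing against a value the CodeBlock no longer marks. Adding `ASSERT(!byValInfo->cachedId);` just before the assignment (assuming CacheableIdentifier's boolean conversion reports the empty state) would surface that in debug builds. The barrier issued after the lock scope also deserves a one-line comment, e.g. `// codeBlock now references the cell through ByValInfo; barrier is issued outside the lock.` The same block is repeated in the direct-put hunk below (`@@ -931,12 +927,13 @@`) and the note applies there as well; the enclosing function starts and ends outside this hunk.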
@@ -916,7 +912,7 @@
// If we failed to patch and we have some object that intercepts indexed get, then don't even wait until 10 times.
if (optimizationResult != OptimizationResult::Optimized && object->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero())
optimizationResult = OptimizationResult::GiveUp;
- } else if (isStringOrSymbol(subscript)) {
+ } else if (CacheableIdentifier::isCacheableIdentifierCell(subscript)) {
const Identifier propertyName = subscript.toPropertyKey(globalObject);
RETURN_IF_EXCEPTION(scope, OptimizationResult::GiveUp);
if (subscript.isSymbol() || !parseIndex(propertyName)) {
@@ -923,7 +919,7 @@
ASSERT(callFrame->bytecodeIndex() != BytecodeIndex(0));
ASSERT(!byValInfo->stubRoutine);
if (byValInfo->seen) {
- if (byValInfo->cachedId == propertyName) {
+ if (byValInfo->cachedId.uid() == propertyName) {
JIT::compilePutByValWithCachedId<OpPutByValDirect>(vm, codeBlock, byValInfo, returnAddress, Direct, propertyName);
optimizationResult = OptimizationResult::Optimized;
} else {
@@ -931,12 +927,13 @@
optimizationResult = OptimizationResult::GiveUp;
}
} else {
- ConcurrentJSLocker locker(codeBlock->m_lock);
- byValInfo->seen = true;
- byValInfo->cachedId = propertyName;
- if (subscript.isSymbol())
- byValInfo->cachedSymbol.set(vm, codeBlock, asSymbol(subscript));
- optimizationResult = OptimizationResult::SeenOnce;
+ {
+ ConcurrentJSLocker locker(codeBlock->m_lock);
+ byValInfo->seen = true;
+ byValInfo->cachedId = CacheableIdentifier::createFromCell(subscript.asCell());
+ optimizationResult = OptimizationResult::SeenOnce;
+ }
+ vm.heap.writeBarrier(codeBlock, subscript.asCell());
}
}
}
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (258343 => 258344)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2020-03-12 18:33:40 UTC (rev 258344)
@@ -1285,14 +1285,14 @@
ownerIsRememberedOrInEden.link(this);
}
-void JIT::emitByValIdentifierCheck(ByValInfo* byValInfo, RegisterID cell, RegisterID scratch, const Identifier& propertyName, JumpList& slowCases)
+void JIT::emitByValIdentifierCheck(ByValInfo* byValInfo, RegisterID cell, RegisterID scratch, const Identifier&, JumpList& slowCases)
{
- if (propertyName.isSymbol())
- slowCases.append(branchPtr(NotEqual, cell, TrustedImmPtr(byValInfo->cachedSymbol.get())));
+ if (byValInfo->cachedId.isSymbolCell())
+ slowCases.append(branchPtr(NotEqual, cell, TrustedImmPtr(byValInfo->cachedId.cell())));
else {
slowCases.append(branchIfNotString(cell));
loadPtr(Address(cell, JSString::offsetOfValue()), scratch);
- slowCases.append(branchPtr(NotEqual, scratch, TrustedImmPtr(propertyName.impl())));
+ slowCases.append(branchPtr(NotEqual, scratch, TrustedImmPtr(byValInfo->cachedId.uid())));
}
}
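Review bot: `emitByValIdentifierCheck` now ignores its `const Identifier&` argument and emits the comparison against `byValInfo->cachedId`, while callers must still pass a property name, so nothing ties the name the stub was compiled for to the pointer baked into the check. Keeping the parameter named and adding `ASSERT(byValInfo->cachedId.uid() == propertyName.impl());` at the top would catch a mismatch in debug builds; otherwise the parameter could be dropped from the signature and its call sites. The `TrustedImmPtr` operands are raw pointers to a GC cell or a string impl, so a short comment stating that they stay valid only because the CodeBlock marks `cachedId` via `ByValInfo::visitAggregate` would make the lifetime dependency explicit.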
Modified: trunk/Source/_javascript_Core/runtime/CacheableIdentifier.h (258343 => 258344)
--- trunk/Source/_javascript_Core/runtime/CacheableIdentifier.h 2020-03-12 18:28:40 UTC (rev 258343)
+++ trunk/Source/_javascript_Core/runtime/CacheableIdentifier.h 2020-03-12 18:33:40 UTC (rev 258344)
@@ -96,7 +96,7 @@
// unpolluted, and therefore, it can be scanned by our conservative GC to keep the
// cell alive when the CacheableIdentifier is on the stack.
static constexpr uintptr_t s_uidTag = 1;
- uintptr_t m_bits;
+ uintptr_t m_bits { 0 };
};
} // namespace JSC