Title: [259223] branches/safari-610.1.7-branch/Source/JavaScriptCore
Revision: 259223
Author: [email protected]
Date: 2020-03-30 13:56:41 -0700 (Mon, 30 Mar 2020)

Log Message

Cherry-pick r258344. rdar://problem/60289819

    [JSC] Use CacheableIdentifier in ByValInfo
    https://bugs.webkit.org/show_bug.cgi?id=208978

    Reviewed by Saam Barati.

    CodeBlock::finalizeUnconditionally discards JITData. And this includes ByValInfo, which holds Identifier.
    However, finalizeUnconditionally is only guaranteeing that the main thread is not working. It can be invoked
    in the heap thread, and it is not setting the AtomStringTable for this heap thread. If Identifier destroys
    AtomStringImpl, it fails to unregister itself from the table.

    In this patch,

        1. We explicitly set nullptr for the current AtomStringTable to catch the bug as soon as possible in GC end phase.
        2. We use CacheableIdentifier in ByValInfo to avoid destroying Identifier in CodeBlock::finalizeUnconditionally.

    * CMakeLists.txt:
    * JavaScriptCore.xcodeproj/project.pbxproj:
    * Sources.txt:
    * bytecode/ByValInfo.cpp: Added.
    (JSC::ByValInfo::visitAggregate):
    * bytecode/ByValInfo.h:
    * bytecode/CodeBlock.cpp:
    (JSC::CodeBlock::stronglyVisitStrongReferences):
    * bytecode/CodeBlock.h:
    * dfg/DFGByteCodeParser.cpp:
    (JSC::DFG::ByteCodeParser::handlePutByVal):
    * heap/Heap.cpp:
    (JSC::Heap::runEndPhase):
    * jit/JIT.h:
    * jit/JITOperations.cpp:
    * jit/JITPropertyAccess.cpp:
    (JSC::JIT::emitByValIdentifierCheck):
    * runtime/CacheableIdentifier.h:

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258344 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Diff

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/CMakeLists.txt (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/CMakeLists.txt	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/CMakeLists.txt	2020-03-30 20:56:41 UTC (rev 259223)
@@ -488,7 +488,6 @@
 
     bytecode/ArrayAllocationProfile.h
     bytecode/ArrayProfile.h
-    bytecode/ByValInfo.h
     bytecode/BytecodeConventions.h
     bytecode/BytecodeIndex.h
     bytecode/BytecodeIntrinsicRegistry.h
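Review bot: dropping bytecode/ByValInfo.h from this header list means it is no longer exported alongside the other bytecode headers, which matches the Private attribute being removed from the same file in project.pbxproj; anything outside JavaScriptCore that reached ByValInfo.h through CodeBlock.h will have to stop doing so, because CodeBlock.h now only forward-declares the type. Fine if ByValInfo is JSC-internal, as its ENABLE(JIT) guard suggests.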

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/ChangeLog (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/ChangeLog	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/ChangeLog	2020-03-30 20:56:41 UTC (rev 259223)
@@ -1,4 +1,4 @@
-2020-03-08  Brady Eidson  <[email protected]>
+b'2020-03-30  Alan Coon  <[email protected]>\n\n        Cherry-pick r258344. rdar://problem/60289819\n\n    [JSC] Use CacheableIdentifier in ByValInfo\n    https://bugs.webkit.org/show_bug.cgi?id=208978\n    \n    Reviewed by Saam Barati.\n    \n    CodeBlock::finalizeUnconditionally discards JITData. And this includes ByValInfo, which holds Identifier.\n    However, finalizeUnconditionally is only guaranteeing that the main thread is not working. It can be invoked\n    in the heap thread, and it is not not setting the AtomStringTable for this heap thread. If Identifier destroys\n    AtomStringImpl, which fails to unregister itself from the table.\n    \n    In this patch,\n    \n        1. We explicitly set nullptr for the current AtomStringTable to catch the bug as soon as possible in GC end phase.\n        2. We use CacheableIdentifier in ByValInfo to avoid destroying Identifier in CodeBlock::finalizeUnconditionally.\n    \n    * CMakeLists.txt:\n    * _javascript_Core.xcodeproj/project.pbxproj:\n    * Sources.txt:\n    * bytecode/ByValInfo.cpp: Added.\n    (JSC::ByValInfo::visitAggregate):\n    * bytecode/ByValInfo.h:\n    * bytecode/CodeBlock.cpp:\n    (JSC::CodeBlock::stronglyVisitStrongReferences):\n    * bytecode/CodeBlock.h:\n    * dfg/DFGByteCodeParser.cpp:\n    (JSC::DFG::ByteCodeParser::handlePutByVal):\n    * heap/Heap.cpp:\n    (JSC::Heap::runEndPhase):\n    * jit/JIT.h:\n    * jit/JITOperations.cpp:\n    * jit/JITPropertyAccess.cpp:\n    (JSC::JIT::emitByValIdentifierCheck):\n    * runtime/CacheableIdentifier.h:\n    \n    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@258344 268f45cc-cd09-0410-ab3c-d52691b4dbfc\n\n    2020-03-12  Yusuke Suzuki  <[email protected]>\n\n            [JSC] Use CacheableIdentifier in ByValInfo\n            https://bugs.webkit.org/show_bug.cgi?id=208978\n\n            Reviewed by Saam Barati.\n\n            CodeBlock::finalizeUnconditionally discards JITData. And this includes ByValIn
 fo, which holds Identifier.\n            However, finalizeUnconditionally is only guaranteeing that the main thread is not working. It can be invoked\n            in the heap thread, and it is not not setting the AtomStringTable for this heap thread. If Identifier destroys\n            AtomStringImpl, which fails to unregister itself from the table.\n\n            In this patch,\n\n                1. We explicitly set nullptr for the current AtomStringTable to catch the bug as soon as possible in GC end phase.\n                2. We use CacheableIdentifier in ByValInfo to avoid destroying Identifier in CodeBlock::finalizeUnconditionally.\n\n            * CMakeLists.txt:\n            * _javascript_Core.xcodeproj/project.pbxproj:\n            * Sources.txt:\n            * bytecode/ByValInfo.cpp: Added.\n            (JSC::ByValInfo::visitAggregate):\n            * bytecode/ByValInfo.h:\n            * bytecode/CodeBlock.cpp:\n            (JSC::CodeBlock::stronglyVisitStrongReferences):\n 
            * bytecode/CodeBlock.h:\n            * dfg/DFGByteCodeParser.cpp:\n            (JSC::DFG::ByteCodeParser::handlePutByVal):\n            * heap/Heap.cpp:\n            (JSC::Heap::runEndPhase):\n            * jit/JIT.h:\n            * jit/JITOperations.cpp:\n            * jit/JITPropertyAccess.cpp:\n            (JSC::JIT::emitByValIdentifierCheck):\n            * runtime/CacheableIdentifier.h:\n\n'2020-03-08  Brady Eidson  <[email protected]>
 
         Remember completed subranges during incremental PDF loading.
         https://bugs.webkit.org/show_bug.cgi?id=208785
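Review bot: the cherry-picked entry repeats the "it is not not setting" typo and the sentence fragment "If Identifier destroys AtomStringImpl, which fails to unregister itself from the table." from the original log; since this is new text on the branch, fix both here ("it is not setting", "it fails to unregister itself from the table").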

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/_javascript_Core.xcodeproj/project.pbxproj	2020-03-30 20:56:41 UTC (rev 259223)
@@ -456,7 +456,7 @@
 		0F7DF13C1E2971130095951B /* JSDestructibleObjectHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF13A1E29710E0095951B /* JSDestructibleObjectHeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		0F7DF1461E2BEF6A0095951B /* BlockDirectoryInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7DF1451E2BEF680095951B /* BlockDirectoryInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		0F7F988C1D9596C800F4F12E /* DFGStoreBarrierClusteringPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F7F988A1D9596C300F4F12E /* DFGStoreBarrierClusteringPhase.h */; };
-		0F8023EA1613832B00A0BA45 /* ByValInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8023E91613832300A0BA45 /* ByValInfo.h */; settings = {ATTRIBUTES = (Private, ); }; };
+		0F8023EA1613832B00A0BA45 /* ByValInfo.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8023E91613832300A0BA45 /* ByValInfo.h */; };
 		0F8335B81639C1EA001443B5 /* ArrayAllocationProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8335B51639C1E3001443B5 /* ArrayAllocationProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
 		0F8364B7164B0C110053329A /* DFGBranchDirection.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F8364B5164B0C0E0053329A /* DFGBranchDirection.h */; };
 		0F86A26F1D6F7B3300CB0C92 /* GCTypeMap.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F86A26E1D6F7B3100CB0C92 /* GCTypeMap.h */; };
@@ -4951,6 +4951,7 @@
 		E355D38E2244686C008F1AD6 /* GlobalExecutable.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = GlobalExecutable.cpp; sourceTree = "<group>"; };
 		E356987122841183008CDCCB /* PackedCellPtr.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = PackedCellPtr.h; sourceTree = "<group>"; };
 		E35A0B9C220AD87A00AC4474 /* ExecutableBaseInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ExecutableBaseInlines.h; sourceTree = "<group>"; };
+		E35BA2C0241A0E8C00B67086 /* ByValInfo.cpp */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.cpp.cpp; path = ByValInfo.cpp; sourceTree = "<group>"; };
 		E35CA14F1DBC3A5600F83516 /* DOMJITAbstractHeap.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITAbstractHeap.cpp; sourceTree = "<group>"; };
 		E35CA1501DBC3A5600F83516 /* DOMJITAbstractHeap.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DOMJITAbstractHeap.h; sourceTree = "<group>"; };
 		E35CA1511DBC3A5600F83516 /* DOMJITHeapRange.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = DOMJITHeapRange.cpp; sourceTree = "<group>"; };
@@ -8208,6 +8209,7 @@
 				E3D264291D38C042000BE174 /* BytecodeRewriter.cpp */,
 				E3D2642A1D38C042000BE174 /* BytecodeRewriter.h */,
 				0F885E101849A3BE00F1E3FA /* BytecodeUseDef.h */,
+				E35BA2C0241A0E8C00B67086 /* ByValInfo.cpp */,
 				0F8023E91613832300A0BA45 /* ByValInfo.h */,
 				0F64B2771A7957B2006E4E66 /* CallEdge.cpp */,
 				0F64B2781A7957B2006E4E66 /* CallEdge.h */,
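Review bot: ByValInfo.cpp gets a PBXFileReference (previous hunk) and a place in the bytecode group here, but no PBXBuildFile or Sources-phase entry; that is correct because the file is compiled through the unified-sources list in Sources.txt, and adding it to a Sources phase as well would build it twice. Nothing to change.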

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/Sources.txt (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/Sources.txt	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/Sources.txt	2020-03-30 20:56:41 UTC (rev 259223)
@@ -195,6 +195,7 @@
 bytecode/ArithProfile.cpp
 bytecode/ArrayAllocationProfile.cpp
 bytecode/ArrayProfile.cpp
+bytecode/ByValInfo.cpp
 bytecode/BytecodeBasicBlock.cpp
 bytecode/BytecodeDumper.cpp
 bytecode/BytecodeGeneratorification.cpp

Added: branches/safari-610.1.7-branch/Source/JavaScriptCore/bytecode/ByValInfo.cpp (0 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/bytecode/ByValInfo.cpp	                        (rev 0)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/bytecode/ByValInfo.cpp	2020-03-30 20:56:41 UTC (rev 259223)
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2020 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "ByValInfo.h"
+
+#include "CacheableIdentifierInlines.h"
+#include "JSCInlines.h"
+
+namespace JSC {
+
+#if ENABLE(JIT)
+
+void ByValInfo::visitAggregate(SlotVisitor& visitor)
+{
+    cachedId.visitAggregate(visitor);
+}
+
+#endif // ENABLE(JIT)
+
+} // namespace JSC
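Review bot: visitAggregate reads cachedId without taking codeBlock->m_lock, while the stores in JITOperations.cpp happen under a ConcurrentJSLocker. That is only safe because CacheableIdentifier is a single uintptr_t (m_bits) and, per the new comment in ByValInfo.h, never changes once set; a comment here stating both assumptions would stop a future multi-word CacheableIdentifier from turning this into a torn read during concurrent marking.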

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/bytecode/ByValInfo.h (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/bytecode/ByValInfo.h	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/bytecode/ByValInfo.h	2020-03-30 20:56:41 UTC (rev 259223)
@@ -25,6 +25,7 @@
 
 #pragma once
 
+#include "CacheableIdentifier.h"
 #include "ClassInfo.h"
 #include "CodeLocation.h"
 #include "IndexingType.h"
@@ -37,6 +38,7 @@
 
 #if ENABLE(JIT)
 
+class ArrayProfile;
 class StructureStubInfo;
 
 enum JITArrayMode : uint8_t {
@@ -242,6 +244,8 @@
     {
     }
 
+    void visitAggregate(SlotVisitor&);
+
     CodeLocationJump<JSInternalPtrTag> notIndexJump;
     CodeLocationJump<JSInternalPtrTag> badTypeJump;
     CodeLocationLabel<ExceptionHandlerPtrTag> exceptionHandler;
@@ -252,8 +256,7 @@
     BytecodeIndex bytecodeIndex;
     unsigned slowPathCount;
     RefPtr<JITStubRoutine> stubRoutine;
-    Identifier cachedId;
-    WriteBarrier<Symbol> cachedSymbol;
+    CacheableIdentifier cachedId; // Once we set cachedId, we must not change the value. JIT code relies on that configured cachedId is marked and retained by CodeBlock through ByValInfo.
     StructureStubInfo* stubInfo;
     JITArrayMode arrayMode; // The array mode that was baked into the inline JIT code.
     bool tookSlowPath : 1;
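Review bot: swapping Identifier for CacheableIdentifier drops the owning reference that kept the string's AtomStringImpl alive; a cell-backed cachedId is now retained through visitAggregate, but a uid-only one is retained by nothing in this struct. Both call sites in JITOperations.cpp use createFromCell, so this holds today; add an ASSERT or a line to the comment saying that uid-only identifiers must be owned by the CodeBlock. Minor: "relies on that configured cachedId is marked" reads better as "relies on the configured cachedId being marked and retained".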

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/bytecode/CodeBlock.cpp (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/bytecode/CodeBlock.cpp	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/bytecode/CodeBlock.cpp	2020-03-30 20:56:41 UTC (rev 259223)
@@ -32,6 +32,7 @@
 
 #include "ArithProfile.h"
 #include "BasicBlockLocation.h"
+#include "ByValInfo.h"
 #include "BytecodeDumper.h"
 #include "BytecodeGenerator.h"
 #include "BytecodeLivenessAnalysis.h"
@@ -1688,7 +1689,7 @@
 #if ENABLE(JIT)
     if (auto* jitData = m_jitData.get()) {
         for (ByValInfo* byValInfo : jitData->m_byValInfos)
-            visitor.append(byValInfo->cachedSymbol);
+            byValInfo->visitAggregate(visitor);
         for (StructureStubInfo* stubInfo : jitData->m_stubInfos)
             stubInfo->visitAggregate(visitor);
     }
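Review bot: calling visitAggregate from stronglyVisitStrongReferences keeps the cached string or symbol cell alive for the CodeBlock's whole lifetime, which is exactly what emitByValIdentifierCheck needs now that it bakes cachedId.cell() and cachedId.uid() into the JIT code as TrustedImmPtr; previously only the symbol cell was appended here and strings relied on the Identifier's own reference. No change needed.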

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/bytecode/CodeBlock.h (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/bytecode/CodeBlock.h	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/bytecode/CodeBlock.h	2020-03-30 20:56:41 UTC (rev 259223)
@@ -30,7 +30,6 @@
 #pragma once
 
 #include "ArrayProfile.h"
-#include "ByValInfo.h"
 #include "BytecodeConventions.h"
 #include "CallLinkInfo.h"
 #include "CodeBlockHash.h"
@@ -95,6 +94,7 @@
 class PCToCodeOriginMap;
 class RegisterAtOffsetList;
 class StructureStubInfo;
+struct ByValInfo;
 
 DECLARE_ALLOCATOR_WITH_HEAP_IDENTIFIER(CodeBlockRareData);
 
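Review bot: with ByValInfo only forward-declared here, any translation unit that dereferences a ByValInfo* obtained from a CodeBlock now needs its own include; the patch adds one to CodeBlock.cpp, DFGByteCodeParser.cpp and JIT.h, so verify a full build on every port for other users that relied on the transitive include. Also keep `struct ByValInfo;` in sync with the keyword used in its definition in ByValInfo.h (not shown in this diff); a class/struct mismatch is a warning on MSVC (C4099).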

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2020-03-30 20:56:41 UTC (rev 259223)
@@ -32,6 +32,7 @@
 #include "ArrayConstructor.h"
 #include "BasicBlockLocation.h"
 #include "BuiltinNames.h"
+#include "ByValInfo.h"
 #include "BytecodeGenerator.h"
 #include "BytecodeUseDef.h"
 #include "CacheableIdentifierInlines.h"
@@ -7576,13 +7577,15 @@
                 && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadType)
                 && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadCell)) {
                 compiledAsPutById = true;
-                identifierNumber = m_graph.identifiers().ensure(byValInfo->cachedId.impl());
+                identifierNumber = m_graph.identifiers().ensure(byValInfo->cachedId.uid());
                 UniquedStringImpl* uid = m_graph.identifiers()[identifierNumber];
+                FrozenValue* frozen = nullptr;
+                if (byValInfo->cachedId.isCell())
+                    frozen = m_graph.freezeStrong(byValInfo->cachedId.cell());
 
-                if (Symbol* symbol = byValInfo->cachedSymbol.get()) {
-                    FrozenValue* frozen = m_graph.freezeStrong(symbol);
+                if (byValInfo->cachedId.isSymbolCell())
                     addToGraph(CheckCell, OpInfo(frozen), property);
-                } else {
+                else {
                     ASSERT(!uid->isSymbol());
                     addToGraph(CheckIdent, OpInfo(uid), property);
                 }
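Review bot: `frozen` is created for any cell-backed cachedId but only consumed in the isSymbolCell() branch, so for a cached string cell this leaves an unreferenced strongly frozen JSString in the graph. If the intent is to keep the string cell (and with it the uid) alive for the duration of the compile, say so in a comment; otherwise move the freeze into the symbol branch, e.g. `if (byValInfo->cachedId.isSymbolCell()) { FrozenValue* frozen = m_graph.freezeStrong(byValInfo->cachedId.cell()); addToGraph(CheckCell, OpInfo(frozen), property); }`.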

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/heap/Heap.cpp (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/heap/Heap.cpp	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/heap/Heap.cpp	2020-03-30 20:56:41 UTC (rev 259223)
@@ -86,6 +86,7 @@
 #include <wtf/ParallelVectorIterator.h>
 #include <wtf/ProcessID.h>
 #include <wtf/RAMSize.h>
+#include <wtf/Scope.h>
 #include <wtf/SimpleStats.h>
 #include <wtf/Threading.h>
 
@@ -1494,23 +1495,31 @@
         
     updateObjectCounts();
     endMarking();
-        
+
     if (UNLIKELY(m_verifier)) {
         m_verifier->gatherLiveCells(HeapVerifier::Phase::AfterMarking);
         m_verifier->verify(HeapVerifier::Phase::AfterMarking);
     }
         
-    if (vm().typeProfiler())
-        vm().typeProfiler()->invalidateTypeSetCache(vm());
+    {
+        auto* previous = Thread::current().setCurrentAtomStringTable(nullptr);
+        auto scopeExit = makeScopeExit([&] {
+            Thread::current().setCurrentAtomStringTable(previous);
+        });
 
-    m_structureIDTable.flushOldTables();
+        if (vm().typeProfiler())
+            vm().typeProfiler()->invalidateTypeSetCache(vm());
 
-    reapWeakHandles();
-    pruneStaleEntriesFromWeakGCMaps();
-    sweepArrayBuffers();
-    snapshotUnswept();
-    finalizeUnconditionalFinalizers(); // We rely on these unconditional finalizers running before clearCurrentlyExecuting since CodeBlock's finalizer relies on querying currently executing.
-    removeDeadCompilerWorklistEntries();
+        m_structureIDTable.flushOldTables();
+
+        reapWeakHandles();
+        pruneStaleEntriesFromWeakGCMaps();
+        sweepArrayBuffers();
+        snapshotUnswept();
+        finalizeUnconditionalFinalizers(); // We rely on these unconditional finalizers running before clearCurrentlyExecuting since CodeBlock's finalizer relies on querying currently executing.
+        removeDeadCompilerWorklistEntries();
+    }
+
     notifyIncrementalSweeper();
     
     m_codeBlocks->iterateCurrentlyExecuting(
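Review bot: clearing the thread's AtomStringTable for the whole end phase turns any AtomStringImpl destruction inside these finalizers into a deterministic null dereference instead of a silent table corruption, which is the stated goal; but the end phase also runs on the mutator thread for synchronous collections, so audit finalizeUnconditionalFinalizers, reapWeakHandles and removeDeadCompilerWorklistEntries for code that legitimately creates or releases atom strings, and put a comment above the block explaining why the table is nulled so nobody "fixes" it later. The makeScopeExit restoring `previous` covers early exits; fine.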

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/jit/JIT.h (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/jit/JIT.h	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/jit/JIT.h	2020-03-30 20:56:41 UTC (rev 259223)
@@ -37,6 +37,7 @@
 
 #define ASSERT_JIT_OFFSET(actual, expected) ASSERT_WITH_MESSAGE(actual == expected, "JIT Offset \"%s\" should be %d, not %d.\n", #expected, static_cast<int>(expected), static_cast<int>(actual));
 
+#include "ByValInfo.h"
 #include "CodeBlock.h"
 #include "CommonSlowPaths.h"
 #include "JITDisassembler.h"

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/jit/JITOperations.cpp (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/jit/JITOperations.cpp	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/jit/JITOperations.cpp	2020-03-30 20:56:41 UTC (rev 259223)
@@ -678,11 +678,6 @@
         repatchPutByID(globalObject, codeBlock, baseObject, structure, ident, slot, *stubInfo, Direct);
 }
 
-ALWAYS_INLINE static bool isStringOrSymbol(JSValue value)
-{
-    return value.isString() || value.isSymbol();
-}
-
 static void putByVal(JSGlobalObject* globalObject, CodeBlock* codeBlock, JSValue baseValue, JSValue subscript, JSValue value, ByValInfo* byValInfo)
 {
     VM& vm = globalObject->vm();
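Review bot: removing isStringOrSymbol is fine, but its replacement CacheableIdentifier::isCacheableIdentifierCell need not be equivalent to isString() || isSymbol(): if it also requires the string's impl to be atomic, as the name suggests, a non-atomic string subscript now sets tookSlowPath and is never cached, where before it was atomized by toPropertyKey and cached. If that narrowing is intended, a sentence in the ChangeLog would help; if not, keep the broader predicate at the caching sites.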
@@ -716,7 +711,7 @@
     // Don't put to an object if toString threw an exception.
     RETURN_IF_EXCEPTION(scope, void());
 
-    if (byValInfo->stubInfo && (!isStringOrSymbol(subscript) || byValInfo->cachedId != property))
+    if (byValInfo->stubInfo && (!CacheableIdentifier::isCacheableIdentifierCell(subscript) || byValInfo->cachedId.uid() != property))
         byValInfo->tookSlowPath = true;
 
     scope.release();
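Review bot: `byValInfo->cachedId.uid() != property` compares a UniquedStringImpl* with an Identifier and leans on an implicit conversion to make the comparison compile; `byValInfo->cachedId.uid() != property.impl()` states the pointer comparison explicitly and constructs nothing. The same applies to the next hunk.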
@@ -776,7 +771,7 @@
         return;
     }
 
-    if (byValInfo->stubInfo && (!isStringOrSymbol(subscript) || byValInfo->cachedId != property))
+    if (byValInfo->stubInfo && (!CacheableIdentifier::isCacheableIdentifierCell(subscript) || byValInfo->cachedId.uid() != property))
         byValInfo->tookSlowPath = true;
 
     scope.release();
@@ -827,7 +822,7 @@
             optimizationResult = OptimizationResult::GiveUp;
     }
 
-    if (baseValue.isObject() && isStringOrSymbol(subscript)) {
+    if (baseValue.isObject() && CacheableIdentifier::isCacheableIdentifierCell(subscript)) {
         const Identifier propertyName = subscript.toPropertyKey(globalObject);
         RETURN_IF_EXCEPTION(scope, OptimizationResult::GiveUp);
         if (subscript.isSymbol() || !parseIndex(propertyName)) {
@@ -834,7 +829,7 @@
             ASSERT(callFrame->bytecodeIndex() != BytecodeIndex(0));
             ASSERT(!byValInfo->stubRoutine);
             if (byValInfo->seen) {
-                if (byValInfo->cachedId == propertyName) {
+                if (byValInfo->cachedId.uid() == propertyName) {
                     JIT::compilePutByValWithCachedId<OpPutByVal>(vm, codeBlock, byValInfo, returnAddress, NotDirect, propertyName);
                     optimizationResult = OptimizationResult::Optimized;
                 } else {
@@ -842,12 +837,13 @@
                     optimizationResult = OptimizationResult::GiveUp;
                 }
             } else {
-                ConcurrentJSLocker locker(codeBlock->m_lock);
-                byValInfo->seen = true;
-                byValInfo->cachedId = propertyName;
-                if (subscript.isSymbol())
-                    byValInfo->cachedSymbol.set(vm, codeBlock, asSymbol(subscript));
-                optimizationResult = OptimizationResult::SeenOnce;
+                {
+                    ConcurrentJSLocker locker(codeBlock->m_lock);
+                    byValInfo->seen = true;
+                    byValInfo->cachedId = CacheableIdentifier::createFromCell(subscript.asCell());
+                    optimizationResult = OptimizationResult::SeenOnce;
+                }
+                vm.heap.writeBarrier(codeBlock, subscript.asCell());
             }
         }
     }
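Review bot: issuing vm.heap.writeBarrier(codeBlock, subscript.asCell()) after the locked block is the right order (store first, then barrier), and it is now needed for strings as well as symbols because cachedId can hold a JSString cell that stronglyVisitStrongReferences must see; subscript.asCell() is only safe here because of the isCacheableIdentifierCell guard at the top of this branch, so keep the two together if this code is ever restructured.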
@@ -916,7 +912,7 @@
         // If we failed to patch and we have some object that intercepts indexed get, then don't even wait until 10 times.
         if (optimizationResult != OptimizationResult::Optimized && object->structure(vm)->typeInfo().interceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero())
             optimizationResult = OptimizationResult::GiveUp;
-    } else if (isStringOrSymbol(subscript)) {
+    } else if (CacheableIdentifier::isCacheableIdentifierCell(subscript)) {
         const Identifier propertyName = subscript.toPropertyKey(globalObject);
         RETURN_IF_EXCEPTION(scope, OptimizationResult::GiveUp);
         if (subscript.isSymbol() || !parseIndex(propertyName)) {
@@ -923,7 +919,7 @@
             ASSERT(callFrame->bytecodeIndex() != BytecodeIndex(0));
             ASSERT(!byValInfo->stubRoutine);
             if (byValInfo->seen) {
-                if (byValInfo->cachedId == propertyName) {
+                if (byValInfo->cachedId.uid() == propertyName) {
                     JIT::compilePutByValWithCachedId<OpPutByValDirect>(vm, codeBlock, byValInfo, returnAddress, Direct, propertyName);
                     optimizationResult = OptimizationResult::Optimized;
                 } else {
@@ -931,12 +927,13 @@
                     optimizationResult = OptimizationResult::GiveUp;
                 }
             } else {
-                ConcurrentJSLocker locker(codeBlock->m_lock);
-                byValInfo->seen = true;
-                byValInfo->cachedId = propertyName;
-                if (subscript.isSymbol())
-                    byValInfo->cachedSymbol.set(vm, codeBlock, asSymbol(subscript));
-                optimizationResult = OptimizationResult::SeenOnce;
+                {
+                    ConcurrentJSLocker locker(codeBlock->m_lock);
+                    byValInfo->seen = true;
+                    byValInfo->cachedId = CacheableIdentifier::createFromCell(subscript.asCell());
+                    optimizationResult = OptimizationResult::SeenOnce;
+                }
+                vm.heap.writeBarrier(codeBlock, subscript.asCell());
             }
         }
     }
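Review bot: this block is a character-for-character copy of the OpPutByVal one above; factor the lock, the seen/cachedId stores and the write barrier into one helper (for instance a hypothetical `ByValInfo::setCachedId(VM&, CodeBlock*, JSCell*)`) so that a future caller cannot set cachedId without the barrier.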

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/jit/JITPropertyAccess.cpp (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2020-03-30 20:56:41 UTC (rev 259223)
@@ -1285,14 +1285,14 @@
     ownerIsRememberedOrInEden.link(this);
 }
 
-void JIT::emitByValIdentifierCheck(ByValInfo* byValInfo, RegisterID cell, RegisterID scratch, const Identifier& propertyName, JumpList& slowCases)
+void JIT::emitByValIdentifierCheck(ByValInfo* byValInfo, RegisterID cell, RegisterID scratch, const Identifier&, JumpList& slowCases)
 {
-    if (propertyName.isSymbol())
-        slowCases.append(branchPtr(NotEqual, cell, TrustedImmPtr(byValInfo->cachedSymbol.get())));
+    if (byValInfo->cachedId.isSymbolCell())
+        slowCases.append(branchPtr(NotEqual, cell, TrustedImmPtr(byValInfo->cachedId.cell())));
     else {
         slowCases.append(branchIfNotString(cell));
         loadPtr(Address(cell, JSString::offsetOfValue()), scratch);
-        slowCases.append(branchPtr(NotEqual, scratch, TrustedImmPtr(propertyName.impl())));
+        slowCases.append(branchPtr(NotEqual, scratch, TrustedImmPtr(byValInfo->cachedId.uid())));
     }
 }
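Review bot: propertyName is now unused in emitByValIdentifierCheck (the parameter is left unnamed); remove it from the signature and from callers such as compilePutByValWithCachedId rather than carrying a dead argument. Note also that both TrustedImmPtr values (cachedId.cell() and cachedId.uid()) are baked into machine code here, so this is the code the "must not change once set" comment in ByValInfo.h exists to protect.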
 

Modified: branches/safari-610.1.7-branch/Source/JavaScriptCore/runtime/CacheableIdentifier.h (259222 => 259223)


--- branches/safari-610.1.7-branch/Source/_javascript_Core/runtime/CacheableIdentifier.h	2020-03-30 20:56:36 UTC (rev 259222)
+++ branches/safari-610.1.7-branch/Source/_javascript_Core/runtime/CacheableIdentifier.h	2020-03-30 20:56:41 UTC (rev 259223)
@@ -96,7 +96,7 @@
     // unpolluted, and therefore, it can be scanned by our conservative GC to keep the
     // cell alive when the CacheableIdentifier is on the stack.
     static constexpr uintptr_t s_uidTag = 1;
-    uintptr_t m_bits;
+    uintptr_t m_bits { 0 };
 };
 
 } // namespace JSC
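Review bot: defaulting m_bits to 0 is what lets ByValInfo's constructor leave cachedId untouched and still get an empty identifier; since s_uidTag is 1, the all-zero pattern has the cell tag, so confirm that isCell() and uid() treat it as "no identifier" rather than as a null cell, and say so in a comment or static_assert next to this initializer.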
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes