Log Message
Cherry-pick r271034. rdar://problem/72894016
DFG should make sure replacement watchpoint is fired before folding to PutByOffset
https://bugs.webkit.org/show_bug.cgi?id=220031
<rdar://72045350>
Reviewed by Saam Barati.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::presenceConditionIfConsistent):
(JSC::DFG::ByteCodeParser::checkPresence):
(JSC::DFG::ByteCodeParser::checkPresenceForReplace):
(JSC::DFG::ByteCodeParser::load):
(JSC::DFG::ByteCodeParser::store):
(JSC::DFG::ByteCodeParser::presenceLike): Deleted.
(JSC::DFG::ByteCodeParser::checkPresenceLike): Deleted.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
* runtime/Structure.cpp:
(JSC::Structure::dump const):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-610-branch/Source/_javascript_Core/ChangeLog (271245 => 271246)
--- branches/safari-610-branch/Source/_javascript_Core/ChangeLog 2021-01-07 19:49:38 UTC (rev 271245)
+++ branches/safari-610-branch/Source/_javascript_Core/ChangeLog 2021-01-07 19:50:27 UTC (rev 271246)
@@ -1,3 +1,49 @@
+2021-01-07 Alan Coon <[email protected]>
+
+ Cherry-pick r271034. rdar://problem/72894016
+
+ DFG should make sure replacement watchpoint is fired before folding to PutByOffset
+ https://bugs.webkit.org/show_bug.cgi?id=220031
+ <rdar://72045350>
+
+ Reviewed by Saam Barati.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::presenceConditionIfConsistent):
+ (JSC::DFG::ByteCodeParser::checkPresence):
+ (JSC::DFG::ByteCodeParser::checkPresenceForReplace):
+ (JSC::DFG::ByteCodeParser::load):
+ (JSC::DFG::ByteCodeParser::store):
+ (JSC::DFG::ByteCodeParser::presenceLike): Deleted.
+ (JSC::DFG::ByteCodeParser::checkPresenceLike): Deleted.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
+ * runtime/Structure.cpp:
+ (JSC::Structure::dump const):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@271034 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-12-21 Keith Miller <[email protected]>
+
+ DFG should make sure replacement watchpoint is fired before folding to PutByOffset
+ https://bugs.webkit.org/show_bug.cgi?id=220031
+ <rdar://72045350>
+
+ Reviewed by Saam Barati.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::presenceConditionIfConsistent):
+ (JSC::DFG::ByteCodeParser::checkPresence):
+ (JSC::DFG::ByteCodeParser::checkPresenceForReplace):
+ (JSC::DFG::ByteCodeParser::load):
+ (JSC::DFG::ByteCodeParser::store):
+ (JSC::DFG::ByteCodeParser::presenceLike): Deleted.
+ (JSC::DFG::ByteCodeParser::checkPresenceLike): Deleted.
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
+ * runtime/Structure.cpp:
+ (JSC::Structure::dump const):
+
2020-12-16 Mark Lam <[email protected]>
Cherry-pick r270981. rdar://problem/72552976
Modified: branches/safari-610-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (271245 => 271246)
--- branches/safari-610-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2021-01-07 19:49:38 UTC (rev 271245)
+++ branches/safari-610-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2021-01-07 19:50:27 UTC (rev 271246)
@@ -227,14 +227,14 @@
// Create a presence ObjectPropertyCondition based on some known offset and structure set. Does not
// check the validity of the condition, but it may return a null one if it encounters a contradiction.
- ObjectPropertyCondition presenceLike(
+ ObjectPropertyCondition presenceConditionIfConsistent(
JSObject* knownBase, UniquedStringImpl*, PropertyOffset, const StructureSet&);
// Attempt to watch the presence of a property. It will watch that the property is present in the same
// way as in all of the structures in the set. It may emit code instead of just setting a watchpoint.
// Returns true if this all works out.
- bool checkPresenceLike(JSObject* knownBase, UniquedStringImpl*, PropertyOffset, const StructureSet&);
- void checkPresenceLike(Node* base, UniquedStringImpl*, PropertyOffset, const StructureSet&);
+ bool checkPresence(JSObject* knownBase, UniquedStringImpl*, PropertyOffset, const StructureSet&);
+ void checkPresenceForReplace(Node* base, UniquedStringImpl*, PropertyOffset, const StructureSet&);
// Works with both GetByIdVariant and the setter form of PutByIdVariant.
template<typename VariantType>
@@ -4393,7 +4393,7 @@
method, op);
}
-ObjectPropertyCondition ByteCodeParser::presenceLike(
+ObjectPropertyCondition ByteCodeParser::presenceConditionIfConsistent(
JSObject* knownBase, UniquedStringImpl* uid, PropertyOffset offset, const StructureSet& set)
{
if (set.isEmpty())
@@ -4411,18 +4411,24 @@
return ObjectPropertyCondition::presenceWithoutBarrier(knownBase, uid, offset, attributes);
}
-bool ByteCodeParser::checkPresenceLike(
+bool ByteCodeParser::checkPresence(
JSObject* knownBase, UniquedStringImpl* uid, PropertyOffset offset, const StructureSet& set)
{
- return check(presenceLike(knownBase, uid, offset, set));
+ return check(presenceConditionIfConsistent(knownBase, uid, offset, set));
}
-void ByteCodeParser::checkPresenceLike(
+void ByteCodeParser::checkPresenceForReplace(
Node* base, UniquedStringImpl* uid, PropertyOffset offset, const StructureSet& set)
{
if (JSObject* knownBase = base->dynamicCastConstant<JSObject*>(*m_vm)) {
- if (checkPresenceLike(knownBase, uid, offset, set))
+ auto condition = presenceConditionIfConsistent(knownBase, uid, offset, set);
+ if (check(condition)) {
+ auto* watchpointSet = knownBase->structure(*m_vm)->propertyReplacementWatchpointSet(condition.offset());
+ // This means that we probably have a stale cache and we should gather more information.
+ if (!watchpointSet || watchpointSet->isStillValid())
+ addToGraph(ForceOSRExit);
return;
+ }
}
addToGraph(CheckStructure, OpInfo(m_graph.addStructureSet(set)), base);
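Review bot: The comment inside the new `if (check(condition))` block opens with "This means" without saying which state it refers to, so the invariant this fix enforces is not visible at the check itself. I would spell it out, e.g. `// A Replace may only be emitted as a bare PutByOffset once the replacement watchpoint for this offset has fired; if the set is missing or still valid, our cache is probably stale, so exit and gather more information.` The set is also looked up on `knownBase->structure(*m_vm)`, read after `check(condition)`, rather than on a structure taken from `set`. Presumably the watched condition guarantees the two agree, but an assertion or a short comment saying so would let a reader confirm the right watchpoint set is consulted. The body of checkPresenceForReplace continues past the end of this hunk.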
@@ -4475,7 +4481,7 @@
// property is watchably present, in which case we get rid of the structure check.
ObjectPropertyCondition presenceCondition =
- presenceLike(knownBase, uid, variant.offset(), variant.structureSet());
+ presenceConditionIfConsistent(knownBase, uid, variant.offset(), variant.structureSet());
if (presenceCondition) {
ObjectPropertyCondition equivalenceCondition =
presenceCondition.attemptToMakeEquivalenceWithoutBarrier(*m_vm);
@@ -4532,7 +4538,7 @@
{
RELEASE_ASSERT(variant.kind() == PutByIdVariant::Replace);
- checkPresenceLike(base, m_graph.identifiers()[identifier], variant.offset(), variant.structure());
+ checkPresenceForReplace(base, m_graph.identifiers()[identifier], variant.offset(), variant.structure());
return handlePutByOffset(base, identifier, variant.offset(), value);
}
Modified: branches/safari-610-branch/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (271245 => 271246)
--- branches/safari-610-branch/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2021-01-07 19:49:38 UTC (rev 271245)
+++ branches/safari-610-branch/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2021-01-07 19:50:27 UTC (rev 271246)
@@ -704,6 +704,12 @@
break;
}
+ if (variant.kind() == PutByIdVariant::Replace) {
+ auto* watchpoints = structure->propertyReplacementWatchpointSet(condition.offset());
+ if (!watchpoints || watchpoints->isStillValid())
+ return;
+ }
+
m_insertionSet.insertNode(
indexInBlock, SpecNone, CheckStructure, node->origin,
OpInfo(m_graph.addStructureSet(structure)),
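Review bot: The new early `return` for `PutByIdVariant::Replace` carries no comment, and its test `!watchpoints || watchpoints->isStillValid()` repeats the one added to checkPresenceForReplace in DFGByteCodeParser.cpp, so the two sites can drift apart. A comment such as `// Do not fold a Replace until the replacement watchpoint for this offset has fired.` would record why folding is skipped here. It may also be worth moving the predicate into one helper (for example on Structure) that both callers use. The enclosing function starts and ends outside this hunk, so where `condition` and `structure` come from cannot be checked from here.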
Modified: branches/safari-610-branch/Source/_javascript_Core/runtime/Structure.cpp (271245 => 271246)
--- branches/safari-610-branch/Source/_javascript_Core/runtime/Structure.cpp 2021-01-07 19:49:38 UTC (rev 271245)
+++ branches/safari-610-branch/Source/_javascript_Core/runtime/Structure.cpp 2021-01-07 19:50:27 UTC (rev 271246)
@@ -1358,6 +1358,9 @@
else if (transitionWatchpointIsLikelyToBeFired())
out.print(", Shady leaf");
+ if (transitionWatchpointSet().isBeingWatched())
+ out.print(" (Watched)");
+
out.print("]");
}
