Diff
Modified: branches/safari-612.1.24.11-branch/JSTests/ChangeLog (280185 => 280186)
--- branches/safari-612.1.24.11-branch/JSTests/ChangeLog 2021-07-22 18:10:39 UTC (rev 280185)
+++ branches/safari-612.1.24.11-branch/JSTests/ChangeLog 2021-07-22 18:10:43 UTC (rev 280186)
@@ -1,3 +1,48 @@
+2021-07-20 Ruben Turcios <[email protected]>
+
+ Cherry-pick r280050. rdar://problem/80851606
+
+ [JSC] InByStatus / InByVariant should visit CacheableIdentifier
+ https://bugs.webkit.org/show_bug.cgi?id=228088
+ rdar://80794604
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/in-by-variant-should-mark-cacheable-identifier.js: Added.
+ (foo):
+ (let.handler.has):
+
+ Source/_javascript_Core:
+
+ After r278445, InByVariant holds CacheableIdentifier. And this can have
+ String/Symbol cells if this variant is generated by in_by_val. In that
+ case, we must visit this cell as GetByStatus / GetByVariant are doing.
+
+ * bytecode/InByStatus.cpp:
+ (JSC::InByStatus::visitAggregateImpl):
+ * bytecode/InByStatus.h:
+ * bytecode/InByVariant.cpp:
+ (JSC::InByVariant::visitAggregateImpl):
+ * bytecode/InByVariant.h:
+ * bytecode/RecordedStatuses.cpp:
+ (JSC::RecordedStatuses::visitAggregateImpl):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280050 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-07-19 Yusuke Suzuki <[email protected]>
+
+ [JSC] InByStatus / InByVariant should visit CacheableIdentifier
+ https://bugs.webkit.org/show_bug.cgi?id=228088
+ rdar://80794604
+
+ Reviewed by Mark Lam.
+
+ * stress/in-by-variant-should-mark-cacheable-identifier.js: Added.
+ (foo):
+ (let.handler.has):
+
2021-07-14 Keith Miller <[email protected]>
Unreviewed, test gardening.
Added: branches/safari-612.1.24.11-branch/JSTests/stress/in-by-variant-should-mark-cacheable-identifier.js (0 => 280186)
--- branches/safari-612.1.24.11-branch/JSTests/stress/in-by-variant-should-mark-cacheable-identifier.js (rev 0)
+++ branches/safari-612.1.24.11-branch/JSTests/stress/in-by-variant-should-mark-cacheable-identifier.js 2021-07-22 18:10:43 UTC (rev 280186)
@@ -0,0 +1,24 @@
+//@ runDefault("--slowPathAllocsBetweenGCs=13")
+function foo(object) {
+ 'hello' in object;
+}
+
+let handler = {
+ has(_, keyArg) {
+ keyArg in targetObject;
+ }
+};
+let targetObject = {};
+let proxy = new Proxy(targetObject, handler);
+for (let i = 0; i < 10000; ++i) {
+ foo(proxy);
+}
+targetObject.hello = undefined;
+gc();
+for (let i = 0; i < 10000; ++i) {
+ foo(proxy);
+}
+delete targetObject?.hello;
+for (let i = 0; i < 100000; ++i) {
+ foo(proxy);
+}
Modified: branches/safari-612.1.24.11-branch/Source/_javascript_Core/ChangeLog (280185 => 280186)
--- branches/safari-612.1.24.11-branch/Source/_javascript_Core/ChangeLog 2021-07-22 18:10:39 UTC (rev 280185)
+++ branches/safari-612.1.24.11-branch/Source/_javascript_Core/ChangeLog 2021-07-22 18:10:43 UTC (rev 280186)
@@ -1,3 +1,57 @@
+2021-07-20 Ruben Turcios <[email protected]>
+
+ Cherry-pick r280050. rdar://problem/80851606
+
+ [JSC] InByStatus / InByVariant should visit CacheableIdentifier
+ https://bugs.webkit.org/show_bug.cgi?id=228088
+ rdar://80794604
+
+ Reviewed by Mark Lam.
+
+ JSTests:
+
+ * stress/in-by-variant-should-mark-cacheable-identifier.js: Added.
+ (foo):
+ (let.handler.has):
+
+ Source/_javascript_Core:
+
+ After r278445, InByVariant holds CacheableIdentifier. And this can have
+ String/Symbol cells if this variant is generated by in_by_val. In that
+ case, we must visit this cell as GetByStatus / GetByVariant are doing.
+
+ * bytecode/InByStatus.cpp:
+ (JSC::InByStatus::visitAggregateImpl):
+ * bytecode/InByStatus.h:
+ * bytecode/InByVariant.cpp:
+ (JSC::InByVariant::visitAggregateImpl):
+ * bytecode/InByVariant.h:
+ * bytecode/RecordedStatuses.cpp:
+ (JSC::RecordedStatuses::visitAggregateImpl):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280050 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-07-19 Yusuke Suzuki <[email protected]>
+
+ [JSC] InByStatus / InByVariant should visit CacheableIdentifier
+ https://bugs.webkit.org/show_bug.cgi?id=228088
+ rdar://80794604
+
+ Reviewed by Mark Lam.
+
+ After r278445, InByVariant holds CacheableIdentifier. And this can have
+ String/Symbol cells if this variant is generated by in_by_val. In that
+ case, we must visit this cell as GetByStatus / GetByVariant are doing.
+
+ * bytecode/InByStatus.cpp:
+ (JSC::InByStatus::visitAggregateImpl):
+ * bytecode/InByStatus.h:
+ * bytecode/InByVariant.cpp:
+ (JSC::InByVariant::visitAggregateImpl):
+ * bytecode/InByVariant.h:
+ * bytecode/RecordedStatuses.cpp:
+ (JSC::RecordedStatuses::visitAggregateImpl):
+
2021-07-14 Michael Saboff <[email protected]>
[macOS] Add new entitlement to limit process to a single JIT region
Modified: branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByStatus.cpp (280185 => 280186)
--- branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByStatus.cpp 2021-07-22 18:10:39 UTC (rev 280185)
+++ branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByStatus.cpp 2021-07-22 18:10:43 UTC (rev 280186)
@@ -262,6 +262,15 @@
}
template<typename Visitor>
+void InByStatus::visitAggregateImpl(Visitor& visitor)
+{
+ for (InByVariant& variant : m_variants)
+ variant.visitAggregate(visitor);
+}
+
+DEFINE_VISIT_AGGREGATE(InByStatus);
+
+template<typename Visitor>
void InByStatus::markIfCheap(Visitor& visitor)
{
for (InByVariant& variant : m_variants)
Modified: branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByStatus.h (280185 => 280186)
--- branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByStatus.h 2021-07-22 18:10:39 UTC (rev 280185)
+++ branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByStatus.h 2021-07-22 18:10:43 UTC (rev 280186)
@@ -104,6 +104,7 @@
// Attempts to reduce the set of variants to fit the given structure set. This may be approximate.
void filter(const StructureSet&);
+ DECLARE_VISIT_AGGREGATE;
template<typename Visitor> void markIfCheap(Visitor&);
bool finalize(VM&);
Modified: branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByVariant.cpp (280185 => 280186)
--- branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByVariant.cpp 2021-07-22 18:10:39 UTC (rev 280185)
+++ branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByVariant.cpp 2021-07-22 18:10:43 UTC (rev 280186)
@@ -74,6 +74,14 @@
}
template<typename Visitor>
+void InByVariant::visitAggregateImpl(Visitor& visitor)
+{
+ m_identifier.visitAggregate(visitor);
+}
+
+DEFINE_VISIT_AGGREGATE(InByVariant);
+
+template<typename Visitor>
void InByVariant::markIfCheap(Visitor& visitor)
{
m_structureSet.markIfCheap(visitor);
Modified: branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByVariant.h (280185 => 280186)
--- branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByVariant.h 2021-07-22 18:10:39 UTC (rev 280185)
+++ branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/InByVariant.h 2021-07-22 18:10:43 UTC (rev 280186)
@@ -58,6 +58,7 @@
bool attemptToMerge(const InByVariant& other);
+ DECLARE_VISIT_AGGREGATE;
template<typename Visitor> void markIfCheap(Visitor&);
bool finalize(VM&);
Modified: branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/RecordedStatuses.cpp (280185 => 280186)
--- branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/RecordedStatuses.cpp 2021-07-22 18:10:39 UTC (rev 280185)
+++ branches/safari-612.1.24.11-branch/Source/_javascript_Core/bytecode/RecordedStatuses.cpp 2021-07-22 18:10:43 UTC (rev 280186)
@@ -107,6 +107,8 @@
{
for (auto& pair : gets)
pair.second->visitAggregate(visitor);
+ for (auto& pair : ins)
+ pair.second->visitAggregate(visitor);
for (auto& pair : deletes)
pair.second->visitAggregate(visitor);
for (auto& pair : checkPrivateBrands)
