Title: [281893] branches/safari-612-branch/Source/_javascript_Core
Revision
281893
Author
[email protected]
Date
2021-09-01 18:04:50 -0700 (Wed, 01 Sep 2021)

Log Message

Cherry-pick r281618. rdar://problem/82650928

    [JSC] DataIC should not embed StructureStubInfo pointer
    https://bugs.webkit.org/show_bug.cgi?id=229541

    Reviewed by Mark Lam.

    We should not embed pointer to StructureStubInfo::countdown if DataIC is used.

    * assembler/MacroAssemblerMIPS.h:
    (JSC::MacroAssemblerMIPS::store8):
    * bytecode/PolymorphicAccess.cpp:
    (JSC::PolymorphicAccess::regenerate):
    * bytecode/StructureStubInfo.h:
    (JSC::StructureStubInfo::offsetOfCountdown):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281618 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Diff

Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (281892 => 281893)


--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2021-09-02 01:04:46 UTC (rev 281892)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog	2021-09-02 01:04:50 UTC (rev 281893)
@@ -1,5 +1,41 @@
 2021-09-01  Russell Epstein  <[email protected]>
 
+        Cherry-pick r281618. rdar://problem/82650928
+
+    [JSC] DataIC should not embed StructureStubInfo pointer
+    https://bugs.webkit.org/show_bug.cgi?id=229541
+    
+    Reviewed by Mark Lam.
+    
+    We should not embed pointer to StructureStubInfo::countdown if DataIC is used.
+    
+    * assembler/MacroAssemblerMIPS.h:
+    (JSC::MacroAssemblerMIPS::store8):
+    * bytecode/PolymorphicAccess.cpp:
+    (JSC::PolymorphicAccess::regenerate):
+    * bytecode/StructureStubInfo.h:
+    (JSC::StructureStubInfo::offsetOfCountdown):
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@281618 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-08-26  Yusuke Suzuki  <[email protected]>
+
+            [JSC] DataIC should not embed StructureStubInfo pointer
+            https://bugs.webkit.org/show_bug.cgi?id=229541
+
+            Reviewed by Mark Lam.
+
+            We should not embed pointer to StructureStubInfo::countdown if DataIC is used.
+
+            * assembler/MacroAssemblerMIPS.h:
+            (JSC::MacroAssemblerMIPS::store8):
+            * bytecode/PolymorphicAccess.cpp:
+            (JSC::PolymorphicAccess::regenerate):
+            * bytecode/StructureStubInfo.h:
+            (JSC::StructureStubInfo::offsetOfCountdown):
+
+2021-09-01  Russell Epstein  <[email protected]>
+
         Cherry-pick r281615. rdar://problem/82651172
 
     [JSC] Polymorphic PutByVal

Modified: branches/safari-612-branch/Source/_javascript_Core/assembler/MacroAssemblerMIPS.h (281892 => 281893)


--- branches/safari-612-branch/Source/_javascript_Core/assembler/MacroAssemblerMIPS.h	2021-09-02 01:04:46 UTC (rev 281892)
+++ branches/safari-612-branch/Source/_javascript_Core/assembler/MacroAssemblerMIPS.h	2021-09-02 01:04:50 UTC (rev 281893)
@@ -1327,6 +1327,23 @@
         return dataLabel;
     }
 
+    void store8(RegisterID src, ImplicitAddress address)
+    {
+        if (address.offset >= -32768 && address.offset <= 32767
+            && !m_fixedWidth)
+            m_assembler.sb(src, address.base, address.offset);
+        else {
+            /*
+                lui     addrTemp, (offset + 0x8000) >> 16
+                addu    addrTemp, addrTemp, base
+                sb      src, (offset & 0xffff)(addrTemp)
+              */
+            m_assembler.lui(addrTempRegister, (address.offset + 0x8000) >> 16);
+            m_assembler.addu(addrTempRegister, addrTempRegister, address.base);
+            m_assembler.sb(src, addrTempRegister, address.offset);
+        }
+    }
+
     void store8(RegisterID src, BaseIndex address)
     {
         if (!m_fixedWidth) {
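Review bot: In the large-offset branch of the new `store8(RegisterID, ImplicitAddress)`, the last call passes the full value, `m_assembler.sb(src, addrTempRegister, address.offset)`, while the comment directly above documents `sb src, (offset & 0xffff)(addrTemp)`. The sequence is only correct if the assembler's `sb` keeps just the low 16 bits of the immediate, which this hunk does not show. If it does not, the JIT-emitted byte store would land at the wrong address. Either record the reliance next to the call, e.g. `// sb() encodes only the low 16 bits; lui above carries the rest`, or make it explicit with `m_assembler.sb(src, addrTempRegister, address.offset & 0xffff);`.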

Modified: branches/safari-612-branch/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp (281892 => 281893)


--- branches/safari-612-branch/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp	2021-09-02 01:04:46 UTC (rev 281892)
+++ branches/safari-612-branch/Source/_javascript_Core/bytecode/PolymorphicAccess.cpp	2021-09-02 01:04:50 UTC (rev 281893)
@@ -735,14 +735,24 @@
         // of something that isn't patchable. The slow path will decrement "countdown" and will only
         // patch things if the countdown reaches zero. We increment the slow path count here to ensure
         // that the slow path does not try to patch.
+        if (codeBlock->useDataIC()) {
 #if CPU(X86) || CPU(X86_64)
-        jit.move(CCallHelpers::TrustedImmPtr(&stubInfo.countdown), state.scratchGPR);
-        jit.add8(CCallHelpers::TrustedImm32(1), CCallHelpers::Address(state.scratchGPR));
+            jit.add8(CCallHelpers::TrustedImm32(1), CCallHelpers::Address(stubInfo.m_stubInfoGPR, StructureStubInfo::offsetOfCountdown()));
 #else
-        jit.load8(&stubInfo.countdown, state.scratchGPR);
-        jit.add32(CCallHelpers::TrustedImm32(1), state.scratchGPR);
-        jit.store8(state.scratchGPR, &stubInfo.countdown);
+            jit.load8(CCallHelpers::Address(stubInfo.m_stubInfoGPR, StructureStubInfo::offsetOfCountdown()), state.scratchGPR);
+            jit.add32(CCallHelpers::TrustedImm32(1), state.scratchGPR);
+            jit.store8(state.scratchGPR, CCallHelpers::Address(stubInfo.m_stubInfoGPR, StructureStubInfo::offsetOfCountdown()));
 #endif
+        } else {
+#if CPU(X86) || CPU(X86_64)
+            jit.move(CCallHelpers::TrustedImmPtr(&stubInfo.countdown), state.scratchGPR);
+            jit.add8(CCallHelpers::TrustedImm32(1), CCallHelpers::Address(state.scratchGPR));
+#else
+            jit.load8(&stubInfo.countdown, state.scratchGPR);
+            jit.add32(CCallHelpers::TrustedImm32(1), state.scratchGPR);
+            jit.store8(state.scratchGPR, &stubInfo.countdown);
+#endif
+        }
     }
 
     CCallHelpers::JumpList failure;
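Review bot: The new `codeBlock->useDataIC()` branch addresses the counter through `stubInfo.m_stubInfoGPR`, but nothing in the hunk checks that this register is assigned and still holds the StructureStubInfo at this point in the generated stub. If it were unset or clobbered, the emitted `add8`/`store8` would write one byte at `offsetOfCountdown()` from an arbitrary base. A debug check such as `ASSERT(stubInfo.m_stubInfoGPR != InvalidGPRReg);` at the top of the branch would pin the assumption. A one-line comment such as `// DataIC code must not embed per-stub pointers; reach countdown via the stub info register.` would record why the two branches differ. The enclosing function starts and ends outside this hunk, so the register's liveness here should be confirmed against the rest of `regenerate`.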

Modified: branches/safari-612-branch/Source/_javascript_Core/bytecode/StructureStubInfo.h (281892 => 281893)


--- branches/safari-612-branch/Source/_javascript_Core/bytecode/StructureStubInfo.h	2021-09-02 01:04:46 UTC (rev 281892)
+++ branches/safari-612-branch/Source/_javascript_Core/bytecode/StructureStubInfo.h	2021-09-02 01:04:50 UTC (rev 281893)
@@ -354,6 +354,7 @@
     static ptrdiff_t offsetOfCodePtr() { return OBJECT_OFFSETOF(StructureStubInfo, m_codePtr); }
     static ptrdiff_t offsetOfSlowPathStartLocation() { return OBJECT_OFFSETOF(StructureStubInfo, slowPathStartLocation); }
     static ptrdiff_t offsetOfSlowOperation() { return OBJECT_OFFSETOF(StructureStubInfo, m_slowOperation); }
+    static ptrdiff_t offsetOfCountdown() { return OBJECT_OFFSETOF(StructureStubInfo, countdown); }
 
     RegisterSet usedRegisters;
 