[webkit-changes] [291912] branches/safari-613-branch/Source/JavaScriptCore

[alancoon]

Title: [291912] branches/safari-613-branch/Source/_javascript_Core

Revision

291912

Author

alanc...@apple.com

Date

2022-03-25 18:46:24 -0700 (Fri, 25 Mar 2022)

Log Message

Cherry-pick r291891. rdar://problem/90838071

    AI should not set the structure for ObjectCreate
    https://bugs.webkit.org/show_bug.cgi?id=238349

    Patch by Justin Michaud <justin_mich...@apple.com> on 2022-03-24
    Reviewed by Saam Barati and Yusuke Suzuki.

    The AbstractInterpreter should not set the structure for ObjectCreate because it might change by
    the time the constant folding phase runs if the structure cache is cleared.

    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@291891 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

• branches/safari-613-branch/Source/_javascript_Core/ChangeLog
• branches/safari-613-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h

Diff

Modified: branches/safari-613-branch/Source/_javascript_Core/ChangeLog (291911 => 291912)

--- branches/safari-613-branch/Source/_javascript_Core/ChangeLog	2022-03-26 01:45:25 UTC (rev 291911)
+++ branches/safari-613-branch/Source/_javascript_Core/ChangeLog	2022-03-26 01:46:24 UTC (rev 291912)
@@ -1,3 +1,36 @@
+2022-03-25  Russell Epstein  <repst...@apple.com>
+
+        Cherry-pick r291891. rdar://problem/90838071
+
+    AI should not set the structure for ObjectCreate
+    https://bugs.webkit.org/show_bug.cgi?id=238349
+    
+    Patch by Justin Michaud <justin_mich...@apple.com> on 2022-03-24
+    Reviewed by Saam Barati and Yusuke Suzuki.
+    
+    The AbstractInterpreter should not set the structure for ObjectCreate because it might change by
+    the time the constant folding phase runs if the structure cache is cleared.
+    
+    * dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+    
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@291891 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2022-03-24  Justin Michaud  <justin_mich...@apple.com>
+
+            AI should not set the structure for ObjectCreate
+            https://bugs.webkit.org/show_bug.cgi?id=238349
+
+            Reviewed by Saam Barati and Yusuke Suzuki.
+
+            The AbstractInterpreter should not set the structure for ObjectCreate because it might change by
+            the time the constant folding phase runs if the structure cache is cleared.
+
+            * dfg/DFGAbstractInterpreterInlines.h:
+            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2022-03-21  Alan Coon  <alanc...@apple.com>
 
         Cherry-pick r290981. rdar://problem/83326232

Modified: branches/safari-613-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (291911 => 291912)

--- branches/safari-613-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2022-03-26 01:45:25 UTC (rev 291911)
+++ branches/safari-613-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2022-03-26 01:46:24 UTC (rev 291912)
@@ -3123,25 +3123,10 @@
     }
 
     case ObjectCreate: {
-        if (JSValue base = forNode(node->child1()).m_value) {
-            JSGlobalObject* globalObject = m_graph.globalObjectFor(node->origin.semantic);
-            Structure* structure = nullptr;
-            if (base.isNull())
-                structure = globalObject->nullPrototypeObjectStructure();
-            else if (base.isObject()) {
-                // Having a bad time clears the structureCache, and so it should invalidate this structure.
-                bool isHavingABadTime = globalObject->isHavingABadTime();
-                // Normally, we would always install a watchpoint. In this case, however, if we haveABadTime, we
-                // still want to optimize. There is no watchpoint for that case though, so we need to make sure this load
-                // does not get hoisted above the check.
-                WTF::loadLoadFence();
-                if (!isHavingABadTime)
-                    m_graph.watchpoints().addLazily(globalObject->havingABadTimeWatchpoint());
-                structure = m_vm.structureCache.emptyObjectStructureConcurrently(globalObject, base.getObject(), JSFinalObject::defaultInlineCapacity());
-            }
-            
-            if (structure) {
-                m_state.setShouldTryConstantFolding(true);
+        if (JSValue prototype = forNode(node->child1()).m_value) {
+            m_state.setShouldTryConstantFolding(true);
+            if (prototype.isNull()) {
+                Structure* structure = m_graph.globalObjectFor(node->origin.semantic)->nullPrototypeObjectStructure();
                 if (node->child1().useKind() == UntypedUse)
                     didFoldClobberWorld();
                 setForNode(node, structure);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes