Title: [164066] trunk/Source/_javascript_Core
- Revision
- 164066
- Author
- [email protected]
- Date
- 2014-02-13 15:31:20 -0800 (Thu, 13 Feb 2014)
Log Message
GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
https://bugs.webkit.org/show_bug.cgi?id=128772
Reviewed by Mark Hahnenberg.
* bytecode/GetByIdStatus.cpp:
(JSC::GetByIdStatus::computeFromLLInt):
(JSC::GetByIdStatus::computeForStubInfo):
* runtime/Structure.h:
(JSC::Structure::takesSlowPathInDFGForImpureProperty):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (164065 => 164066)
--- trunk/Source/_javascript_Core/ChangeLog 2014-02-13 23:28:50 UTC (rev 164065)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-02-13 23:31:20 UTC (rev 164066)
@@ -1,3 +1,16 @@
+2014-02-13 Filip Pizlo <[email protected]>
+
+ GetByIdStatus shouldn't call takesSlowPathInDFGForImpureProperty() for self accesses, and calling that method should never assert about anything
+ https://bugs.webkit.org/show_bug.cgi?id=128772
+
+ Reviewed by Mark Hahnenberg.
+
+ * bytecode/GetByIdStatus.cpp:
+ (JSC::GetByIdStatus::computeFromLLInt):
+ (JSC::GetByIdStatus::computeForStubInfo):
+ * runtime/Structure.h:
+ (JSC::Structure::takesSlowPathInDFGForImpureProperty):
+
2014-02-13 Mark Hahnenberg <[email protected]>
Add some RELEASE_ASSERTs to catch JSLock bugs earlier
Modified: trunk/Source/_javascript_Core/bytecode/GetByIdStatus.cpp (164065 => 164066)
--- trunk/Source/_javascript_Core/bytecode/GetByIdStatus.cpp 2014-02-13 23:28:50 UTC (rev 164065)
+++ trunk/Source/_javascript_Core/bytecode/GetByIdStatus.cpp 2014-02-13 23:31:20 UTC (rev 164066)
@@ -59,9 +59,6 @@
if (!structure)
return GetByIdStatus(NoInformation, false);
- if (structure->takesSlowPathInDFGForImpureProperty())
- return GetByIdStatus(NoInformation, false);
-
unsigned attributesIgnored;
JSCell* specificValue;
PropertyOffset offset = structure->getConcurrently(
@@ -191,8 +188,6 @@
case access_get_by_id_self: {
Structure* structure = stubInfo->u.getByIdSelf.baseObjectStructure.get();
- if (structure->takesSlowPathInDFGForImpureProperty())
- return GetByIdStatus(TakesSlowPath, true);
unsigned attributesIgnored;
JSCell* specificValue;
result.m_offset = structure->getConcurrently(
@@ -215,9 +210,6 @@
ASSERT(list->list[i].isDirect);
Structure* structure = list->list[i].base.get();
- if (structure->takesSlowPathInDFGForImpureProperty())
- return GetByIdStatus(TakesSlowPath, true);
-
if (result.m_structureSet.contains(structure))
continue;
Modified: trunk/Source/_javascript_Core/runtime/Structure.h (164065 => 164066)
--- trunk/Source/_javascript_Core/runtime/Structure.h 2014-02-13 23:28:50 UTC (rev 164065)
+++ trunk/Source/_javascript_Core/runtime/Structure.h 2014-02-13 23:31:20 UTC (rev 164066)
@@ -139,7 +139,6 @@
// DFG from inlining property accesses since structures don't transition when a new impure property appears.
bool takesSlowPathInDFGForImpureProperty()
{
- ASSERT(!typeInfo().hasImpureGetOwnPropertySlot() || typeInfo().newImpurePropertyFiresWatchpoints());
return typeInfo().hasImpureGetOwnPropertySlot();
}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
