Title: [173793] trunk/Source/_javascript_Core
Revision
173793
Author
[email protected]
Date
2014-09-20 10:59:58 -0700 (Sat, 20 Sep 2014)

Log Message

StorageAccessData should be referenced in a sensible way
https://bugs.webkit.org/show_bug.cgi?id=136963

Reviewed and rubber stamped by Michael Saboff.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleGetByOffset):
(JSC::DFG::ByteCodeParser::handlePutByOffset):
(JSC::DFG::ByteCodeParser::handlePutById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
* dfg/DFGGraph.h:
* dfg/DFGNode.h:
(JSC::DFG::Node::convertToGetByOffset):
(JSC::DFG::Node::convertToPutByOffset):
(JSC::DFG::Node::storageAccessData):
(JSC::DFG::Node::storageAccessDataIndex): Deleted.
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
(JSC::FTL::LowerDFGToLLVM::compilePutByOffset):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (173792 => 173793)


--- trunk/Source/_javascript_Core/ChangeLog	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-09-20 17:59:58 UTC (rev 173793)
@@ -1,3 +1,39 @@
+2014-09-19  Filip Pizlo  <[email protected]>
+
+        StorageAccessData should be referenced in a sensible way
+        https://bugs.webkit.org/show_bug.cgi?id=136963
+
+        Reviewed and rubber stamped by Michael Saboff.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleGetByOffset):
+        (JSC::DFG::ByteCodeParser::handlePutByOffset):
+        (JSC::DFG::ByteCodeParser::handlePutById):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::emitGetByOffset):
+        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump):
+        * dfg/DFGGraph.h:
+        * dfg/DFGNode.h:
+        (JSC::DFG::Node::convertToGetByOffset):
+        (JSC::DFG::Node::convertToPutByOffset):
+        (JSC::DFG::Node::storageAccessData):
+        (JSC::DFG::Node::storageAccessDataIndex): Deleted.
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
+        (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
+
 2014-09-19  Ryosuke Niwa  <[email protected]>
 
         Leak of mallocs under StructureSet::OutOfLineList::create

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2014-09-20 17:59:58 UTC (rev 173793)
@@ -1606,7 +1606,7 @@
     }
         
     case GetByOffset: {
-        StorageAccessData data = ""
+        StorageAccessData& data = ""
         JSValue result = m_graph.tryGetConstantProperty(forNode(node->child2()), data.offset);
         if (result) {
             setConstant(node, *m_graph.freeze(result));
@@ -1618,7 +1618,7 @@
     }
         
     case GetGetterSetterByOffset: {
-        StorageAccessData data = ""
+        StorageAccessData& data = ""
         JSValue result = m_graph.tryGetConstantProperty(forNode(node->child2()), data.offset);
         if (result && jsDynamicCast<GetterSetter*>(result)) {
             setConstant(node, *m_graph.freeze(result));

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2014-09-20 17:59:58 UTC (rev 173793)
@@ -1984,13 +1984,13 @@
         propertyStorage = base;
     else
         propertyStorage = addToGraph(GetButterfly, base);
-    Node* getByOffset = addToGraph(op, OpInfo(m_graph.m_storageAccessData.size()), OpInfo(prediction), propertyStorage, base);
+    
+    StorageAccessData* data = ""
+    data->offset = offset;
+    data->identifierNumber = identifierNumber;
+    
+    Node* getByOffset = addToGraph(op, OpInfo(data), OpInfo(prediction), propertyStorage, base);
 
-    StorageAccessData storageAccessData;
-    storageAccessData.offset = offset;
-    storageAccessData.identifierNumber = identifierNumber;
-    m_graph.m_storageAccessData.append(storageAccessData);
-
     return getByOffset;
 }
 
@@ -2001,13 +2001,13 @@
         propertyStorage = base;
     else
         propertyStorage = addToGraph(GetButterfly, base);
-    Node* result = addToGraph(PutByOffset, OpInfo(m_graph.m_storageAccessData.size()), propertyStorage, base, value);
     
-    StorageAccessData storageAccessData;
-    storageAccessData.offset = offset;
-    storageAccessData.identifierNumber = identifier;
-    m_graph.m_storageAccessData.append(storageAccessData);
-
+    StorageAccessData* data = ""
+    data->offset = offset;
+    data->identifierNumber = identifier;
+    
+    Node* result = addToGraph(PutByOffset, OpInfo(data), propertyStorage, base, value);
+    
     return result;
 }
 
@@ -2215,18 +2215,17 @@
 
         addToGraph(PutStructure, OpInfo(transition), base);
 
+        StorageAccessData* data = ""
+        data->offset = variant.offset();
+        data->identifierNumber = identifierNumber;
+        
         addToGraph(
             PutByOffset,
-            OpInfo(m_graph.m_storageAccessData.size()),
+            OpInfo(data),
             propertyStorage,
             base,
             value);
 
-        StorageAccessData storageAccessData;
-        storageAccessData.offset = variant.offset();
-        storageAccessData.identifierNumber = identifierNumber;
-        m_graph.m_storageAccessData.append(storageAccessData);
-
         if (m_graph.compilation())
             m_graph.compilation()->noticeInlinedPutById();
         return;

Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2014-09-20 17:59:58 UTC (rev 173793)
@@ -673,8 +673,7 @@
         
     case GetByOffset:
     case GetGetterSetterByOffset: {
-        unsigned identifierNumber =
-            graph.m_storageAccessData[node->storageAccessDataIndex()].identifierNumber;
+        unsigned identifierNumber = node->storageAccessData().identifierNumber;
         AbstractHeap heap(NamedProperties, identifierNumber);
         read(heap);
         def(HeapLocation(NamedPropertyLoc, heap, node->child2()), node);
@@ -704,8 +703,7 @@
     }
         
     case PutByOffset: {
-        unsigned identifierNumber =
-            graph.m_storageAccessData[node->storageAccessDataIndex()].identifierNumber;
+        unsigned identifierNumber = node->storageAccessData().identifierNumber;
         AbstractHeap heap(NamedProperties, identifierNumber);
         write(heap);
         def(HeapLocation(NamedPropertyLoc, heap, node->child2()), node->child3().node());

Modified: trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp	2014-09-20 17:59:58 UTC (rev 173793)
@@ -486,12 +486,11 @@
                 indexInBlock, SpecNone, GetButterfly, origin, childEdge));
         }
         
-        node->convertToGetByOffset(m_graph.m_storageAccessData.size(), propertyStorage);
+        StorageAccessData& data = ""
+        data.offset = variant.offset();
+        data.identifierNumber = identifierNumber;
         
-        StorageAccessData storageAccessData;
-        storageAccessData.offset = variant.offset();
-        storageAccessData.identifierNumber = identifierNumber;
-        m_graph.m_storageAccessData.append(storageAccessData);
+        node->convertToGetByOffset(data, propertyStorage);
     }
 
     void emitPutByOffset(unsigned indexInBlock, Node* node, const AbstractValue& baseValue, const PutByIdVariant& variant, unsigned identifierNumber)
@@ -544,15 +543,14 @@
             m_insertionSet.insert(indexInBlock, putStructure);
         }
 
-        node->convertToPutByOffset(m_graph.m_storageAccessData.size(), propertyStorage);
+        StorageAccessData& data = ""
+        data.offset = variant.offset();
+        data.identifierNumber = identifierNumber;
+        
+        node->convertToPutByOffset(data, propertyStorage);
         m_insertionSet.insertNode(
             indexInBlock, SpecNone, StoreBarrier, origin, 
             Edge(node->child2().node(), KnownCellUse));
-
-        StorageAccessData storageAccessData;
-        storageAccessData.offset = variant.offset();
-        storageAccessData.identifierNumber = identifierNumber;
-        m_graph.m_storageAccessData.append(storageAccessData);
     }
     
     void addBaseCheck(

Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp	2014-09-20 17:59:58 UTC (rev 173793)
@@ -250,7 +250,7 @@
         out.print(comma, FunctionExecutableDump(executable));
     }
     if (node->hasStorageAccessData()) {
-        StorageAccessData& storageAccessData = m_storageAccessData[node->storageAccessDataIndex()];
+        StorageAccessData& storageAccessData = node->storageAccessData();
         out.print(comma, "id", storageAccessData.identifierNumber, "{", identifiers()[storageAccessData.identifierNumber], "}");
         out.print(", ", static_cast<ptrdiff_t>(storageAccessData.offset));
     }

Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.h (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGGraph.h	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.h	2014-09-20 17:59:58 UTC (rev 173793)
@@ -55,11 +55,6 @@
 
 namespace DFG {
 
-struct StorageAccessData {
-    PropertyOffset offset;
-    unsigned identifierNumber;
-};
-
 struct InlineVariableData {
     InlineCallFrame* inlineCallFrame;
     unsigned argumentPositionStart;
@@ -730,7 +725,7 @@
     HashMap<EncodedJSValue, FrozenValue*, EncodedJSValueHash, EncodedJSValueHashTraits> m_frozenValueMap;
     Bag<FrozenValue> m_frozenValues;
     
-    Vector<StorageAccessData> m_storageAccessData;
+    Bag<StorageAccessData> m_storageAccessData;
     Vector<Node*, 8> m_arguments;
     SegmentedVector<VariableAccessData, 16> m_variableAccessData;
     SegmentedVector<ArgumentPosition, 8> m_argumentPositions;

Modified: trunk/Source/_javascript_Core/dfg/DFGNode.h (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGNode.h	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGNode.h	2014-09-20 17:59:58 UTC (rev 173793)
@@ -55,6 +55,11 @@
 class Graph;
 struct BasicBlock;
 
+struct StorageAccessData {
+    PropertyOffset offset;
+    unsigned identifierNumber;
+};
+
 struct MultiGetByOffsetData {
     unsigned identifierNumber;
     Vector<GetByIdVariant, 2> variants;
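Review bot: StorageAccessData is declared here with two plain members and no constructor or default member initializers, while every call site in this commit (handleGetByOffset, handlePutByOffset, handlePutById, emitGetByOffset, emitPutByOffset) obtains an entry and then assigns `offset` and `identifierNumber` in separate statements. A later site that forgets one assignment would presumably leave that field indeterminate, and `offset` is what the JIT backends feed into `offsetRelativeToBase()` to form a load or store address. Consider a two-argument constructor, or initializers such as `PropertyOffset offset { invalidOffset };`, so a half-filled entry cannot be created; whether the container value-initializes new entries is not visible on this page. The MultiGetByOffsetData struct that closes the hunk continues outside it.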
@@ -456,10 +461,10 @@
         children.reset();
     }
     
-    void convertToGetByOffset(unsigned storageAccessDataIndex, Edge storage)
+    void convertToGetByOffset(StorageAccessData& data, Edge storage)
     {
         ASSERT(m_op == GetById || m_op == GetByIdFlush || m_op == MultiGetByOffset);
-        m_opInfo = storageAccessDataIndex;
+        m_opInfo = bitwise_cast<uintptr_t>(&data);
         children.setChild2(children.child1());
         children.child2().setUseKind(KnownCellUse);
         children.setChild1(storage);
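Review bot: convertToGetByOffset now retains the address of its `data` argument in `m_opInfo` (`bitwise_cast<uintptr_t>(&data)`), but a reference parameter gives callers no hint that the callee keeps it, so passing a stack-local StorageAccessData would compile and leave the node holding a dangling pointer. The same applies to convertToPutByOffset in the next hunk. I would add a comment above both, e.g. `// Retains &data in m_opInfo; data must be an entry of Graph::m_storageAccessData and outlive this node.`, or take a `StorageAccessData*` so the retention is visible at the call site. The function body continues outside the hunk.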
@@ -476,10 +481,10 @@
         m_flags &= ~NodeClobbersWorld;
     }
     
-    void convertToPutByOffset(unsigned storageAccessDataIndex, Edge storage)
+    void convertToPutByOffset(StorageAccessData& data, Edge storage)
     {
         ASSERT(m_op == PutById || m_op == PutByIdDirect || m_op == PutByIdFlush || m_op == MultiPutByOffset);
-        m_opInfo = storageAccessDataIndex;
+        m_opInfo = bitwise_cast<uintptr_t>(&data);
         children.setChild3(children.child2());
         children.setChild2(children.child1());
         children.setChild1(storage);
@@ -1153,10 +1158,10 @@
         return op() == GetByOffset || op() == GetGetterSetterByOffset || op() == PutByOffset;
     }
     
-    unsigned storageAccessDataIndex()
+    StorageAccessData& storageAccessData()
     {
         ASSERT(hasStorageAccessData());
-        return m_opInfo;
+        return *bitwise_cast<StorageAccessData*>(m_opInfo);
     }
     
     bool hasMultiGetByOffsetData()
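Review bot: storageAccessData() reinterprets `m_opInfo` as a `StorageAccessData*` and dereferences it, and the only guard is `ASSERT(hasStorageAccessData())`, which is presumably compiled out of release builds. Before this change a node with a mismatched op produced a wrong index into `m_storageAccessData`; now it produces a dereference of whatever integer the op-specific field happens to hold, so an op/opInfo mismatch becomes a type confusion inside the compiler rather than a wrong lookup. I would document the invariant on the accessor, e.g. `// m_opInfo holds a StorageAccessData* only while hasStorageAccessData() is true; converting the node to another op must overwrite m_opInfo.`, and consider whether a release-mode check is affordable here. hasMultiGetByOffsetData() at the end of the hunk continues outside it.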

Modified: trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h	2014-09-20 17:59:58 UTC (rev 173793)
@@ -311,7 +311,7 @@
         StructureAbstractValue& value = state.forNode(node->child1()).m_structure;
         if (value.isTop())
             return false;
-        PropertyOffset offset = graph.m_storageAccessData[node->storageAccessDataIndex()].offset;
+        PropertyOffset offset = node->storageAccessData().offset;
         for (unsigned i = value.size(); i--;) {
             if (!value[i]->isValidOffset(offset))
                 return false;

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2014-09-20 17:59:58 UTC (rev 173793)
@@ -3794,7 +3794,7 @@
         GPRReg resultTagGPR = resultTag.gpr();
         GPRReg resultPayloadGPR = resultPayload.gpr();
         
-        StorageAccessData& storageAccessData = m_jit.graph().m_storageAccessData[node->storageAccessDataIndex()];
+        StorageAccessData& storageAccessData = node->storageAccessData();
         
         m_jit.load32(JITCompiler::Address(storageGPR, offsetRelativeToBase(storageAccessData.offset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)), resultPayloadGPR);
         m_jit.load32(JITCompiler::Address(storageGPR, offsetRelativeToBase(storageAccessData.offset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)), resultTagGPR);
@@ -3810,7 +3810,7 @@
         GPRReg storageGPR = storage.gpr();
         GPRReg resultPayloadGPR = resultPayload.gpr();
         
-        StorageAccessData& storageAccessData = m_jit.graph().m_storageAccessData[node->storageAccessDataIndex()];
+        StorageAccessData& storageAccessData = node->storageAccessData();
         
         m_jit.load32(JITCompiler::Address(storageGPR, offsetRelativeToBase(storageAccessData.offset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)), resultPayloadGPR);
         
@@ -3854,7 +3854,7 @@
 
         speculate(node, node->child2());
 
-        StorageAccessData& storageAccessData = m_jit.graph().m_storageAccessData[node->storageAccessDataIndex()];
+        StorageAccessData& storageAccessData = node->storageAccessData();
         
         m_jit.storePtr(valueTagGPR, JITCompiler::Address(storageGPR, offsetRelativeToBase(storageAccessData.offset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag)));
         m_jit.storePtr(valuePayloadGPR, JITCompiler::Address(storageGPR, offsetRelativeToBase(storageAccessData.offset) + OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload)));

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (173792 => 173793)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2014-09-20 17:59:58 UTC (rev 173793)
@@ -3889,7 +3889,7 @@
         GPRReg storageGPR = storage.gpr();
         GPRReg resultGPR = result.gpr();
         
-        StorageAccessData& storageAccessData = m_jit.graph().m_storageAccessData[node->storageAccessDataIndex()];
+        StorageAccessData& storageAccessData = node->storageAccessData();
         
         m_jit.load64(JITCompiler::Address(storageGPR, offsetRelativeToBase(storageAccessData.offset)), resultGPR);
         
@@ -3934,7 +3934,7 @@
 
         speculate(node, node->child2());
 
-        StorageAccessData& storageAccessData = m_jit.graph().m_storageAccessData[node->storageAccessDataIndex()];
+        StorageAccessData& storageAccessData = node->storageAccessData();
         
         m_jit.store64(valueGPR, JITCompiler::Address(storageGPR, offsetRelativeToBase(storageAccessData.offset)));
 

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (173792 => 173793)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp	2014-09-20 15:34:08 UTC (rev 173792)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp	2014-09-20 17:59:58 UTC (rev 173793)
@@ -3251,8 +3251,7 @@
     
     void compileGetByOffset()
     {
-        StorageAccessData& data =
-            m_graph.m_storageAccessData[m_node->storageAccessDataIndex()];
+        StorageAccessData& data = ""
         
         setJSValue(loadProperty(
             lowStorage(m_node->child1()), data.identifierNumber, data.offset));
@@ -3337,8 +3336,7 @@
     
     void compilePutByOffset()
     {
-        StorageAccessData& data =
-            m_graph.m_storageAccessData[m_node->storageAccessDataIndex()];
+        StorageAccessData& data = ""
         
         storeProperty(
             lowJSValue(m_node->child3()),