Title: [177083] trunk/Source/_javascript_Core
Revision
177083
Author
[email protected]
Date
2014-12-10 11:36:32 -0800 (Wed, 10 Dec 2014)

Log Message

Fixes operationPutByIds such that they check that the put didn't
change the structure of the object whose property access is being
cached.
https://bugs.webkit.org/show_bug.cgi?id=139196

Reviewed by Filip Pizlo.

* jit/JITOperations.cpp:
(JSC::operationGetByIdOptimize): changed get to getPropertySlot
(JSC::operationPutByIdStrictBuildList): saved the structure before the put.
(JSC::operationPutByIdNonStrictBuildList): ditto.
(JSC::operationPutByIdDirectStrictBuildList): ditto.
(JSC::operationPutByIdDirectNonStrictBuildList): ditto.
* jit/Repatch.cpp:
(JSC::tryCachePutByID): fixed structure() to use the existant vm.
(JSC::tryBuildPutByIdList): Added a check that the old structure's id
is the same as the new.
(JSC::buildPutByIdList): Added an argument
* jit/Repatch.h:
(JSC::buildPutByIdList): Added an argument
* tests/stress/put-by-id-strict-build-list-order.js: Added.

Modified Paths

Added Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (177082 => 177083)


--- trunk/Source/_javascript_Core/ChangeLog	2014-12-10 19:25:42 UTC (rev 177082)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-12-10 19:36:32 UTC (rev 177083)
@@ -1,3 +1,27 @@
+2014-12-10  Matthew Mirman  <[email protected]>
+
+        Fixes operationPutByIds such that they check that the put didn't
+        change the structure of the object who's property access is being
+        cached.
+        https://bugs.webkit.org/show_bug.cgi?id=139196
+
+        Reviewed by Filip Pizlo.
+
+        * jit/JITOperations.cpp:
+        (JSC::operationGetByIdOptimize): changed get to getPropertySlot
+        (JSC::operationPutByIdStrictBuildList): saved the structure before the put.
+        (JSC::operationPutByIdNonStrictBuildList): ditto.
+        (JSC::operationPutByIdDirectStrictBuildList): ditto.
+        (JSC::operationPutByIdDirectNonStrictBuildList): ditto.
+        * jit/Repatch.cpp:
+        (JSC::tryCachePutByID): fixed structure() to use the existant vm. 
+        (JSC::tryBuildPutByIdList): Added a check that the old structure's id 
+        is the same as the new.
+        (JSC::buildPutByIdList): Added an argument
+        * jit/Repatch.h: 
+        (JSC::buildPutByIdList): Added an argument
+        * tests/stress/put-by-id-strict-build-list-order.js: Added.
+
 2014-12-10  Csaba Osztrogonác  <[email protected]>
 
         URTBF after r177030.

Modified: trunk/Source/_javascript_Core/jit/JITOperations.cpp (177082 => 177083)


--- trunk/Source/_javascript_Core/jit/JITOperations.cpp	2014-12-10 19:25:42 UTC (rev 177082)
+++ trunk/Source/_javascript_Core/jit/JITOperations.cpp	2014-12-10 19:36:32 UTC (rev 177083)
@@ -163,14 +163,15 @@
 
     JSValue baseValue = JSValue::decode(base);
     PropertySlot slot(baseValue);
-    JSValue result = baseValue.get(exec, ident, slot);
     
+    bool hasResult = baseValue.getPropertySlot(exec, ident, slot);
     if (stubInfo->seen)
         repatchGetByID(exec, baseValue, ident, slot, *stubInfo);
     else
         stubInfo->seen = true;
+    
+    return JSValue::encode(hasResult? slot.getValue(exec, ident) : jsUndefined());
 
-    return JSValue::encode(result);
 }
 
 EncodedJSValue JIT_OPERATION operationInOptimize(ExecState* exec, StructureStubInfo* stubInfo, JSCell* base, StringImpl* key)
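Review bot: The substance of this change is that `slot.getValue(exec, ident)` now runs after `repatchGetByID`, yet nothing in the code says why, so a later reader will be tempted to fold the two lines back into `baseValue.get`. Suggest a comment above the `getPropertySlot` line: `// Repatch from the slot before materializing the value: a getter invoked by getValue() can presumably mutate the base's structure, and the stub must describe the pre-getter state.` WebKit style also wants `hasResult ? slot.getValue(exec, ident) : jsUndefined()`, the added line before the return carries trailing whitespace, and the blank line now left before the closing brace can go. The function's opening is outside the hunk.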
@@ -365,12 +366,13 @@
     JSValue baseValue = JSValue::decode(encodedBase);
     PutPropertySlot slot(baseValue, true, exec->codeBlock()->putByIdContext());
     
+    Structure* structure = baseValue.isCell() ? baseValue.asCell()->structure(*vm) : nullptr; 
     baseValue.put(exec, ident, value, slot);
-    
+
     if (accessType != static_cast<AccessType>(stubInfo->accessType))
         return;
-    
-    buildPutByIdList(exec, baseValue, ident, slot, *stubInfo, NotDirect);
+
+    buildPutByIdList(exec, baseValue, structure, ident, slot, *stubInfo, NotDirect);
 }
 
 void JIT_OPERATION operationPutByIdNonStrictBuildList(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue encodedValue, EncodedJSValue encodedBase, StringImpl* uid)
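Review bot: The captured `Structure*` is the value tryBuildPutByIdList later compares against the post-put structure, but none of the four build-list operations (this hunk and the three that follow) say so; a one-line why-comment at the capture, `// Capture the structure before put(): a setter or transition during the put may change it, and the cache must be keyed on the structure the stub saw.`, would prevent someone "simplifying" it back to a post-put read. The same capture-then-put sequence is now repeated verbatim four times, and the two Direct variants carry trailing whitespace on the `Structure* structure = baseObject->structure(*vm);` line (the strict non-direct variant has it on its capture line too). The `vm` local used by `structure(*vm)` and `putDirect(*vm, ...)` is declared above the hunk, presumably the tracer's `VM* vm`, so its scope cannot be confirmed from this view.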
@@ -384,13 +386,14 @@
     JSValue value = JSValue::decode(encodedValue);
     JSValue baseValue = JSValue::decode(encodedBase);
     PutPropertySlot slot(baseValue, false, exec->codeBlock()->putByIdContext());
-    
+
+    Structure* structure = baseValue.isCell() ? baseValue.asCell()->structure(*vm) : nullptr;
     baseValue.put(exec, ident, value, slot);
     
     if (accessType != static_cast<AccessType>(stubInfo->accessType))
         return;
     
-    buildPutByIdList(exec, baseValue, ident, slot, *stubInfo, NotDirect);
+    buildPutByIdList(exec, baseValue, structure, ident, slot, *stubInfo, NotDirect);
 }
 
 void JIT_OPERATION operationPutByIdDirectStrictBuildList(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue encodedValue, EncodedJSValue encodedBase, StringImpl* uid)
@@ -404,13 +407,14 @@
     JSValue value = JSValue::decode(encodedValue);
     JSObject* baseObject = asObject(JSValue::decode(encodedBase));
     PutPropertySlot slot(baseObject, true, exec->codeBlock()->putByIdContext());
+
+    Structure* structure = baseObject->structure(*vm);    
+    baseObject->putDirect(*vm, ident, value, slot);
     
-    baseObject->putDirect(exec->vm(), ident, value, slot);
-    
     if (accessType != static_cast<AccessType>(stubInfo->accessType))
         return;
     
-    buildPutByIdList(exec, baseObject, ident, slot, *stubInfo, Direct);
+    buildPutByIdList(exec, baseObject, structure, ident, slot, *stubInfo, Direct);
 }
 
 void JIT_OPERATION operationPutByIdDirectNonStrictBuildList(ExecState* exec, StructureStubInfo* stubInfo, EncodedJSValue encodedValue, EncodedJSValue encodedBase, StringImpl* uid)
@@ -424,13 +428,14 @@
     JSValue value = JSValue::decode(encodedValue);
     JSObject* baseObject = asObject(JSValue::decode(encodedBase));
     PutPropertySlot slot(baseObject, false, exec->codeBlock()->putByIdContext());
-    
-    baseObject ->putDirect(exec->vm(), ident, value, slot);
-    
+
+    Structure* structure = baseObject->structure(*vm);    
+    baseObject->putDirect(*vm, ident, value, slot);
+
     if (accessType != static_cast<AccessType>(stubInfo->accessType))
         return;
     
-    buildPutByIdList(exec, baseObject, ident, slot, *stubInfo, Direct);
+    buildPutByIdList(exec, baseObject, structure, ident, slot, *stubInfo, Direct);
 }
 
 void JIT_OPERATION operationReallocateStorageAndFinishPut(ExecState* exec, JSObject* base, Structure* structure, PropertyOffset offset, EncodedJSValue value)

Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (177082 => 177083)


--- trunk/Source/_javascript_Core/jit/Repatch.cpp	2014-12-10 19:25:42 UTC (rev 177082)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp	2014-12-10 19:36:32 UTC (rev 177083)
@@ -1235,7 +1235,7 @@
     if (!baseValue.isCell())
         return GiveUpOnCache;
     JSCell* baseCell = baseValue.asCell();
-    Structure* structure = baseCell->structure();
+    Structure* structure = baseCell->structure(*vm);
     Structure* oldStructure = structure->previousID();
     
     if (!slot.isCacheablePut() && !slot.isCacheableCustom() && !slot.isCacheableSetter())
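Review bot: tryCachePutByID still derives the pre-put structure by reading `baseCell->structure(*vm)` after the fact and walking `previousID()`, which is exactly the pattern this commit replaces in tryBuildPutByIdList with a structure captured by the caller. If repatchPutByID's callers also perform the put before calling in (not visible here), a setter that changes the structure during put() would leave this path caching against a structure the stub never observed; either thread the same captured-structure argument through repatchPutByID or add a comment explaining why this path is not exposed. The enclosing function starts outside the hunk.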
@@ -1341,15 +1341,18 @@
         repatchCall(exec->codeBlock(), stubInfo.callReturnLocation, appropriateGenericPutByIdFunction(slot, putKind));
 }
 
-static InlineCacheAction tryBuildPutByIdList(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
+static InlineCacheAction tryBuildPutByIdList(ExecState* exec, JSValue baseValue, Structure* structure, const Identifier& propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
 {
     CodeBlock* codeBlock = exec->codeBlock();
     VM* vm = &exec->vm();
 
-    if (!baseValue.isCell())
+    if (!baseValue.isCell() || !structure)
         return GiveUpOnCache;
     JSCell* baseCell = baseValue.asCell();
-    Structure* structure = baseCell->structure();
+
+    if (baseCell->structure(*vm)->id() != structure->id())
+        return GiveUpOnCache;
+
     Structure* oldStructure = structure->previousID();
     
     
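Review bot: The new guard compares structure IDs, `baseCell->structure(*vm)->id() != structure->id()`, where a pointer comparison states the intent more directly: `if (baseCell->structure(*vm) != structure)`. Because the caller holds `structure` across the put, and live structures do not share IDs as far as I can tell, the two forms should be equivalent here, but the ID form makes the reader ask whether an ID recycled after collection could alias, and the pointer form removes that question. A short comment on the check, `// Give up if put() transitioned or replaced the structure; the list entry must describe the structure the stub actually saw.`, would also document why the caller-supplied structure exists at all. The function's body continues past the hunk.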
@@ -1466,11 +1469,11 @@
     return GiveUpOnCache;
 }
 
-void buildPutByIdList(ExecState* exec, JSValue baseValue, const Identifier& propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
+void buildPutByIdList(ExecState* exec, JSValue baseValue, Structure* structure, const Identifier& propertyName, const PutPropertySlot& slot, StructureStubInfo& stubInfo, PutKind putKind)
 {
     GCSafeConcurrentJITLocker locker(exec->codeBlock()->m_lock, exec->vm().heap);
     
-    if (tryBuildPutByIdList(exec, baseValue, propertyName, slot, stubInfo, putKind) == GiveUpOnCache)
+    if (tryBuildPutByIdList(exec, baseValue, structure, propertyName, slot, stubInfo, putKind) == GiveUpOnCache)
         repatchCall(exec->codeBlock(), stubInfo.callReturnLocation, appropriateGenericPutByIdFunction(slot, putKind));
 }
 

Modified: trunk/Source/_javascript_Core/jit/Repatch.h (177082 => 177083)


--- trunk/Source/_javascript_Core/jit/Repatch.h	2014-12-10 19:25:42 UTC (rev 177082)
+++ trunk/Source/_javascript_Core/jit/Repatch.h	2014-12-10 19:36:32 UTC (rev 177083)
@@ -37,7 +37,7 @@
 void buildGetByIDList(ExecState*, JSValue, const Identifier&, const PropertySlot&, StructureStubInfo&);
 void buildGetByIDProtoList(ExecState*, JSValue, const Identifier&, const PropertySlot&, StructureStubInfo&);
 void repatchPutByID(ExecState*, JSValue, const Identifier&, const PutPropertySlot&, StructureStubInfo&, PutKind);
-void buildPutByIdList(ExecState*, JSValue, const Identifier&, const PutPropertySlot&, StructureStubInfo&, PutKind);
+void buildPutByIdList(ExecState*, JSValue, Structure*, const Identifier&, const PutPropertySlot&, StructureStubInfo&, PutKind);
 void repatchIn(ExecState*, JSCell*, const Identifier&, bool wasFound, const PropertySlot&, StructureStubInfo&);
 void linkFor(ExecState*, CallLinkInfo&, CodeBlock*, JSFunction* callee, MacroAssemblerCodePtr, CodeSpecializationKind, RegisterPreservationMode);
 void linkSlowFor(ExecState*, CallLinkInfo&, CodeSpecializationKind, RegisterPreservationMode);
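Review bot: The added `Structure*` parameter has a precondition the declaration does not convey: it must be the base's structure captured before the put (or null when the base is not a cell), and the implementation gives up on the cache when it no longer matches the current structure. Naming it in the declaration, `Structure* structureBeforePut`, or a one-line comment above the declaration would keep a future caller from passing the post-put structure, which would silently defeat the check rather than fail visibly.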

Added: trunk/Source/_javascript_Core/tests/stress/put-by-id-strict-build-list-order.js (0 => 177083)


--- trunk/Source/_javascript_Core/tests/stress/put-by-id-strict-build-list-order.js	                        (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/put-by-id-strict-build-list-order.js	2014-12-10 19:36:32 UTC (rev 177083)
@@ -0,0 +1,16 @@
+function foo(o) {
+    "use strict";
+    o.f = 42;
+}
+
+noInline(foo);
+
+var a = {};
+foo(a);
+foo(a);
+a = {f : 3};
+foo(a);
+
+var b = {};
+foo(b);
+foo(b);
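Review bot: The test only checks that the engine survives; it never inspects a result, so a regression that builds a wrong cache entry without crashing would still pass. Add a header comment naming the scenario being exercised (two strict puts on the same shape to seed the build list, then a base whose shape already owns `f`, then a fresh object), and verify each put took effect, e.g. `if (a.f !== 42) throw new Error("bad put");` after each `foo(a)` and the same for `b`. A comment on `noInline(foo)` explaining that the baseline JIT's put-by-id stub is the code path under test would also help readers unfamiliar with the stress harness.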