Title: [188357] trunk/Source/JavaScriptCore
- Revision: 188357
- Author: [email protected]
- Date: 2015-08-12 14:01:15 -0700 (Wed, 12 Aug 2015)
Log Message
DFG::ByteCodeParser should attempt constant folding on loads from structures that are DFG-watchable
https://bugs.webkit.org/show_bug.cgi?id=147950

Reviewed by Michael Saboff.

Previously we reduced the constant folding power of ByteCodeParser::load() because that code was
responsible for memory corruption, since it would sometimes install watchpoints on structures that
weren't being traced. It seemed like the safest fix was to remove the constant folding rule
entirely since later phases also do constant folding, and they do it without introducing the bug.
Well, that change (http://trac.webkit.org/changeset/188292) caused a big regression, because we
still have some constant folding rules that only exist in ByteCodeParser, and so ByteCodeParser must
be maximally aggressive in constant-folding whenever possible.

So, this change now brings back that constant folding rule - for loads from object constants that
have DFG-watchable structures - and implements it properly, by ensuring that we only call into
tryGetConstantProperty() if we have registered the structure set.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::load):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (188356 => 188357)
--- trunk/Source/_javascript_Core/ChangeLog 2015-08-12 20:51:57 UTC (rev 188356)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-08-12 21:01:15 UTC (rev 188357)
@@ -1,3 +1,25 @@
+2015-08-12 Filip Pizlo <[email protected]>
+
+ DFG::ByteCodeParser should attempt constant folding on loads from structures that are DFG-watchable
+ https://bugs.webkit.org/show_bug.cgi?id=147950
+
+ Reviewed by Michael Saboff.
+
+ Previously we reduced the constant folding power of ByteCodeParser::load() because that code was
+ responsible for memory corruption, since it would sometimes install watchpoints on structures that
+ weren't being traced. It seemed like the safest fix was to remove the constant folding rule
+ entirely since later phases also do constant folding, and they do it without introducing the bug.
+ Well, that change (http://trac.webkit.org/changeset/188292) caused a big regression, because we
+ still have some constant folding rules that only exist in ByteCodeParser, and so ByteCodeParser must
+ be maximally aggressive in constant-folding whenever possible.
+
+ So, this change now brings back that constant folding rule - for loads from object constants that
+ have DFG-watchable structures - and implements it properly, by ensuring that we only call into
+ tryGetConstantProperty() if we have registered the structure set.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::load):
+
2015-08-12 Yusuke Suzuki <[email protected]>
[ES6] Add ES6 Modules preparsing phase to collect the dependencies
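Review bot: The new ChangeLog entry lists only dfg/DFGByteCodeParser.cpp as changed and names no test, even though its first paragraph says the earlier form of this folding rule was responsible for memory corruption. Consider adding a regression test that covers a load from an object constant on the path where the structure set has not been registered, and listing it in this entry, so the invariant stated in the last paragraph is checked rather than only described.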
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (188356 => 188357)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2015-08-12 20:51:57 UTC (rev 188356)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2015-08-12 21:01:15 UTC (rev 188357)
@@ -2581,6 +2581,15 @@
if (!variant.conditionSet().isEmpty())
loadedValue = load(loadPrediction, variant.conditionSet(), loadOp);
else {
+ if (needStructureCheck && base->hasConstant()) {
+ // We did emit a structure check. That means that we have an opportunity to do constant folding
+ // here, since we didn't do it above.
+ JSValue constant = m_graph.tryGetConstantProperty(
+ base->asJSValue(), variant.structureSet(), variant.offset());
+ if (constant)
+ return weakJSConstant(constant);
+ }
+
loadedValue = handleGetByOffset(
loadPrediction, base, identifierNumber, variant.offset(), loadOp);
}
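Review bot: The comment added in the else branch says only that a structure check was emitted, while the ChangeLog gives the real safety condition as calling tryGetConstantProperty() only once the structure set has been registered. Nothing in this hunk shows that needStructureCheck implies registration, so please state that link in the comment, or assert it just before the call, so that a later change to how needStructureCheck is computed cannot silently bring back watchpoints on unregistered structures. Separately, `return weakJSConstant(constant);` leaves the function before loadedValue is assigned, so confirm that nothing after this if/else needs to run on the folded path.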