Title: [191139] trunk/Source/_javascript_Core
Revision
191139
Author
gga...@apple.com
Date
2015-10-15 14:52:05 -0700 (Thu, 15 Oct 2015)

Log Message

2015-10-15  Geoffrey Garen  <gga...@apple.com>

        Unreviewed, rolling out r191003.
        https://bugs.webkit.org/show_bug.cgi?id=150042

        We're seeing some crashes in GC beneath speculationFromCell. Maybe this
        patch caused them?

        Reverted changeset:

        CodeBlock write barriers should be precise
        https://bugs.webkit.org/show_bug.cgi?id=150042
        http://trac.webkit.org/changeset/191003

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (191138 => 191139)


--- trunk/Source/_javascript_Core/ChangeLog	2015-10-15 21:31:09 UTC (rev 191138)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-10-15 21:52:05 UTC (rev 191139)
@@ -1,3 +1,17 @@
+2015-10-15  Geoffrey Garen  <gga...@apple.com>
+
+        Unreviewed, rolling out r191003.
+        https://bugs.webkit.org/show_bug.cgi?id=150042
+
+        We're seeing some crashes in GC beneath speculationFromCell. Maybe this
+        patch caused them?
+
+        Reverted changeset:
+
+        CodeBlock write barriers should be precise
+        https://bugs.webkit.org/show_bug.cgi?id=150042
+        http://trac.webkit.org/changeset/191003
+
 2015-10-15  Joseph Pecoraro  <pecor...@apple.com>
 
         Web Inspector: _javascript_Core should parse sourceURL and sourceMappingURL directives

Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (191138 => 191139)


--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2015-10-15 21:31:09 UTC (rev 191138)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h	2015-10-15 21:52:05 UTC (rev 191139)
@@ -1376,6 +1376,11 @@
     if (!codeBlock)
         return;
 
+    // Try to recover gracefully if we forget to execute a barrier for a
+    // CodeBlock that does value profiling. This is probably overkill, but we
+    // have always done it.
+    Heap::heap(codeBlock)->writeBarrier(codeBlock);
+
     m_currentlyExecuting.add(codeBlock);
 }
 
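Review bot: The re-added comment above `Heap::heap(codeBlock)->writeBarrier(codeBlock);` ("This is probably overkill, but we have always done it") understates why the barrier is being restored: per the log message, removing it in r191003 coincided with GC crashes beneath speculationFromCell, so right now it is load-bearing rather than overkill. I would replace that second sentence with `// Removing this barrier (r191003) coincided with GC crashes under speculationFromCell; treat it as load-bearing until the missed precise barrier is identified.` so the next attempt at precise barriers knows what evidence it must produce. A missed barrier here presumably lets the collector overlook a value-profile store into the CodeBlock, which is a memory-safety (use-after-free) class of bug rather than a performance one, and the safety net deserves to be labelled as such. The enclosing function begins before the hunk, so its name and signature are not visible here.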

Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp (191138 => 191139)


--- trunk/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp	2015-10-15 21:31:09 UTC (rev 191138)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp	2015-10-15 21:52:05 UTC (rev 191139)
@@ -266,31 +266,30 @@
     ownerIsRememberedOrInEden.link(&jit);
 }
 
-static void osrWriteBarrier(CCallHelpers& jit, const OSRExitBase& exit)
+void adjustAndJumpToTarget(CCallHelpers& jit, const OSRExitBase& exit, bool isExitingToOpCatch)
 {
-    HashSet<CodeBlock*> codeBlocksToWriteBarrier;
+    jit.move(
+        AssemblyHelpers::TrustedImmPtr(
+            jit.codeBlock()->baselineAlternative()), GPRInfo::argumentGPR1);
+    osrWriteBarrier(jit, GPRInfo::argumentGPR1, GPRInfo::nonArgGPR0);
 
-    // Note that the value profiling CodeBlock and the baseline CodeBlock might
-    // not be equal. In "f() { a(); b(); }", if both 'a' and 'b' are inlined,
-    // we might exit to 'b' due to a bad value loaded from 'a'.
-    codeBlocksToWriteBarrier.add(jit.baselineCodeBlockFor(exit.m_codeOriginForExitProfile));
-
-    codeBlocksToWriteBarrier.add(jit.codeBlock()->baselineAlternative());
-
-    for (InlineCallFrame* inlineCallFrame = exit.m_codeOrigin.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->directCaller.inlineCallFrame)
-        codeBlocksToWriteBarrier.add(inlineCallFrame->baselineCodeBlock.get());
-
-    for (CodeBlock* codeBlock : codeBlocksToWriteBarrier) {
-        jit.move(
-            AssemblyHelpers::TrustedImmPtr(codeBlock), GPRInfo::argumentGPR1);
-        osrWriteBarrier(jit, GPRInfo::argumentGPR1, GPRInfo::nonArgGPR0);
+    // We barrier all inlined frames -- and not just the current inline stack --
+    // because we don't know which inlined function owns the value profile that
+    // we'll update when we exit. In the case of "f() { a(); b(); }", if both
+    // a and b are inlined, we might exit inside b due to a bad value loaded
+    // from a.
+    // FIXME: MethodOfGettingAValueProfile should remember which CodeBlock owns
+    // the value profile.
+    InlineCallFrameSet* inlineCallFrames = jit.codeBlock()->jitCode()->dfgCommon()->inlineCallFrames.get();
+    if (inlineCallFrames) {
+        for (InlineCallFrame* inlineCallFrame : *inlineCallFrames) {
+            jit.move(
+                AssemblyHelpers::TrustedImmPtr(
+                    inlineCallFrame->baselineCodeBlock.get()), GPRInfo::argumentGPR1);
+            osrWriteBarrier(jit, GPRInfo::argumentGPR1, GPRInfo::nonArgGPR0);
+        }
     }
-}
 
-void adjustAndJumpToTarget(CCallHelpers& jit, const OSRExitBase& exit, bool isExitingToOpCatch)
-{
-    osrWriteBarrier(jit, exit);
-
     if (exit.m_codeOrigin.inlineCallFrame)
         jit.addPtr(AssemblyHelpers::TrustedImm32(exit.m_codeOrigin.inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister);
 
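Review bot: The restored loop in the `if (inlineCallFrames)` block passes `inlineCallFrame->baselineCodeBlock.get()` to osrWriteBarrier as a TrustedImmPtr with no null check, and the helper's tail visible at the top of the hunk (`ownerIsRememberedOrInEden`) suggests the generated code loads the owner's cell state through that pointer at run time. If a null `baselineCodeBlock` is ever possible for an InlineCallFrame, an `ASSERT(inlineCallFrame->baselineCodeBlock);` before the `jit.move` would surface it as a debug assertion at JIT time instead of a fault in generated code; if it is guaranteed non-null, a one-line comment saying so would spare the next reader the same question. Because this rollback deliberately over-approximates the barrier set (the removed version barriered a precise set and is suspected of the GC crashes in the log), the invariant is worth stating next to the FIXME: `// Invariant: every CodeBlock whose ValueProfiles this exit can write must be barriered here; under-approximating is a GC safety bug, not a perf bug.` The body of adjustAndJumpToTarget continues past the end of the hunk.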