Title: [191139] trunk/Source/_javascript_Core
- Revision
- 191139
- Author
- gga...@apple.com
- Date
- 2015-10-15 14:52:05 -0700 (Thu, 15 Oct 2015)
Log Message
2015-10-15 Geoffrey Garen <gga...@apple.com>
Unreviewed, rolling out r191003.
https://bugs.webkit.org/show_bug.cgi?id=150042
We're seeing some crashes in GC beneath speculationFromCell. Maybe this
patch caused them?
Reverted changeset:
CodeBlock write barriers should be precise
https://bugs.webkit.org/show_bug.cgi?id=150042
http://trac.webkit.org/changeset/191003
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (191138 => 191139)
--- trunk/Source/_javascript_Core/ChangeLog 2015-10-15 21:31:09 UTC (rev 191138)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-10-15 21:52:05 UTC (rev 191139)
@@ -1,3 +1,17 @@
+2015-10-15 Geoffrey Garen <gga...@apple.com>
+
+ Unreviewed, rolling out r191003.
+ https://bugs.webkit.org/show_bug.cgi?id=150042
+
+ We're seeing some crashes in GC beneath speculationFromCell. Maybe this
+ patch caused them?
+
+ Reverted changeset:
+
+ CodeBlock write barriers should be precise
+ https://bugs.webkit.org/show_bug.cgi?id=150042
+ http://trac.webkit.org/changeset/191003
+
2015-10-15 Joseph Pecoraro <pecor...@apple.com>
Web Inspector: _javascript_Core should parse sourceURL and sourceMappingURL directives
Modified: trunk/Source/_javascript_Core/bytecode/CodeBlock.h (191138 => 191139)
--- trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2015-10-15 21:31:09 UTC (rev 191138)
+++ trunk/Source/_javascript_Core/bytecode/CodeBlock.h 2015-10-15 21:52:05 UTC (rev 191139)
@@ -1376,6 +1376,11 @@
if (!codeBlock)
return;
+ // Try to recover gracefully if we forget to execute a barrier for a
+ // CodeBlock that does value profiling. This is probably overkill, but we
+ // have always done it.
+ Heap::heap(codeBlock)->writeBarrier(codeBlock);
+
m_currentlyExecuting.add(codeBlock);
}
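Review bot: The restored comment above `Heap::heap(codeBlock)->writeBarrier(codeBlock);` justifies the barrier as habit ("we have always done it"), which is exactly the wording that led to it being removed in r191003; since this revert exists because its removal coincided with GC crashes beneath speculationFromCell, the comment should carry that rationale, e.g. `// Keep this barrier: dropping it (r191003) coincided with GC crashes beneath speculationFromCell, see webkit.org/b/150042.`. A CodeBlock that reaches m_currentlyExecuting without a barrier can presumably be left unmarked and collected while still referenced, so silently masking a forgotten barrier here hides a memory-safety bug rather than fixing it; a debug-only check that the CodeBlock is already remembered would make that case observable, though whether the heap exposes such a query is not visible from this hunk. The enclosing function starts before the hunk.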
Modified: trunk/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp (191138 => 191139)
--- trunk/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp 2015-10-15 21:31:09 UTC (rev 191138)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRExitCompilerCommon.cpp 2015-10-15 21:52:05 UTC (rev 191139)
@@ -266,31 +266,30 @@
ownerIsRememberedOrInEden.link(&jit);
}
-static void osrWriteBarrier(CCallHelpers& jit, const OSRExitBase& exit)
+void adjustAndJumpToTarget(CCallHelpers& jit, const OSRExitBase& exit, bool isExitingToOpCatch)
{
- HashSet<CodeBlock*> codeBlocksToWriteBarrier;
+ jit.move(
+ AssemblyHelpers::TrustedImmPtr(
+ jit.codeBlock()->baselineAlternative()), GPRInfo::argumentGPR1);
+ osrWriteBarrier(jit, GPRInfo::argumentGPR1, GPRInfo::nonArgGPR0);
- // Note that the value profiling CodeBlock and the baseline CodeBlock might
- // not be equal. In "f() { a(); b(); }", if both 'a' and 'b' are inlined,
- // we might exit to 'b' due to a bad value loaded from 'a'.
- codeBlocksToWriteBarrier.add(jit.baselineCodeBlockFor(exit.m_codeOriginForExitProfile));
-
- codeBlocksToWriteBarrier.add(jit.codeBlock()->baselineAlternative());
-
- for (InlineCallFrame* inlineCallFrame = exit.m_codeOrigin.inlineCallFrame; inlineCallFrame; inlineCallFrame = inlineCallFrame->directCaller.inlineCallFrame)
- codeBlocksToWriteBarrier.add(inlineCallFrame->baselineCodeBlock.get());
-
- for (CodeBlock* codeBlock : codeBlocksToWriteBarrier) {
- jit.move(
- AssemblyHelpers::TrustedImmPtr(codeBlock), GPRInfo::argumentGPR1);
- osrWriteBarrier(jit, GPRInfo::argumentGPR1, GPRInfo::nonArgGPR0);
+ // We barrier all inlined frames -- and not just the current inline stack --
+ // because we don't know which inlined function owns the value profile that
+ // we'll update when we exit. In the case of "f() { a(); b(); }", if both
+ // a and b are inlined, we might exit inside b due to a bad value loaded
+ // from a.
+ // FIXME: MethodOfGettingAValueProfile should remember which CodeBlock owns
+ // the value profile.
+ InlineCallFrameSet* inlineCallFrames = jit.codeBlock()->jitCode()->dfgCommon()->inlineCallFrames.get();
+ if (inlineCallFrames) {
+ for (InlineCallFrame* inlineCallFrame : *inlineCallFrames) {
+ jit.move(
+ AssemblyHelpers::TrustedImmPtr(
+ inlineCallFrame->baselineCodeBlock.get()), GPRInfo::argumentGPR1);
+ osrWriteBarrier(jit, GPRInfo::argumentGPR1, GPRInfo::nonArgGPR0);
+ }
}
-}
-void adjustAndJumpToTarget(CCallHelpers& jit, const OSRExitBase& exit, bool isExitingToOpCatch)
-{
- osrWriteBarrier(jit, exit);
-
if (exit.m_codeOrigin.inlineCallFrame)
jit.addPtr(AssemblyHelpers::TrustedImm32(exit.m_codeOrigin.inlineCallFrame->stackOffset * sizeof(EncodedJSValue)), GPRInfo::callFrameRegister);
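Review bot: The restored loop at `for (InlineCallFrame* inlineCallFrame : *inlineCallFrames)` emits one osrWriteBarrier per InlineCallFrame, so a callee inlined at several sites presumably has its shared baseline CodeBlock barriered once per site, and a frame whose baselineCodeBlock coincides with `jit.codeBlock()->baselineAlternative()` would be barriered twice; the removed version deduplicated through a `HashSet<CodeBlock*>`. This is redundant emitted stub code rather than a correctness problem if osrWriteBarrier's fast path bails on a remembered or eden owner, as the `ownerIsRememberedOrInEden` label just above suggests, but a small local set keeps exit-stub size bounded by distinct CodeBlocks and is cheap to add. The FIXME about MethodOfGettingAValueProfile remembering its owning CodeBlock is the real fix and should reference webkit.org/b/150042, since this revert reopens that work. adjustAndJumpToTarget continues past the end of the hunk.
```cpp
void adjustAndJumpToTarget(CCallHelpers& jit, const OSRExitBase& exit, bool isExitingToOpCatch)
{
    // Barrier each distinct baseline CodeBlock once; the same callee can be
    // inlined at several sites and would otherwise be barriered repeatedly.
    HashSet<CodeBlock*> barriered;
    auto emitBarrier = [&](CodeBlock* codeBlock) {
        if (!barriered.add(codeBlock).isNewEntry)
            return;
        jit.move(AssemblyHelpers::TrustedImmPtr(codeBlock), GPRInfo::argumentGPR1);
        osrWriteBarrier(jit, GPRInfo::argumentGPR1, GPRInfo::nonArgGPR0);
    };

    emitBarrier(jit.codeBlock()->baselineAlternative());

    // … unchanged: comment on why every inlined frame is barriered, and the FIXME …
    if (InlineCallFrameSet* inlineCallFrames = jit.codeBlock()->jitCode()->dfgCommon()->inlineCallFrames.get()) {
        for (InlineCallFrame* inlineCallFrame : *inlineCallFrames)
            emitBarrier(inlineCallFrame->baselineCodeBlock.get());
    }

    // … unchanged: call-frame stack offset adjustment and jump to target …
```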