Title: [196446] trunk/Source/_javascript_Core
- Revision: 196446
- Author: [email protected]
- Date: 2016-02-11 15:06:02 -0800 (Thu, 11 Feb 2016)
Log Message
DFG::ByteCodeParser needs to null check the result of presenceLike()
https://bugs.webkit.org/show_bug.cgi?id=154135
rdar://problem/24291586
Reviewed by Geoffrey Garen.
ByteCodeParser::presenceLike() could return a null object property condition if it detects a
contradiction. That could happen due to bogus profiling. It's totally OK - we just need to
bail from using a property condition when that happens.
* bytecode/ObjectPropertyCondition.h:
(JSC::ObjectPropertyCondition::equivalence):
(JSC::ObjectPropertyCondition::operator bool):
(JSC::ObjectPropertyCondition::object):
(JSC::ObjectPropertyCondition::condition):
(JSC::ObjectPropertyCondition::operator!): Deleted.
* bytecode/PropertyCondition.h:
(JSC::PropertyCondition::equivalence):
(JSC::PropertyCondition::operator bool):
(JSC::PropertyCondition::kind):
(JSC::PropertyCondition::uid):
(JSC::PropertyCondition::operator!): Deleted.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::check):
(JSC::DFG::ByteCodeParser::load):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (196445 => 196446)
--- trunk/Source/_javascript_Core/ChangeLog 2016-02-11 23:04:13 UTC (rev 196445)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-02-11 23:06:02 UTC (rev 196446)
@@ -1,3 +1,31 @@
+2016-02-11 Filip Pizlo <[email protected]>
+
+ DFG::ByteCodeParser needs to null check the result of presenceLike()
+ https://bugs.webkit.org/show_bug.cgi?id=154135
+ rdar://problem/24291586
+
+ Reviewed by Geoffrey Garen.
+
+ ByteCodeParser::presenceLike() could return a null object property condition if it detects a
+ contradiction. That could happen due to bogus profiling. It's totally OK - we just need to
+ bail from using a property condition when that happens.
+
+ * bytecode/ObjectPropertyCondition.h:
+ (JSC::ObjectPropertyCondition::equivalence):
+ (JSC::ObjectPropertyCondition::operator bool):
+ (JSC::ObjectPropertyCondition::object):
+ (JSC::ObjectPropertyCondition::condition):
+ (JSC::ObjectPropertyCondition::operator!): Deleted.
+ * bytecode/PropertyCondition.h:
+ (JSC::PropertyCondition::equivalence):
+ (JSC::PropertyCondition::operator bool):
+ (JSC::PropertyCondition::kind):
+ (JSC::PropertyCondition::uid):
+ (JSC::PropertyCondition::operator!): Deleted.
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::check):
+ (JSC::DFG::ByteCodeParser::load):
+
2016-02-11 Benjamin Poulain <[email protected]>
[JSC] SqrtFloat and CeilFloat also suffer from partial register stalls
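Review bot: the ChangeLog entry lists no test for the new bail-out path. The description attributes the null condition to bogus profiling, which is exactly the kind of state that is hard to reproduce from a bug report alone; a regression test that reaches the contradictory-profile case in presenceLike() and then exercises the affected get_by_id would pin the fix down and keep the `if (presenceCondition)` guard from being dropped in a later refactor.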
Modified: trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.h (196445 => 196446)
--- trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.h 2016-02-11 23:04:13 UTC (rev 196445)
+++ trunk/Source/_javascript_Core/bytecode/ObjectPropertyCondition.h 2016-02-11 23:06:02 UTC (rev 196446)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -122,9 +122,9 @@
vm.heap.writeBarrier(owner);
return equivalenceWithoutBarrier(object, uid, value);
}
+
+ explicit operator bool() const { return !!m_condition; }
- bool operator!() const { return !m_condition; };
-
JSObject* object() const { return m_object; }
PropertyCondition condition() const { return m_condition; }
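Review bot: `explicit operator bool() const { return !!m_condition; }` depends on PropertyCondition's boolean conversion also being explicit, which works here because `!` triggers a contextual conversion; dropping `operator!` at the same time means any caller that assigned a condition to a bool or compared it against one no longer compiles, which is the right tightening. A one-line comment stating that a null ObjectPropertyCondition is exactly one whose PropertyCondition is null would make the contract obvious to the callers that now test `if (condition)`.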
Modified: trunk/Source/_javascript_Core/bytecode/PropertyCondition.h (196445 => 196446)
--- trunk/Source/_javascript_Core/bytecode/PropertyCondition.h 2016-02-11 23:04:13 UTC (rev 196445)
+++ trunk/Source/_javascript_Core/bytecode/PropertyCondition.h 2016-02-11 23:06:02 UTC (rev 196446)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2015 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -125,9 +125,9 @@
vm.heap.writeBarrier(owner);
return equivalenceWithoutBarrier(uid, value);
}
-
- bool operator!() const { return !m_uid && m_kind == Presence; };
+ explicit operator bool() const { return m_uid || m_kind != Presence; }
+
Kind kind() const { return m_kind; }
UniquedStringImpl* uid() const { return m_uid; }
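Review bot: the null sentinel is defined as `m_uid` null together with `m_kind == Presence`, so a Presence condition built deliberately with no uid would test false and be silently skipped by every caller that now guards with `if (condition)`. If that combination is never legitimate, say so in a comment on `explicit operator bool()` (and ideally assert it where Presence conditions are constructed) so the sentinel cannot be confused with a real condition.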
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (196445 => 196446)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2016-02-11 23:04:13 UTC (rev 196445)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2016-02-11 23:06:02 UTC (rev 196446)
@@ -2525,6 +2525,9 @@
bool ByteCodeParser::check(const ObjectPropertyCondition& condition)
{
+ if (!condition)
+ return false;
+
if (m_graph.watchCondition(condition))
return true;
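Review bot: the early `if (!condition) return false;` makes check() the one entry point that tolerates a null condition, but `m_graph.watchCondition(condition)` directly below it is also reachable from other call sites without that guard. The contract should be stated next to the new lines: either watchCondition() handles a null condition itself, or callers must go through check(); otherwise the next caller that calls watchCondition() directly reintroduces the same problem.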
@@ -2772,14 +2775,15 @@
ObjectPropertyCondition presenceCondition =
presenceLike(knownBase, uid, variant.offset(), variant.structureSet());
-
- ObjectPropertyCondition equivalenceCondition =
- presenceCondition.attemptToMakeEquivalenceWithoutBarrier();
- if (m_graph.watchCondition(equivalenceCondition))
- return weakJSConstant(equivalenceCondition.requiredValue());
-
- if (check(presenceCondition))
- needStructureCheck = false;
+ if (presenceCondition) {
+ ObjectPropertyCondition equivalenceCondition =
+ presenceCondition.attemptToMakeEquivalenceWithoutBarrier();
+ if (m_graph.watchCondition(equivalenceCondition))
+ return weakJSConstant(equivalenceCondition.requiredValue());
+
+ if (check(presenceCondition))
+ needStructureCheck = false;
+ }
}
}
}
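Review bot: wrapping the block in `if (presenceCondition)` is what actually protects this path, since `attemptToMakeEquivalenceWithoutBarrier()` is invoked on presenceCondition before check() ever sees it; the inner `check(presenceCondition)` can therefore no longer receive a null, and the guard added to check() is belt-and-braces here. Note that `equivalenceCondition` is still handed straight to `m_graph.watchCondition()` with no null test; that is unchanged from before, but if attemptToMakeEquivalenceWithoutBarrier() can return a null condition when no equivalence is possible, confirm that watchCondition() is null-safe, or add an explicit `if (equivalenceCondition)` so both conditions are guarded the same way.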
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes