- Revision
- 200177
- Author
- [email protected]
- Date
- 2016-04-27 23:54:54 -0700 (Wed, 27 Apr 2016)
Log Message
The GetterSetter structure needs a globalObject.
https://bugs.webkit.org/show_bug.cgi?id=157120
Reviewed by Filip Pizlo.
In r199170: <http://trac.webkit.org/r199170>, GetterSetter was promoted from
being a JSCell to a JSObject. JSObject methods expect their structure to have a
globalObject. For example, see JSObject::calculatedClassName(). GetterSetter
was previously using a singleton getterSetterStructure owned by the VM. That
singleton getterSetterStructure is not associated with any globalObjects. As a
result, JSObject::calculatedClassName() will run into a null globalObject when it
is called on a GetterSetter object.
This patch removes the VM singleton getterSetterStructure, and instead, creates
a getterSetterStructure for each JSGlobalObject.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGStructureRegistrationPhase.cpp:
(JSC::DFG::StructureRegistrationPhase::run):
* runtime/GetterSetter.h:
* runtime/JSGlobalObject.cpp:
(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):
* runtime/JSGlobalObject.h:
(JSC::JSGlobalObject::functionStructure):
(JSC::JSGlobalObject::boundFunctionStructure):
(JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
(JSC::JSGlobalObject::getterSetterStructure):
(JSC::JSGlobalObject::nativeStdFunctionStructure):
(JSC::JSGlobalObject::namedFunctionStructure):
(JSC::JSGlobalObject::functionNameOffset):
* runtime/VM.cpp:
(JSC::VM::VM):
* runtime/VM.h:
Modified: trunk/Source/_javascript_Core/ChangeLog (200176 => 200177)
--- trunk/Source/_javascript_Core/ChangeLog 2016-04-28 06:49:01 UTC (rev 200176)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-04-28 06:54:54 UTC (rev 200177)
@@ -1,3 +1,41 @@
+2016-04-27 Mark Lam <[email protected]>
+
+ The GetterSetter structure needs a globalObject.
+ https://bugs.webkit.org/show_bug.cgi?id=157120
+
+ Reviewed by Filip Pizlo.
+
+ In r199170: <http://trac.webkit.org/r199170>, GetterSetter was promoted from
+ being a JSCell to a JSObject. JSObject methods expect their structure to have a
+ globalObject. For example, see JSObject::calculatedClassName(). GetterSetter
+ was previously using a singleton getterSetterStructure owned by the VM. That
+ singleton getterSetterStructure is not associated with any globalObjects. As a
+ result, JSObject::calculatedClassName() will run into a null globalObject when it
+ is called on a GetterSetter object.
+
+ This patch removes the VM singleton getterSetterStructure, and instead, creates
+ a getterSetterStructure for each JSGlobalObject.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGStructureRegistrationPhase.cpp:
+ (JSC::DFG::StructureRegistrationPhase::run):
+ * runtime/GetterSetter.h:
+ * runtime/JSGlobalObject.cpp:
+ (JSC::JSGlobalObject::init):
+ (JSC::JSGlobalObject::visitChildren):
+ * runtime/JSGlobalObject.h:
+ (JSC::JSGlobalObject::functionStructure):
+ (JSC::JSGlobalObject::boundFunctionStructure):
+ (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
+ (JSC::JSGlobalObject::getterSetterStructure):
+ (JSC::JSGlobalObject::nativeStdFunctionStructure):
+ (JSC::JSGlobalObject::namedFunctionStructure):
+ (JSC::JSGlobalObject::functionNameOffset):
+ * runtime/VM.cpp:
+ (JSC::VM::VM):
+ * runtime/VM.h:
+
2016-04-27 Keith Miller <[email protected]>
Unreviewed, Revert r199397 due to PLT regressions
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (200176 => 200177)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2016-04-28 06:49:01 UTC (rev 200176)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2016-04-28 06:54:54 UTC (rev 200177)
@@ -2371,7 +2371,7 @@
break;
}
- forNode(node).set(m_graph, m_graph.m_vm.getterSetterStructure.get());
+ forNode(node).set(m_graph, m_graph.globalObjectFor(node->origin.semantic)->getterSetterStructure());
break;
}
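Review bot: The abstract value for this node is now pinned to the structure of the code origin's global object, whereas the removed VM-wide singleton was identical for every GetterSetter in the process. If a GetterSetter allocated by a different JSGlobalObject can be loaded here (an accessor property defined by code in one global object and read by code from another), its structure would not be the one asserted on this line, so the soundness of the new set() call rests on an invariant the patch does not state; the new `case GetGetterSetterByOffset:` in DFGStructureRegistrationPhase.cpp makes the same assumption. Either confirm that such cross-global loads cannot reach this node, or record the assumption next to the call, e.g. `// Assumes the loaded GetterSetter was created by the code origin's global object; its Structure is per-global since r200177.` The enclosing executeEffects case begins and ends outside the hunk.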
Modified: trunk/Source/_javascript_Core/dfg/DFGStructureRegistrationPhase.cpp (200176 => 200177)
--- trunk/Source/_javascript_Core/dfg/DFGStructureRegistrationPhase.cpp 2016-04-28 06:49:01 UTC (rev 200176)
+++ trunk/Source/_javascript_Core/dfg/DFGStructureRegistrationPhase.cpp 2016-04-28 06:54:54 UTC (rev 200177)
@@ -62,7 +62,6 @@
registerStructure(m_graph.m_vm.structureStructure.get());
registerStructure(m_graph.m_vm.stringStructure.get());
registerStructure(m_graph.m_vm.symbolStructure.get());
- registerStructure(m_graph.m_vm.getterSetterStructure.get());
for (FrozenValue* value : m_graph.m_frozenValues)
assertIsRegistered(value->structure());
@@ -92,7 +91,11 @@
registerStructure(node->transition()->previous);
registerStructure(node->transition()->next);
break;
-
+
+ case GetGetterSetterByOffset:
+ registerStructure(m_graph.globalObjectFor(node->origin.semantic)->getterSetterStructure());
+ break;
+
case MultiGetByOffset:
for (const MultiGetByOffsetCase& getCase : node->multiGetByOffsetData().cases)
registerStructures(getCase.set());
Modified: trunk/Source/_javascript_Core/runtime/GetterSetter.h (200176 => 200177)
--- trunk/Source/_javascript_Core/runtime/GetterSetter.h 2016-04-28 06:49:01 UTC (rev 200176)
+++ trunk/Source/_javascript_Core/runtime/GetterSetter.h 2016-04-28 06:54:54 UTC (rev 200177)
@@ -46,7 +46,7 @@
typedef JSNonFinalObject Base;
private:
GetterSetter(VM& vm, JSGlobalObject* globalObject)
- : Base(vm, vm.getterSetterStructure.get())
+ : Base(vm, globalObject->getterSetterStructure())
{
m_getter.set(vm, this, globalObject->nullGetterFunction());
m_setter.set(vm, this, globalObject->nullSetterFunction());
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp (200176 => 200177)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2016-04-28 06:49:01 UTC (rev 200176)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.cpp 2016-04-28 06:54:54 UTC (rev 200177)
@@ -294,6 +294,7 @@
m_functionStructure.set(vm, this, JSFunction::createStructure(vm, this, m_functionPrototype.get()));
m_boundSlotBaseFunctionStructure.set(vm, this, JSBoundSlotBaseFunction::createStructure(vm, this, m_functionPrototype.get()));
m_boundFunctionStructure.set(vm, this, JSBoundFunction::createStructure(vm, this, m_functionPrototype.get()));
+ m_getterSetterStructure.set(vm, this, GetterSetter::createStructure(vm, this, jsNull()));
m_nativeStdFunctionStructure.set(vm, this, JSNativeStdFunction::createStructure(vm, this, m_functionPrototype.get()));
m_namedFunctionStructure.set(vm, this, Structure::addPropertyTransition(vm, m_functionStructure.get(), vm.propertyNames->name, DontDelete | ReadOnly | DontEnum, m_functionNameOffset));
m_internalFunctionStructure.set(vm, this, InternalFunction::createStructure(vm, this, m_functionPrototype.get()));
@@ -976,6 +977,7 @@
visitor.append(&thisObject->m_functionStructure);
visitor.append(&thisObject->m_boundSlotBaseFunctionStructure);
visitor.append(&thisObject->m_boundFunctionStructure);
+ visitor.append(&thisObject->m_getterSetterStructure);
visitor.append(&thisObject->m_nativeStdFunctionStructure);
visitor.append(&thisObject->m_namedFunctionStructure);
visitor.append(&thisObject->m_symbolObjectStructure);
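Review bot: `m_getterSetterStructure` is initialized partway through init(), so any GetterSetter constructed earlier in init() — for instance while installing accessor properties on prototypes — would now pass a null Structure to the GetterSetter constructor, where the removed VM singleton was available from VM construction onward. I cannot see the earlier part of init() from this hunk, so the ordering may already be correct; if it is, a short comment pinning it would keep a later reordering from breaking it, e.g. `// Must precede any GetterSetter::create() in this init(): GetterSetter's constructor reads getterSetterStructure().` Both init() and visitChildren() start and end outside their hunks.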
Modified: trunk/Source/_javascript_Core/runtime/JSGlobalObject.h (200176 => 200177)
--- trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2016-04-28 06:49:01 UTC (rev 200176)
+++ trunk/Source/_javascript_Core/runtime/JSGlobalObject.h 2016-04-28 06:54:54 UTC (rev 200177)
@@ -273,6 +273,7 @@
WriteBarrier<Structure> m_functionStructure;
WriteBarrier<Structure> m_boundFunctionStructure;
WriteBarrier<Structure> m_boundSlotBaseFunctionStructure;
+ WriteBarrier<Structure> m_getterSetterStructure;
WriteBarrier<Structure> m_nativeStdFunctionStructure;
WriteBarrier<Structure> m_namedFunctionStructure;
PropertyOffset m_functionNameOffset;
@@ -531,6 +532,7 @@
Structure* functionStructure() const { return m_functionStructure.get(); }
Structure* boundFunctionStructure() const { return m_boundFunctionStructure.get(); }
Structure* boundSlotBaseFunctionStructure() const { return m_boundSlotBaseFunctionStructure.get(); }
+ Structure* getterSetterStructure() const { return m_getterSetterStructure.get(); }
Structure* nativeStdFunctionStructure() const { return m_nativeStdFunctionStructure.get(); }
Structure* namedFunctionStructure() const { return m_namedFunctionStructure.get(); }
PropertyOffset functionNameOffset() const { return m_functionNameOffset; }
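Review bot: The new `getterSetterStructure()` accessor and its backing member carry no comment explaining why this structure now lives on JSGlobalObject while `customGetterSetterStructure` stays on VM (see the VM.h hunk), which is the asymmetry a reader of this header will trip over. A one-line comment on the `WriteBarrier<Structure> m_getterSetterStructure;` declaration in the first hunk would move the ChangeLog's rationale into the code, e.g. `// Per-global rather than on VM: GetterSetter is a JSObject, and JSObject methods expect structure()->globalObject() to be non-null.` The enclosing class declaration extends beyond both hunks.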
Modified: trunk/Source/_javascript_Core/runtime/VM.cpp (200176 => 200177)
--- trunk/Source/_javascript_Core/runtime/VM.cpp 2016-04-28 06:49:01 UTC (rev 200176)
+++ trunk/Source/_javascript_Core/runtime/VM.cpp 2016-04-28 06:54:54 UTC (rev 200177)
@@ -217,7 +217,6 @@
terminatedExecutionErrorStructure.set(*this, TerminatedExecutionError::createStructure(*this, 0, jsNull()));
stringStructure.set(*this, JSString::createStructure(*this, 0, jsNull()));
propertyNameEnumeratorStructure.set(*this, JSPropertyNameEnumerator::createStructure(*this, 0, jsNull()));
- getterSetterStructure.set(*this, GetterSetter::createStructure(*this, 0, jsNull()));
customGetterSetterStructure.set(*this, CustomGetterSetter::createStructure(*this, 0, jsNull()));
scopedArgumentsTableStructure.set(*this, ScopedArgumentsTable::createStructure(*this, 0, jsNull()));
apiWrapperStructure.set(*this, JSAPIValueWrapper::createStructure(*this, 0, jsNull()));
Modified: trunk/Source/_javascript_Core/runtime/VM.h (200176 => 200177)
--- trunk/Source/_javascript_Core/runtime/VM.h 2016-04-28 06:49:01 UTC (rev 200176)
+++ trunk/Source/_javascript_Core/runtime/VM.h 2016-04-28 06:54:54 UTC (rev 200177)
@@ -288,7 +288,6 @@
Strong<Structure> stringStructure;
Strong<Structure> propertyNameIteratorStructure;
Strong<Structure> propertyNameEnumeratorStructure;
- Strong<Structure> getterSetterStructure;
Strong<Structure> customGetterSetterStructure;
Strong<Structure> scopedArgumentsTableStructure;
Strong<Structure> apiWrapperStructure;