Title: [160038] trunk/Source/_javascript_Core
Revision
160038
Author
fpi...@apple.com
Date
2013-12-03 14:24:53 -0800 (Tue, 03 Dec 2013)

Log Message

ObjectAllocationProfile is racy and the DFG should be cool with that
https://bugs.webkit.org/show_bug.cgi?id=125172
<rdar://problem/15233487>

Reviewed by Mark Hahnenberg.
        
We would previously sometimes get a null Structure because checking if the profile is non-null and loading
the structure from it were two separate operations.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::setFuturePossibleStructure):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* runtime/JSFunction.h:
(JSC::JSFunction::allocationProfile):
(JSC::JSFunction::allocationStructure):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (160037 => 160038)


--- trunk/Source/_javascript_Core/ChangeLog	2013-12-03 22:19:32 UTC (rev 160037)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-12-03 22:24:53 UTC (rev 160038)
@@ -1,3 +1,24 @@
+2013-12-03  Filip Pizlo  <fpi...@apple.com>
+
+        ObjectAllocationProfile is racy and the DFG should be cool with that
+        https://bugs.webkit.org/show_bug.cgi?id=125172
+        <rdar://problem/15233487>
+
+        Reviewed by Mark Hahnenberg.
+        
+        We would previously sometimes get a null Structure because checking if the profile is non-null and loading
+        the structure from it were two separate operations.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::::executeEffects):
+        * dfg/DFGAbstractValue.cpp:
+        (JSC::DFG::AbstractValue::setFuturePossibleStructure):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::parseBlock):
+        * runtime/JSFunction.h:
+        (JSC::JSFunction::allocationProfile):
+        (JSC::JSFunction::allocationStructure):
+
 2013-12-03  pe...@outlook.com  <pe...@outlook.com>
 
         testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (160037 => 160038)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2013-12-03 22:19:32 UTC (rev 160037)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2013-12-03 22:24:53 UTC (rev 160038)
@@ -1136,6 +1136,7 @@
         break;
 
     case NewObject:
+        ASSERT(node->structure());
         forNode(node).set(m_graph, node->structure());
         m_state.setHaveStructures(true);
         break;

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp (160037 => 160038)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp	2013-12-03 22:19:32 UTC (rev 160037)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractValue.cpp	2013-12-03 22:24:53 UTC (rev 160038)
@@ -153,6 +153,7 @@
 
 void AbstractValue::setFuturePossibleStructure(Graph& graph, Structure* structure)
 {
+    ASSERT(structure);
     if (graph.watchpoints().isStillValid(structure->transitionWatchpointSet()))
         m_futurePossibleStructure = structure;
     else
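Review bot: The ASSERT added on line L88 makes the non-null precondition explicit only in debug builds; in release the dereference on the following line still crashes on a null structure, so the guarantee really lives with the callers that construct the value. A short comment would point the next maintainer at where that guarantee comes from: `// structure must be non-null: callers only reach here with a structure actually read from the profile (see NewObject in the parser).` The rest of setFuturePossibleStructure continues past this hunk.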

Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (160037 => 160038)


--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2013-12-03 22:19:32 UTC (rev 160037)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2013-12-03 22:24:53 UTC (rev 160038)
@@ -1916,19 +1916,18 @@
                 ASSERT(cell->inherits(JSFunction::info()));
                 
                 JSFunction* function = jsCast<JSFunction*>(cell);
-                ObjectAllocationProfile* allocationProfile = function->tryGetAllocationProfile();
-                if (allocationProfile) {
+                if (Structure* structure = function->allocationStructure()) {
                     addToGraph(AllocationProfileWatchpoint, OpInfo(function));
                     // The callee is still live up to this point.
                     addToGraph(Phantom, callee);
-                    set(VirtualRegister(currentInstruction[1].u.operand),
-                        addToGraph(NewObject, OpInfo(allocationProfile->structure())));
+                    set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(NewObject, OpInfo(structure)));
                     alreadyEmitted = true;
                 }
             }
-            if (!alreadyEmitted)
+            if (!alreadyEmitted) {
                 set(VirtualRegister(currentInstruction[1].u.operand),
                     addToGraph(CreateThis, OpInfo(currentInstruction[3].u.operand), callee));
+            }
             NEXT_OPCODE(op_create_this);
         }
 
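Review bot: The new condition on line L104 no longer consults m_allocationProfileWatchpoint: the removed tryGetAllocationProfile() returned null once hasBeenInvalidated() was true, whereas allocationStructure() only loads the structure pointer. If the AllocationProfileWatchpoint node added on the next line is rejected later when its set is already invalidated (that step is not in this hunk), the behaviour is equivalent and the single load is the right fix for the race described in the log; otherwise the parser can now emit NewObject against a structure the runtime has already abandoned. The load is also a plain, non-atomic read racing with the mutator, which the commit accepts by design, so the intent deserves a comment at the read: `// Single racy load of the profile's structure; AllocationProfileWatchpoint below invalidates this code if the profile changes.` The enclosing op_create_this case begins before this hunk.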

Modified: trunk/Source/_javascript_Core/runtime/JSFunction.h (160037 => 160038)


--- trunk/Source/_javascript_Core/runtime/JSFunction.h	2013-12-03 22:19:32 UTC (rev 160037)
+++ trunk/Source/_javascript_Core/runtime/JSFunction.h	2013-12-03 22:24:53 UTC (rev 160038)
@@ -137,22 +137,9 @@
                 return createAllocationProfile(exec, inlineCapacity);
             return &m_allocationProfile;
         }
-
-        ObjectAllocationProfile* tryGetAllocationProfile()
-        {
-            if (m_allocationProfile.isNull())
-                return 0;
-            if (m_allocationProfileWatchpoint.hasBeenInvalidated())
-                return 0;
-            return &m_allocationProfile;
-        }
         
-        void addAllocationProfileWatchpoint(Watchpoint* watchpoint)
-        {
-            ASSERT(tryGetAllocationProfile());
-            m_allocationProfileWatchpoint.add(watchpoint);
-        }
-        
+        Structure* allocationStructure() { return m_allocationProfile.structure(); }
+
         InlineWatchpointSet& allocationProfileWatchpointSet()
         {
             return m_allocationProfileWatchpoint;
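Review bot: allocationStructure() on line L148 is now the only accessor meant for a concurrent reader but carries no statement of its contract: it may return null, it is deliberately one load so a compiler thread cannot see a non-null profile and then a null structure, and unlike the removed tryGetAllocationProfile() it does not check m_allocationProfileWatchpoint, so a caller must install an AllocationProfileWatchpoint itself. Suggest documenting that above the accessor: `// Safe to call from a compiler thread: a single racy load that may return null.` followed by `// Does not consult the watchpoint set; callers must add an AllocationProfileWatchpoint.` It could also be declared const if ObjectAllocationProfile::structure() is const, which is not visible here.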