Title: [165435] trunk/Source/_javascript_Core
Revision
165435
Author
mhahnenb...@apple.com
Date
2014-03-10 23:57:43 -0700 (Mon, 10 Mar 2014)

Log Message

REGRESSION(r165407): DoYouEvenBench crashes in DRT
https://bugs.webkit.org/show_bug.cgi?id=130066

Reviewed by Geoffrey Garen.

The baseline JIT emits a store barrier for put_by_id that is skipped whenever the stored value is not a cell, but we need a barrier that filters on the base only (ShouldFilterBase), so that the butterfly case in emitPutTransitionStub is covered as well.

* jit/JIT.h:
* jit/JITPropertyAccess.cpp:
(JSC::JIT::emit_op_put_by_id):
(JSC::JIT::emitWriteBarrier):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (165434 => 165435)


--- trunk/Source/_javascript_Core/ChangeLog	2014-03-11 06:25:23 UTC (rev 165434)
+++ trunk/Source/_javascript_Core/ChangeLog	2014-03-11 06:57:43 UTC (rev 165435)
@@ -1,3 +1,18 @@
+2014-03-10  Mark Hahnenberg  <mhahnenb...@apple.com>
+
+        REGRESSION(r165407): DoYouEvenBench crashes in DRT
+        https://bugs.webkit.org/show_bug.cgi?id=130066
+
+        Reviewed by Geoffrey Garen.
+
+        The baseline JIT does a conditional store barrier for the put_by_id, but we need 
+        an unconditional store barrier so that we cover the butterfly case as well in emitPutTransitionStub.
+
+        * jit/JIT.h:
+        * jit/JITPropertyAccess.cpp:
+        (JSC::JIT::emit_op_put_by_id):
+        (JSC::JIT::emitWriteBarrier):
+
 2014-03-10  Mark Lam  <mark....@apple.com>
 
         Resurrect bit-rotted JIT::probe() mechanism.

Modified: trunk/Source/_javascript_Core/jit/JIT.h (165434 => 165435)


--- trunk/Source/_javascript_Core/jit/JIT.h	2014-03-11 06:25:23 UTC (rev 165434)
+++ trunk/Source/_javascript_Core/jit/JIT.h	2014-03-11 06:57:43 UTC (rev 165435)
@@ -311,7 +311,7 @@
         void addStructureTransitionCheck(JSCell*, Structure*, StructureStubInfo*, JumpList& failureCases, RegisterID scratch);
         void testPrototype(JSValue, JumpList& failureCases, StructureStubInfo*);
 
-        enum WriteBarrierMode { UnconditionalWriteBarrier, ShouldFilterValue, ShouldFilterBaseAndValue };
+        enum WriteBarrierMode { UnconditionalWriteBarrier, ShouldFilterBase, ShouldFilterValue, ShouldFilterBaseAndValue };
         // value register in write barrier is used before any scratch registers
         // so may safely be the same as either of the scratch registers.
         void emitWriteBarrier(unsigned owner, unsigned value, WriteBarrierMode);
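Review bot: The new ShouldFilterBase enumerator is added without a comment saying when it is the right choice, and the existing comment below it only covers register usage, so a caller has no guidance on why it would pick this over ShouldFilterBaseAndValue. A one-line comment per mode would help; for the new one I would add `// ShouldFilterBase: skip the barrier only when the owner is not a cell; use when the store itself may touch the owner's storage regardless of the value stored (per the ChangeLog, the butterfly case in emitPutTransitionStub, bug 130066).` Also note that inserting the enumerator in the middle renumbers ShouldFilterValue and ShouldFilterBaseAndValue; that is harmless as long as nothing depends on their integer values, and nothing visible here does.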

Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (165434 => 165435)


--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2014-03-11 06:25:23 UTC (rev 165434)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp	2014-03-11 06:57:43 UTC (rev 165435)
@@ -554,7 +554,7 @@
     int valueVReg = currentInstruction[3].u.operand;
     unsigned direct = currentInstruction[8].u.operand;
 
-    emitWriteBarrier(baseVReg, valueVReg, ShouldFilterBaseAndValue);
+    emitWriteBarrier(baseVReg, valueVReg, ShouldFilterBase);
 
     // In order to be able to patch both the Structure, and the object offset, we store one pointer,
     // to just after the arguments have been loaded into registers 'hotPathBegin', and we generate code
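Review bot: The switch from ShouldFilterBaseAndValue to ShouldFilterBase on the emitWriteBarrier call is unexplained at the call site, so a later reader could "optimize" it back to value filtering and reintroduce the missed barrier that caused the crash in the title. Suggest a comment directly above the call: `// Filter on the base only: per bug 130066 the transition stub may reallocate the butterfly, which must be barriered even when the stored value is not a cell.` emit_op_put_by_id starts and ends outside this hunk, so I cannot confirm from here whether the transition-stub path is the only one that makes the value filter unsafe.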
@@ -883,21 +883,22 @@
 void JIT::emitWriteBarrier(unsigned owner, unsigned value, WriteBarrierMode mode)
 {
 #if ENABLE(GGC)
-    emitGetVirtualRegister(value, regT0);
     Jump valueNotCell;
-    if (mode == ShouldFilterValue || mode == ShouldFilterBaseAndValue)
+    if (mode == ShouldFilterValue || mode == ShouldFilterBaseAndValue) {
+        emitGetVirtualRegister(value, regT0);
         valueNotCell = branchTest64(NonZero, regT0, tagMaskRegister);
+    }
     
     emitGetVirtualRegister(owner, regT0);
     Jump ownerNotCell;
-    if (mode == ShouldFilterBaseAndValue)
+    if (mode == ShouldFilterBaseAndValue || mode == ShouldFilterBase)
         ownerNotCell = branchTest64(NonZero, regT0, tagMaskRegister);
 
     Jump ownerNotMarkedOrAlreadyRemembered = checkMarkByte(regT0);
     callOperation(operationUnconditionalWriteBarrier, regT0);
     ownerNotMarkedOrAlreadyRemembered.link(this);
 
-    if (mode == ShouldFilterBaseAndValue)
+    if (mode == ShouldFilterBaseAndValue || mode == ShouldFilterBase)
         ownerNotCell.link(this);
     if (mode == ShouldFilterValue || mode == ShouldFilterBaseAndValue) 
         valueNotCell.link(this);
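Review bot: The mode predicate is now spelled out four times (twice for the value filter, twice for the base filter), and each `Jump` is default-constructed and only linked under a repeated copy of the same condition, so adding a fifth mode that misses one member of a pair would either link an unset Jump or leave a branch dangling. I would hoist the two predicates once at the top of the GGC branch, `const bool filterValue = mode == ShouldFilterValue || mode == ShouldFilterBaseAndValue;` and `const bool filterBase = mode == ShouldFilterBase || mode == ShouldFilterBaseAndValue;`, and use them in all four `if` statements so the branch and its link are visibly governed by the same flag. The change itself looks right: the value register is no longer loaded in the UnconditionalWriteBarrier and ShouldFilterBase modes, which is consistent with regT0 holding the owner at the operationUnconditionalWriteBarrier call. The rest of emitWriteBarrier (the non-GGC branch and closing brace) lies outside the hunk.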