Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (176624 => 176625)
--- trunk/Source/_javascript_Core/ChangeLog 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-12-02 04:09:24 UTC (rev 176625)
@@ -1,5 +1,39 @@
2014-12-01 Michael Saboff <msab...@apple.com>
+ Remove GetMyScope node from DFG
+ https://bugs.webkit.org/show_bug.cgi?id=139166
+
+ Reviewed by Oliver Hunt.
+
+ Eliminated GetMyScope DFG node type.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::isLiveInBytecode):
+ * dfg/DFGNodeType.h:
+ * dfg/DFGPredictionPropagationPhase.cpp:
+ (JSC::DFG::PredictionPropagationPhase::propagate):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::safeToExecute):
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToLLVM.cpp:
+ (JSC::FTL::LowerDFGToLLVM::compileNode):
+ (JSC::FTL::LowerDFGToLLVM::compileGetMyScope): Deleted.
+
+2014-12-01 Michael Saboff <msab...@apple.com>
+
Crash (integer overflow) beneath ByteCodeParser::handleGetById typing in search field on weather.com
https://bugs.webkit.org/show_bug.cgi?id=139165
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2014-12-02 04:09:24 UTC (rev 176625)
@@ -1408,7 +1408,6 @@
}
case GetScope: // FIXME: We could get rid of these if we know that the JSFunction is a constant. https://bugs.webkit.org/show_bug.cgi?id=106202
- case GetMyScope:
forNode(node).setType(SpecObjectOther);
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2014-12-02 04:09:24 UTC (rev 176625)
@@ -745,14 +745,6 @@
}
}
- case GetMyScope:
- if (graph.m_codeBlock->needsActivation()) {
- read(AbstractHeap(Variables, JSStack::ScopeChain));
- def(HeapLocation(VariableLoc, AbstractHeap(Variables, JSStack::ScopeChain)), node);
- } else
- def(PureValue(node));
- return;
-
case GetClosureRegisters:
read(JSEnvironmentRecord_registers);
def(HeapLocation(ClosureRegistersLoc, JSEnvironmentRecord_registers, node->child1()), node);
Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2014-12-02 04:09:24 UTC (rev 176625)
@@ -95,7 +95,6 @@
case GetButterfly:
case CheckArray:
case GetScope:
- case GetMyScope:
case SkipScope:
case GetClosureRegisters:
case GetClosureVar:
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2014-12-02 04:09:24 UTC (rev 176625)
@@ -1192,7 +1192,6 @@
case Flush:
case PhantomLocal:
case GetLocalUnlinked:
- case GetMyScope:
case GetClosureVar:
case GetGlobalVar:
case NotifyWrite:
Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2014-12-02 04:09:24 UTC (rev 176625)
@@ -887,8 +887,6 @@
if (reg.offset() == JSStack::Callee)
return true;
- if (reg.offset() == JSStack::ScopeChain)
- return true;
return false;
}
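Review bot: Removing the `JSStack::ScopeChain` test changes what this surviving liveness check returns: the scope-chain slot now falls through to `return false`, and nothing on the page says why that is safe. The ChangeLog lists `Graph::isLiveInBytecode` with no explanation. If the reasoning is that no DFG node reads that slot once GetMyScope is gone, I would record it beside the remaining Callee test, e.g. `// ScopeChain is no longer reported live: with GetMyScope removed, no DFG node reads this slot.` (wording for the author to confirm). A slot wrongly reported dead in JIT liveness analysis tends to show up later as a stale-value bug that is hard to trace back, so the invariant deserves a comment and ideally a regression test that exercises an exit in a function needing an activation. The function body starts outside the hunk, so how the result is consumed is not visible here.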
Modified: trunk/Source/_javascript_Core/dfg/DFGNodeType.h (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGNodeType.h 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGNodeType.h 2014-12-02 04:09:24 UTC (rev 176625)
@@ -177,7 +177,6 @@
macro(GetArrayLength, NodeResultInt32) \
macro(GetTypedArrayByteOffset, NodeResultInt32) \
macro(GetScope, NodeResultJS) \
- macro(GetMyScope, NodeResultJS) \
macro(SkipScope, NodeResultJS) \
macro(GetClosureRegisters, NodeResultStorage) \
macro(GetClosureVar, NodeResultJS) \
Modified: trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp 2014-12-02 04:09:24 UTC (rev 176625)
@@ -462,7 +462,6 @@
break;
}
- case GetMyScope:
case SkipScope: {
changed |= setPrediction(SpecObjectOther);
break;
Modified: trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2014-12-02 04:09:24 UTC (rev 176625)
@@ -167,7 +167,6 @@
case Arrayify:
case ArrayifyToStructure:
case GetScope:
- case GetMyScope:
case SkipScope:
case GetClosureRegisters:
case GetClosureVar:
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2014-12-02 04:09:24 UTC (rev 176625)
@@ -3525,15 +3525,6 @@
break;
}
- case GetMyScope: {
- GPRTemporary result(this);
- GPRReg resultGPR = result.gpr();
-
- m_jit.loadPtr(JITCompiler::payloadFor(JSStack::ScopeChain), resultGPR);
- cellResult(resultGPR, node);
- break;
- }
-
case SkipScope: {
SpeculateCellOperand scope(this, node->child1());
GPRTemporary result(this, Reuse, scope);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (176624 => 176625)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2014-12-02 04:09:24 UTC (rev 176625)
@@ -3633,15 +3633,6 @@
break;
}
- case GetMyScope: {
- GPRTemporary result(this);
- GPRReg resultGPR = result.gpr();
-
- m_jit.loadPtr(JITCompiler::addressFor(JSStack::ScopeChain), resultGPR);
- cellResult(resultGPR, node);
- break;
- }
-
case SkipScope: {
SpeculateCellOperand scope(this, node->child1());
GPRTemporary result(this, Reuse, scope);
Modified: trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp (176624 => 176625)
--- trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2014-12-02 04:09:24 UTC (rev 176625)
@@ -99,7 +99,6 @@
case Upsilon:
case ExtractOSREntryLocal:
case LoopHint:
- case GetMyScope:
case SkipScope:
case GetClosureRegisters:
case GetClosureVar:
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp (176624 => 176625)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2014-12-02 02:50:15 UTC (rev 176624)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToLLVM.cpp 2014-12-02 04:09:24 UTC (rev 176625)
@@ -592,9 +592,6 @@
case GetScope:
compileGetScope();
break;
- case GetMyScope:
- compileGetMyScope();
- break;
case SkipScope:
compileSkipScope();
break;
@@ -3424,12 +3421,6 @@
setJSValue(m_out.loadPtr(lowCell(m_node->child1()), m_heaps.JSFunction_scope));
}
- void compileGetMyScope()
- {
- setJSValue(m_out.loadPtr(addressFor(
- m_node->origin.semantic.stackOffset() + JSStack::ScopeChain)));
- }
-
void compileSkipScope()
{
setJSValue(m_out.loadPtr(lowCell(m_node->child1()), m_heaps.JSScope_next));