Title: [197757] releases/WebKitGTK/webkit-2.12/Source/_javascript_Core
Revision: 197757
Author: carlo...@webkit.org
Date: 2016-03-08 05:23:49 -0800 (Tue, 08 Mar 2016)

Log Message

Merge r197491 - [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
https://bugs.webkit.org/show_bug.cgi?id=154947

Patch by Benjamin Poulain <bpoul...@apple.com> on 2016-03-02
Reviewed by Filip Pizlo.

This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.

The problem was that JSCell_freeListNext and JSCell_structureID were
considered as disjoint. When reordering instructions, the scheduler
could move the write of the StructureID first to reduce dependencies.
This would erase half of JSCell_freeListNext before we get a chance
to load the value.

This patch changes the hierarchy to make sure nothing is written
until JSCell_freeListNext is processed.

All credits for this patch go to Filip.

* ftl/FTLAbstractHeapRepository.cpp:
(JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
* ftl/FTLAbstractHeapRepository.h:

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog (197756 => 197757)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog	2016-03-08 12:57:22 UTC (rev 197756)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog	2016-03-08 13:23:49 UTC (rev 197757)
@@ -1,5 +1,29 @@
 2016-03-02  Benjamin Poulain  <bpoul...@apple.com>
 
+        [JSC] JSCell_freeListNext and JSCell_structureID are considered not overlapping
+        https://bugs.webkit.org/show_bug.cgi?id=154947
+
+        Reviewed by Filip Pizlo.
+
+        This bug was discovered while testing https://bugs.webkit.org/show_bug.cgi?id=154894.
+
+        The problem was that JSCell_freeListNext and JSCell_structureID were
+        considered as disjoint. When reordering instructions, the scheduler
+        could move the write of the StructureID first to reduce dependencies.
+        This would erase half of JSCell_freeListNext before we get a chance
+        to load the value.
+
+        This patch changes the hierarchy to make sure nothing is written
+        until JSCell_freeListNext is processed.
+
+        All credits for this patch go to Filip.
+
+        * ftl/FTLAbstractHeapRepository.cpp:
+        (JSC::FTL::AbstractHeapRepository::AbstractHeapRepository):
+        * ftl/FTLAbstractHeapRepository.h:
+
+2016-03-02  Benjamin Poulain  <bpoul...@apple.com>
+
         [JSC] Improve Select of Doubles based on Double condition
         https://bugs.webkit.org/show_bug.cgi?id=154572
 
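Review bot: the `* ftl/FTLAbstractHeapRepository.h:` entry in this ChangeLog hunk carries no description, while WebKit ChangeLog style notes what changed in each file; a line such as "Add JSCell_header as the common parent of JSCell_structureID and JSCell_usefulBytes." would record the new abstract field that the fix in the .cpp depends on.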

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp (197756 => 197757)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp	2016-03-08 12:57:22 UTC (rev 197756)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.cpp	2016-03-08 13:23:49 UTC (rev 197757)
@@ -57,7 +57,7 @@
     FOR_EACH_ABSTRACT_FIELD(ABSTRACT_FIELD_INITIALIZATION)
 #undef ABSTRACT_FIELD_INITIALIZATION
     
-    , JSCell_freeListNext(JSCell_structureID)
+    , JSCell_freeListNext(JSCell_header)
     
 #define INDEXED_ABSTRACT_HEAP_INITIALIZATION(name, offset, size) , name(&root, #name, offset, size)
     FOR_EACH_INDEXED_ABSTRACT_HEAP(INDEXED_ABSTRACT_HEAP_INITIALIZATION)
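Review bot: the initializer `, JSCell_freeListNext(JSCell_header)` makes the free-list-next heap alias the new header heap, so it relies on `JSCell_header` being fully constructed before `JSCell_freeListNext`; member initialization follows declaration order in FTLAbstractHeapRepository.h rather than the order written here, so it is worth confirming that `JSCell_header` (declared through FOR_EACH_ABSTRACT_FIELD) is declared before `JSCell_freeListNext` in the class. A short comment on this line stating that the free-list pointer spans both the structure ID and the useful bytes, which is why it aliases the header rather than `JSCell_structureID`, would keep the ChangeLog's reasoning next to the code.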
@@ -75,6 +75,8 @@
     RELEASE_ASSERT(JSCell_indexingType.offset() + 2 == JSCell_typeInfoFlags.offset());
     RELEASE_ASSERT(JSCell_indexingType.offset() + 3 == JSCell_cellState.offset());
 
+    JSCell_structureID.changeParent(&JSCell_header);
+    JSCell_usefulBytes.changeParent(&JSCell_header);
     JSCell_indexingType.changeParent(&JSCell_usefulBytes);
     JSCell_typeInfoType.changeParent(&JSCell_usefulBytes);
     JSCell_typeInfoFlags.changeParent(&JSCell_usefulBytes);
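Review bot: the two added `changeParent(&JSCell_header)` calls make `JSCell_structureID` and `JSCell_usefulBytes` children of the header heap, but nothing asserts the layout the fix relies on; next to the existing RELEASE_ASSERTs on the indexingType/typeInfoFlags/cellState offsets, consider adding one that `JSCell_structureID.offset() == JSCell_header.offset()` and that `JSCell_usefulBytes` immediately follows it, so a future change to the JSCell layout that moves either field out from under the header heap fails loudly instead of silently reintroducing the disjointness described in the log message.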

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h (197756 => 197757)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h	2016-03-08 12:57:22 UTC (rev 197756)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ftl/FTLAbstractHeapRepository.h	2016-03-08 13:23:49 UTC (rev 197757)
@@ -54,6 +54,7 @@
     macro(JSArrayBufferView_mode, JSArrayBufferView::offsetOfMode()) \
     macro(JSArrayBufferView_vector, JSArrayBufferView::offsetOfVector()) \
     macro(JSCell_cellState, JSCell::cellStateOffset()) \
+    macro(JSCell_header, 0) \
     macro(JSCell_indexingType, JSCell::indexingTypeOffset()) \
     macro(JSCell_structureID, JSCell::structureIDOffset()) \
     macro(JSCell_typeInfoFlags, JSCell::typeInfoFlagsOffset()) \
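Review bot: `macro(JSCell_header, 0)` is the only entry in this list with a literal offset; every neighbour uses an accessor such as `JSCell::structureIDOffset()`. A comment on this line explaining that the header heap starts at offset 0 and exists only to be the common parent of `JSCell_structureID` and `JSCell_usefulBytes` (so that writes to them cannot be scheduled ahead of the `JSCell_freeListNext` load) would make the intent clear to the next editor, who would otherwise see an unexplained constant.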
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
