Title: [224366] trunk
Revision
224366
Author
msab...@apple.com
Date
2017-11-02 17:23:00 -0700 (Thu, 02 Nov 2017)

Log Message

DFG needs to handle code motion of code in for..in loop bodies
https://bugs.webkit.org/show_bug.cgi?id=179212

Reviewed by Keith Miller.

JSTests:

New regression test.

* stress/for-in-side-effects.js: Added.
(getPrototypeOf):
(reset):
(testWithoutFTL.f):
(testWithoutFTL):
(testWithFTL.f):
(testWithFTL):

Source/_javascript_Core:

The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
makes calls with side effects.  Updated clobberize() for those nodes to take that into account.

* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):

Modified Paths

Added Paths

Diff

Modified: trunk/JSTests/ChangeLog (224365 => 224366)


--- trunk/JSTests/ChangeLog	2017-11-03 00:12:51 UTC (rev 224365)
+++ trunk/JSTests/ChangeLog	2017-11-03 00:23:00 UTC (rev 224366)
@@ -1,3 +1,20 @@
+2017-11-02  Michael Saboff  <msab...@apple.com>
+
+        DFG needs to handle code motion of code in for..in loop bodies
+        https://bugs.webkit.org/show_bug.cgi?id=179212
+
+        Reviewed by Keith Miller.
+
+        New regression test.
+
+        * stress/for-in-side-effects.js: Added.
+        (getPrototypeOf):
+        (reset):
+        (testWithoutFTL.f):
+        (testWithoutFTL):
+        (testWithFTL.f):
+        (testWithFTL):
+
 2017-11-02  Filip Pizlo  <fpi...@apple.com>
 
         AI does not correctly model the clobber case of ArithClz32

Added: trunk/JSTests/stress/for-in-side-effects.js (0 => 224366)


--- trunk/JSTests/stress/for-in-side-effects.js	                        (rev 0)
+++ trunk/JSTests/stress/for-in-side-effects.js	2017-11-03 00:23:00 UTC (rev 224366)
@@ -0,0 +1,79 @@
+// Regression test for bug 179212
+
+var p = { "a": {} };
+
+var flag = 0;
+var data = ""
+var copy = [];
+
+var z = new Proxy({}, {
+    getPrototypeOf: function() {
+        if (flag == 2) {
+            data[0] = { "x": "I changed" };
+        }
+
+        if (flag == 1) {
+            flag = 2;
+        }
+
+        return {"a": 1, "b": 2}
+    }
+});
+
+p.__proto__ = z;
+
+function reset()
+{
+    flag = 0;
+    data = "" 2.2, 3.3];
+    copy = [];
+}
+
+function runTest(func)
+{
+    reset();
+
+    for (var i = 0; i < 0x10000; i++)
+        func();
+
+    flag = 1;
+    func();
+
+    if (copy[0].x != "I changed")
+        throw "Expected updated value for copy[0]";
+}
+
+function testWithoutFTL()
+{
+    function f()
+    {
+        data[0] = 2.2;
+        for(var d in p) {
+            copy[0] = data[0];
+            copy[1] = data[1];
+            copy[2] = data[2];
+        }
+    }
+
+    noFTL(f);
+
+    runTest(f);
+}
+
+function testWithFTL()
+{
+    function f()
+    {
+        data[0] = 2.2;
+        for(var d in p) {
+            copy[0] = data[0];
+            copy[1] = data[1];
+            copy[2] = data[2];
+        }
+    }
+
+    runTest(f);
+}
+
+testWithoutFTL();
+testWithFTL();
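Review bot: As rendered on this page, `data = "" 2.2, 3.3];` in `reset()` does not parse, and with `var data = ""` the trap's `data[0] = { "x": "I changed" }` would be a silent no-op on a string, so `runTest` could never observe the updated value. Both lines look like archive mangling of array literals (presumably an array of doubles), so check them against the repository copy before reusing the test. Separately, the only comment is the bug number; a header such as `// A Proxy getPrototypeOf trap rewrites data[0] during for-in; the compiled loop body must reload it.` would explain the `flag` state machine. A second comment could say why `f` is duplicated rather than shared, presumably so the `noFTL` variant and the FTL variant each compile their own function.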
Property changes on: trunk/JSTests/stress/for-in-side-effects.js
___________________________________________________________________

Added: svn:executable

+* \ No newline at end of property

Modified: trunk/Source/_javascript_Core/ChangeLog (224365 => 224366)


--- trunk/Source/_javascript_Core/ChangeLog	2017-11-03 00:12:51 UTC (rev 224365)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-11-03 00:23:00 UTC (rev 224366)
@@ -1,3 +1,16 @@
+2017-11-02  Michael Saboff  <msab...@apple.com>
+
+        DFG needs to handle code motion of code in for..in loop bodies
+        https://bugs.webkit.org/show_bug.cgi?id=179212
+
+        Reviewed by Keith Miller.
+
+        The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
+        make calls with side effects.  Updated clobberize() for those nodes to take that into account.
+
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+
 2017-11-02  Joseph Pecoraro  <pecor...@apple.com>
 
         Inspector should display service worker served responses properly

Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (224365 => 224366)


--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2017-11-03 00:12:51 UTC (rev 224365)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2017-11-03 00:23:00 UTC (rev 224366)
@@ -270,8 +270,13 @@
 
     case HasGenericProperty:
     case HasStructureProperty:
-    case GetEnumerableLength:
     case GetPropertyEnumerator: {
+        read(World);
+        write(Heap);
+        return;
+    }
+
+    case GetEnumerableLength: {
         read(Heap);
         write(SideState);
         return;
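Review bot: `GetEnumerableLength` keeps the narrow `read(Heap); write(SideState);` model while its three former siblings now get `read(World); write(Heap);`, and nothing in the hunk records why that split is safe. An under-stated clobber set is what lets the optimizer keep a stale load across a call that runs script (the Proxy `getPrototypeOf` trap in the new stress test), so the reasoning deserves a comment on each case. For example, `// May run arbitrary script (e.g. Proxy traps): treat as clobbering the world.` above `read(World);` and, if it holds, `// Only reads enumerator state; cannot run script.` on the `GetEnumerableLength` case. The added test drives only the `getPrototypeOf` trap, so the three nodes are covered only as far as that one path reaches them. The enclosing switch in `clobberize()` starts and ends outside the hunk.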