Title: [236332] branches/safari-606-branch
Revision
236332
Author
kocsen_ch...@apple.com
Date
2018-09-21 10:48:26 -0700 (Fri, 21 Sep 2018)

Log Message

Cherry-pick r236223. rdar://problem/44682814

    AI rule for MultiPutByOffset executes its effects in the wrong order
    https://bugs.webkit.org/show_bug.cgi?id=189757
    <rdar://problem/43535257>

    Reviewed by Michael Saboff.

    JSTests:

    * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
    (foo):
    (Foo):
    (g):

    Source/JavaScriptCore:

    The AI rule for MultiPutByOffset was executing effects in the wrong order.
    It first executed the transition effects and the effects on the base, and
    then executed the filtering effects on the value being stored. However, you
    can end up with the wrong type when the base and the value being stored
    are the same. E.g., in a program like `o.f = o`. These effects need to happen
    in the opposite order, modeling what happens in the runtime execution of
    MultiPutByOffset.

    * dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236223 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Modified Paths

Added Paths

Diff

Modified: branches/safari-606-branch/JSTests/ChangeLog (236331 => 236332)


--- branches/safari-606-branch/JSTests/ChangeLog	2018-09-21 17:13:34 UTC (rev 236331)
+++ branches/safari-606-branch/JSTests/ChangeLog	2018-09-21 17:48:26 UTC (rev 236332)
@@ -1,3 +1,49 @@
+2018-09-21  Kocsen Chung  <kocsen_ch...@apple.com>
+
+        Cherry-pick r236223. rdar://problem/44682814
+
+    AI rule for MultiPutByOffset executes its effects in the wrong order
+    https://bugs.webkit.org/show_bug.cgi?id=189757
+    <rdar://problem/43535257>
+    
+    Reviewed by Michael Saboff.
+    
+    JSTests:
+    
+    * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
+    (foo):
+    (Foo):
+    (g):
+    
+    Source/_javascript_Core:
+    
+    The AI rule for MultiPutByOffset was executing effects in the wrong order.
+    It first executed the transition effects and the effects on the base, and
+    then executed the filtering effects on the value being stored. However, you
+    can end up with the wrong type when the base and the value being stored
+    are the same. E.g, in a program like `o.f = o`. These effects need to happen
+    in the opposite order, modeling what happens in the runtime executing of
+    MultiPutByOffset.
+    
+    * dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236223 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-09-19  Saam barati  <sbar...@apple.com>
+
+            AI rule for MultiPutByOffset executes its effects in the wrong order
+            https://bugs.webkit.org/show_bug.cgi?id=189757
+            <rdar://problem/43535257>
+
+            Reviewed by Michael Saboff.
+
+            * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
+            (foo):
+            (Foo):
+            (g):
+
 2018-09-19  Kocsen Chung  <kocsen_ch...@apple.com>
 
         Cherry-pick r236161. rdar://problem/44613375
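Review bot: the new JSTests/ChangeLog entry pastes the whole cherry-picked log message, including the "Source/_javascript_Core:" section, the MultiPutByOffset description and the "* dfg/DFGAbstractInterpreterInlines.h:" file list, none of which describe files under JSTests; the nested original entry further down correctly lists only the stress test. Suggest trimming the outer entry to the "JSTests:" portion (title, bug links, reviewer, and the "* stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added." block) so this ChangeLog only records changes in its own directory. Also note the inconsistent indentation of the outer entry: the "Cherry-pick r236223." line is indented eight spaces while the lines that follow it use four.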

Added: branches/safari-606-branch/JSTests/stress/multi-put-by-offset-must-filter-value-before-filtering-base.js (0 => 236332)


--- branches/safari-606-branch/JSTests/stress/multi-put-by-offset-must-filter-value-before-filtering-base.js	                        (rev 0)
+++ branches/safari-606-branch/JSTests/stress/multi-put-by-offset-must-filter-value-before-filtering-base.js	2018-09-21 17:48:26 UTC (rev 236332)
@@ -0,0 +1,25 @@
+//@ runDefault("--collectContinuously=1", "--useConcurrentJIT=0", "--useConcurrentGC=1")
+
+function foo(oo) {
+    oo.x = 4;
+    oo.y = 4;
+    oo.e = oo;
+    oo.e = 7;
+    oo.f = 8;
+}
+noInline(foo);
+
+function Foo() {
+    foo(this);
+}
+
+for (var i = 0; i < 100000; i++) {
+    g();
+}
+
+function g(){
+    foo({f:8});
+    new Foo();
+    new Foo();
+    new Foo();
+}
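Review bot: the test only fails by crashing or tripping a runtime assertion; it never checks the values it stores, so a miscompile that silently leaves `oo.e` with the wrong type or value would pass. Suggest asserting the observable result after `foo` returns, for example `if (o.e !== 7) throw new Error("bad")` on the object passed in `g`, so the regression is caught in release builds as well. A one-line comment explaining why the `runDefault` flags (`--collectContinuously=1`, `--useConcurrentJIT=0`, `--useConcurrentGC=1`) are required to reproduce the problem would also help the next person who has to maintain or bisect this test. Minor: `g` is called in the loop before its declaration; that works because function declarations are hoisted, but declaring `g` above the loop reads more naturally.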

Modified: branches/safari-606-branch/Source/_javascript_Core/ChangeLog (236331 => 236332)


--- branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-09-21 17:13:34 UTC (rev 236331)
+++ branches/safari-606-branch/Source/_javascript_Core/ChangeLog	2018-09-21 17:48:26 UTC (rev 236332)
@@ -1,3 +1,55 @@
+2018-09-21  Kocsen Chung  <kocsen_ch...@apple.com>
+
+        Cherry-pick r236223. rdar://problem/44682814
+
+    AI rule for MultiPutByOffset executes its effects in the wrong order
+    https://bugs.webkit.org/show_bug.cgi?id=189757
+    <rdar://problem/43535257>
+    
+    Reviewed by Michael Saboff.
+    
+    JSTests:
+    
+    * stress/multi-put-by-offset-must-filter-value-before-filtering-base.js: Added.
+    (foo):
+    (Foo):
+    (g):
+    
+    Source/_javascript_Core:
+    
+    The AI rule for MultiPutByOffset was executing effects in the wrong order.
+    It first executed the transition effects and the effects on the base, and
+    then executed the filtering effects on the value being stored. However, you
+    can end up with the wrong type when the base and the value being stored
+    are the same. E.g, in a program like `o.f = o`. These effects need to happen
+    in the opposite order, modeling what happens in the runtime executing of
+    MultiPutByOffset.
+    
+    * dfg/DFGAbstractInterpreterInlines.h:
+    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@236223 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2018-09-19  Saam barati  <sbar...@apple.com>
+
+            AI rule for MultiPutByOffset executes its effects in the wrong order
+            https://bugs.webkit.org/show_bug.cgi?id=189757
+            <rdar://problem/43535257>
+
+            Reviewed by Michael Saboff.
+
+            The AI rule for MultiPutByOffset was executing effects in the wrong order.
+            It first executed the transition effects and the effects on the base, and
+            then executed the filtering effects on the value being stored. However, you
+            can end up with the wrong type when the base and the value being stored
+            are the same. E.g, in a program like `o.f = o`. These effects need to happen
+            in the opposite order, modeling what happens in the runtime executing of
+            MultiPutByOffset.
+
+            * dfg/DFGAbstractInterpreterInlines.h:
+            (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2018-09-19  Kocsen Chung  <kocsen_ch...@apple.com>
 
         Cherry-pick r236161. rdar://problem/44613375
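Review bot: several of the blank separator lines inside the new entry carry trailing whitespace (the lines rendered as "+    " between the title block, the reviewer line, and the section headers), which most editors flag and which makes the entry differ from the surrounding ChangeLog entries; suggest stripping it. Mirroring the JSTests side, the outer entry also carries a "JSTests:" section and the stress-test file list, which belong in JSTests/ChangeLog rather than here; the nested original entry already has the right scope for this directory.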

Modified: branches/safari-606-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (236331 => 236332)


--- branches/safari-606-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2018-09-21 17:13:34 UTC (rev 236331)
+++ branches/safari-606-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2018-09-21 17:48:26 UTC (rev 236332)
@@ -3154,12 +3154,17 @@
             }
         }
         
+        // We need to order AI executing these effects in the same order as they're executed
+        // at runtime. This is critical when you have JS code like `o.f = o;`. We first
+        // filter types on o, then transition o. Not the other way around. If we got
+        // this ordering wrong, we could end up with the wrong type representing o.
+        setForNode(node->child2(), resultingValue);
+        if (!!originalValue && !resultingValue)
+            m_state.setIsValid(false);
+
         observeTransitions(clobberLimit, transitions);
         if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
             m_state.setIsValid(false);
-        setForNode(node->child2(), resultingValue);
-        if (!!originalValue && !resultingValue)
-            m_state.setIsValid(false);
         break;
     }
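Review bot: the reordering itself matches the description, but the new comment talks about "o" while the code operates on `node->child1()` (the base) and `node->child2()` (the stored value); spelling that out, e.g. "filter the value (child2) first, then apply the transitions to the base (child1), because both may be the same object", would tie the comment to the code and make the `o.f = o` aliasing case obvious to the next reader. A pointer to the bug URL or the regression test name in the comment would also document why this order is load-bearing. Separately, once `!!originalValue && !resultingValue` has marked the state invalid, the following `observeTransitions` and `changeStructure` still run; that is harmless because the state is dead, but if the intent is to stop modelling at that point an early `break` would make it explicit.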
         