Skip to site navigation (Press enter)

[webkit-changes] [259681] trunk

sbarati Tue, 07 Apr 2020 16:12:12 -0700

Title: [259681] trunk

Revision: 259681
Author: sbar...@apple.com
Date: 2020-04-07 16:11:21 -0700 (Tue, 07 Apr 2020)

Log Message

Delete ICs can't cache dictionaries
https://bugs.webkit.org/show_bug.cgi?id=210147
<rdar://problem/61382405>


Reviewed by Tadeu Zagallo.

JSTests:

* stress/dont-cache-delete-ic-on-dictionary-2.js: Added.
(assert):
(makeDictionary):
(foo):
* stress/dont-cache-delete-ic-on-dictionary.js: Added.
(assert):
(foo):

Source/_javascript_Core:

We were happily caching delete IC cases on a dictionary object.
This is clearly wrong, as we might cache a miss on a dictionary
on a property "P", even though we might add "P" to the structure
without transitioning it.

* jit/Repatch.cpp:
(JSC::tryCacheDeleteBy):

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/jit/Repatch.cpp

Added Paths

trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary-2.js
trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary.js

Diff

Modified: trunk/JSTests/ChangeLog (259680 => 259681)


--- trunk/JSTests/ChangeLog	2020-04-07 23:01:20 UTC (rev 259680)
+++ trunk/JSTests/ChangeLog	2020-04-07 23:11:21 UTC (rev 259681)
@@ -1,3 +1,19 @@
+2020-04-07  Saam Barati  <sbar...@apple.com>
+
+        Delete ICs can't cache dictionaries
+        https://bugs.webkit.org/show_bug.cgi?id=210147
+        <rdar://problem/61382405>
+
+        Reviewed by Tadeu Zagallo.
+
+        * stress/dont-cache-delete-ic-on-dictionary-2.js: Added.
+        (assert):
+        (makeDictionary):
+        (foo):
+        * stress/dont-cache-delete-ic-on-dictionary.js: Added.
+        (assert):
+        (foo):
+
 2020-04-07  Tadeu Zagallo  <tzaga...@apple.com>
 
         Not using strict mode within ClassDeclaration statement

Added: trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary-2.js (0 => 259681)


--- trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary-2.js	                        (rev 0)
+++ trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary-2.js	2020-04-07 23:11:21 UTC (rev 259681)
@@ -0,0 +1,25 @@
+function assert(b) {
+    if (!b)
+        throw new Error;
+}
+
+function makeDictionary() {
+    let o = {};
+    for (let i = 0; i < 1000; ++i)
+        o["f" + i] = 42;
+    return o;
+}
+
+function foo(o) {
+    delete o.x;
+}
+
+let d = makeDictionary();
+for (let i = 0; i < 150; ++i) {
+    foo(d);
+}
+
+d.x = 42;
+foo(d);
+
+assert(!d.x);

Added: trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary.js (0 => 259681)


--- trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary.js	                        (rev 0)
+++ trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary.js	2020-04-07 23:11:21 UTC (rev 259681)
@@ -0,0 +1,17 @@
+//@ runDefault("--repatchBufferingCountdown=8", "--useDFGJIT=0", "--jitPolicyScale=0", "--useConcurrentJIT=0")
+
+function assert(b) {
+    if (!b)
+        throw new Error;
+}
+
+function foo(i) {
+    Object.defineProperty(Reflect, "get", {});
+    for (let i = 0; i < 2; i++) {
+        delete Reflect.get;
+    }
+}
+
+for (let i=0; i<100; i++) {
+    foo(i);
+}

Modified: trunk/Source/_javascript_Core/ChangeLog (259680 => 259681)


--- trunk/Source/_javascript_Core/ChangeLog	2020-04-07 23:01:20 UTC (rev 259680)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-04-07 23:11:21 UTC (rev 259681)
@@ -1,3 +1,19 @@
+2020-04-07  Saam Barati  <sbar...@apple.com>
+
+        Delete ICs can't cache dictionaries
+        https://bugs.webkit.org/show_bug.cgi?id=210147
+        <rdar://problem/61382405>
+
+        Reviewed by Tadeu Zagallo.
+
+        We were happily caching delete IC cases on a dictionary object.
+        This is clearly wrong, as we might cache a miss on a dictionary
+        on a property "P", even though we might add "P" to the structure
+        without transitioning it.
+
+        * jit/Repatch.cpp:
+        (JSC::tryCacheDeleteBy):
+
 2020-04-07  Tadeu Zagallo  <tzaga...@apple.com>
 
         Not using strict mode within ClassDeclaration statement

Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (259680 => 259681)


--- trunk/Source/_javascript_Core/jit/Repatch.cpp	2020-04-07 23:01:20 UTC (rev 259680)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp	2020-04-07 23:11:21 UTC (rev 259681)
@@ -756,6 +756,16 @@
         if (!slot.isCacheableDelete())
             return GiveUpOnCache;
 
+        if (baseValue.asCell()->structure()->isDictionary()) {
+            if (baseValue.asCell()->structure()->hasBeenFlattenedBefore())
+                return GiveUpOnCache;
+            jsCast<JSObject*>(baseValue)->flattenDictionaryObject(vm);
+            return RetryCacheLater;
+        }
+
+        if (oldStructure->isDictionary())
+            return RetryCacheLater;
+
         std::unique_ptr<AccessCase> newCase;
 
         if (slot.isDeleteHit()) {

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes