Modified: trunk/Source/_javascript_Core/ChangeLog (90192 => 90193)
--- trunk/Source/_javascript_Core/ChangeLog 2011-07-01 02:10:25 UTC (rev 90192)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-07-01 02:17:27 UTC (rev 90193)
@@ -1,3 +1,34 @@
+2011-06-30 Geoffrey Garen <[email protected]>
+
+ Reviewed by Gavin Barraclough.
+
+ Added write barrier that was missing from put_by_id_transition
+ https://bugs.webkit.org/show_bug.cgi?id=63775
+
+ * dfg/DFGJITCodeGenerator.cpp:
+ (JSC::DFG::JITCodeGenerator::writeBarrier): Made this static with a
+ MacroAssembler& argument so our patching functions could use it.
+
+ (JSC::DFG::JITCodeGenerator::cachedPutById):
+ * dfg/DFGJITCodeGenerator.h:
+ * dfg/DFGNonSpeculativeJIT.cpp:
+ (JSC::DFG::NonSpeculativeJIT::compile): Updated for signature change.
+
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCachePutByID): Missing barrier!
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compile): Updated for signature change.
+
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::privateCompilePutByIdTransition):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::privateCompilePutByIdTransition):
+ * jit/JSInterfaceJIT.h: Same game here. Removed storePtrWithWriteBarrier
+ because its meaning isn't clear -- maybe in the future we'll have a
+ clear way to pass all stores through a common function that guarantees
+ a write barrier, but that's not the case right now.
+
2011-06-30 Filip Pizlo <[email protected]>
Reviewed by Gavin Barraclough.
Modified: trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp (90192 => 90193)
--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp 2011-07-01 02:10:25 UTC (rev 90192)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp 2011-07-01 02:17:27 UTC (rev 90193)
@@ -368,7 +368,7 @@
unlock(scratchGPR);
}
-void JITCodeGenerator::writeBarrier(GPRReg owner, GPRReg scratch)
+void JITCodeGenerator::writeBarrier(MacroAssembler&, GPRReg owner, GPRReg scratch)
{
UNUSED_PARAM(owner);
UNUSED_PARAM(scratch);
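Review bot: The barrier body visible here is still `UNUSED_PARAM(owner); UNUSED_PARAM(scratch);`, so every writeBarrier call this commit adds — including the "missing" one in tryCachePutByID — emits no code yet, and that should be stated at the definition so nobody reads the call sites as proof the collector is being notified. I would add above the function: `// Placeholder: emits no code today. Every heap store still calls it so a real barrier can be dropped in without re-auditing call sites; callers should already treat scratch as clobbered.` The new MacroAssembler& parameter is left unnamed, which is fine while the body is empty but should be named once the body uses it. The function body continues past the end of the hunk.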
@@ -380,7 +380,7 @@
JITCompiler::DataLabelPtr structureToCompare;
JITCompiler::Jump structureCheck = m_jit.branchPtrWithPatch(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), structureToCompare, JITCompiler::TrustedImmPtr(reinterpret_cast<void*>(-1)));
- writeBarrier(baseGPR, scratchGPR);
+ writeBarrier(m_jit, baseGPR, scratchGPR);
m_jit.loadPtr(JITCompiler::Address(baseGPR, JSObject::offsetOfPropertyStorage()), scratchGPR);
JITCompiler::DataLabel32 storeWithPatch = m_jit.storePtrWithAddressOffsetPatch(valueGPR, JITCompiler::Address(scratchGPR, 0));
Modified: trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h (90192 => 90193)
--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h 2011-07-01 02:10:25 UTC (rev 90192)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h 2011-07-01 02:17:27 UTC (rev 90193)
@@ -155,6 +155,8 @@
return info.registerFormat() == DataFormatDouble;
}
+ static void writeBarrier(MacroAssembler&, GPRReg ownerGPR, GPRReg scratchGPR);
+
static GPRReg selectScratchGPR(GPRReg preserve1 = InvalidGPRReg, GPRReg preserve2 = InvalidGPRReg, GPRReg preserve3 = InvalidGPRReg)
{
if (preserve1 != GPRInfo::regT0 && preserve2 != GPRInfo::regT0 && preserve3 != GPRInfo::regT0)
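Review bot: The new static declaration carries no comment saying why it became static or which registers it may clobber, and that matters because DFGRepatch now emits it into stub code where register use is managed by hand. I would add: `// Static so DFGRepatch's stub generators can emit the same barrier as the JIT; scratchGPR must be treated as clobbered.` The enclosing class starts outside the hunk.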
@@ -518,8 +520,6 @@
}
}
- void writeBarrier(GPRReg ownerGPR, GPRReg scratchGPR);
-
void cachedGetById(GPRReg baseGPR, GPRReg resultGPR, unsigned identifierNumber, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
void cachedPutById(GPRReg baseGPR, GPRReg valueGPR, GPRReg scratchGPR, unsigned identifierNumber, PutKind, JITCompiler::Jump slowPathTarget = JITCompiler::Jump());
Modified: trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp (90192 => 90193)
--- trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp 2011-07-01 02:10:25 UTC (rev 90192)
+++ trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp 2011-07-01 02:17:27 UTC (rev 90193)
@@ -800,7 +800,7 @@
m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), globalObjectReg);
- writeBarrier(globalObjectReg, scratchReg);
+ writeBarrier(m_jit, globalObjectReg, scratchReg);
m_jit.loadPtr(MacroAssembler::Address(globalObjectReg, JSVariableObject::offsetOfRegisters()), scratchReg);
m_jit.storePtr(value.gpr(), JITCompiler::addressForGlobalVar(scratchReg, node.varNumber()));
Modified: trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp (90192 => 90193)
--- trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2011-07-01 02:10:25 UTC (rev 90192)
+++ trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2011-07-01 02:17:27 UTC (rev 90193)
@@ -318,6 +318,8 @@
testPrototype(stubJit, scratchGPR, (*it)->storedPrototype(), failureCases);
}
+ JITCodeGenerator::writeBarrier(stubJit, baseGPR, scratchGPR);
+
stubJit.storePtr(MacroAssembler::TrustedImmPtr(structure), MacroAssembler::Address(baseGPR, JSCell::structureOffset()));
if (structure->isUsingInlineStorage())
stubJit.storePtr(valueGPR, MacroAssembler::Address(baseGPR, JSObject::offsetOfInlineStorage() + slot.cachedOffset() * sizeof(JSValue)));
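Review bot: The added barrier is placed correctly — before both the structure store and the value store — but nothing in the stub records that ordering requirement, and because the barrier body is currently a no-op (see DFGJITCodeGenerator.cpp in this same commit) a future reordering would fail silently rather than crash. The stake is memory safety: a store the collector is never told about can leave this object, or the value, freed while JIT-emitted code still holds the pointer, which is a use-after-free. I would annotate the call: `// Must precede the structure and value stores below so the GC learns about baseGPR's new outgoing references.` testPrototype and the barrier both use scratchGPR; that is fine as long as the barrier does not expect scratch to be preserved across the prototype checks, which the visible code does not require. tryCachePutByID continues past the hunk.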
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (90192 => 90193)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-07-01 02:10:25 UTC (rev 90192)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-07-01 02:17:27 UTC (rev 90193)
@@ -899,7 +899,7 @@
GPRReg valueReg = value.gpr();
GPRReg scratchReg = scratch.gpr();
- writeBarrier(baseReg, scratchReg);
+ writeBarrier(m_jit, baseReg, scratchReg);
// Check that base is an array, and that property is contained within m_vector (< m_vectorLength).
// If we have predicted the base to be type array, we can skip the check.
@@ -953,7 +953,7 @@
GPRReg baseReg = base.gpr();
GPRReg scratchReg = scratch.gpr();
- writeBarrier(baseReg, scratchReg);
+ writeBarrier(m_jit, baseReg, scratchReg);
// Get the array storage.
GPRReg storageReg = scratchReg;
@@ -1094,7 +1094,7 @@
m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), globalObjectReg);
- writeBarrier(globalObjectReg, scratchReg);
+ writeBarrier(m_jit, globalObjectReg, scratchReg);
m_jit.loadPtr(MacroAssembler::Address(globalObjectReg, JSVariableObject::offsetOfRegisters()), scratchReg);
m_jit.storePtr(value.gpr(), JITCompiler::addressForGlobalVar(scratchReg, node.varNumber()));
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (90192 => 90193)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2011-07-01 02:10:25 UTC (rev 90192)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2011-07-01 02:17:27 UTC (rev 90193)
@@ -536,10 +536,10 @@
restoreReturnAddressBeforeReturn(regT3);
}
+
+ emitWriteBarrier(regT0, regT2);
- storePtrWithWriteBarrier(TrustedImmPtr(newStructure), regT0, Address(regT0, JSCell::structureOffset()));
-
- // write the value
+ storePtr(TrustedImmPtr(newStructure), Address(regT0, JSCell::structureOffset()));
compilePutDirectOffset(regT0, regT1, newStructure, cachedOffset);
ret();
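Review bot: `emitWriteBarrier(regT0, regT2)` hands regT2 to the barrier as scratch with no note that it is free; the value being stored is in regT1 (per `compilePutDirectOffset(regT0, regT1, newStructure, cachedOffset)`), so regT2 looks free, but the earlier part of privateCompilePutByIdTransition — including the reallocation path closed by the `}` at the top of the hunk — is outside the hunk, so I cannot confirm nothing there leaves a live value in regT2. I would add a one-line comment, `// regT2 is free here (the value is in regT1); the barrier may clobber it.`, and verify that against the code above the hunk.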
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp (90192 => 90193)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2011-07-01 02:10:25 UTC (rev 90192)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2011-07-01 02:17:27 UTC (rev 90193)
@@ -502,8 +502,9 @@
restoreReturnAddressBeforeReturn(regT3);
}
- storePtrWithWriteBarrier(TrustedImmPtr(newStructure), regT0, Address(regT0, JSCell::structureOffset()));
-
+ emitWriteBarrier(regT0, regT1);
+
+ storePtr(TrustedImmPtr(newStructure), Address(regT0, JSCell::structureOffset()));
#if CPU(MIPS) || CPU(SH4)
// For MIPS, we don't add sizeof(void*) to the stack offset.
load32(Address(stackPointerRegister, OBJECT_OFFSETOF(JITStackFrame, args[2]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT3);
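Review bot: This variant uses regT1 as the barrier scratch while JITPropertyAccess.cpp uses regT2, and the reason is only implicit: here the value's payload and tag are reloaded into regT3/regT2 from the stack frame after the barrier, so regT2 is not yet live and regT1 is the free register. A one-line comment keeps the two files from drifting: `// regT1 is the free scratch here; the value is reloaded into regT3/regT2 below, after the barrier.` privateCompilePutByIdTransition begins outside the hunk.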
@@ -512,8 +513,6 @@
load32(Address(stackPointerRegister, OBJECT_OFFSETOF(JITStackFrame, args[2]) + sizeof(void*) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), regT3);
load32(Address(stackPointerRegister, OBJECT_OFFSETOF(JITStackFrame, args[2]) + sizeof(void*) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), regT2);
#endif
-
- // Write the value
compilePutDirectOffset(regT0, regT2, regT3, newStructure, cachedOffset);
ret();
Modified: trunk/Source/_javascript_Core/jit/JSInterfaceJIT.h (90192 => 90193)
--- trunk/Source/_javascript_Core/jit/JSInterfaceJIT.h 2011-07-01 02:10:25 UTC (rev 90192)
+++ trunk/Source/_javascript_Core/jit/JSInterfaceJIT.h 2011-07-01 02:17:27 UTC (rev 90193)
@@ -193,11 +193,6 @@
inline Jump emitLoadInt32(unsigned virtualRegisterIndex, RegisterID dst);
inline Jump emitLoadDouble(unsigned virtualRegisterIndex, FPRegisterID dst, RegisterID scratch);
- inline void storePtrWithWriteBarrier(TrustedImmPtr ptr, RegisterID /* owner */, Address dest)
- {
- storePtr(ptr, dest);
- }
-
#if USE(JSVALUE32_64)
inline Jump emitJumpIfNotJSCell(unsigned virtualRegisterIndex);
inline Address tagFor(int index, RegisterID base = callFrameRegister);