Title: [202866] trunk/Source/_javascript_Core
- Revision
- 202866
- Author
- sbar...@apple.com
- Date
- 2016-07-06 11:23:38 -0700 (Wed, 06 Jul 2016)
Log Message
InlineAccess::sizeForLengthAccess() is wrong on some platforms because it should also consider "length" not being array length
https://bugs.webkit.org/show_bug.cgi?id=159429
Reviewed by Filip Pizlo.
The calculation inside sizeForLengthAccess() was not taking into
account that an access to a "length" property might not be an
array length access. sizeForLengthAccess() should always have enough
room for regular self property accesses. This only changes how
much of a nop sled we emit if array length access size is smaller
than self access size. This matters on ARM64.
* bytecode/InlineAccess.h:
(JSC::InlineAccess::sizeForPropertyAccess):
(JSC::InlineAccess::sizeForPropertyReplace):
(JSC::InlineAccess::sizeForLengthAccess):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (202865 => 202866)
--- trunk/Source/_javascript_Core/ChangeLog 2016-07-06 18:22:17 UTC (rev 202865)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-07-06 18:23:38 UTC (rev 202866)
@@ -1,3 +1,22 @@
+2016-07-06 Saam Barati <sbar...@apple.com>
+
+ InlineAccess::sizeForLengthAccess() is wrong on some platforms because it should also consider "length" not being array length
+ https://bugs.webkit.org/show_bug.cgi?id=159429
+
+ Reviewed by Filip Pizlo.
+
+ The calculation inside sizeForLengthAccess() was not taking into
+ account that an access to a "length" property might not be an
+ array length access. sizeForLengthAccess() should always have enough
+ room for a regular self property accesses. This only changes how
+ much of a nop sled we emit if array length access size is smaller
+ than self access size. This matters on ARM64.
+
+ * bytecode/InlineAccess.h:
+ (JSC::InlineAccess::sizeForPropertyAccess):
+ (JSC::InlineAccess::sizeForPropertyReplace):
+ (JSC::InlineAccess::sizeForLengthAccess):
+
2016-07-06 Commit Queue <commit-qu...@webkit.org>
Unreviewed, rolling out r198928 and r198985.
Modified: trunk/Source/_javascript_Core/bytecode/InlineAccess.h (202865 => 202866)
--- trunk/Source/_javascript_Core/bytecode/InlineAccess.h 2016-07-06 18:22:17 UTC (rev 202865)
+++ trunk/Source/_javascript_Core/bytecode/InlineAccess.h 2016-07-06 18:23:38 UTC (rev 202866)
@@ -41,6 +41,7 @@
class InlineAccess {
public:
+ // This is the maximum between inline and out of line self access cases.
static constexpr size_t sizeForPropertyAccess()
{
#if CPU(X86_64)
@@ -60,6 +61,7 @@
#endif
}
+ // This is the maximum between inline and out of line property replace cases.
static constexpr size_t sizeForPropertyReplace()
{
#if CPU(X86_64)
@@ -79,23 +81,28 @@
#endif
}
- static constexpr size_t sizeForLengthAccess()
+ // FIXME: Make this constexpr when GCC is able to compile std::max() inside a constexpr function.
+ // https://bugs.webkit.org/show_bug.cgi?id=159436
+ //
+ // This is the maximum between the size for array length access, and the size for regular self access.
+ ALWAYS_INLINE static size_t sizeForLengthAccess()
{
#if CPU(X86_64)
- return 26;
+ size_t size = 26;
#elif CPU(X86)
- return 27;
+ size_t size = 27;
#elif CPU(ARM64)
- return 32;
+ size_t size = 32;
#elif CPU(ARM)
#if CPU(ARM_THUMB2)
- return 30;
+ size_t size = 30;
#else
- return 50;
+ size_t size = 50;
#endif
#else
#error "unsupported platform"
#endif
+ return std::max(size, sizeForPropertyAccess());
}
static bool generateSelfPropertyAccess(VM&, StructureStubInfo&, Structure*, PropertyOffset);
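Review bot: the new `return std::max(size, sizeForPropertyAccess());` needs `<algorithm>`, and the hunk does not show whether InlineAccess.h includes it, so confirm that rather than relying on a transitive include. The FIXME gives up `constexpr` only to work around GCC's handling of `std::max`; a conditional expression stays constant-evaluable on every compiler, e.g. `return size > sizeForPropertyAccess() ? size : sizeForPropertyAccess();` with `static constexpr size_t sizeForLengthAccess()` kept (provided the build's C++ standard permits the local `size` in a constexpr function, otherwise fold the literal into the conditional per platform). Keeping it constexpr also protects any caller that uses the result in a `static_assert` or array bound; the callers are not in this hunk, so check them before making the function a runtime-only value.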
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes