Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (99131 => 99132)
--- trunk/Source/_javascript_Core/ChangeLog 2011-11-03 02:19:17 UTC (rev 99131)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-11-03 02:58:37 UTC (rev 99132)
@@ -1,3 +1,15 @@
+2011-11-02 Filip Pizlo <fpi...@apple.com>
+
+ Inlined uses of the global object should use the right global object
+ https://bugs.webkit.org/show_bug.cgi?id=71427
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::globalObjectFor):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2011-11-02 Yuqiang Xian <yuqiang.x...@intel.com>
Remove some unnecessary loads/stores in DFG JIT 32_64
Modified: trunk/Source/_javascript_Core/dfg/DFGJITCompiler.h (99131 => 99132)
--- trunk/Source/_javascript_Core/dfg/DFGJITCompiler.h 2011-11-03 02:19:17 UTC (rev 99131)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCompiler.h 2011-11-03 02:58:37 UTC (rev 99132)
@@ -432,6 +432,14 @@
return m_graph.valueProfileFor(nodeIndex, baselineCodeBlockFor(m_graph[nodeIndex].codeOrigin));
}
+ JSGlobalObject* globalObjectFor(CodeOrigin codeOrigin)
+ {
+ if (!codeOrigin.inlineCallFrame)
+ return codeBlock()->globalObject();
+ // FIXME: if we ever inline based on executable not function, this code will need to change.
+ return codeOrigin.inlineCallFrame->callee->scope()->globalObject.get();
+ }
+
private:
// Internal implementation to compile.
void compileEntry();
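Review bot: globalObjectFor follows `codeOrigin.inlineCallFrame->callee->scope()->globalObject` with no assertion on any link, and every caller in this commit bakes the result into generated code as a `TrustedImmPtr`, so a null or stale callee would surface as a bad pointer in machine code rather than as a compile-time failure. I would add `ASSERT(codeOrigin.inlineCallFrame->callee);` before the second return, plus a comment such as `// The result is embedded as an immediate in JIT code; the inline callee must stay alive as long as this code block does.` Whether the code block already keeps the inlined callee marked is not visible in this hunk, so that lifetime assumption should be confirmed. The enclosing class begins and ends outside the hunk.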
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (99131 => 99132)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2011-11-03 02:19:17 UTC (rev 99131)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2011-11-03 02:58:37 UTC (rev 99132)
@@ -1900,7 +1900,7 @@
// since this operation does not otherwise get the payload.
speculationCheck(JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::NotEqual, scratchGPR, TrustedImm32(JSValue::NullTag)));
- m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), scratchGPR);
+ m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.globalObjectFor(node.codeOrigin)), scratchGPR);
cellResult(scratchGPR, m_compileIndex);
break;
}
@@ -1993,7 +1993,7 @@
MacroAssembler::JumpList slowPath;
- emitAllocateJSFinalObject(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()->emptyObjectStructure()), resultGPR, scratchGPR, slowPath);
+ emitAllocateJSFinalObject(MacroAssembler::TrustedImmPtr(m_jit.globalObjectFor(node.codeOrigin)->emptyObjectStructure()), resultGPR, scratchGPR, slowPath);
MacroAssembler::Jump done = m_jit.jump();
@@ -2285,7 +2285,7 @@
if (!m_state.forNode(node.child1()).m_structure.doesNotContainAnyOtherThan(methodCheckData.structure))
speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
- if (methodCheckData.prototype != m_jit.codeBlock()->globalObject()->methodCallDummy()) {
+ if (methodCheckData.prototype != m_jit.globalObjectFor(node.codeOrigin)->methodCallDummy()) {
m_jit.move(JITCompiler::TrustedImmPtr(methodCheckData.prototype->structureAddress()), scratchGPR);
speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(scratchGPR), JITCompiler::TrustedImmPtr(methodCheckData.prototypeStructure)));
}
@@ -2337,7 +2337,7 @@
GPRTemporary result(this);
GPRTemporary scratch(this);
- JSVariableObject* globalObject = m_jit.codeBlock()->globalObject();
+ JSVariableObject* globalObject = m_jit.globalObjectFor(node.codeOrigin);
m_jit.loadPtr(const_cast<WriteBarrier<Unknown>**>(globalObject->addressOfRegisters()), result.gpr());
m_jit.load32(JITCompiler::tagForGlobalVar(result.gpr(), node.varNumber()), scratch.gpr());
m_jit.load32(JITCompiler::payloadForGlobalVar(result.gpr(), node.varNumber()), result.gpr());
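Review bot: In GetGlobalVar the emitted loads index the chosen global object's register storage with `node.varNumber()` and no runtime check, so the access stays in bounds only if `globalObjectFor(node.codeOrigin)` returns the global object the inlined bytecode was compiled against. That invariant deserves a comment at the lookup, e.g. `// varNumber is only valid for the code origin's own global object; do not substitute codeBlock()->globalObject() here.` No regression test is visible in this diff; a test that inlines a function created in a different global object and then reads and writes its globals would pin the behaviour. The same applies to the PutGlobalVar hunk below and to the matching hunks in DFGSpeculativeJIT64.cpp. The case body continues outside the hunk.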
@@ -2354,9 +2354,9 @@
GPRReg globalObjectReg = globalObject.gpr();
GPRReg scratchReg = scratch.gpr();
- m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), globalObjectReg);
+ m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.globalObjectFor(node.codeOrigin)), globalObjectReg);
- writeBarrier(m_jit.codeBlock()->globalObject(), value.tagGPR(), node.child1(), WriteBarrierForVariableAccess, scratchReg);
+ writeBarrier(m_jit.globalObjectFor(node.codeOrigin), value.tagGPR(), node.child1(), WriteBarrierForVariableAccess, scratchReg);
m_jit.loadPtr(MacroAssembler::Address(globalObjectReg, JSVariableObject::offsetOfRegisters()), scratchReg);
m_jit.store32(value.tagGPR(), JITCompiler::tagForGlobalVar(scratchReg, node.varNumber()));
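Review bot: This hunk calls `m_jit.globalObjectFor(node.codeOrigin)` twice, once for the `move` and once for `writeBarrier`, so the pointer loaded into `globalObjectReg` and the owner passed to the barrier only agree because both calls happen to use the same expression. Hoisting it makes that explicit: `JSGlobalObject* originGlobalObject = m_jit.globalObjectFor(node.codeOrigin);`, then use `originGlobalObject` in both places. The name `globalObject` already appears to be taken by a temporary (see `globalObject.gpr()`), so the local needs a different name. The same duplication is in the PutGlobalVar hunk of DFGSpeculativeJIT64.cpp; the case body starts and ends outside the hunk.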
@@ -2474,7 +2474,7 @@
GlobalResolveInfo* resolveInfoAddress = &(m_jit.codeBlock()->globalResolveInfo(data.resolveInfoIndex));
// Check Structure of global object
- m_jit.move(JITCompiler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), globalObjectGPR);
+ m_jit.move(JITCompiler::TrustedImmPtr(m_jit.globalObjectFor(node.codeOrigin)), globalObjectGPR);
m_jit.move(JITCompiler::TrustedImmPtr(resolveInfoAddress), resolveInfoGPR);
m_jit.loadPtr(JITCompiler::Address(resolveInfoGPR, OBJECT_OFFSETOF(GlobalResolveInfo, structure)), resultPayloadGPR);
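Review bot: The structure check now compares against the code origin's global object, but `resolveInfoAddress` on the context line above is still taken from `m_jit.codeBlock()->globalResolveInfo(data.resolveInfoIndex)`, i.e. the outer code block. If a ResolveGlobal node can come from an inlined frame, please confirm that `data.resolveInfoIndex` is valid in the outer code block's table and that the cached structure and offset there refer to the inlined callee's global object; otherwise the cached offset would be applied to the wrong object. A comment stating which code block owns the resolve info would settle this, e.g. `// resolveInfoIndex indexes the machine code block's table, including entries for inlined code.` The same pairing appears in the last hunk of DFGSpeculativeJIT64.cpp, and the case body extends beyond this hunk.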
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (99131 => 99132)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2011-11-03 02:19:17 UTC (rev 99131)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2011-11-03 02:58:37 UTC (rev 99132)
@@ -1911,7 +1911,7 @@
speculationCheck(JSValueRegs(thisValueGPR), node.child1(), m_jit.branchPtr(MacroAssembler::NotEqual, scratchGPR, MacroAssembler::TrustedImmPtr(reinterpret_cast<void*>(ValueNull))));
}
- m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), scratchGPR);
+ m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.globalObjectFor(node.codeOrigin)), scratchGPR);
cellResult(scratchGPR, m_compileIndex);
break;
}
@@ -2003,7 +2003,7 @@
MacroAssembler::JumpList slowPath;
- emitAllocateJSFinalObject(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()->emptyObjectStructure()), resultGPR, scratchGPR, slowPath);
+ emitAllocateJSFinalObject(MacroAssembler::TrustedImmPtr(m_jit.globalObjectFor(node.codeOrigin)->emptyObjectStructure()), resultGPR, scratchGPR, slowPath);
MacroAssembler::Jump done = m_jit.jump();
@@ -2280,7 +2280,7 @@
if (!m_state.forNode(node.child1()).m_structure.doesNotContainAnyOtherThan(methodCheckData.structure))
speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(baseGPR, JSCell::structureOffset()), JITCompiler::TrustedImmPtr(methodCheckData.structure)));
- if (methodCheckData.prototype != m_jit.codeBlock()->globalObject()->methodCallDummy()) {
+ if (methodCheckData.prototype != m_jit.globalObjectFor(node.codeOrigin)->methodCallDummy()) {
m_jit.move(JITCompiler::TrustedImmPtr(methodCheckData.prototype->structureAddress()), scratchGPR);
speculationCheck(JSValueRegs(), NoNode, m_jit.branchPtr(JITCompiler::NotEqual, JITCompiler::Address(scratchGPR), JITCompiler::TrustedImmPtr(methodCheckData.prototypeStructure)));
}
@@ -2329,7 +2329,7 @@
case GetGlobalVar: {
GPRTemporary result(this);
- JSVariableObject* globalObject = m_jit.codeBlock()->globalObject();
+ JSVariableObject* globalObject = m_jit.globalObjectFor(node.codeOrigin);
m_jit.loadPtr(globalObject->addressOfRegisters(), result.gpr());
m_jit.loadPtr(JITCompiler::addressForGlobalVar(result.gpr(), node.varNumber()), result.gpr());
@@ -2345,9 +2345,9 @@
GPRReg globalObjectReg = globalObject.gpr();
GPRReg scratchReg = scratch.gpr();
- m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), globalObjectReg);
+ m_jit.move(MacroAssembler::TrustedImmPtr(m_jit.globalObjectFor(node.codeOrigin)), globalObjectReg);
- writeBarrier(m_jit.codeBlock()->globalObject(), value.gpr(), node.child1(), WriteBarrierForVariableAccess, scratchReg);
+ writeBarrier(m_jit.globalObjectFor(node.codeOrigin), value.gpr(), node.child1(), WriteBarrierForVariableAccess, scratchReg);
m_jit.loadPtr(MacroAssembler::Address(globalObjectReg, JSVariableObject::offsetOfRegisters()), scratchReg);
m_jit.storePtr(value.gpr(), JITCompiler::addressForGlobalVar(scratchReg, node.varNumber()));
@@ -2459,7 +2459,7 @@
GlobalResolveInfo* resolveInfoAddress = &(m_jit.codeBlock()->globalResolveInfo(data.resolveInfoIndex));
// Check Structure of global object
- m_jit.move(JITCompiler::TrustedImmPtr(m_jit.codeBlock()->globalObject()), globalObjectGPR);
+ m_jit.move(JITCompiler::TrustedImmPtr(m_jit.globalObjectFor(node.codeOrigin)), globalObjectGPR);
m_jit.move(JITCompiler::TrustedImmPtr(resolveInfoAddress), resolveInfoGPR);
m_jit.loadPtr(JITCompiler::Address(resolveInfoGPR, OBJECT_OFFSETOF(GlobalResolveInfo, structure)), resultGPR);
JITCompiler::Jump structuresMatch = m_jit.branchPtr(JITCompiler::Equal, resultGPR, JITCompiler::Address(globalObjectGPR, JSCell::structureOffset()));