Title: [220783] trunk/Source/JavaScriptCore
- Revision: 220783
- Author: [email protected]
- Date: 2017-08-15 19:49:04 -0700 (Tue, 15 Aug 2017)
Log Message
We are too conservative about the effects of PushWithScope
https://bugs.webkit.org/show_bug.cgi?id=175584
Patch by Robin Morisset <[email protected]> on 2017-08-15
Reviewed by Saam Barati.
PushWithScope converts its argument to an object (this can throw a type error,
but has no other observable effect), and allocates a new scope, that it then
makes the new current scope. We were a bit too
conservative in saying that it clobbers the world.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (220782 => 220783)
--- trunk/Source/_javascript_Core/ChangeLog 2017-08-16 02:23:41 UTC (rev 220782)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-08-16 02:49:04 UTC (rev 220783)
@@ -1,3 +1,22 @@
+2017-08-15 Robin Morisset <[email protected]>
+
+ We are too conservative about the effects of PushWithScope
+ https://bugs.webkit.org/show_bug.cgi?id=175584
+
+ Reviewed by Saam Barati.
+
+ PushWithScope converts its argument to an object (this can throw a type error,
+ but has no other observable effect), and allocates a new scope, that it then
+ makes the new current scope. We were a bit too
+ conservative in saying that it clobbers the world.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+
2017-08-15 Ryosuke Niwa <[email protected]>
Make DataTransferItemList work with plain text entries
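Review bot: The three per-file entries at the end of this ChangeLog block carry no description, and the summary text only covers the relaxation ("too conservative"). A short line under each file would help later readers, for example that executeEffects no longer clobbers the world and that clobberize now writes only HeapObjectCount. The entry also names no test for the change.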
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (220782 => 220783)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2017-08-16 02:23:41 UTC (rev 220782)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2017-08-16 02:49:04 UTC (rev 220783)
@@ -2064,8 +2064,6 @@
}
case PushWithScope:
- clobberWorld(node->origin.semantic, clobberLimit);
-
// We don't use the more precise withScopeStructure() here because it is a LazyProperty and may not yet be allocated.
forNode(node).setType(m_graph, SpecObjectOther);
break;
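Review bot: With `clobberWorld(node->origin.semantic, clobberLimit);` removed from the PushWithScope case, the abstract interpreter keeps every proven fact across this node, so the case now relies entirely on the log message's claim that the object conversion can throw a type error but has no other observable effect. Please state that assumption in a comment next to the surviving `forNode(node).setType(m_graph, SpecObjectOther);`, so that anyone who later changes the node's conversion step knows the clobber has to come back. A regression test that enters a `with` block on a non-object value in DFG-compiled code, and checks that values read before and after the block agree, would pin this down.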
Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (220782 => 220783)
--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2017-08-16 02:23:41 UTC (rev 220782)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h 2017-08-16 02:49:04 UTC (rev 220783)
@@ -471,6 +471,12 @@
write(SideState);
return;
+ case PushWithScope: {
+ read(World);
+ write(HeapObjectCount);
+ return;
+ }
+
case CreateActivation: {
SymbolTable* table = node->castOperand<SymbolTable*>();
if (table->singletonScope()->isStillValid())
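Review bot: The new PushWithScope case has no comment explaining why `write(HeapObjectCount)` is a sufficient write set while `read(World)` is kept. A one-line comment saying that the node allocates the new scope and may throw during the object conversion would justify both lines. It should also point at the matching case in executeEffects, since the two models have to agree: if one is changed later without the other, the optimizer and the abstract interpreter will disagree about what this node can invalidate.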
@@ -605,7 +611,6 @@
case PutDynamicVar:
case ResolveScopeForHoistingFuncDeclInEval:
case ResolveScope:
- case PushWithScope:
read(World);
write(Heap);
return;
Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp (220782 => 220783)
--- trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2017-08-16 02:23:41 UTC (rev 220782)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2017-08-16 02:49:04 UTC (rev 220783)
@@ -280,9 +280,9 @@
case AtomicsSub:
case AtomicsXor:
case AtomicsIsLockFree:
- case PushWithScope:
return false;
+ case PushWithScope:
case CreateActivation:
case CreateDirectArguments:
case CreateScopedArguments:
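Review bot: Moving `case PushWithScope:` out of the group ending in `return false;` and into the group with CreateActivation, CreateDirectArguments and CreateScopedArguments is not a relaxation like the changes in the other two files; it changes the answer doesGC gives for a node that the log message says allocates a new scope. That reads as a separate correctness fix and deserves its own sentence in the log message, plus a test that runs a `with` statement in optimized code under GC pressure.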