Title: [241035] branches/safari-607-branch
Revision: 241035
Author: mark....@apple.com
Date: 2019-02-06 11:33:43 -0800 (Wed, 06 Feb 2019)
Log Message
Cherry-pick r240991. rdar://problem/47855123
2019-02-05 Mark Lam <mark....@apple.com>
Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
https://bugs.webkit.org/show_bug.cgi?id=194298
<rdar://problem/47827555>
Reviewed by Saam Barati.
We do this for 3 reasons:
1. It's clearer when reading doesGC()'s code that these nodes will return true.
2. If things change in the future where clobberize() no longer reports these nodes
as write(Heap), each node should be vetted first to make sure that it can never
GC before being moved back to the doesGC() list that returns false.
3. This reduces the list of nodes that we need to audit to make sure doesGC() is
correct in its claims about the nodes' GCing possibility.
The list of nodes moved are:
ArrayPush
ArrayPop
Call
CallEval
CallForwardVarargs
CallVarargs
Construct
ConstructForwardVarargs
ConstructVarargs
DefineDataProperty
DefineAccessorProperty
DeleteById
DeleteByVal
DirectCall
DirectConstruct
DirectTailCallInlinedCaller
GetById
GetByIdDirect
GetByIdDirectFlush
GetByIdFlush
GetByIdWithThis
GetByValWithThis
GetDirectPname
GetDynamicVar
HasGenericProperty
HasOwnProperty
HasStructureProperty
InById
InByVal
InstanceOf
InstanceOfCustom
LoadVarargs
NumberToStringWithRadix
PutById
PutByIdDirect
PutByIdFlush
PutByIdWithThis
PutByOffset
PutByValWithThis
PutDynamicVar
PutGetterById
PutGetterByVal
PutGetterSetterById
PutSetterById
PutSetterByVal
PutStack
PutToArguments
RegExpExec
RegExpTest
ResolveScope
ResolveScopeForHoistingFuncDeclInEval
TailCall
TailCallForwardVarargsInlinedCaller
TailCallInlinedCaller
TailCallVarargsInlinedCaller
ToNumber
ToPrimitive
ValueNegate
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
Diff
Index: branches/safari-607-branch
===================================================================
--- branches/safari-607-branch 2019-02-06 19:32:31 UTC (rev 241034)
+++ branches/safari-607-branch 2019-02-06 19:33:43 UTC (rev 241035)
Property changes: branches/safari-607-branch
Modified: svn:mergeinfo
-/trunk:53455,239940,240329,240335,240616,240917
\ No newline at end of property
+/trunk:53455,239940,240329,240335,240616,240917,240991
\ No newline at end of property
Modified: branches/safari-607-branch/Source/_javascript_Core/ChangeLog (241034 => 241035)
--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-02-06 19:32:31 UTC (rev 241034)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-02-06 19:33:43 UTC (rev 241035)
@@ -1,5 +1,89 @@
2019-02-06 Mark Lam <mark....@apple.com>
+ Cherry-pick r240991. rdar://problem/47855123
+
+ 2019-02-05 Mark Lam <mark....@apple.com>
+
+ Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
+ https://bugs.webkit.org/show_bug.cgi?id=194298
+ <rdar://problem/47827555>
+
+ Reviewed by Saam Barati.
+
+ We do this for 3 reasons:
+ 1. It's clearer when reading doesGC()'s code that these nodes will return true.
+ 2. If things change in the future where clobberize() no longer reports these nodes
+ as write(Heap), each node should be vetted first to make sure that it can never
+ GC before being moved back to the doesGC() list that returns false.
+ 3. This reduces the list of nodes that we need to audit to make sure doesGC() is
+ correct in its claims about the nodes' GCing possibility.
+
+ The list of nodes moved are:
+
+ ArrayPush
+ ArrayPop
+ Call
+ CallEval
+ CallForwardVarargs
+ CallVarargs
+ Construct
+ ConstructForwardVarargs
+ ConstructVarargs
+ DefineDataProperty
+ DefineAccessorProperty
+ DeleteById
+ DeleteByVal
+ DirectCall
+ DirectConstruct
+ DirectTailCallInlinedCaller
+ GetById
+ GetByIdDirect
+ GetByIdDirectFlush
+ GetByIdFlush
+ GetByIdWithThis
+ GetByValWithThis
+ GetDirectPname
+ GetDynamicVar
+ HasGenericProperty
+ HasOwnProperty
+ HasStructureProperty
+ InById
+ InByVal
+ InstanceOf
+ InstanceOfCustom
+ LoadVarargs
+ NumberToStringWithRadix
+ PutById
+ PutByIdDirect
+ PutByIdFlush
+ PutByIdWithThis
+ PutByOffset
+ PutByValWithThis
+ PutDynamicVar
+ PutGetterById
+ PutGetterByVal
+ PutGetterSetterById
+ PutSetterById
+ PutSetterByVal
+ PutStack
+ PutToArguments
+ RegExpExec
+ RegExpTest
+ ResolveScope
+ ResolveScopeForHoistingFuncDeclInEval
+ TailCall
+ TailCallForwardVarargsInlinedCaller
+ TailCallInlinedCaller
+ TailCallVarargsInlinedCaller
+ ToNumber
+ ToPrimitive
+ ValueNegate
+
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+
+2019-02-06 Mark Lam <mark....@apple.com>
+
Cherry-pick r240917. rdar://problem/47810465
2019-02-03 Mark Lam <mark....@apple.com>
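Review bot: Missing documentation in the code itself: the entry's file list names only dfg/DFGDoesGC.cpp, so the rule in reason 2 (a node that clobberize() reports as write(Heap) stays in the true list until it has been vetted) is written down here and nowhere a future editor of doesGC() will see it. Suggest a comment stating that rule above the moved cases in doesGC(), and a line in this entry saying whether any test covers the 58 listed nodes, whose answer changes from false to true.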
Modified: branches/safari-607-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp (241034 => 241035)
--- branches/safari-607-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-02-06 19:32:31 UTC (rev 241034)
+++ branches/safari-607-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-02-06 19:33:43 UTC (rev 241035)
@@ -103,28 +103,8 @@
case ValueAdd:
case ValueSub:
case ValueMul:
- case ValueNegate:
case ValueDiv:
case TryGetById:
- case GetById:
- case GetByIdFlush:
- case GetByIdWithThis:
- case GetByIdDirect:
- case GetByIdDirectFlush:
- case PutById:
- case PutByIdFlush:
- case PutByIdWithThis:
- case PutByValWithThis:
- case PutByIdDirect:
- case PutGetterById:
- case PutSetterById:
- case PutGetterSetterById:
- case PutGetterByVal:
- case PutSetterByVal:
- case DefineDataProperty:
- case DefineAccessorProperty:
- case DeleteById:
- case DeleteByVal:
case CheckStructure:
case CheckStructureOrEmpty:
case CheckStructureImmediate:
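Review bot: Missing rationale where ValueNegate and the GetById family are removed: ValueAdd, ValueSub, ValueMul, ValueDiv and TryGetById stay in this list while their siblings leave it. Since a false answer is the claim reason 2 says must be vetted, a one-line comment on the nodes that remain (why they cannot GC when ValueNegate and GetById can) would keep the next audit from having to rediscover it.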
@@ -148,9 +128,7 @@
case CheckNotEmpty:
case AssertNotEmpty:
case CheckStringIdent:
- case RegExpExec:
case RegExpExecNonGlobalOrSticky:
- case RegExpTest:
case RegExpMatchFast:
case RegExpMatchFastGlobal:
case CompareLess:
@@ -162,26 +140,10 @@
case CompareEq:
case CompareStrictEq:
case CompareEqPtr:
- case Call:
- case DirectCall:
- case TailCallInlinedCaller:
- case DirectTailCallInlinedCaller:
- case Construct:
- case DirectConstruct:
- case CallVarargs:
- case CallEval:
- case TailCallVarargsInlinedCaller:
- case ConstructVarargs:
- case LoadVarargs:
- case CallForwardVarargs:
- case ConstructForwardVarargs:
case TailCallForwardVarargs:
- case TailCallForwardVarargsInlinedCaller:
case ProfileType:
case ProfileControlFlow:
case OverridesHasInstance:
- case InstanceOf:
- case InstanceOfCustom:
case IsEmpty:
case IsUndefined:
case IsBoolean:
@@ -194,19 +156,12 @@
case IsTypedArrayView:
case TypeOf:
case LogicalNot:
- case ToPrimitive:
- case ToNumber:
- case NumberToStringWithRadix:
case NumberToStringWithValidRadixConstant:
- case InByVal:
- case InById:
- case HasOwnProperty:
case Jump:
case Branch:
case Switch:
case EntrySwitch:
case Return:
- case TailCall:
case DirectTailCall:
case TailCallVarargs:
case Throw:
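Review bot: Possible inconsistency at the TailCall removal: TailCall leaves this list, but DirectTailCall and TailCallVarargs directly below it stay. Please confirm that those two are intentionally left out of the move and say why in a comment, because the split between tail-call variants is not explained in the ChangeLog entry.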
@@ -251,11 +206,8 @@
case GetGetter:
case GetSetter:
case GetByVal:
- case GetByValWithThis:
case GetArrayLength:
case GetVectorLength:
- case ArrayPush:
- case ArrayPop:
case StringCharAt:
case StringCharCodeAt:
case GetTypedArrayByteOffset:
@@ -266,12 +218,8 @@
case PutStructure:
case GetByOffset:
case GetGetterSetterByOffset:
- case PutByOffset:
case GetEnumerableLength:
- case HasGenericProperty:
- case HasStructureProperty:
case HasIndexedProperty:
- case GetDirectPname:
case FiatInt52:
case BooleanToNumber:
case CheckBadCell:
@@ -293,18 +241,12 @@
case GetMyArgumentByValOutOfBounds:
case ForwardVarargs:
case PutHint:
- case PutStack:
case KillStack:
case GetStack:
case GetFromArguments:
- case PutToArguments:
case GetArgument:
case LogShadowChickenPrologue:
case LogShadowChickenTail:
- case GetDynamicVar:
- case PutDynamicVar:
- case ResolveScopeForHoistingFuncDeclInEval:
- case ResolveScope:
case NukeStructureAndSetButterfly:
case AtomicsAdd:
case AtomicsAnd:
@@ -326,13 +268,70 @@
case DataViewSet:
return false;
+ case ArrayPush:
+ case ArrayPop:
case PushWithScope:
case CreateActivation:
case CreateDirectArguments:
case CreateScopedArguments:
case CreateClonedArguments:
+ case Call:
+ case CallEval:
+ case CallForwardVarargs:
case CallObjectConstructor:
+ case CallVarargs:
+ case Construct:
+ case ConstructForwardVarargs:
+ case ConstructVarargs:
+ case DefineDataProperty:
+ case DefineAccessorProperty:
+ case DeleteById:
+ case DeleteByVal:
+ case DirectCall:
+ case DirectConstruct:
+ case DirectTailCallInlinedCaller:
+ case GetById:
+ case GetByIdDirect:
+ case GetByIdDirectFlush:
+ case GetByIdFlush:
+ case GetByIdWithThis:
+ case GetByValWithThis:
+ case GetDirectPname:
+ case GetDynamicVar:
+ case HasGenericProperty:
+ case HasOwnProperty:
+ case HasStructureProperty:
+ case InById:
+ case InByVal:
+ case InstanceOf:
+ case InstanceOfCustom:
+ case LoadVarargs:
+ case NumberToStringWithRadix:
+ case PutById:
+ case PutByIdDirect:
+ case PutByIdFlush:
+ case PutByIdWithThis:
+ case PutByOffset:
+ case PutByValWithThis:
+ case PutDynamicVar:
+ case PutGetterById:
+ case PutGetterByVal:
+ case PutGetterSetterById:
+ case PutSetterById:
+ case PutSetterByVal:
+ case PutStack:
+ case PutToArguments:
+ case RegExpExec:
+ case RegExpTest:
+ case ResolveScope:
+ case ResolveScopeForHoistingFuncDeclInEval:
+ case TailCall:
+ case TailCallForwardVarargsInlinedCaller:
+ case TailCallInlinedCaller:
+ case TailCallVarargsInlinedCaller:
+ case ToNumber:
case ToObject:
+ case ToPrimitive:
case ToThis:
case CreateThis:
case ObjectCreate:
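Review bot: Style point on the inserted cases: they are alphabetized, but they are interleaved with existing entries that are not (PushWithScope and the Create* nodes sit between ArrayPop and Call, CallObjectConstructor between CallForwardVarargs and CallVarargs, ToObject between ToNumber and ToPrimitive). The result is neither sorted nor grouped by reason. Suggest keeping the moved nodes as one contiguous block under a comment saying they are here because clobberize() reports write(Heap), so reason 2 can be checked by reading the switch.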
@@ -378,6 +377,7 @@
case ParseInt: // We might resolve a rope even though we don't clobber anything.
case SetAdd:
case MapSet:
+ case ValueNegate:
return true;
case CallStringConstructor:
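Review bot: ValueNegate is added here, after MapSet, apart from the other 57 moved nodes, and directly under the ParseInt case whose comment is about nodes that do not clobber anything. That placement reads as if ValueNegate were in this list for a different reason than the one the ChangeLog gives. Suggest moving it into the block with the other moved cases, or adding a comment on this line stating why it sits here.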