Title: [258427] trunk/Source/_javascript_Core
- Revision
- 258427
- Author
- ysuz...@apple.com
- Date
- 2020-03-13 13:37:09 -0700 (Fri, 13 Mar 2020)
Log Message
[JSC] Delete IC creation should check mayNeedToCheckCell/canCacheDeleteIC regardless of Structure::outOfLineCapacity
https://bugs.webkit.org/show_bug.cgi?id=209027
Reviewed by Saam Barati.
Delete IC code generation assumes that mayNeedToCheckCell (now replaced by canCacheDeleteIC) is false,
while this status is consulted only if Structure::outOfLineCapacity meets a certain condition. We should avoid
creating a Delete IC when mayNeedToCheckCell is true (that is, when canCacheDeleteIC is false), regardless of Structure::outOfLineCapacity.
* bytecode/AccessCase.cpp:
(JSC::AccessCase::createDelete):
(JSC::AccessCase::generateImpl):
* runtime/Structure.h:
* runtime/StructureInlines.h:
(JSC::Structure::mayHaveIndexingHeader const):
(JSC::Structure::canCacheDeleteIC const):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (258426 => 258427)
--- trunk/Source/_javascript_Core/ChangeLog 2020-03-13 20:31:28 UTC (rev 258426)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-03-13 20:37:09 UTC (rev 258427)
@@ -1,3 +1,22 @@
+2020-03-12 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] Delete IC creation should check mayNeedToCheckCell/canCacheDeleteIC regardless of Structure::outOfLineCapacity
+ https://bugs.webkit.org/show_bug.cgi?id=209027
+
+ Reviewed by Saam Barati.
+
+ Delete IC code generation assumes that mayNeedToCheckCell (it is replaced with canCacheDeleteIC) is false
+ while we are looking into this status only if Structure::outOfLineCapacity meets a certain condition. We should avoid
+ create Delete IC when mayNeedToCheckCell/canCacheDeleteIC is true regardless of Structure::outOfLineCapacity
+
+ * bytecode/AccessCase.cpp:
+ (JSC::AccessCase::createDelete):
+ (JSC::AccessCase::generateImpl):
+ * runtime/Structure.h:
+ * runtime/StructureInlines.h:
+ (JSC::Structure::mayHaveIndexingHeader const):
+ (JSC::Structure::canCacheDeleteIC const):
+
2020-03-13 Alexey Shvayka <shvaikal...@gmail.com>
Bound functions should pass correct NewTarget value
Modified: trunk/Source/_javascript_Core/bytecode/AccessCase.cpp (258426 => 258427)
--- trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2020-03-13 20:31:28 UTC (rev 258426)
+++ trunk/Source/_javascript_Core/bytecode/AccessCase.cpp 2020-03-13 20:37:09 UTC (rev 258427)
@@ -129,15 +129,10 @@
VM& vm, JSCell* owner, CacheableIdentifier identifier, PropertyOffset offset, Structure* oldStructure, Structure* newStructure)
{
RELEASE_ASSERT(oldStructure == newStructure->previousID(vm));
- if (!newStructure->outOfLineCapacity() && oldStructure->outOfLineCapacity()) {
- // We do not cache this case so that we do not need to check the jscell.
- // See the Delete code below.
- bool mayNeedToCheckCell;
- newStructure->mayHaveIndexingHeader(mayNeedToCheckCell);
-
- if (mayNeedToCheckCell)
- return nullptr;
- }
+ // We do not cache this case so that we do not need to check the jscell, e.g. TypedArray cells require a check for neutering status.
+ // See the Delete code below.
+ if (!newStructure->canCacheDeleteIC())
+ return nullptr;
return std::unique_ptr<AccessCase>(new AccessCase(vm, owner, Delete, identifier, offset, newStructure, { }, { }));
}
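Review bot: As far as the file list in the log message shows, no regression test accompanies the now-unconditional `if (!newStructure->canCacheDeleteIC()) return nullptr;` in createDelete. The removed guard was consulted only when out-of-line capacity dropped to zero, so a test with a typed-array receiver on the path where capacity does not change would keep the condition from being narrowed again. The new comment's `See the Delete code below` would also be easier to follow if it named `AccessCase::generateImpl`. The function's signature line is above this hunk.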
@@ -1950,11 +1945,10 @@
ScratchRegisterAllocator::PreservedState preservedState =
allocator.preserveReusedRegistersByPushing(jit, ScratchRegisterAllocator::ExtraStackSpace::NoExtraSpace);
- bool mayNeedToCheckCell;
- bool hasIndexingHeader = newStructure()->mayHaveIndexingHeader(mayNeedToCheckCell);
+ bool hasIndexingHeader = newStructure()->mayHaveIndexingHeader();
// We do not cache this case yet so that we do not need to check the jscell.
// See Structure::hasIndexingHeader and JSObject::deleteProperty.
- ASSERT(!mayNeedToCheckCell);
+ ASSERT(newStructure()->canCacheDeleteIC());
// Clear the butterfly if we have no properties, since our put code expects this.
bool shouldNukeStructureAndClearButterfly = !newStructure()->outOfLineCapacity() && structure()->outOfLineCapacity() && !hasIndexingHeader;
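Review bot: `ASSERT(newStructure()->canCacheDeleteIC());` is a debug-only check, so a release build would still emit a Delete IC without the cell check if a typed-array structure ever reached generateImpl by another route. createDelete in the same file already uses RELEASE_ASSERT for its structure invariant. Since this is the invariant the commit restores, `RELEASE_ASSERT(newStructure()->canCacheDeleteIC());` would fail closed, and IC generation presumably runs once per stub rather than per access, so the cost should be negligible. The comment above the assert could also name `Structure::canCacheDeleteIC` alongside `Structure::hasIndexingHeader`. generateImpl starts and ends outside this hunk.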
Modified: trunk/Source/_javascript_Core/runtime/Structure.h (258426 => 258427)
--- trunk/Source/_javascript_Core/runtime/Structure.h 2020-03-13 20:31:28 UTC (rev 258426)
+++ trunk/Source/_javascript_Core/runtime/Structure.h 2020-03-13 20:37:09 UTC (rev 258427)
@@ -532,7 +532,8 @@
}
bool hasIndexingHeader(const JSCell*) const;
- bool mayHaveIndexingHeader(bool& mustCheckCell) const;
+ bool mayHaveIndexingHeader() const;
+ bool canCacheDeleteIC() const;
bool masqueradesAsUndefined(JSGlobalObject* lexicalGlobalObject);
Modified: trunk/Source/_javascript_Core/runtime/StructureInlines.h (258426 => 258427)
--- trunk/Source/_javascript_Core/runtime/StructureInlines.h 2020-03-13 20:31:28 UTC (rev 258426)
+++ trunk/Source/_javascript_Core/runtime/StructureInlines.h 2020-03-13 20:37:09 UTC (rev 258427)
@@ -256,9 +256,8 @@
return jsCast<const JSArrayBufferView*>(cell)->mode() == WastefulTypedArray;
}
-inline bool Structure::mayHaveIndexingHeader(bool& mustCheckCell) const
+inline bool Structure::mayHaveIndexingHeader() const
{
- mustCheckCell = false;
if (hasIndexedProperties(indexingType()))
return true;
@@ -265,10 +264,14 @@
if (!isTypedView(typedArrayTypeForType(m_blob.type())))
return false;
- mustCheckCell = true;
return true;
}
+inline bool Structure::canCacheDeleteIC() const
+{
+ return !isTypedView(typedArrayTypeForType(m_blob.type()));
+}
+
inline bool Structure::masqueradesAsUndefined(JSGlobalObject* lexicalGlobalObject)
{
return typeInfo().masqueradesAsUndefined() && globalObject() == lexicalGlobalObject;
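Review bot: `Structure::canCacheDeleteIC()` has no comment saying why typed-array views are excluded, and its name reads as a general policy while the body tests a single condition. The reason is stated only at the call site in AccessCase.cpp, so a later edit here could loosen the predicate without seeing it. I would add above the definition `// Typed array views need the cell itself inspected on delete (see hasIndexingHeader(const JSCell*)); a Delete IC does not check the cell.` The same `isTypedView(typedArrayTypeForType(m_blob.type()))` test also remains in mayHaveIndexingHeader() in the previous hunk, so a small shared private helper would keep the two from drifting apart.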