Title: [259681] trunk
- Revision
- 259681
- Author
- sbar...@apple.com
- Date
- 2020-04-07 16:11:21 -0700 (Tue, 07 Apr 2020)
Log Message
Delete ICs can't cache dictionaries
https://bugs.webkit.org/show_bug.cgi?id=210147
<rdar://problem/61382405>
Reviewed by Tadeu Zagallo.
JSTests:
* stress/dont-cache-delete-ic-on-dictionary-2.js: Added.
(assert):
(makeDictionary):
(foo):
* stress/dont-cache-delete-ic-on-dictionary.js: Added.
(assert):
(foo):
Source/_javascript_Core:
We were happily caching delete IC cases on a dictionary object.
This is clearly wrong, as we might cache a miss on a dictionary
on a property "P", even though we might add "P" to the structure
without transitioning it.
* jit/Repatch.cpp:
(JSC::tryCacheDeleteBy):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (259680 => 259681)
--- trunk/JSTests/ChangeLog 2020-04-07 23:01:20 UTC (rev 259680)
+++ trunk/JSTests/ChangeLog 2020-04-07 23:11:21 UTC (rev 259681)
@@ -1,3 +1,19 @@
+2020-04-07 Saam Barati <sbar...@apple.com>
+
+ Delete ICs can't cache dictionaries
+ https://bugs.webkit.org/show_bug.cgi?id=210147
+ <rdar://problem/61382405>
+
+ Reviewed by Tadeu Zagallo.
+
+ * stress/dont-cache-delete-ic-on-dictionary-2.js: Added.
+ (assert):
+ (makeDictionary):
+ (foo):
+ * stress/dont-cache-delete-ic-on-dictionary.js: Added.
+ (assert):
+ (foo):
+
2020-04-07 Tadeu Zagallo <tzaga...@apple.com>
Not using strict mode within ClassDeclaration statement
Added: trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary-2.js (0 => 259681)
--- trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary-2.js (rev 0)
+++ trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary-2.js 2020-04-07 23:11:21 UTC (rev 259681)
@@ -0,0 +1,25 @@
+function assert(b) {
+ if (!b)
+ throw new Error;
+}
+
+function makeDictionary() {
+ let o = {};
+ for (let i = 0; i < 1000; ++i)
+ o["f" + i] = 42;
+ return o;
+}
+
+function foo(o) {
+ delete o.x;
+}
+
+let d = makeDictionary();
+for (let i = 0; i < 150; ++i) {
+ foo(d);
+}
+
+d.x = 42;
+foo(d);
+
+assert(!d.x);
Added: trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary.js (0 => 259681)
--- trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary.js (rev 0)
+++ trunk/JSTests/stress/dont-cache-delete-ic-on-dictionary.js 2020-04-07 23:11:21 UTC (rev 259681)
@@ -0,0 +1,17 @@
+//@ runDefault("--repatchBufferingCountdown=8", "--useDFGJIT=0", "--jitPolicyScale=0", "--useConcurrentJIT=0")
+
+function assert(b) {
+ if (!b)
+ throw new Error;
+}
+
+function foo(i) {
+ Object.defineProperty(Reflect, "get", {});
+ for (let i = 0; i < 2; i++) {
+ delete Reflect.get;
+ }
+}
+
+for (let i=0; i<100; i++) {
+ foo(i);
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (259680 => 259681)
--- trunk/Source/_javascript_Core/ChangeLog 2020-04-07 23:01:20 UTC (rev 259680)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-04-07 23:11:21 UTC (rev 259681)
@@ -1,3 +1,19 @@
+2020-04-07 Saam Barati <sbar...@apple.com>
+
+ Delete ICs can't cache dictionaries
+ https://bugs.webkit.org/show_bug.cgi?id=210147
+ <rdar://problem/61382405>
+
+ Reviewed by Tadeu Zagallo.
+
+ We were happily caching delete IC cases on a dictionary object.
+ This is clearly wrong, as we might cache a miss on a dictionary
+ on a property "P", even though we might add "P" to the structure
+ without transitioning it.
+
+ * jit/Repatch.cpp:
+ (JSC::tryCacheDeleteBy):
+
2020-04-07 Tadeu Zagallo <tzaga...@apple.com>
Not using strict mode within ClassDeclaration statement
Modified: trunk/Source/_javascript_Core/jit/Repatch.cpp (259680 => 259681)
--- trunk/Source/_javascript_Core/jit/Repatch.cpp 2020-04-07 23:01:20 UTC (rev 259680)
+++ trunk/Source/_javascript_Core/jit/Repatch.cpp 2020-04-07 23:11:21 UTC (rev 259681)
@@ -756,6 +756,16 @@
if (!slot.isCacheableDelete())
return GiveUpOnCache;
+ if (baseValue.asCell()->structure()->isDictionary()) {
+ if (baseValue.asCell()->structure()->hasBeenFlattenedBefore())
+ return GiveUpOnCache;
+ jsCast<JSObject*>(baseValue)->flattenDictionaryObject(vm);
+ return RetryCacheLater;
+ }
+
+ if (oldStructure->isDictionary())
+ return RetryCacheLater;
+
std::unique_ptr<AccessCase> newCase;
if (slot.isDeleteHit()) {
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes