Title: [265987] branches/safari-609-branch/Source/JavaScriptCore
- Revision: 265987
- Author: repst...@apple.com
- Date: 2020-08-20 17:47:55 -0700 (Thu, 20 Aug 2020)
Log Message

Cherry-pick r264643. rdar://problem/67027034

TryGetById clobberize rules are wrong.
https://bugs.webkit.org/show_bug.cgi?id=163834
<rdar://problem/65625807>

Reviewed by Keith Miller.

Theoretically, TryGetById can do the same things GetById does i.e. reify lazy
properties, read the stack, etc. Hence, its clobberize rule should be clobberTop
just like GetById. However, in practice, we don't currently use @tryGetById to
access anything on the stack (and probably never will). But as a conservative
measure, we'll just treat TryGetById like it can. In clobberize terms, this
means we declare TryGetById as doing read(World) (just like GetById) instead of
read(Heap).

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@264643 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-609-branch/Source/_javascript_Core/ChangeLog (265986 => 265987)
--- branches/safari-609-branch/Source/_javascript_Core/ChangeLog 2020-08-21 00:19:59 UTC (rev 265986)
+++ branches/safari-609-branch/Source/_javascript_Core/ChangeLog 2020-08-21 00:47:55 UTC (rev 265987)
@@ -1,3 +1,53 @@
+2020-08-20 Russell Epstein <repst...@apple.com>
+
+ Cherry-pick r264643. rdar://problem/67027034
+
+ TryGetById clobberize rules are wrong.
+ https://bugs.webkit.org/show_bug.cgi?id=163834
+ <rdar://problem/65625807>
+
+ Reviewed by Keith Miller.
+
+ Theoretically, TryGetById can do the same things GetById does i.e. reify lazy
+ properties, read the stack, etc. Hence, its clobberize rule should be clobberTop
+ just like GetById. However, in practice, we don't currently use @tryGetById to
+ access anything on the stack (and probably never will). But as a conservative
+ measure, we'll just treat TryGetById like it can. In clobberize terms, this
+ means we declare TryGetById as doing read(World) (just like GetById) instead of
+ read(Heap).
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGClobbersExitState.cpp:
+ (JSC::DFG::clobbersExitState):
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@264643 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-07-20 Mark Lam <mark....@apple.com>
+
+ TryGetById clobberize rules are wrong.
+ https://bugs.webkit.org/show_bug.cgi?id=163834
+ <rdar://problem/65625807>
+
+ Reviewed by Keith Miller.
+
+ Theoretically, TryGetById can do the same things GetById does i.e. reify lazy
+ properties, read the stack, etc. Hence, its clobberize rule should be clobberTop
+ just like GetById. However, in practice, we don't currently use @tryGetById to
+ access anything on the stack (and probably never will). But as a conservative
+ measure, we'll just treat TryGetById like it can. In clobberize terms, this
+ means we declare TryGetById as doing read(World) (just like GetById) instead of
+ read(Heap).
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * dfg/DFGClobbersExitState.cpp:
+ (JSC::DFG::clobbersExitState):
+
2020-05-20 Alan Coon <alanc...@apple.com>
Cherry-pick r261877. rdar://problem/63461428
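Review bot: the file list in this entry names three dfg/ sources and no test, so nothing in the tree guards the stricter TryGetById rule against being relaxed again later. The message says @tryGetById is not currently used to access anything on the stack, which may mean no failing test can be written today; if that is the reason, say so in the entry so the omission reads as deliberate.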
Modified: branches/safari-609-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (265986 => 265987)
--- branches/safari-609-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2020-08-21 00:19:59 UTC (rev 265986)
+++ branches/safari-609-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2020-08-21 00:47:55 UTC (rev 265987)
@@ -3142,6 +3142,7 @@
case TryGetById:
// FIXME: This should constant fold at least as well as the normal GetById case.
// https://bugs.webkit.org/show_bug.cgi?id=156422
+ clobberWorld();
makeHeapTopForNode(node);
break;
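Review bot: the new clobberWorld() call under case TryGetById carries no comment, while the FIXME directly above it asks for this case to constant fold as well as GetById. Someone acting on that FIXME could reasonably treat the unconditional clobber as the thing to remove. Add a one-line comment saying the clobber is a deliberate conservative choice and pointing at bug 163834, and note that it has to stay ahead of makeHeapTopForNode(node).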
Modified: branches/safari-609-branch/Source/_javascript_Core/dfg/DFGClobberize.h (265986 => 265987)
--- branches/safari-609-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2020-08-21 00:19:59 UTC (rev 265986)
+++ branches/safari-609-branch/Source/_javascript_Core/dfg/DFGClobberize.h 2020-08-21 00:47:55 UTC (rev 265987)
@@ -614,6 +614,7 @@
case GetByIdDirect:
case GetByIdDirectFlush:
case GetByValWithThis:
+ case TryGetById:
case PutById:
case PutByIdWithThis:
case PutByValWithThis:
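Review bot: case TryGetById is inserted into a fall-through group that also contains PutById, PutByIdWithThis and PutByValWithThis, so the rule it now inherits is the one applied to stores, not only to loads. The log message summarises the change as read(World) instead of read(Heap), which describes the read side only. Either state the full rule in the message (it mentions clobberTop earlier, so say that this is what the group applies) or add a short comment here. As a style point, TryGetById would sit more naturally next to the GetByIdDirect entries than after GetByValWithThis.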
@@ -1242,11 +1243,6 @@
return;
}
- case TryGetById: {
- read(Heap);
- return;
- }
-
case MultiGetByOffset: {
read(JSCell_structureID);
read(JSObject_butterfly);
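Review bot: the removed case TryGetById block declared read(Heap) and no write, so dropping it in favour of the shared group takes away whatever reordering and elimination freedom a read-only rule gave these nodes. The log message justifies the change as a conservative measure but does not say whether the cost was measured. A sentence on expected performance impact, or a note that TryGetById is rare enough not to matter, would close that gap.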
Modified: branches/safari-609-branch/Source/_javascript_Core/dfg/DFGClobbersExitState.cpp (265986 => 265987)
--- branches/safari-609-branch/Source/_javascript_Core/dfg/DFGClobbersExitState.cpp 2020-08-21 00:19:59 UTC (rev 265986)
+++ branches/safari-609-branch/Source/_javascript_Core/dfg/DFGClobbersExitState.cpp 2020-08-21 00:47:55 UTC (rev 265987)
@@ -83,6 +83,7 @@
case FilterGetByStatus:
case FilterPutByIdStatus:
case FilterInByIdStatus:
+ case TryGetById:
// These do clobber memory, but nothing that is observable. It may be nice to separate the
// heaps into those that are observable and those that aren't, but we don't do that right now.
// FIXME: https://bugs.webkit.org/show_bug.cgi?id=148440
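Review bot: case TryGetById is added to a list whose comment reads "These do clobber memory, but nothing that is observable", which is hard to square with the rest of this commit. The log message argues that TryGetById can do the same things GetById does, including reifying lazy properties, and the abstract interpreter now calls clobberWorld() for it. If the node is being treated as able to do everything GetById does, explain in a comment why its effects still do not count as observable for exit state, or leave it out of this list so the three files agree.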