Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 34e32f7614d691d6bf29ac7e30678728e052cc07
      
https://github.com/WebKit/WebKit/commit/34e32f7614d691d6bf29ac7e30678728e052cc07
  Author: Yusuke Suzuki <ysuz...@apple.com>
  Date:   2023-02-23 (Thu, 23 Feb 2023)

  Changed paths:
    A JSTests/stress/bound-function-tail-call.js
    M Source/JavaScriptCore/bytecode/InlineCallFrame.cpp
    M Source/JavaScriptCore/bytecode/InlineCallFrame.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/runtime/JSBoundFunction.cpp

  Log Message:
  -----------
  [JSC] Bound function should propagate tail-call information
https://bugs.webkit.org/show_bug.cgi?id=252726
rdar://105763999

Reviewed by Justin Michaud.

When a bound function is called in a tail-call form and DFG inlines it,
we should make it a bound-function-tail-call. Otherwise, when reconstructing
frames on OSR exit, we accidentally compute the wrong frame (the bound function's
return place gets its frame while it is doing a tail-call).
The attached program is doing,

    entry -call-> test4 -tail-call-> test3 -tail-call-> bound function -call-> test2 (OSR exit)

And DFG wipes the bound function and makes it,

    entry -call-> test4 -tail-call-> test3 -bound-function-tail-call-> test2
                  [              one DFG function                           ]

Then, the reconstructed frame on OSR exit should be

    entry -call-> test2

since test2 should return to entry (test4, test3 are tail calls, and bound 
function is completely inlined and diminished).

We also fix the bound function's construct's newTarget computation (which caused
test262 failures).

* JSTests/stress/bound-function-tail-call.js: Added.
(shouldBe):
(entry.test):
(entry.test2):
(entry.test3):
(entry.test4):
(entry):
* Source/JavaScriptCore/bytecode/InlineCallFrame.cpp:
(WTF::printInternal):
* Source/JavaScriptCore/bytecode/InlineCallFrame.h:
(JSC::InlineCallFrame::callModeFor):
(JSC::InlineCallFrame::specializationKindFor):
(JSC::InlineCallFrame::isTail):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/runtime/JSBoundFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/260733@main


_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
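The call shape the commit message describes, written out as a stand-alone strict-mode regression harness. This is an added illustration, not the JSTests/stress/bound-function-tail-call.js file from the commit: the function names mirror the ones listed in the ChangeLog, but their bodies, the iteration count and the type-change inputs used to provoke a deoptimization are assumptions.

```javascript
"use strict"; // proper tail calls in JavaScriptCore require strict mode

// Innermost callee. In the scenario from the commit message this is the
// frame that OSR-exits once the optimized code sees an unexpected type.
function test2(x) {
  return x + 1;
}

// Target of the bound function. test2 is called in a NON-tail position,
// so this frame must survive and be reconstructed correctly on OSR exit.
function test(x) {
  let r = test2(x);
  return r;
}
const bound = test.bind(null);

// test3 and test4 both call in tail position: their frames are replaced
// by the callee's, which is why the reconstructed chain should end up as
// "entry -call-> test2" once the bound function is inlined.
function test3(x) {
  return bound(x); // tail call into the bound function
}
function test4(x) {
  return test3(x); // tail call into test3
}

function entry(x) {
  return test4(x);
}

function shouldBe(actual, expected) {
  if (actual !== expected)
    throw new Error(`bad value: ${actual}, expected ${expected}`);
}

// Warm up with int32 arguments so a tiering JIT compiles and inlines the
// chain, then change the argument type so the optimized test2 has to bail
// out. Whatever tier runs, the result must flow all the way back to entry.
function run(iterations = 100000) {
  for (let i = 0; i < iterations; ++i)
    shouldBe(entry(i), i + 1);
  shouldBe(entry(1.5), 2.5);   // double instead of int32 (assumed trigger)
  shouldBe(entry("a"), "a1");  // string: a further speculation failure
  return "ok";
}

run();
```

Run under the jsc shell the chain is inlined by the DFG; under Node there are no proper tail calls, so the script only checks the values and ordinary call behaviour.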