Title: [197323] releases/WebKitGTK/webkit-2.12/Source/_javascript_Core
Revision: 197323
Author: carlo...@webkit.org
Date: 2016-02-29 01:53:38 -0800 (Mon, 29 Feb 2016)

Log Message

Merge r197155 - [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
https://bugs.webkit.org/show_bug.cgi?id=154664

Reviewed by Saam Barati.

When doing OSR Enter into a constructor, we lose the information
that this may have been set to empty by a previously executed block.

All the code just assumed the type for a FlushedJS value and thus
not an empty value. It was then okay to eliminate the TDZ checks.

In this patch, the values on root entry now assume they may be empty.
As a result, the SetArgument() for "this" has "empty" as possible
type and the TDZ checks are no longer eliminated.

* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):

[JSC] Add the test for r197155
https://bugs.webkit.org/show_bug.cgi?id=154715

Reviewed by Mark Lam.

Silly me. I forgot the test in the latest patch update.

* tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.

Modified Paths

Added Paths

Diff

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog (197322 => 197323)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog	2016-02-29 09:45:16 UTC (rev 197322)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog	2016-02-29 09:53:38 UTC (rev 197323)
@@ -1,3 +1,34 @@
+2016-02-26  Benjamin Poulain  <benja...@webkit.org>
+
+        [JSC] Add the test for r197155
+        https://bugs.webkit.org/show_bug.cgi?id=154715
+
+        Reviewed by Mark Lam.
+
+        Silly me. I forgot the test in the latest patch update.
+
+        * tests/stress/class-syntax-tdz-osr-entry-in-loop.js: Added.
+
+2016-02-25  Benjamin Poulain  <benja...@webkit.org>
+
+        [JSC] Temporal Dead Zone checks on "this" are eliminated when doing OSR Entry to FTL
+        https://bugs.webkit.org/show_bug.cgi?id=154664
+
+        Reviewed by Saam Barati.
+
+        When doing OSR Enter into a constructor, we lose the information
+        that this may have been set to empty by a previously executed block.
+
+        All the code just assumed the type for a FlushedJS value and thus
+        not an empty value. It was then okay to eliminate the TDZ checks.
+
+        In this patch, the values on root entry now assume they may be empty.
+        As a result, the SetArgument() for "this" has "empty" as possible
+        type and the TDZ checks are no longer eliminated.
+
+        * dfg/DFGInPlaceAbstractState.cpp:
+        (JSC::DFG::InPlaceAbstractState::initialize):
+
 2016-02-25  Benjamin Poulain  <bpoul...@apple.com>
 
         [JSC] Remove a useless "Move" in the lowering of Select
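Review bot: The new 2016-02-25 entry explains the fix in terms of root-entry values "assuming they may be empty" but never names the concrete change, which is the FlushedJSValue argument going from makeHeapTop() to makeBytecodeTop() in DFGInPlaceAbstractState::initialize; one sentence saying that BytecodeTop (unlike HeapTop) includes the empty value would let a reader map the rationale to the one-line diff. The 2016-02-26 entry correctly records the test as Added, so it needs no change.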

Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp (197322 => 197323)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp	2016-02-29 09:45:16 UTC (rev 197322)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.cpp	2016-02-29 09:53:38 UTC (rev 197323)
@@ -121,7 +121,7 @@
             root->valuesAtHead.argument(i).setType(m_graph, SpecCell);
             break;
         case FlushedJSValue:
-            root->valuesAtHead.argument(i).makeHeapTop();
+            root->valuesAtHead.argument(i).makeBytecodeTop();
             break;
         default:
             DFG_CRASH(m_graph, nullptr, "Bad flush format for argument");
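Review bot: The switch from makeHeapTop() to makeBytecodeTop() in the FlushedJSValue case is the entire fix, and nothing at the call site says why the less precise lattice value is required; a short comment noting that a FlushedJSValue argument (in particular "this" in a derived constructor, per the ChangeLog) can still be the empty value at OSR entry, so HeapTop would let the TDZ check be eliminated, would keep someone from tightening it back to HeapTop later for precision. Also worth confirming in review that the FlushedCell case two lines above, which stays at SpecCell and therefore excludes empty, can never be the flush format chosen for a "this" that is still in its temporal dead zone.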

Added: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/tests/stress/class-syntax-tdz-osr-entry-in-loop.js (0 => 197323)


--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/tests/stress/class-syntax-tdz-osr-entry-in-loop.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/tests/stress/class-syntax-tdz-osr-entry-in-loop.js	2016-02-29 09:53:38 UTC (rev 197323)
@@ -0,0 +1,58 @@
+
+class A {
+    constructor() { }
+}
+
+class B extends A {
+    constructor(iterationCount) {
+        let values = [];
+
+        for (let i = 2; i < iterationCount; ++i) {
+            // Let's keep the loop busy.
+            let divided = false;
+            for (let j = i - 1; j > 1; --j) {
+                if (!(i % j)) {
+                    divided = true;
+                    break;
+                }
+            }
+            if (!divided)
+                values.push(i);
+
+            if (!(i % (iterationCount - 2)))
+                print(this);
+            else if (values.length == iterationCount)
+                super(values);
+        }
+    }
+}
+
+noInline(B);
+
+// Small warm up with small iteration count. Try to get to DFG.
+for (var i = 0; i < 30; ++i) {
+    var exception = null;
+    try {
+        new B(10);
+    } catch (e) {
+        exception = e;
+        if (!(e instanceof ReferenceError))
+            throw "Exception thrown in iteration " + i + " was not a reference error";
+    }
+    if (!exception)
+        throw "Exception not thrown for an unitialized this at iteration " + i;
+}
+
+// Now try to go to FTL in the constructor.
+for (var i = 0; i < 2; ++i) {
+    var exception = null;
+    try {
+        new B(7e3);
+    } catch (e) {
+        exception = e;
+        if (!(e instanceof ReferenceError))
+            throw "Exception thrown in iteration " + i + " was not a reference error";
+    }
+    if (!exception)
+        throw "Exception not thrown for an unitialized this at iteration " + i;
+}
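Review bot: The two throw messages spell "unitialized" (should be "uninitialized"); since these strings are what a failing run prints, fixing them before landing would help triage. Separately, `values` only ever receives the primes in [2, iterationCount), so `values.length == iterationCount` can never hold and `super(values)` is unreachable; this appears deliberate, because it guarantees `this` is still in its TDZ when `print(this)` runs at i == iterationCount - 2 (i = 8 for the DFG warm-up, i = 6998 for the FTL run), but a comment stating that the super() branch is intentionally dead would make the test's intent clear to the next person who edits it. Note also that `print` and `noInline` are JSC shell builtins, which is fine for tests/stress but means the file is not runnable in a browser.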