Modified: trunk/Source/_javascript_Core/ChangeLog (199782 => 199783)
--- trunk/Source/_javascript_Core/ChangeLog 2016-04-20 20:21:21 UTC (rev 199782)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-04-20 20:31:21 UTC (rev 199783)
@@ -1,3 +1,30 @@
+2016-04-20 Michael Saboff <msab...@apple.com>
+
+ REGRESSION(r190289): Spin trying to view/sign in to hbogo.com
+ https://bugs.webkit.org/show_bug.cgi?id=156765
+
+ Reviewed by Saam Barati.
+
+ In the op_get_by_val case, we were holding the lock on a profiled CodeBlock
+ when we call into handleGetById(). Changed to drop the lock before calling
+ handleGetById().
+
+ The bug here was that the call to handleGetById() may end up calling in to
+ getPredictionWithoutOSRExit() for a tail call opcode. As part of that
+ processing, we walk back up the stack to find the effective caller and when
+ found, we lock the corresponding CodeBlock to get the predicition.
+ That CodeBLock may be the same one locked above. There is no need anyway
+ to hold the CodeBlock lock when calling handleGetById().
+
+ Added a new stress test.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+ * tests/stress/regress-156765.js: Added.
+ (realValue):
+ (object.get hello):
+ (ok):
+
2016-04-20 Mark Lam <mark....@apple.com>
Unindent an unnecessary block in stringProtoFuncSplitFast().
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (199782 => 199783)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2016-04-20 20:21:21 UTC (rev 199782)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2016-04-20 20:31:21 UTC (rev 199783)
@@ -3888,6 +3888,8 @@
Node* base = get(VirtualRegister(currentInstruction[2].u.operand));
Node* property = get(VirtualRegister(currentInstruction[3].u.operand));
bool compiledAsGetById = false;
+ GetByIdStatus getByIdStatus;
+ unsigned identifierNumber = 0;
{
ConcurrentJITLocker locker(m_inlineStackTop->m_profiledBlock->m_lock);
ByValInfo* byValInfo = m_inlineStackTop->m_byValInfos.get(CodeOrigin(currentCodeOrigin().bytecodeIndex));
@@ -3895,20 +3897,20 @@
// At that time, there is no information.
if (byValInfo && byValInfo->stubInfo && !byValInfo->tookSlowPath && !m_inlineStackTop->m_exitProfile.hasExitSite(m_currentIndex, BadIdent)) {
compiledAsGetById = true;
- unsigned identifierNumber = m_graph.identifiers().ensure(byValInfo->cachedId.impl());
+ identifierNumber = m_graph.identifiers().ensure(byValInfo->cachedId.impl());
UniquedStringImpl* uid = m_graph.identifiers()[identifierNumber];
addToGraph(CheckIdent, OpInfo(uid), property);
- GetByIdStatus getByIdStatus = GetByIdStatus::computeForStubInfo(
+ getByIdStatus = GetByIdStatus::computeForStubInfo(
locker, m_inlineStackTop->m_profiledBlock,
byValInfo->stubInfo, currentCodeOrigin(), uid);
-
- handleGetById(currentInstruction[1].u.operand, prediction, base, identifierNumber, getByIdStatus, AccessType::Get);
}
}
- if (!compiledAsGetById) {
+ if (compiledAsGetById)
+ handleGetById(currentInstruction[1].u.operand, prediction, base, identifierNumber, getByIdStatus, AccessType::Get);
+ else {
ArrayMode arrayMode = getArrayMode(currentInstruction[4].u.arrayProfile, Array::Read);
Node* getByVal = addToGraph(GetByVal, OpInfo(arrayMode.asWord()), OpInfo(prediction), base, property);
m_exitOK = false; // GetByVal must be treated as if it clobbers exit state, since FixupPhase may make it generic.
Added: trunk/Source/_javascript_Core/tests/stress/regress-156765.js (0 => 199783)
--- trunk/Source/_javascript_Core/tests/stress/regress-156765.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/regress-156765.js 2016-04-20 20:31:21 UTC (rev 199783)
@@ -0,0 +1,27 @@
+// Regression test for https://webkit.org/b/156765. This test should not hang.
+
+"use strict";
+
+let forty = 40;
+
+function realValue()
+{
+ return forty + 2;
+}
+
+var object = {
+ get hello() {
+ return realValue();
+ }
+};
+
+function ok() {
+ var value = 'hello';
+ if (object[value] + 20 !== 62)
+ throw new Error();
+}
+
+noInline(ok);
+
+for (var i = 0; i < 100000; ++i)
+ ok();
