Changeset 228638 in webkit
- Timestamp:
- Feb 19, 2018 2:47:07 AM (6 years ago)
- Location:
- releases/WebKitGTK/webkit-2.20
- Files:
-
- 1 added
- 7 edited
releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog
r228047 r228638 1 2018-02-06 Keith Miller <keith_miller@apple.com> 2 3 put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object 4 https://bugs.webkit.org/show_bug.cgi?id=182549 5 <rdar://problem/36189995> 6 7 Reviewed by Saam Barati. 8 9 * stress/var-injection-cache-invalidation.js: Added. 10 (allocateLotsOfThings): 11 (test): 12 1 13 2018-02-03 Yusuke Suzuki <utatane.tea@gmail.com> 2 14 -
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/ChangeLog
r228633 r228638 1 2018-02-06 Keith Miller <keith_miller@apple.com> 2 3 put_to_scope/get_from_scope should not cache lexical scopes when expecting a global object 4 https://bugs.webkit.org/show_bug.cgi?id=182549 5 <rdar://problem/36189995> 6 7 Reviewed by Saam Barati. 8 9 Previously, the llint/baseline caching for put_to_scope and 10 get_from_scope would cache lexical environments when the 11 varInjectionWatchpoint had been fired for global properties. Code 12 in the DFG does not follow this same assumption so we could 13 potentially return the wrong result. Additionally, the baseline 14 would write barrier the global object rather than the lexical 15 enviroment object. This patch makes it so that we do not cache 16 anything other than the global object for when the resolve type is 17 GlobalPropertyWithVarInjectionChecks or GlobalProperty. 18 19 * assembler/MacroAssembler.cpp: 20 (JSC::MacroAssembler::jitAssert): 21 * assembler/MacroAssembler.h: 22 * jit/JITPropertyAccess.cpp: 23 (JSC::JIT::emit_op_get_from_scope): 24 (JSC::JIT::emit_op_put_to_scope): 25 * runtime/CommonSlowPaths.h: 26 (JSC::CommonSlowPaths::tryCachePutToScopeGlobal): 27 (JSC::CommonSlowPaths::tryCacheGetFromScopeGlobal): 28 * runtime/Options.h: 29 1 30 2018-02-11 Guillaume Emont <guijemont@igalia.com> 2 31 -
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/assembler/MacroAssembler.cpp
r222871 r228638 29 29 #if ENABLE(ASSEMBLER) 30 30 31 #include "Options.h" 31 32 #include "ProbeContext.h" 32 33 #include <wtf/PrintStream.h> 34 #include <wtf/ScopedLambda.h> 33 35 34 36 namespace JSC { 35 37 36 38 const double MacroAssembler::twoToThe32 = (double)0x100000000ull; 39 40 void MacroAssembler::jitAssert(const ScopedLambda<Jump(void)>& functor) 41 { 42 if (Options::enableJITDebugAssetions()) { 43 Jump passed = functor(); 44 breakpoint(); 45 passed.link(this); 46 } 47 } 37 48 38 49 #if ENABLE(MASM_PROBE) -
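Review bot: `MacroAssembler::jitAssert` invokes the lambda only inside the `Options::enableJITDebugAssetions()` branch, so neither the check nor any code the lambda emits exists when the option is off, which per the Options.h default (`!ASSERT_DISABLED`) is every release build. A failed check traps with a bare `breakpoint()`, so a hit in the field would be indistinguishable from any other trap in JIT'd code; if the assembler already has an abort-with-reason helper, routing the failure through it would make the crash report self-describing. The definition carries no comment at all; I would add `// Debug-only: emits functor()'s jump (taken when the condition holds) followed by a trap. Nothing is emitted when the option is off, so callers must not rely on the lambda's side effects.` above it.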
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/assembler/MacroAssembler.h
r227643 r228638 61 61 62 62 #include "MacroAssemblerHelpers.h" 63 64 namespace WTF { 65 66 template<typename FunctionType> 67 class ScopedLambda; 68 69 } // namespace WTF 63 70 64 71 namespace JSC { … … 1884 1891 urshift32(src, trustedImm32ForShift(amount), dest); 1885 1892 } 1893 1894 // If the result jump is taken that means the assert passed. 1895 void jitAssert(const WTF::ScopedLambda<Jump(void)>&); 1886 1896 1887 1897 #if ENABLE(MASM_PROBE) -
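Review bot: The comment on the new `jitAssert` declaration documents the jump polarity but not the part of the contract callers can get wrong: the lambda runs only when `Options::enableJITDebugAssetions()` is on (see the definition in MacroAssembler.cpp), so it must emit nothing the surrounding code depends on and should presumably leave registers untouched. I would expand the one-liner to `// Debug-only assertion helper. The lambda emits a branch that is TAKEN when the asserted condition holds; falling through hits a breakpoint. When Options::enableJITDebugAssetions() is off the lambda is never invoked, so it must be side-effect free with respect to the emitted code.`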
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
r227874 r228638 44 44 #include "SlowPathCall.h" 45 45 #include "StructureStubInfo.h" 46 #include <wtf/ScopedLambda.h> 46 47 #include <wtf/StringPrintStream.h> 47 48 … … 858 859 case GlobalProperty: 859 860 case GlobalPropertyWithVarInjectionChecks: { 860 emitLoadWithStructureCheck(scope, structureSlot); // Structure check covers var injection .861 emitLoadWithStructureCheck(scope, structureSlot); // Structure check covers var injection since we don't cache structures for anything but the GlobalObject. Additionally, resolve_scope handles checking for the var injection. 861 862 GPRReg base = regT0; 862 863 GPRReg result = regT0; 863 864 GPRReg offset = regT1; 864 865 GPRReg scratch = regT2; 865 866 867 jitAssert(scopedLambda<Jump(void)>([&] () -> Jump { 868 return branchPtr(Equal, base, TrustedImmPtr(m_codeBlock->globalObject())); 869 })); 870 866 871 load32(operandSlot, offset); 867 872 if (!ASSERT_DISABLED) { … … 986 991 case GlobalProperty: 987 992 case GlobalPropertyWithVarInjectionChecks: { 988 emitLoadWithStructureCheck(scope, structureSlot); // Structure check covers var injection .993 emitLoadWithStructureCheck(scope, structureSlot); // Structure check covers var injection since we don't cache structures for anything but the GlobalObject. Additionally, resolve_scope handles checking for the var injection. 989 994 emitGetVirtualRegister(value, regT2); 990 995 996 jitAssert(scopedLambda<Jump(void)>([&] () -> Jump { 997 return branchPtr(Equal, regT0, TrustedImmPtr(m_codeBlock->globalObject())); 998 })); 999 991 1000 loadPtr(Address(regT0, JSObject::butterflyOffset()), regT0); 992 1001 loadPtr(operandSlot, regT1); -
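Review bot: The `jitAssert` calls added to emit_op_get_from_scope and emit_op_put_to_scope are debug-only (the option defaults to `!ASSERT_DISABLED`), so in release builds nothing in this file verifies that regT0 holds the global object; the guarantee rests entirely on tryCachePutToScopeGlobal/tryCacheGetFromScopeGlobal refusing to cache any other scope, with the structure check in `emitLoadWithStructureCheck` as the runtime gate. That dependency should be stated next to the assert so a future edit to the slow-path caching condition is recognised as a JIT-safety change, e.g. `// Debug-only: the real invariant is enforced by CommonSlowPaths::tryCache*ScopeGlobal, which caches only the global object's structure for these resolve types.` The two-sentence comment appended to the `emitLoadWithStructureCheck` lines also runs well past 200 columns; moving it onto its own lines above the call would match the rest of the file. Both functions start and end outside the hunk.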
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/CommonSlowPaths.h
r226310 r228638 139 139 140 140 if (resolveType == GlobalProperty || resolveType == GlobalPropertyWithVarInjectionChecks) { 141 JSGlobalObject* globalObject = codeBlock->globalObject(); 142 ASSERT(globalObject == scope || globalObject->varInjectionWatchpoint()->hasBeenInvalidated()); 141 143 if (!slot.isCacheablePut() 142 144 || slot.base() != scope 145 || scope != globalObject 143 146 || !scope->structure()->propertyAccessesAreCacheable()) 144 147 return; … … 184 187 185 188 // Covers implicit globals. Since they don't exist until they first execute, we didn't know how to cache them at compile time. 186 if (slot.isCacheableValue() && slot.slotBase() == scope && scope->structure()->propertyAccessesAreCacheable()) { 187 if (resolveType == GlobalProperty || resolveType == GlobalPropertyWithVarInjectionChecks) { 188 CodeBlock* codeBlock = exec->codeBlock(); 189 if (resolveType == GlobalProperty || resolveType == GlobalPropertyWithVarInjectionChecks) { 190 CodeBlock* codeBlock = exec->codeBlock(); 191 JSGlobalObject* globalObject = codeBlock->globalObject(); 192 ASSERT(scope == globalObject || globalObject->varInjectionWatchpoint()->hasBeenInvalidated()); 193 if (slot.isCacheableValue() && slot.slotBase() == scope && scope == globalObject && scope->structure()->propertyAccessesAreCacheable()) { 189 194 Structure* structure = scope->structure(vm); 190 195 { -
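Review bot: In tryCachePutToScopeGlobal the new `scope != globalObject` test is the defining condition for these resolve types, yet it sits third in the `if`, after `!slot.isCacheablePut()` and `slot.base() != scope`; making it the first clause states the intent up front and is the cheapest comparison. The same condition is spelled positively in tryCacheGetFromScopeGlobal (`scope == globalObject` inside a longer conjunction), so a one-line comment on both would help the next reader: `// Only the global object's structure may be cached here; the DFG assumes these resolve types never see a lexical environment, even after the var-injection watchpoint has fired.` The added `ASSERT`s are debug-only, so in release an unexpected scope is simply not cached, which is the fail-safe outcome. Both functions begin outside the hunk.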
releases/WebKitGTK/webkit-2.20/Source/JavaScriptCore/runtime/Options.h
r227617 r228638 251 251 v(bool, ftlCrashes, false, Normal, nullptr) /* fool-proof way of checking that you ended up in the FTL. ;-) */\ 252 252 v(bool, clobberAllRegsInFTLICSlowPath, !ASSERT_DISABLED, Normal, nullptr) \ 253 v(bool, enableJITDebugAssetions, !ASSERT_DISABLED, Normal, nullptr) \ 253 254 v(bool, useAccessInlining, true, Normal, nullptr) \ 254 255 v(unsigned, maxAccessVariantListSize, 8, Normal, nullptr) \
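Review bot: The new option is named `enableJITDebugAssetions` — "Assetions" for "Assertions" — and the same spelling is used by `Options::enableJITDebugAssetions()` in MacroAssembler.cpp, so the typo becomes the user-visible option string and gets harder to rename once scripts and test harnesses depend on it. Fix it in both places before it ships: `v(bool, enableJITDebugAssertions, !ASSERT_DISABLED, Normal, nullptr) \`. The neighbouring `ftlCrashes` entry shows the file's convention of a trailing `/* ... */` note; one such as `/* emit jitAssert() checks into JIT code; trap on failure */` would document what flipping the flag does.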