Changeset 200177 in webkit

Timestamp:

Apr 27, 2016, 11:54:54 PM (9 years ago)

Author:

mark.lam@apple.com

Message:

The GetterSetter structure needs a globalObject.
​https://bugs.webkit.org/show_bug.cgi?id=157120

Reviewed by Filip Pizlo.

In r199170: <​http://trac.webkit.org/r199170>, GetterSetter was promoted from
being a JSCell to a JSObject. JSObject methods expect their structure to have a
globalObject. For example, see JSObject::calculatedClassName(). GetterSetter
was previously using a singleton getterSetterStructure owned by the VM. That
singleton getterSetterStructure is not associated with any globalObjects. As a
result, JSObject::calculatedClassName() will run into a null globalObject when it
is called on a GetterSetter object.

This patch removes the VM singleton getterSetterStructure, and instead, creates
a getterSetterStructure for each JSGlobalObject.

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGStructureRegistrationPhase.cpp:

(JSC::DFG::StructureRegistrationPhase::run):

• runtime/GetterSetter.h:
• runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren):

• runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::functionStructure):
(JSC::JSGlobalObject::boundFunctionStructure):
(JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
(JSC::JSGlobalObject::getterSetterStructure):
(JSC::JSGlobalObject::nativeStdFunctionStructure):
(JSC::JSGlobalObject::namedFunctionStructure):
(JSC::JSGlobalObject::functionNameOffset):

• runtime/VM.cpp:

(JSC::VM::VM):

• runtime/VM.h:

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• dfg/DFGStructureRegistrationPhase.cpp (modified) (2 diffs)
• runtime/GetterSetter.h (modified) (1 diff)
• runtime/JSGlobalObject.cpp (modified) (2 diffs)
• runtime/JSGlobalObject.h (modified) (2 diffs)
• runtime/VM.cpp (modified) (1 diff)
• runtime/VM.h (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-04-27  Mark Lam  <mark.lam@apple.com>
+
+        The GetterSetter structure needs a globalObject.
+        https://bugs.webkit.org/show_bug.cgi?id=157120
+
+        Reviewed by Filip Pizlo.
+
+        In r199170: <http://trac.webkit.org/r199170>, GetterSetter was promoted from
+        being a JSCell to a JSObject.  JSObject methods expect their structure to have a
+        globalObject.  For example, see JSObject::calculatedClassName().  GetterSetter
+        was previously using a singleton getterSetterStructure owned by the VM.  That
+        singleton getterSetterStructure is not associated with any globalObjects.  As a
+        result, JSObject::calculatedClassName() will run into a null globalObject when it
+        is called on a GetterSetter object.
+
+        This patch removes the VM singleton getterSetterStructure, and instead, creates
+        a getterSetterStructure for each JSGlobalObject.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGStructureRegistrationPhase.cpp:
+        (JSC::DFG::StructureRegistrationPhase::run):
+        * runtime/GetterSetter.h:
+        * runtime/JSGlobalObject.cpp:
+        (JSC::JSGlobalObject::init):
+        (JSC::JSGlobalObject::visitChildren):
+        * runtime/JSGlobalObject.h:
+        (JSC::JSGlobalObject::functionStructure):
+        (JSC::JSGlobalObject::boundFunctionStructure):
+        (JSC::JSGlobalObject::boundSlotBaseFunctionStructure):
+        (JSC::JSGlobalObject::getterSetterStructure):
+        (JSC::JSGlobalObject::nativeStdFunctionStructure):
+        (JSC::JSGlobalObject::namedFunctionStructure):
+        (JSC::JSGlobalObject::functionNameOffset):
+        * runtime/VM.cpp:
+        (JSC::VM::VM):
+        * runtime/VM.h:
+
 2016-04-27  Keith Miller  <keith_miller@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -2372 +2372 @@
         }
         
-        forNode(node).set(m_graph, m_graph.m_vm.getterSetterStructure.get());
+        forNode(node).set(m_graph, m_graph.globalObjectFor(node->origin.semantic)->getterSetterStructure());
         break;
     }

trunk/Source/JavaScriptCore/dfg/DFGStructureRegistrationPhase.cpp

@@ -63 +63 @@
         registerStructure(m_graph.m_vm.stringStructure.get());
         registerStructure(m_graph.m_vm.symbolStructure.get());
-        registerStructure(m_graph.m_vm.getterSetterStructure.get());
         
         for (FrozenValue* value : m_graph.m_frozenValues)
@@ -93 +92 @@
                     registerStructure(node->transition()->next);
                     break;
-                    
+
+                case GetGetterSetterByOffset:
+                    registerStructure(m_graph.globalObjectFor(node->origin.semantic)->getterSetterStructure());
+                    break;
+
                 case MultiGetByOffset:
                     for (const MultiGetByOffsetCase& getCase : node->multiGetByOffsetData().cases)

trunk/Source/JavaScriptCore/runtime/GetterSetter.h

@@ -47 +47 @@
 private:
     GetterSetter(VM& vm, JSGlobalObject* globalObject)
-        : Base(vm, vm.getterSetterStructure.get())
+        : Base(vm, globalObject->getterSetterStructure())
     {
         m_getter.set(vm, this, globalObject->nullGetterFunction());

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.cpp

@@ -295 +295 @@
     m_boundSlotBaseFunctionStructure.set(vm, this, JSBoundSlotBaseFunction::createStructure(vm, this, m_functionPrototype.get()));
     m_boundFunctionStructure.set(vm, this, JSBoundFunction::createStructure(vm, this, m_functionPrototype.get()));
+    m_getterSetterStructure.set(vm, this, GetterSetter::createStructure(vm, this, jsNull()));
     m_nativeStdFunctionStructure.set(vm, this, JSNativeStdFunction::createStructure(vm, this, m_functionPrototype.get()));
     m_namedFunctionStructure.set(vm, this, Structure::addPropertyTransition(vm, m_functionStructure.get(), vm.propertyNames->name, DontDelete | ReadOnly | DontEnum, m_functionNameOffset));
@@ -977 +978 @@
     visitor.append(&thisObject->m_boundSlotBaseFunctionStructure);
     visitor.append(&thisObject->m_boundFunctionStructure);
+    visitor.append(&thisObject->m_getterSetterStructure);
     visitor.append(&thisObject->m_nativeStdFunctionStructure);
     visitor.append(&thisObject->m_namedFunctionStructure);

trunk/Source/JavaScriptCore/runtime/JSGlobalObject.h

@@ -274 +274 @@
     WriteBarrier<Structure> m_boundFunctionStructure;
     WriteBarrier<Structure> m_boundSlotBaseFunctionStructure;
+    WriteBarrier<Structure> m_getterSetterStructure;
     WriteBarrier<Structure> m_nativeStdFunctionStructure;
     WriteBarrier<Structure> m_namedFunctionStructure;
@@ -532 +533 @@
     Structure* boundFunctionStructure() const { return m_boundFunctionStructure.get(); }
     Structure* boundSlotBaseFunctionStructure() const { return m_boundSlotBaseFunctionStructure.get(); }
+    Structure* getterSetterStructure() const { return m_getterSetterStructure.get(); }
     Structure* nativeStdFunctionStructure() const { return m_nativeStdFunctionStructure.get(); }
     Structure* namedFunctionStructure() const { return m_namedFunctionStructure.get(); }

trunk/Source/JavaScriptCore/runtime/VM.cpp

@@ -218 +218 @@
     stringStructure.set(*this, JSString::createStructure(*this, 0, jsNull()));
     propertyNameEnumeratorStructure.set(*this, JSPropertyNameEnumerator::createStructure(*this, 0, jsNull()));
-    getterSetterStructure.set(*this, GetterSetter::createStructure(*this, 0, jsNull()));
     customGetterSetterStructure.set(*this, CustomGetterSetter::createStructure(*this, 0, jsNull()));
     scopedArgumentsTableStructure.set(*this, ScopedArgumentsTable::createStructure(*this, 0, jsNull()));

trunk/Source/JavaScriptCore/runtime/VM.h

@@ -289 +289 @@
     Strong<Structure> propertyNameIteratorStructure;
     Strong<Structure> propertyNameEnumeratorStructure;
-    Strong<Structure> getterSetterStructure;
     Strong<Structure> customGetterSetterStructure;
     Strong<Structure> scopedArgumentsTableStructure;