Changeset 233253 in webkit
- Timestamp:
- Jun 27, 2018, 4:19:46 AM (7 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 3 edited
trunk/JSTests/ChangeLog
r233252 r233253 1 2018-06-27 Mark Lam <mark.lam@apple.com> 2 3 DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties. 4 https://bugs.webkit.org/show_bug.cgi?id=187091 5 <rdar://problem/41395624> 6 7 Reviewed by Yusuke Suzuki. 8 9 * stress/regress-187091.js: Added. 10 1 11 2018-06-27 Yusuke Suzuki <utatane.tea@gmail.com> 2 12 -
trunk/Source/JavaScriptCore/ChangeLog
r233252 r233253 1 2018-06-27 Mark Lam <mark.lam@apple.com> 2 3 DFG's compileReallocatePropertyStorage() and compileAllocatePropertyStorage() slow paths should also clear unused properties. 4 https://bugs.webkit.org/show_bug.cgi?id=187091 5 <rdar://problem/41395624> 6 7 Reviewed by Yusuke Suzuki. 8 9 Previously, when compileReallocatePropertyStorage() and compileAllocatePropertyStorage() 10 take their slow paths, the slow path would jump back to the fast path right after 11 the emitted code which clears the unused property values. As a result, the 12 unused properties are not initialized. We've fixed this by adding the slow path 13 generators before we emit the code to clear the unused properties. 14 15 * dfg/DFGSpeculativeJIT.cpp: 16 (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage): 17 (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage): 18 1 19 2018-06-27 Yusuke Suzuki <utatane.tea@gmail.com> 2 20 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
r232461 r233253 8937 8937 m_jit.emitAllocate(scratchGPR1, JITAllocator::constant(allocator), scratchGPR2, scratchGPR3, slowPath); 8938 8938 m_jit.addPtr(JITCompiler::TrustedImm32(size + sizeof(IndexingHeader)), scratchGPR1); 8939 8939 8940 addSlowPathGenerator( 8941 slowPathCall(slowPath, this, operationAllocateSimplePropertyStorageWithInitialCapacity, scratchGPR1)); 8942 8940 8943 for (ptrdiff_t offset = 0; offset < static_cast<ptrdiff_t>(size); offset += sizeof(void*)) 8941 8944 m_jit.storePtr(TrustedImmPtr(nullptr), JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*)))); 8942 8943 addSlowPathGenerator(8944 slowPathCall(slowPath, this, operationAllocateSimplePropertyStorageWithInitialCapacity, scratchGPR1));8945 8945 8946 8946 storageResult(scratchGPR1, node); … … 8974 8974 GPRTemporary scratch2(this); 8975 8975 GPRTemporary scratch3(this); 8976 8976 8977 8977 GPRReg oldStorageGPR = oldStorage.gpr(); 8978 8978 GPRReg scratchGPR1 = scratch1.gpr(); … … 8984 8984 8985 8985 m_jit.addPtr(JITCompiler::TrustedImm32(newSize + sizeof(IndexingHeader)), scratchGPR1); 8986 8986 8987 addSlowPathGenerator( 8988 slowPathCall(slowPath, this, operationAllocateSimplePropertyStorage, scratchGPR1, newSize / sizeof(JSValue))); 8989 8987 8990 for (ptrdiff_t offset = oldSize; offset < static_cast<ptrdiff_t>(newSize); offset += sizeof(void*)) 8988 8991 m_jit.storePtr(TrustedImmPtr(nullptr), JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*)))); 8989 8990 addSlowPathGenerator(8991 slowPathCall(slowPath, this, operationAllocateSimplePropertyStorage, scratchGPR1, newSize / sizeof(JSValue)));8992 8992 8993 8993 // We have scratchGPR1 = new storage, scratchGPR2 = scratch … … 8996 8996 m_jit.storePtr(scratchGPR2, JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*)))); 8997 8997 } 8998 8998 8999 8999 storageResult(scratchGPR1, node); 9000 9000 }
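Review bot: The position of `addSlowPathGenerator(...)` ahead of the nulling loop in compileAllocatePropertyStorage is now what makes the fix work, yet nothing in the code records that, so a later tidy-up could move the call back below the loop and silently reintroduce the bug. Going by the ChangeLog, the slow path rejoins the fast path at the point where the generator is added, so storage returned by the slow-path call only gets its unused slots cleared if the loop is emitted after that point. I would add a comment above the call, for example `// Must precede the clearing loop: the slow path rejoins here, and its storage needs the unused slots nulled too.` The same comment belongs above the moved call in compileReallocatePropertyStorage, where the loop starts at `oldSize`. Both function bodies begin outside the visible hunks, so I cannot tell whether other allocation paths in this file depend on the same ordering; that is worth checking, since uninitialized property slots would presumably be read as stale values.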