Changeset 240917 in webkit


Timestamp:
Feb 4, 2019, 12:15:46 AM (6 years ago)
Author:
mark.lam@apple.com
Message:

DFG's doesGC() is incorrect about the SameValue node's behavior.
https://bugs.webkit.org/show_bug.cgi?id=194211
<rdar://problem/47608913>

Reviewed by Saam Barati.

Only the DoubleRepUse case is guaranteed to not GC. The other case may GC because
it calls operationSameValue() which may allocate memory for resolving ropes.

  • dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r240915 r240917  
     12019-02-04  Mark Lam  <mark.lam@apple.com>
     2
     3        DFG's doesGC() is incorrect about the SameValue node's behavior.
     4        https://bugs.webkit.org/show_bug.cgi?id=194211
     5        <rdar://problem/47608913>
     6
     7        Reviewed by Saam Barati.
     8
     9        Only the DoubleRepUse case is guaranteed to not GC.  The other case may GC because
     10        it calls operationSameValue() which may allocate memory for resolving ropes.
     11
     12        * dfg/DFGDoesGC.cpp:
     13        (JSC::DFG::doesGC):
     14
    1152019-02-03  Yusuke Suzuki  <ysuzuki@apple.com>
    216
  • trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

    r240616 r240917  
    156156    case CompareStrictEq:
    157157    case CompareEqPtr:
    158     case SameValue:
    159158    case Call:
    160159    case DirectCall:
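Review bot: Taken alone, dropping `case SameValue:` from this fall-through group (the cases that return false) leaves the node with no matching label in the switch; the change is only sound because the later hunk in this file adds a dedicated `case SameValue:` that returns false solely for the `DoubleRepUse` form and true otherwise. Worth confirming that no other early-return group between this one and the new case still lists SameValue, since a duplicate label would fail to compile and a stale one would silently restore the wrong answer.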
     
    414413        return node->multiPutByOffsetData().reallocatesStorage();
    415414
     415    case SameValue:
     416        if (node->isBinaryUseKind(DoubleRepUse))
     417            return false;
     418        return true;
     419
    416420    case LastNodeType:
    417421        RELEASE_ASSERT_NOT_REACHED();
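Review bot: The reason for the split lives only in the ChangeLog; a one-line comment above `return true;` noting that the non-DoubleRepUse path calls operationSameValue(), which may allocate while resolving ropes, would stop the next reader from "optimizing" SameValue back into the no-GC group. Stylistically the body collapses to `return !node->isBinaryUseKind(DoubleRepUse);`, though the explicit if/return reads fine. Erring toward `true` is the safe direction for a query like doesGC(), whose callers rely on a `false` answer to skip GC-safety work, so any further refinement of which use kinds avoid the slow path should carry the same justification.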