Changeset 240991 in webkit

Timestamp:

Feb 5, 2019, 1:59:52 PM (6 years ago)

Author:

mark.lam@apple.com

Message:

Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
​https://bugs.webkit.org/show_bug.cgi?id=194298
<rdar://problem/47827555>

Reviewed by Saam Barati.

We do this for 3 reasons:

1. It's clearer when reading doesGC()'s code that these nodes will return true.
2. If things change in the future where clobberize() no longer reports these nodes as write(Heap), each node should be vetted first to make sure that it can never GC before being moved back to the doesGC() list that returns false.
3. This reduces the list of nodes that we need to audit to make sure doesGC() is correct in its claims about the nodes' GCing possibility.

The list of nodes moved are:

ArrayPush
ArrayPop
Call
CallEval
CallForwardVarargs
CallVarargs
Construct
ConstructForwardVarargs
ConstructVarargs
DefineDataProperty
DefineAccessorProperty
DeleteById
DeleteByVal
DirectCall
DirectConstruct
DirectTailCallInlinedCaller
GetById
GetByIdDirect
GetByIdDirectFlush
GetByIdFlush
GetByIdWithThis
GetByValWithThis
GetDirectPname
GetDynamicVar
HasGenericProperty
HasOwnProperty
HasStructureProperty
InById
InByVal
InstanceOf
InstanceOfCustom
LoadVarargs
NumberToStringWithRadix
PutById
PutByIdDirect
PutByIdFlush
PutByIdWithThis
PutByOffset
PutByValWithThis
PutDynamicVar
PutGetterById
PutGetterByVal
PutGetterSetterById
PutSetterById
PutSetterByVal
PutStack
PutToArguments
RegExpExec
RegExpTest
ResolveScope
ResolveScopeForHoistingFuncDeclInEval
TailCall
TailCallForwardVarargsInlinedCaller
TailCallInlinedCaller
TailCallVarargsInlinedCaller
ToNumber
ToPrimitive
ValueNegate

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGDoesGC.cpp (modified) (11 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-02-05  Mark Lam  <mark.lam@apple.com>
+
+        Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
+        https://bugs.webkit.org/show_bug.cgi?id=194298
+        <rdar://problem/47827555>
+
+        Reviewed by Saam Barati.
+
+        We do this for 3 reasons:
+        1. It's clearer when reading doesGC()'s code that these nodes will return true.
+        2. If things change in the future where clobberize() no longer reports these nodes
+           as write(Heap), each node should be vetted first to make sure that it can never
+           GC before being moved back to the doesGC() list that returns false.
+        3. This reduces the list of nodes that we need to audit to make sure doesGC() is
+           correct in its claims about the nodes' GCing possibility.
+
+        The list of nodes moved are:
+
+            ArrayPush
+            ArrayPop
+            Call
+            CallEval
+            CallForwardVarargs
+            CallVarargs
+            Construct
+            ConstructForwardVarargs
+            ConstructVarargs
+            DefineDataProperty
+            DefineAccessorProperty
+            DeleteById
+            DeleteByVal
+            DirectCall
+            DirectConstruct
+            DirectTailCallInlinedCaller
+            GetById
+            GetByIdDirect
+            GetByIdDirectFlush
+            GetByIdFlush
+            GetByIdWithThis
+            GetByValWithThis
+            GetDirectPname
+            GetDynamicVar
+            HasGenericProperty
+            HasOwnProperty
+            HasStructureProperty
+            InById
+            InByVal
+            InstanceOf
+            InstanceOfCustom
+            LoadVarargs
+            NumberToStringWithRadix
+            PutById
+            PutByIdDirect
+            PutByIdFlush
+            PutByIdWithThis
+            PutByOffset
+            PutByValWithThis
+            PutDynamicVar
+            PutGetterById
+            PutGetterByVal
+            PutGetterSetterById
+            PutSetterById
+            PutSetterByVal
+            PutStack
+            PutToArguments
+            RegExpExec
+            RegExpTest
+            ResolveScope
+            ResolveScopeForHoistingFuncDeclInEval
+            TailCall
+            TailCallForwardVarargsInlinedCaller
+            TailCallInlinedCaller
+            TailCallVarargsInlinedCaller
+            ToNumber
+            ToPrimitive
+            ValueNegate
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+
 2019-02-05  Yusuke Suzuki  <ysuzuki@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

@@ -98 +98 @@
     case ArithFRound:
     case ArithUnary:
-    case ValueNegate:
     case TryGetById:
-    case GetById:
-    case GetByIdFlush:
-    case GetByIdWithThis:
-    case GetByIdDirect:
-    case GetByIdDirectFlush:
-    case PutById:
-    case PutByIdFlush:
-    case PutByIdWithThis:
-    case PutByValWithThis:
-    case PutByIdDirect:
-    case PutGetterById:
-    case PutSetterById:
-    case PutGetterSetterById:
-    case PutGetterByVal:
-    case PutSetterByVal:
-    case DefineDataProperty:
-    case DefineAccessorProperty:
-    case DeleteById:
-    case DeleteByVal:
     case CheckStructure:
     case CheckStructureOrEmpty:
@@ -142 +122 @@
     case AssertNotEmpty:
     case CheckStringIdent:
-    case RegExpExec:
     case RegExpExecNonGlobalOrSticky:
-    case RegExpTest:
     case RegExpMatchFast:
     case RegExpMatchFastGlobal:
@@ -156 +134 @@
     case CompareStrictEq:
     case CompareEqPtr:
-    case Call:
-    case DirectCall:
-    case TailCallInlinedCaller:
-    case DirectTailCallInlinedCaller:
-    case Construct:
-    case DirectConstruct:
-    case CallVarargs:
-    case CallEval:
-    case TailCallVarargsInlinedCaller:
-    case ConstructVarargs:
-    case LoadVarargs:
-    case CallForwardVarargs:
-    case ConstructForwardVarargs:
     case TailCallForwardVarargs:
-    case TailCallForwardVarargsInlinedCaller:
     case ProfileType:
     case ProfileControlFlow:
     case OverridesHasInstance:
-    case InstanceOf:
-    case InstanceOfCustom:
     case IsEmpty:
     case IsUndefined:
@@ -189 +151 @@
     case TypeOf:
     case LogicalNot:
-    case ToPrimitive:
-    case ToNumber:
-    case NumberToStringWithRadix:
     case NumberToStringWithValidRadixConstant:
-    case InByVal:
-    case InById:
-    case HasOwnProperty:
     case Jump:
     case Branch:
@@ -201 +157 @@
     case EntrySwitch:
     case Return:
-    case TailCall:
     case DirectTailCall:
     case TailCallVarargs:
@@ -246 +201 @@
     case GetSetter:
     case GetByVal:
-    case GetByValWithThis:
     case GetArrayLength:
     case GetVectorLength:
-    case ArrayPush:
-    case ArrayPop:
     case StringCharAt:
     case StringCharCodeAt:
@@ -261 +213 @@
     case GetByOffset:
     case GetGetterSetterByOffset:
-    case PutByOffset:
     case GetEnumerableLength:
-    case HasGenericProperty:
-    case HasStructureProperty:
     case HasIndexedProperty:
-    case GetDirectPname:
     case FiatInt52:
     case BooleanToNumber:
@@ -288 +236 @@
     case ForwardVarargs:
     case PutHint:
-    case PutStack:
     case KillStack:
     case GetStack:
     case GetFromArguments:
-    case PutToArguments:
     case GetArgument:
     case LogShadowChickenPrologue:
     case LogShadowChickenTail:
-    case GetDynamicVar:
-    case PutDynamicVar:
-    case ResolveScopeForHoistingFuncDeclInEval:
-    case ResolveScope:
     case NukeStructureAndSetButterfly:
     case AtomicsAdd:
@@ -321 +263 @@
         return false;
 
+    case ArrayPush:
+    case ArrayPop:
     case PushWithScope:
     case CreateActivation:
@@ -326 +270 @@
     case CreateScopedArguments:
     case CreateClonedArguments:
+    case Call:
+    case CallEval:
+    case CallForwardVarargs:
     case CallObjectConstructor:
+    case CallVarargs:
+    case Construct:
+    case ConstructForwardVarargs:
+    case ConstructVarargs:
+    case DefineDataProperty:
+    case DefineAccessorProperty:
+    case DeleteById:
+    case DeleteByVal:
+    case DirectCall:
+    case DirectConstruct:
+    case DirectTailCallInlinedCaller:
+    case GetById:
+    case GetByIdDirect:
+    case GetByIdDirectFlush:
+    case GetByIdFlush:
+    case GetByIdWithThis:
+    case GetByValWithThis:
+    case GetDirectPname:
+    case GetDynamicVar:
+    case HasGenericProperty:
+    case HasOwnProperty:
+    case HasStructureProperty:
+    case InById:
+    case InByVal:
+    case InstanceOf:
+    case InstanceOfCustom:
+    case LoadVarargs:
+    case NumberToStringWithRadix:
+    case PutById:
+    case PutByIdDirect:
+    case PutByIdFlush:
+    case PutByIdWithThis:
+    case PutByOffset:
+    case PutByValWithThis:
+    case PutDynamicVar:
+    case PutGetterById:
+    case PutGetterByVal:
+    case PutGetterSetterById:
+    case PutSetterById:
+    case PutSetterByVal:
+    case PutStack:
+    case PutToArguments:
+    case RegExpExec:
+    case RegExpTest:
+    case ResolveScope:
+    case ResolveScopeForHoistingFuncDeclInEval:
+    case TailCall:
+    case TailCallForwardVarargsInlinedCaller:
+    case TailCallInlinedCaller:
+    case TailCallVarargsInlinedCaller:
+    case ToNumber:
     case ToObject:
+    case ToPrimitive:
     case ToThis:
     case CreateThis:
@@ -380 +379 @@
     case ValueMul:
     case ValueDiv:
+    case ValueNegate:
         return true;