Changeset 241210 in webkit
- Timestamp: Feb 8, 2019 2:32:00 PM
- Location: trunk/Source/JavaScriptCore
- Files: 4 edited
trunk/Source/JavaScriptCore/ChangeLog
r241201 r241210
2019-02-08  Mark Lam  <mark.lam@apple.com>

        Fix DFG's doesGC() for CheckTierUp*, GetByVal, PutByVal*, and StringCharAt nodes.
        https://bugs.webkit.org/show_bug.cgi?id=194446
        <rdar://problem/47926792>

        Reviewed by Saam Barati.

        Fix doesGC() for the following nodes:

        CheckTierUpAtReturn:
            Calls triggerTierUpNow(), which calls triggerFTLReplacementCompile(),
            which calls Worklist::completeAllReadyPlansForVM(), which uses DeferGC.

        CheckTierUpInLoop:
            Calls triggerTierUpNowInLoop(), which calls tierUpCommon(), which calls
            Worklist::completeAllReadyPlansForVM(), which uses DeferGC.

        CheckTierUpAndOSREnter:
            Calls triggerOSREntryNow(), which calls tierUpCommon(), which calls
            Worklist::completeAllReadyPlansForVM(), which uses DeferGC.

        GetByVal:
            case Array::String calls operationSingleCharacterString(), which calls
            jsSingleCharacterString(), which can allocate a string.

        PutByValDirect:
        PutByVal:
        PutByValAlias:
            For the DFG only, the integer TypedArrays call compilePutByValForIntTypedArray(),
            which may call slow paths operationPutByValDirectStrict(), operationPutByValDirectNonStrict(),
            operationPutByValStrict(), or operationPutByValNonStrict(). All of these
            slow paths call putByValInternal(), which may create exception objects, or
            call the generic JSValue::put() which may execute arbitrary code.

        StringCharAt:
            Can call operationSingleCharacterString(), which calls jsSingleCharacterString(),
            which can allocate a string.

        Also fix DFG::SpeculativeJIT::compileGetByValOnString() and FTL's compileStringCharAt()
        to use the maxSingleCharacterString constant instead of a literal constant.

        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compilePutByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):

2019-02-08  Yusuke Suzuki  <ysuzuki@apple.com>
-
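The ChangeLog above explains which DFG nodes can allocate or run arbitrary JavaScript and therefore must report doesGC() == true. The script below is an added example, not WebKit code and not part of r241210: it drives those same operations from JavaScript so a reader can see the observable behaviour behind the explanation. It indexes a string at characters above the single-character string cache bound (the 0xFF bound is an assumption about maxSingleCharacterString), and it stores an object with an allocating valueOf() into an Int32Array so that the typed-array put cannot take the fast path and must run arbitrary code before the store completes. The iteration count and allocation volume are assumptions chosen so a JIT engine tiers the hot functions up.

```javascript
// Added example, not part of r241210 or of WebKit. Exercises from JavaScript
// the operations the ChangeLog marks as able to allocate or run arbitrary
// code, under enough iterations (assumption) for optimizing JIT tiers to
// compile the hot functions.

const ITERATIONS = 20000; // assumption: enough for tier-up in a JIT engine

// GetByVal(Array::String) / StringCharAt: str[idx] produces a string value.
// JSC caches single-character strings only up to maxSingleCharacterString
// (assumed 0xFF here), so characters above that bound are allocated on each
// access rather than taken from the cache.
function charAtHot(str, idx) {
  return str[idx];
}

// PutByVal on an integer TypedArray: a non-primitive value cannot be stored by
// the inline fast path. ToNumber(value) invokes valueOf(), i.e. arbitrary JS
// that can allocate freely before the element is written.
function typedArrayStoreHot(arr, idx, value) {
  arr[idx] = value;
  return arr[idx];
}

// A value whose numeric conversion allocates and records that it was invoked.
function makeAllocatingValue(result, counter) {
  return {
    valueOf() {
      counter.calls++;
      const junk = [];
      for (let i = 0; i < 200; i++) {
        // Characters above the assumed cache bound, so this allocates strings too.
        junk.push({ i, s: String.fromCharCode(0x100 + (i & 0xff)) });
      }
      return result;
    },
  };
}

// Drives both paths and returns what is observable from script: the set of
// distinct characters read, how many times valueOf() ran, and the last value
// stored (Int32Array keeps the low 32 bits, here the value itself).
function runStress() {
  const str = "a\u0100\u1234z"; // constructed input: two chars above 0xFF
  const arr = new Int32Array(8);
  const counter = { calls: 0 };
  const distinctChars = new Set();
  let lastStored = 0;
  for (let i = 0; i < ITERATIONS; i++) {
    distinctChars.add(charAtHot(str, i & 3));
    lastStored = typedArrayStoreHot(arr, i & 7, makeAllocatingValue(i & 0xffff, counter));
  }
  return { distinctChars: distinctChars.size, valueOfCalls: counter.calls, lastStored };
}

console.log(runStress());
```

Every store in the loop runs valueOf() exactly once, so a JIT that compiled typedArrayStoreHot() with the assumption that PutByVal cannot call out would be wrong for every iteration, not just for a rare slow-path case; that is why the doesGC() table has to be conservative for integer typed-array puts with non-int values.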
trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp
r241140 r241210 54 54 // such as between Array types. 55 55 // 5. Calls to a JS function, which can execute arbitrary code including allocating objects. 56 // 6. Calls operations that uses DeferGC, because it may GC in its destructor. 56 57 57 58 switch (node->op()) { … … 178 179 case ExtractCatchLocal: 179 180 case ClearCatchLocals: 180 case CheckTierUpInLoop:181 case CheckTierUpAtReturn:182 case CheckTierUpAndOSREnter:183 181 case LoopHint: 184 182 case StoreBarrier: … … 197 195 case GetGetter: 198 196 case GetSetter: 199 case GetByVal:200 197 case GetArrayLength: 201 198 case GetVectorLength: 202 case StringCharAt:203 199 case StringCharCodeAt: 204 200 case GetTypedArrayByteOffset: 205 201 case GetPrototypeOf: 206 case PutByValDirect:207 case PutByVal:208 case PutByValAlias:209 202 case PutStructure: 210 203 case GetByOffset: … … 273 266 case CallObjectConstructor: 274 267 case CallVarargs: 268 case CheckTierUpAndOSREnter: 269 case CheckTierUpAtReturn: 270 case CheckTierUpInLoop: 275 271 case Construct: 276 272 case ConstructForwardVarargs: … … 326 322 case ResolveScopeForHoistingFuncDeclInEval: 327 323 case Return: 324 case StringCharAt: 328 325 case TailCall: 329 326 case TailCallForwardVarargs: … … 413 410 414 411 case GetIndexedPropertyStorage: 412 case GetByVal: 415 413 if (node->arrayMode().type() == Array::String) 416 414 return true; 415 return false; 416 417 case PutByValDirect: 418 case PutByVal: 419 case PutByValAlias: 420 if (!graph.m_plan.isFTL()) { 421 switch (node->arrayMode().modeForPut().type()) { 422 case Array::Int8Array: 423 case Array::Int16Array: 424 case Array::Int32Array: 425 case Array::Uint8Array: 426 case Array::Uint8ClampedArray: 427 case Array::Uint16Array: 428 case Array::Uint32Array: 429 return true; 430 default: 431 break; 432 } 433 } 417 434 return false; 418 435 -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
r240327 r241210 2345 2345 case GetByVal: { 2346 2346 switch (node->arrayMode().type()) { 2347 case Array::AnyTypedArray: 2348 case Array::ForceExit: 2349 case Array::SelectUsingArguments: 2347 2350 case Array::SelectUsingPredictions: 2348 case Array:: ForceExit:2351 case Array::Unprofiled: 2349 2352 DFG_CRASH(m_jit.graph(), node, "Bad array mode type"); 2350 2353 break; … … 2567 2570 compileGetByValOnScopedArguments(node); 2568 2571 break; 2569 default: { 2572 case Array::Int8Array: 2573 case Array::Int16Array: 2574 case Array::Int32Array: 2575 case Array::Uint8Array: 2576 case Array::Uint8ClampedArray: 2577 case Array::Uint16Array: 2578 case Array::Uint32Array: 2579 case Array::Float32Array: 2580 case Array::Float64Array: { 2570 2581 TypedArrayType type = node->arrayMode().typedArrayType(); 2571 2582 if (isInt(type)) … … 2801 2812 } 2802 2813 2803 default: { 2814 case Array::Int8Array: 2815 case Array::Int16Array: 2816 case Array::Int32Array: 2817 case Array::Uint8Array: 2818 case Array::Uint8ClampedArray: 2819 case Array::Uint16Array: 2820 case Array::Uint32Array: 2821 case Array::Float32Array: 2822 case Array::Float64Array: { 2804 2823 TypedArrayType type = arrayMode.typedArrayType(); 2805 2824 if (isInt(type)) … … 2807 2826 else 2808 2827 compilePutByValForFloatTypedArray(base.gpr(), property.gpr(), node, type); 2809 } } 2810 2828 break; 2829 } 2830 2831 case Array::AnyTypedArray: 2832 case Array::String: 2833 case Array::DirectArguments: 2834 case Array::ForceExit: 2835 case Array::Generic: 2836 case Array::ScopedArguments: 2837 case Array::SelectUsingArguments: 2838 case Array::SelectUsingPredictions: 2839 case Array::Undecided: 2840 case Array::Unprofiled: 2841 RELEASE_ASSERT_NOT_REACHED(); 2842 } 2811 2843 break; 2812 2844 } -
trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
r240998 r241210 4164 4164 } 4165 4165 4166 default: { 4166 case Array::Int8Array: 4167 case Array::Int16Array: 4168 case Array::Int32Array: 4169 case Array::Uint8Array: 4170 case Array::Uint8ClampedArray: 4171 case Array::Uint16Array: 4172 case Array::Uint32Array: 4173 case Array::Float32Array: 4174 case Array::Float64Array: { 4167 4175 LValue index = lowInt32(m_graph.varArgChild(m_node, 1)); 4168 4176 LValue storage = lowStorage(m_graph.varArgChild(m_node, 2)); 4169 4177 4170 4178 TypedArrayType type = m_node->arrayMode().typedArrayType(); 4171 4172 if (isTypedView(type)){4179 ASSERT(isTypedView(type)); 4180 { 4173 4181 TypedPointer pointer = pointerIntoTypedArray(storage, index, type); 4174 4182 … … 4197 4205 return; 4198 4206 } 4199 4207 } 4208 4209 case Array::AnyTypedArray: 4210 case Array::ForceExit: 4211 case Array::SelectUsingArguments: 4212 case Array::SelectUsingPredictions: 4213 case Array::Unprofiled: 4200 4214 DFG_CRASH(m_graph, m_node, "Bad array type"); 4201 4215 return; 4202 } }4216 } 4203 4217 } 4204 4218 … … 4489 4503 } 4490 4504 4491 default: { 4505 case Array::Int8Array: 4506 case Array::Int16Array: 4507 case Array::Int32Array: 4508 case Array::Uint8Array: 4509 case Array::Uint8ClampedArray: 4510 case Array::Uint16Array: 4511 case Array::Uint32Array: 4512 case Array::Float32Array: 4513 case Array::Float64Array: { 4492 4514 TypedArrayType type = arrayMode.typedArrayType(); 4493 4515 4494 if (isTypedView(type)) { 4516 ASSERT(isTypedView(type)); 4517 { 4495 4518 TypedPointer pointer = TypedPointer( 4496 4519 m_heaps.typedArrayProperties, … … 4545 4568 return; 4546 4569 } 4547 4570 } 4571 4572 case Array::AnyTypedArray: 4573 case Array::String: 4574 case Array::DirectArguments: 4575 case Array::ForceExit: 4576 case Array::Generic: 4577 case Array::ScopedArguments: 4578 case Array::SelectUsingArguments: 4579 case Array::SelectUsingPredictions: 4580 case Array::Undecided: 4581 case Array::Unprofiled: 4548 4582 DFG_CRASH(m_graph, m_node, "Bad array 
type"); 4549 4583 break; 4550 }4551 4584 } 4552 4585 }