Changeset 274942 in webkit


Ignore:
Timestamp:
Mar 24, 2021, 9:56:42 AM (4 years ago)
Author:
sbarati@apple.com
Message:

r271034 added code in constant folding phase that's unreachable given current invariants of our ICs and PutByIdStatus
https://bugs.webkit.org/show_bug.cgi?id=223625

Reviewed by Yusuke Suzuki.

The code was doing a lot of wrong things by making bad assumptions about the
invariants of PutByIdVariants. Replace PutByIdVariants never have object
property condition sets, since we always replace on the self object (and don't
look at the prototype chain). This patch clears up the code to make it
clearer what the invariants are.

With respect to the original fix about not emitting a PutByOffset for a
Replace on a Structure that has an unfired replacement watchpoint set,
that was already handled by the PutByIdStatus::computeFor variant we're
calling inside of constant folding. It will return TakesSlowPathif it
encounters a Replace where the Structure still has an unfired watchpoint.

  • dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r274935 r274942  
     12021-03-24  Saam Barati  <sbarati@apple.com>
     2
     3        r271034 added code in constant folding phase that's unreachable given current invariants of our ICs and PutByIdStatus
     4        https://bugs.webkit.org/show_bug.cgi?id=223625
     5
     6        Reviewed by Yusuke Suzuki.
     7
     8        The code was doing a lot of wrong things by making bad assumptions about the
     9        invariants of PutByIdVariants. Replace PutByIdVariants never have object
     10        property condition sets, since we always replace on the self object (and don't
     11        look at the prototype chain). This patch clears up the code to make it
     12        clearer what the invariants are.
     13       
     14        With respect to the original fix about not emitting a PutByOffset for a
     15        Replace on a Structure that has an unfired replacement watchpoint set,
     16        that was already handled by the PutByIdStatus::computeFor variant we're
     17        calling inside of constant folding. It will return TakesSlowPathif it
     18        encounters a Replace where the Structure still has an unfired watchpoint.
     19
     20        * dfg/DFGConstantFoldingPhase.cpp:
     21        (JSC::DFG::ConstantFoldingPhase::tryFoldAsPutByOffset):
     22
    1232021-03-24  Yusuke Suzuki  <ysuzuki@apple.com>
    224

  • trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

    r271034 r274942  
    14201420        TransitionVector transitions;
    14211421        for (const PutByIdVariant& variant : status.variants()) {
    1422             for (const ObjectPropertyCondition& condition : variant.conditionSet()) {
    1423                 if (m_graph.watchCondition(condition))
    1424                     continue;
    1425 
    1426                 Structure* structure = condition.object()->structure(m_graph.m_vm);
    1427                 if (!condition.structureEnsuresValidity(structure))
    1428                     return;
    1429 
    1430                 if (variant.kind() == PutByIdVariant::Replace) {
    1431                     auto* watchpoints = structure->propertyReplacementWatchpointSet(condition.offset());
    1432                     if (!watchpoints || watchpoints->isStillValid())
     1422            if (variant.kind() == PutByIdVariant::Transition) {
     1423                for (const ObjectPropertyCondition& condition : variant.conditionSet()) {
     1424                    if (m_graph.watchCondition(condition))
     1425                        continue;
     1426
     1427                    Structure* structure = condition.object()->structure(m_graph.m_vm);
     1428                    if (!condition.structureEnsuresValidity(structure))
    14331429                        return;
    1434                 }
    1435 
    1436                 m_insertionSet.insertNode(
    1437                     indexInBlock, SpecNone, CheckStructure, node->origin,
    1438                     OpInfo(m_graph.addStructureSet(structure)),
    1439                     m_insertionSet.insertConstantForUse(
    1440                         indexInBlock, node->origin, condition.object(), KnownCellUse));
    1441             }
    1442 
    1443             if (variant.kind() == PutByIdVariant::Transition) {
     1430
     1431                    m_insertionSet.insertNode(
     1432                        indexInBlock, SpecNone, CheckStructure, node->origin,
     1433                        OpInfo(m_graph.addStructureSet(structure)),
     1434                        m_insertionSet.insertConstantForUse(
     1435                            indexInBlock, node->origin, condition.object(), KnownCellUse));
     1436                }
     1437
    14441438                ASSERT(privateFieldPutKind.isNone() || privateFieldPutKind.isDefine());
    14451439                RegisteredStructure newStructure = m_graph.registerStructure(variant.newStructure());
     
    14511445                ASSERT(variant.kind() == PutByIdVariant::Replace);
    14521446                ASSERT(privateFieldPutKind.isNone() || privateFieldPutKind.isSet());
     1447                DFG_ASSERT(m_graph, node, variant.conditionSet().isEmpty());
    14531448                newSet.merge(*m_graph.addStructureSet(variant.oldStructure()));
    14541449            }
Note: See TracChangeset for help on using the changeset viewer.