Changeset 147816 in webkit
- Timestamp:
- Apr 5, 2013 4:52:20 PM (11 years ago)
- Location:
- trunk
- Files:
-
- 3 added
- 3 edited
-
LayoutTests/ChangeLog (modified) (1 diff)
-
LayoutTests/fast/js/jit-set-profiling-access-type-only-for-get-by-id-self-expected.txt (added)
-
LayoutTests/fast/js/jit-set-profiling-access-type-only-for-get-by-id-self.html (added)
-
LayoutTests/fast/js/script-tests/jit-set-profiling-access-type-only-for-get-by-id-self.js (added)
-
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
-
Source/JavaScriptCore/jit/JITStubs.cpp (modified) (2 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/LayoutTests/ChangeLog
r147802 r147816 1 2013-04-05 Mark Hahnenberg <mhahnenberg@apple.com> 2 3 tryCacheGetByID sets StructureStubInfo accessType to an incorrect value 4 https://bugs.webkit.org/show_bug.cgi?id=114068 5 6 Reviewed by Geoffrey Garen. 7 8 In the case where we have a non-Value cacheable property, we set the StructureStubInfo accessType to 9 get_by_id_self, but then we don't patch self and instead patch in a get_by_id_self_fail. This leads to 10 incorrect profiling data so when the DFG compiles the function, it uses a GetByOffset rather than a GetById, 11 which leads to loading a GetterSetter directly out of an object. 12 13 * fast/js/jit-set-profiling-access-type-only-for-get-by-id-self-expected.txt: Added. 14 * fast/js/jit-set-profiling-access-type-only-for-get-by-id-self.html: Added. 15 * fast/js/script-tests/jit-set-profiling-access-type-only-for-get-by-id-self.js: Added. 16 1 17 2013-04-05 Chris Fleizach <cfleizach@apple.com> 2 18 -
trunk/Source/JavaScriptCore/ChangeLog
r147798 r147816 1 2013-04-05 Mark Hahnenberg <mhahnenberg@apple.com> 2 3 tryCacheGetByID sets StructureStubInfo accessType to an incorrect value 4 https://bugs.webkit.org/show_bug.cgi?id=114068 5 6 Reviewed by Geoffrey Garen. 7 8 In the case where we have a non-Value cacheable property, we set the StructureStubInfo accessType to 9 get_by_id_self, but then we don't patch self and instead patch in a get_by_id_self_fail. This leads to 10 incorrect profiling data so when the DFG compiles the function, it uses a GetByOffset rather than a GetById, 11 which leads to loading a GetterSetter directly out of an object. 12 13 * jit/JITStubs.cpp: 14 (JSC::tryCacheGetByID): 15 (JSC::DEFINE_STUB_FUNCTION): 16 1 17 2013-04-05 Filip Pizlo <fpizlo@apple.com> 2 18 -
trunk/Source/JavaScriptCore/jit/JITStubs.cpp
r147184 r147816 941 941 942 942 if (slot.slotBase() == baseValue) { 943 stubInfo->initGetByIdSelf(callFrame->globalData(), codeBlock->ownerExecutable(), structure);943 RELEASE_ASSERT(stubInfo->accessType == access_unset); 944 944 if ((slot.cachedPropertyType() != PropertySlot::Value) 945 945 || !MacroAssembler::isCompactPtrAlignedAddressOffset(maxOffsetRelativeToPatchedStorage(slot.cachedOffset()))) 946 946 ctiPatchCallByReturnAddress(codeBlock, returnAddress, FunctionPtr(cti_op_get_by_id_self_fail)); 947 else 947 else { 948 948 JIT::patchGetByIdSelf(codeBlock, stubInfo, structure, slot.cachedOffset(), returnAddress); 949 stubInfo->initGetByIdSelf(callFrame->globalData(), codeBlock->ownerExecutable(), structure); 950 } 949 951 return; 950 952 } … … 1592 1594 PolymorphicAccessStructureList* polymorphicStructureList; 1593 1595 int listIndex = 1; 1596 1597 if (stubInfo->accessType == access_unset) 1598 stubInfo->initGetByIdSelf(callFrame->globalData(), codeBlock->ownerExecutable(), baseValue.asCell()->structure()); 1594 1599 1595 1600 if (stubInfo->accessType == access_get_by_id_self) {
Note: See TracChangeset
for help on using the changeset viewer.
