Context Navigation

← Previous Changeset
Next Changeset →

Changeset 155730 in webkit

Timestamp:

Sep 13, 2013 4:18:19 PM (11 years ago)

Author:

fpizlo@apple.com

Message:

DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
https://bugs.webkit.org/show_bug.cgi?id=121330

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg and Oliver Hunt.

Also print whether a function is strict mode in debug dumps.

bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpAssumingJITType):

bytecode/CodeOrigin.cpp:

(JSC::InlineCallFrame::dumpInContext):

dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::::executeEffects):

dfg/DFGOperations.cpp:
dfg/DFGOperations.h:
dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

Tools:

Reviewed by Mark Hahnenberg and Oliver Hunt.

We should run tests even if they don't have expected files yet.

Scripts/run-layout-jsc:

LayoutTests:

Reviewed by Mark Hahnenberg and Oliver Hunt.

js/dfg-strict-mode-to-this-expected.txt: Added.
js/dfg-strict-mode-to-this.html: Added.
js/jsc-test-list:
js/script-tests/dfg-strict-mode-to-this.js: Added.

(thingy.bar):
(thingy.foo):
(thingy):

Location:

trunk

Files:

: 3 added
: 12 edited

LayoutTests/ChangeLog (modified) (1 diff)
LayoutTests/js/dfg-strict-mode-to-this-expected.txt (added)
LayoutTests/js/dfg-strict-mode-to-this.html (added)
LayoutTests/js/jsc-test-list (modified) (1 diff)
LayoutTests/js/script-tests/dfg-strict-mode-to-this.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/bytecode/CodeBlock.cpp (modified) (1 diff)
Source/JavaScriptCore/bytecode/CodeOrigin.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGOperations.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGOperations.h (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
Tools/ChangeLog (modified) (1 diff)
Tools/Scripts/run-layout-jsc (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/LayoutTests/ChangeLog

-                      r155728
+                      r155730
+-09-13  Filip Pizlo  <fpizlo@apple.com>
+        DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
+        https://bugs.webkit.org/show_bug.cgi?id=121330
+        Reviewed by Mark Hahnenberg and Oliver Hunt.
+        * js/dfg-strict-mode-to-this-expected.txt: Added.
+        * js/dfg-strict-mode-to-this.html: Added.
+        * js/jsc-test-list:
+        * js/script-tests/dfg-strict-mode-to-this.js: Added.
+        (thingy.bar):
+        (thingy.foo):
+        (thingy):
 -09-13  Alexey Proskuryakov  <ap@apple.com>

trunk/LayoutTests/js/jsc-test-list

r155452	r155730
226	226	js/dfg-side-effect-assignment-osr-exit
227	227	js/dfg-sqrt-backwards-propagation
	228	js/dfg-strict-mode-to-this
228	229	js/dfg-string-out-of-bounds-check-structure
229	230	js/dfg-string-out-of-bounds-cse

trunk/Source/JavaScriptCore/ChangeLog

-                      r155729
+                      r155730
+-09-13  Filip Pizlo  <fpizlo@apple.com>
+        DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
+        https://bugs.webkit.org/show_bug.cgi?id=121330
+        Reviewed by Mark Hahnenberg and Oliver Hunt.
+        Also print whether a function is strict mode in debug dumps.
+        * bytecode/CodeBlock.cpp:
+        (JSC::CodeBlock::dumpAssumingJITType):
+        * bytecode/CodeOrigin.cpp:
+        (JSC::InlineCallFrame::dumpInContext):
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::::executeEffects):
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
 -09-13  Anders Carlsson  <andersca@apple.com>

trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

r155711	r155730
140	140	if (ownerExecutable()->neverInline())
141	141	out.print(" (NeverInline)");
	142	if (ownerExecutable()->isStrictMode())
	143	out.print(" (StrictMode)");
142	144	out.print("]");
143	145	}

trunk/Source/JavaScriptCore/bytecode/CodeOrigin.cpp

-                      r154935
+                      r155730
 void InlineCallFrame::dumpInContext(PrintStream& out, DumpContext* context) const
+{
+    out.print(briefFunctionInformation(), ":<", RawPointer(executable.get()), ", bc#", caller.bytecodeIndex, ", ", specializationKind());
+    out.print(briefFunctionInformation(), ":<", RawPointer(executable.get()));
+    if (executable->isStrictMode())
+        out.print(" (StrictMode)");
+    out.print(", bc#", caller.bytecodeIndex, ", ", specializationKind());
     if (callee)
         out.print(", known callee: ", inContext(JSValue(callee.get()), context));

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

-                      r155567
+                      r155730
         AbstractValue& destination = forNode(node);
+        destination = source;
+        destination.merge(SpecObject);
+        if (m_graph.executableFor(node->codeOrigin)->isStrictMode())
+            destination.makeHeapTop();
+        else {
+            destination = source;
+            destination.merge(SpecObject);
+        }
         break;
+    }

trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

-                      r155711
+                      r155730
     NativeCallFrameTracer tracer(vm, exec);
+    return JSValue::encode(JSValue::decode(encodedOp).toThis(exec, exec->codeBlock()->isStrictMode() ? StrictMode : NotStrictMode));
+    return JSValue::encode(JSValue::decode(encodedOp).toThis(exec, NotStrictMode));
+}
+EncodedJSValue DFG_OPERATION operationToThisStrict(ExecState* exec, EncodedJSValue encodedOp)
+{
+    VM* vm = &exec->vm();
+    NativeCallFrameTracer tracer(vm, exec);
+    return JSValue::encode(JSValue::decode(encodedOp).toThis(exec, StrictMode));
+}

trunk/Source/JavaScriptCore/dfg/DFGOperations.h

r155243	r155730
137	137	JSCell* DFG_OPERATION operationCreateThis(ExecState, JSObject constructor, int32_t inlineCapacity) WTF_INTERNAL;
138	138	EncodedJSValue DFG_OPERATION operationToThis(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
	139	EncodedJSValue DFG_OPERATION operationToThisStrict(ExecState*, EncodedJSValue encodedOp1) WTF_INTERNAL;
139	140	EncodedJSValue DFG_OPERATION operationValueAdd(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;
140	141	EncodedJSValue DFG_OPERATION operationValueAddNotNumber(ExecState*, EncodedJSValue encodedOp1, EncodedJSValue encodedOp2) WTF_INTERNAL;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

-                      r155711
+                      r155730
         m_jit.move(thisValuePayloadGPR, tempGPR);
         m_jit.move(thisValueTagGPR, tempTagGPR);
+        J_DFGOperation_EJ function;
+        if (m_jit.graph().executableFor(node->codeOrigin)->isStrictMode())
+            function = operationToThisStrict;
+        else
+            function = operationToThis;
         addSlowPathGenerator(
             slowPathCall(
                 slowCases, this, operationToThis,
+                slowCases, this, function,
                 JSValueRegs(tempTagGPR, tempGPR), thisValueTagGPR, thisValuePayloadGPR));

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

-                      r155711
+                      r155730
             TrustedImm32(FinalObjectType)));
         m_jit.move(thisValueGPR, tempGPR);
+        J_DFGOperation_EJ function;
+        if (m_jit.graph().executableFor(node->codeOrigin)->isStrictMode())
+            function = operationToThisStrict;
+        else
+            function = operationToThis;
         addSlowPathGenerator(
             slowPathCall(slowCases, this, operationToThis, tempGPR, thisValueGPR));
+            slowPathCall(slowCases, this, function, tempGPR, thisValueGPR));
         jsValueResult(tempGPR, node);

trunk/Tools/ChangeLog

-                      r155729
+                      r155730
+-09-13  Filip Pizlo  <fpizlo@apple.com>
+        DFG AI assumes that ToThis can never return non-object if it is passed an object, and operationToThis will get the wrong value of isStrictMode() if there's inlining
+        https://bugs.webkit.org/show_bug.cgi?id=121330
+        Reviewed by Mark Hahnenberg and Oliver Hunt.
+        We should run tests even if they don't have expected files yet.
+        * Scripts/run-layout-jsc:
 -09-13  Anders Carlsson  <andersca@apple.com>

trunk/Tools/Scripts/run-layout-jsc

r155479	r155730
107	107	fi
108	108
109		if [ -f $~~expectedOut -a -f $~~jsTest ]
	109	if [ -f $jsTest ]
110	110	then
111	111	if [ `uname` = 'Darwin' ]; then

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 155730 in webkit

Legend:

Download in other formats: