Changeset 172794 in webkit

Timestamp:

Aug 19, 2014 7:38:46 PM (10 years ago)

Author:

fpizlo@apple.com

Message:

REGRESSION(r172401): for-in optimization no longer works at all
​https://bugs.webkit.org/show_bug.cgi?id=136056

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
would instacrash every time.

• bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):

• bytecompiler/BytecodeGenerator.h:

(JSC::ForInContext::ForInContext):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):
(JSC::ForInContext::base): Deleted.

• bytecompiler/NodesCodegen.cpp:

(JSC::ForInNode::emitMultiLoopBytecode):

• runtime/JSProxy.cpp:

(JSC::JSProxy::getStructurePropertyNames):
(JSC::JSProxy::getGenericPropertyNames):

• tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.

(foo):

• tests/stress/for-in-base-reassigned-later.js: Added.

(foo):

• tests/stress/for-in-base-reassigned.js: Added.

(foo):

• tests/stress/for-in-proxy-target-changed-structure.js: Added.

(deleteAll):
(foo):

• tests/stress/for-in-proxy.js: Added.

(foo):

LayoutTests:

This just needs a rebase because the number of calls into the DOM has changed and so the
number of console messages about security stuff has now changed.

• http/tests/security/cross-frame-access-enumeration-expected.txt:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp (modified) (3 diffs)
• Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h (modified) (5 diffs)
• Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/JSProxy.cpp (modified) (2 diffs)
• Source/JavaScriptCore/tests/stress/for-in-base-reassigned-later-and-change-structure.js (added)
• Source/JavaScriptCore/tests/stress/for-in-base-reassigned-later.js (added)
• Source/JavaScriptCore/tests/stress/for-in-base-reassigned.js (added)
• Source/JavaScriptCore/tests/stress/for-in-proxy-target-changed-structure.js (added)
• Source/JavaScriptCore/tests/stress/for-in-proxy.js (added)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2014-08-19  Filip Pizlo  <fpizlo@apple.com>
+
+        REGRESSION(r172401): for-in optimization no longer works at all
+        https://bugs.webkit.org/show_bug.cgi?id=136056
+
+        Reviewed by Geoffrey Garen.
+        
+        This just needs a rebase because the number of calls into the DOM has changed and so the
+        number of console messages about security stuff has now changed.
+
+        * http/tests/security/cross-frame-access-enumeration-expected.txt:
+
 2014-08-19  Bem Jones-Bey  <bjonesbe@adobe.com>
 

trunk/LayoutTests/http/tests/security/cross-frame-access-enumeration-expected.txt

@@ -1 @@
-CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.
 CONSOLE MESSAGE: Blocked a frame with origin "http://127.0.0.1:8000" from accessing a frame with origin "http://localhost:8000". Protocols, domains, and ports must match.

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2014-08-19  Filip Pizlo  <fpizlo@apple.com>
+
+        REGRESSION(r172401): for-in optimization no longer works at all
+        https://bugs.webkit.org/show_bug.cgi?id=136056
+
+        Reviewed by Geoffrey Garen.
+        
+        Roll this back in, along with a fix to make proxies work. Previously, for-in over proxies
+        would instacrash every time.
+
+        * bytecompiler/BytecodeGenerator.cpp:
+        (JSC::BytecodeGenerator::emitGetByVal):
+        (JSC::BytecodeGenerator::pushIndexedForInScope):
+        (JSC::BytecodeGenerator::pushStructureForInScope):
+        * bytecompiler/BytecodeGenerator.h:
+        (JSC::ForInContext::ForInContext):
+        (JSC::StructureForInContext::StructureForInContext):
+        (JSC::IndexedForInContext::IndexedForInContext):
+        (JSC::ForInContext::base): Deleted.
+        * bytecompiler/NodesCodegen.cpp:
+        (JSC::ForInNode::emitMultiLoopBytecode):
+        * runtime/JSProxy.cpp:
+        (JSC::JSProxy::getStructurePropertyNames):
+        (JSC::JSProxy::getGenericPropertyNames):
+        * tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
+        (foo):
+        * tests/stress/for-in-base-reassigned-later.js: Added.
+        (foo):
+        * tests/stress/for-in-base-reassigned.js: Added.
+        (foo):
+        * tests/stress/for-in-proxy-target-changed-structure.js: Added.
+        (deleteAll):
+        (foo):
+        * tests/stress/for-in-proxy.js: Added.
+        (foo):
+
 2014-08-19  Jaehun Lim  <ljaehun.lim@samsung.com>
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp

@@ -1423 +1423 @@
     for (size_t i = m_forInContextStack.size(); i > 0; i--) {
         ForInContext* context = m_forInContextStack[i - 1].get();
-        if (context->base() != base)
-            continue;
-
         if (context->local() != property)
             continue;
@@ -2587 +2584 @@
 }
 
-void BytecodeGenerator::pushIndexedForInScope(RegisterID* baseRegister, RegisterID* localRegister, RegisterID* indexRegister)
+void BytecodeGenerator::pushIndexedForInScope(RegisterID* localRegister, RegisterID* indexRegister)
 {
     if (!localRegister)
         return;
-    m_forInContextStack.append(std::make_unique<IndexedForInContext>(baseRegister, localRegister, indexRegister));
+    m_forInContextStack.append(std::make_unique<IndexedForInContext>(localRegister, indexRegister));
 }
 
@@ -2601 +2598 @@
 }
 
-void BytecodeGenerator::pushStructureForInScope(RegisterID* baseRegister, RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
+void BytecodeGenerator::pushStructureForInScope(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
 {
     if (!localRegister)
         return;
-    m_forInContextStack.append(std::make_unique<StructureForInContext>(baseRegister, localRegister, indexRegister, propertyRegister, enumeratorRegister));
+    m_forInContextStack.append(std::make_unique<StructureForInContext>(localRegister, indexRegister, propertyRegister, enumeratorRegister));
 }
 

trunk/Source/JavaScriptCore/bytecompiler/BytecodeGenerator.h

@@ -100 +100 @@
     class ForInContext {
     public:
-        ForInContext(RegisterID* baseRegister, RegisterID* localRegister)
-            : m_baseRegister(baseRegister)
-            , m_localRegister(localRegister)
+        ForInContext(RegisterID* localRegister)
+            : m_localRegister(localRegister)
             , m_isValid(true)
         {
@@ -120 +119 @@
         virtual ForInContextType type() const = 0;
 
-        RegisterID* base() const { return m_baseRegister.get(); }
         RegisterID* local() const { return m_localRegister.get(); }
 
     private:
-        RefPtr<RegisterID> m_baseRegister;
         RefPtr<RegisterID> m_localRegister;
         bool m_isValid;
@@ -131 +128 @@
     class StructureForInContext : public ForInContext {
     public:
-        StructureForInContext(RegisterID* baseRegister, RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
-            : ForInContext(baseRegister, localRegister)
+        StructureForInContext(RegisterID* localRegister, RegisterID* indexRegister, RegisterID* propertyRegister, RegisterID* enumeratorRegister)
+            : ForInContext(localRegister)
             , m_indexRegister(indexRegister)
             , m_propertyRegister(propertyRegister)
@@ -156 +153 @@
     class IndexedForInContext : public ForInContext {
     public:
-        IndexedForInContext(RegisterID* baseRegister, RegisterID* localRegister, RegisterID* indexRegister)
-            : ForInContext(baseRegister, localRegister)
+        IndexedForInContext(RegisterID* localRegister, RegisterID* indexRegister)
+            : ForInContext(localRegister)
             , m_indexRegister(indexRegister)
         {
@@ -528 +525 @@
         void popFinallyContext();
 
-        void pushIndexedForInScope(RegisterID* base, RegisterID* local, RegisterID* index);
+        void pushIndexedForInScope(RegisterID* local, RegisterID* index);
         void popIndexedForInScope(RegisterID* local);
-        void pushStructureForInScope(RegisterID* base, RegisterID* local, RegisterID* index, RegisterID* property, RegisterID* enumerator);
+        void pushStructureForInScope(RegisterID* local, RegisterID* index, RegisterID* property, RegisterID* enumerator);
         void popStructureForInScope(RegisterID* local);
         void invalidateForInContextForLocal(RegisterID* local);

trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

@@ -2071 +2071 @@
         this->emitLoopHeader(generator, propertyName.get());
 
-        generator.pushIndexedForInScope(base.get(), local.get(), i.get());
+        generator.pushIndexedForInScope(local.get(), i.get());
         generator.emitNode(dst, m_statement);
         generator.popIndexedForInScope(local.get());
@@ -2105 +2105 @@
         this->emitLoopHeader(generator, propertyName.get());
 
-        generator.pushStructureForInScope(base.get(), local.get(), i.get(), propertyName.get(), structureEnumerator.get());
+        generator.pushStructureForInScope(local.get(), i.get(), propertyName.get(), structureEnumerator.get());
         generator.emitNode(dst, m_statement);
         generator.popStructureForInScope(local.get());

trunk/Source/JavaScriptCore/runtime/JSProxy.cpp

@@ -121 +121 @@
 }
 
-void JSProxy::getStructurePropertyNames(JSObject* object, ExecState* exec, PropertyNameArray& propertyNames, EnumerationMode mode)
+void JSProxy::getStructurePropertyNames(JSObject*, ExecState*, PropertyNameArray&, EnumerationMode)
 {
-    JSProxy* thisObject = jsCast<JSProxy*>(object);
-    thisObject->target()->methodTable(exec->vm())->getStructurePropertyNames(thisObject->target(), exec, propertyNames, mode);
+    // Skip the structure loop, since it is invalid for proxies.
 }
 
@@ -130 +129 @@
 {
     JSProxy* thisObject = jsCast<JSProxy*>(object);
-    thisObject->target()->methodTable(exec->vm())->getGenericPropertyNames(thisObject->target(), exec, propertyNames, mode);
+    // Get *all* of the property names, not just the generic ones, since we skipped the structure
+    // ones above.
+    thisObject->target()->methodTable(exec->vm())->getPropertyNames(thisObject->target(), exec, propertyNames, mode);
 }