Changeset 183691 in webkit


Ignore:
Timestamp:
May 1, 2015 3:33:32 PM (9 years ago)
Author:
basile_clement@apple.com
Message:

Function allocation sinking shouldn't be performed on singleton functions
https://bugs.webkit.org/show_bug.cgi?id=144166

Reviewed by Geoffrey Garen.

Function allocations usually are free of any other side effects, but
this is not the case for allocations performed while the underlying
FunctionExecutable is still a singleton (as this allogation will fire
watchpoints invalidating code that depends on it being a singleton).
As the object allocation sinking phase assumes object allocation is
free of side-effects, sinking these allocations is not correct.

This also means that when materializing a function allocation on OSR
exit, that function's executable will never be a singleton, and we don't have
to worry about its watchpoint, allowing us to use
JSFunction::createWithInvalidatedRellocationWatchpoint instead of
JSFunction::create.

  • dfg/DFGObjectAllocationSinkingPhase.cpp:

(JSC::DFG::ObjectAllocationSinkingPhase::handleNode):

  • ftl/FTLOperations.cpp:

(JSC::FTL::operationMaterializeObjectInOSR):

Location:
trunk/Source/JavaScriptCore
Files:
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r183659 r183691  
     12015-05-01  Basile Clement  <basile_clement@apple.com>
     2
     3        Function allocation sinking shouldn't be performed on singleton functions
     4        https://bugs.webkit.org/show_bug.cgi?id=144166
     5
     6        Reviewed by Geoffrey Garen.
     7
     8        Function allocations usually are free of any other side effects, but
     9        this is not the case for allocations performed while the underlying
     10        FunctionExecutable is still a singleton (as this allogation will fire
     11        watchpoints invalidating code that depends on it being a singleton).
     12        As the object allocation sinking phase assumes object allocation is
     13        free of side-effects, sinking these allocations is not correct.
     14
     15        This also means that when materializing a function allocation on OSR
     16        exit, that function's executable will never be a singleton, and we don't have
     17        to worry about its watchpoint, allowing us to use
     18        JSFunction::createWithInvalidatedRellocationWatchpoint instead of
     19        JSFunction::create.
     20
     21        * dfg/DFGObjectAllocationSinkingPhase.cpp:
     22        (JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
     23        * ftl/FTLOperations.cpp:
     24        (JSC::FTL::operationMaterializeObjectInOSR):
     25
    1262015-04-30  Jon Davis  <jond@apple.com>
    227

  • trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

    r183564 r183691  
    787787
    788788        case NewFunction:
    789             sinkCandidate();
     789            if (!node->castOperand<FunctionExecutable*>()->singletonFunction()->isStillValid())
     790                sinkCandidate();
    790791            m_graph.doToChildren(
    791792                node,

  • trunk/Source/JavaScriptCore/ftl/FTLOperations.cpp

    r183235 r183691  
    107107        RELEASE_ASSERT(executable && activation);
    108108
    109         JSFunction* result = JSFunction::create(vm, executable, activation);
     109        JSFunction* result = JSFunction::createWithInvalidatedReallocationWatchpoint(vm, executable, activation);
    110110
    111111        return result;
Note: See TracChangeset for help on using the changeset viewer.