Changeset 220783 in webkit


Timestamp:
Aug 15, 2017 7:49:04 PM (7 years ago)
Author:
commit-queue@webkit.org
Message:

We are too conservative about the effects of PushWithScope
https://bugs.webkit.org/show_bug.cgi?id=175584

Patch by Robin Morisset <rmorisset@apple.com> on 2017-08-15
Reviewed by Saam Barati.

PushWithScope converts its argument to an object (this can throw a type error,
but has no other observable effect), and allocates a new scope, that it then
makes the new current scope. We were a bit too
conservative in saying that it clobbers the world.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

  • dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

Location:
trunk/Source/JavaScriptCore
Files:
4 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r220782 r220783  
     12017-08-15  Robin Morisset  <rmorisset@apple.com>
     2
     3        We are too conservative about the effects of PushWithScope
     4        https://bugs.webkit.org/show_bug.cgi?id=175584
     5
     6        Reviewed by Saam Barati.
     7
     8        PushWithScope converts its argument to an object (this can throw a type error,
     9        but has no other observable effect), and allocates a new scope, that it then
     10        makes the new current scope. We were a bit too
     11        conservative in saying that it clobbers the world.
     12
     13        * dfg/DFGAbstractInterpreterInlines.h:
     14        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
     15        * dfg/DFGClobberize.h:
     16        (JSC::DFG::clobberize):
     17        * dfg/DFGDoesGC.cpp:
     18        (JSC::DFG::doesGC):
     19
    1202017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
    221
  • trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

    r220735 r220783  
    20652065
    20662066    case PushWithScope:
    2067         clobberWorld(node->origin.semantic, clobberLimit);
    2068 
    20692067        // We don't use the more precise withScopeStructure() here because it is a LazyProperty and may not yet be allocated.
    20702068        forNode(node).setType(m_graph, SpecObjectOther);
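Review bot: Dropping `clobberWorld(node->origin.semantic, clobberLimit);` at old line 2067 leaves the `PushWithScope` case with only the `setType(m_graph, SpecObjectOther)` result, so the abstract interpreter no longer invalidates anything it has proven about the heap when a `with` scope is entered, and the reason this is sound (the argument conversion can throw a type error but has no other observable effect) appears only in the ChangeLog. Put a short comment stating that assumption in the case itself, next to the existing withScopeStructure() comment, and add a regression test to the patch: the changeset edits four files under trunk/Source/JavaScriptCore and none of them is a test.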
  • trunk/Source/JavaScriptCore/dfg/DFGClobberize.h

    r220735 r220783  
    472472        return;
    473473
     474    case PushWithScope: {
     475        read(World);
     476        write(HeapObjectCount);
     477        return;
     478    }
     479
    474480    case CreateActivation: {
    475481        SymbolTable* table = node->castOperand<SymbolTable*>();
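Review bot: The new `case PushWithScope:` at new lines 474-478 declares `read(World)` and `write(HeapObjectCount)` with no comment explaining why the write set can be that narrow. Since other phases trust this declaration when deciding what may be hoisted or eliminated around the node, document at the case that the only write modelled is the allocation of the new scope object and that the argument conversion is assumed to have no effect beyond possibly throwing, so a later change to that conversion is checked against this case.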
     
    606612    case ResolveScopeForHoistingFuncDeclInEval:
    607613    case ResolveScope:
    608     case PushWithScope:
    609614        read(World);
    610615        write(Heap);
  • trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

    r220735 r220783  
    281281    case AtomicsXor:
    282282    case AtomicsIsLockFree:
     283        return false;
     284
    283285    case PushWithScope:
    284         return false;
    285 
    286286    case CreateActivation:
    287287    case CreateDirectArguments:
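Review bot: This hunk goes in the opposite direction from the commit title. `case PushWithScope:` loses its own `return false;` (old line 284) and at new line 285 now falls through into the group that starts with `case CreateActivation:`, whose return statement is outside the visible context. The ChangeLog entry lists `(JSC::DFG::doesGC)` but describes only a relaxation, so say explicitly in the ChangeLog that doesGC is being corrected because the node allocates a new scope, and confirm that the group it joins returns the intended value.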