Changeset 238510 in webkit


Timestamp:
Nov 26, 2018 12:14:41 PM (5 years ago)
Author:
sbarati@apple.com
Message:

Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
https://bugs.webkit.org/show_bug.cgi?id=191958
<rdar://problem/46221877>

Reviewed by Yusuke Suzuki.

JSTests:

  • stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.

(x):
(foo):

Source/JavaScriptCore:

There may be more entries in an activation than unique variables
in a symbol table's hashmap. For example, if you have two parameters
to a function, and they both are the same name, and the function
uses eval, we'll end up with two scope slots, but only a single
entry in the hashmap in the symbol table. Object allocation sinking
phase was previously iterating over the hashmap, assuming these
values were equivalent. This is wrong in the above case. Instead,
we need to iterate over each scope offset.

  • dfg/DFGObjectAllocationSinkingPhase.cpp:
  • runtime/GenericOffset.h:

(JSC::GenericOffset::operator+=):
(JSC::GenericOffset::operator-=):

Location:
trunk
Files:
1 added
4 edited

  • trunk/JSTests/ChangeLog

    r238509 r238510  
     12018-11-26  Saam barati  <sbarati@apple.com>
     2
     3        Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
     4        https://bugs.webkit.org/show_bug.cgi?id=191958
     5        <rdar://problem/46221877>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.
     10        (x):
     11        (foo):
     12
    1132018-11-26  Mark Lam  <mark.lam@apple.com>
    214
  • trunk/Source/JavaScriptCore/ChangeLog

    r238509 r238510  
     12018-11-26  Saam barati  <sbarati@apple.com>
     2
     3        Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
     4        https://bugs.webkit.org/show_bug.cgi?id=191958
     5        <rdar://problem/46221877>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        There may be more entries in an activation than unique variables
     10        in a symbol table's hashmap. For example, if you have two parameters
     11        to a function, and they both are the same name, and the function
     12        uses eval, we'll end up with two scope slots, but only a single
     13        entry in the hashmap in the symbol table. Object allocation sinking
     14        phase was previously iterating over the hashmap, assuming these
     15        values were equivalent. This is wrong in the above case. Instead,
     16        we need to iterate over each scope offset.
     17
     18        * dfg/DFGObjectAllocationSinkingPhase.cpp:
     19        * runtime/GenericOffset.h:
     20        (JSC::GenericOffset::operator+=):
     21        (JSC::GenericOffset::operator-=):
     22
    1232018-11-26  Mark Lam  <mark.lam@apple.com>
    224
  • trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

    r234086 r238510  
    878878            {
    879879                SymbolTable* symbolTable = node->castOperand<SymbolTable*>();
    880                 ConcurrentJSLocker locker(symbolTable->m_lock);
    881880                LazyNode initialValue(m_graph.freeze(node->initializationValueForActivation()));
    882                 for (auto iter = symbolTable->begin(locker), end = symbolTable->end(locker); iter != end; ++iter) {
     881                for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1) {
    883882                    writes.add(
    884                         PromotedLocationDescriptor(ClosureVarPLoc, iter->value.scopeOffset().offset()),
     883                        PromotedLocationDescriptor(ClosureVarPLoc, offset.offset()),
    885884                        initialValue);
    886885                }
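Review bot: the new inclusive bound `offset <= symbolTable->maxScopeOffset()` needs a guard for a symbol table with no scope slots, i.e. when maxScopeOffset() is not a valid offset; with a zero-based start and an inclusive comparison, an invalid sentinel value would not stop the loop, so either a CreateActivation's symbol table is guaranteed at least one scope offset here (worth an ASSERT) or an explicit early-out belongs before the `for`. Dropping `ConcurrentJSLocker locker(symbolTable->m_lock);` is consistent with no longer walking the hashmap, but please confirm maxScopeOffset() is safe to read without the lock at this point in compilation. A one-line comment above the loop stating why every scope offset must be written (duplicate parameter names under eval give several slots for one hashmap entry, per the ChangeLog) would keep the rationale next to the code.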
  • trunk/Source/JavaScriptCore/runtime/GenericOffset.h

    r206525 r238510  
    9696    T& operator+=(int value)
    9797    {
    98         return *this = *this + value;
     98        return *static_cast<T*>(this) = *this + value;
    9999    }
    100100    T& operator-=(int value)
    101101    {
    102         return *this = *this - value;
     102        return *static_cast<T*>(this) = *this - value;
    103103    }
    104104   
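Review bot: the `static_cast<T*>(this)` is a correctness fix, not a style change, and deserves a comment saying so: `*this` is a `GenericOffset<T>`, so the old `return *this = *this + value;` assigned the `T` produced by `operator+` into the base subobject and then tried to return a `GenericOffset<T>&` as `T&`, which should fail to compile once the operator is actually instantiated (the new `offset += 1` loop in DFGObjectAllocationSinkingPhase.cpp is that first instantiation). A short comment naming the CRTP downcast in both `operator+=` and `operator-=` would help the next reader, and a `static_assert` that `T` derives from `GenericOffset<T>` would make the cast's precondition explicit.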