Changeset 238510 in webkit
- Timestamp:
- Nov 26, 2018 12:14:41 PM (5 years ago)
- Location:
- trunk
- Files:
-
- 1 added
- 4 edited
Legend:
- Unmodified
- Added
- Removed
-
trunk/JSTests/ChangeLog
r238509 r238510 1 2018-11-26 Saam barati <sbarati@apple.com> 2 3 Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation 4 https://bugs.webkit.org/show_bug.cgi?id=191958 5 <rdar://problem/46221877> 6 7 Reviewed by Yusuke Suzuki. 8 9 * stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added. 10 (x): 11 (foo): 12 1 13 2018-11-26 Mark Lam <mark.lam@apple.com> 2 14 -
trunk/Source/JavaScriptCore/ChangeLog
r238509 r238510 1 2018-11-26 Saam barati <sbarati@apple.com> 2 3 Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation 4 https://bugs.webkit.org/show_bug.cgi?id=191958 5 <rdar://problem/46221877> 6 7 Reviewed by Yusuke Suzuki. 8 9 There may be more entries in an activation than unique variables 10 in a symbol table's hashmap. For example, if you have two parameters 11 to a function, and they both are the same name, and the function 12 uses eval, we'll end up with two scope slots, but only a single 13 entry in the hashmap in the symbol table. Object allocation sinking 14 phase was previously iterating over the hashmap, assuming these 15 values were equivalent. This is wrong in the above case. Instead, 16 we need to iterate over each scope offset. 17 18 * dfg/DFGObjectAllocationSinkingPhase.cpp: 19 * runtime/GenericOffset.h: 20 (JSC::GenericOffset::operator+=): 21 (JSC::GenericOffset::operator-=): 22 1 23 2018-11-26 Mark Lam <mark.lam@apple.com> 2 24 -
trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
r234086 r238510 878 878 { 879 879 SymbolTable* symbolTable = node->castOperand<SymbolTable*>(); 880 ConcurrentJSLocker locker(symbolTable->m_lock);881 880 LazyNode initialValue(m_graph.freeze(node->initializationValueForActivation())); 882 for ( auto iter = symbolTable->begin(locker), end = symbolTable->end(locker); iter != end; ++iter) {881 for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1) { 883 882 writes.add( 884 PromotedLocationDescriptor(ClosureVarPLoc, iter->value.scopeOffset().offset()),883 PromotedLocationDescriptor(ClosureVarPLoc, offset.offset()), 885 884 initialValue); 886 885 } -
trunk/Source/JavaScriptCore/runtime/GenericOffset.h
r206525 r238510 96 96 T& operator+=(int value) 97 97 { 98 return * this= *this + value;98 return *static_cast<T*>(this) = *this + value; 99 99 } 100 100 T& operator-=(int value) 101 101 { 102 return * this= *this - value;102 return *static_cast<T*>(this) = *this - value; 103 103 } 104 104
Note: See TracChangeset
for help on using the changeset viewer.