Changeset 53341 in webkit

Timestamp:

Jan 15, 2010 12:48:52 PM (14 years ago)

Author:

ggaren@apple.com

Message:

2010-01-14 Geoffrey Garen <​ggaren@apple.com>

Reviewed by Oliver Hunt.

REGRESISON: Google maps buttons not working properly
​https://bugs.webkit.org/show_bug.cgi?id=31871

REGRESSION(r52948): JavaScript exceptions thrown on Google Maps when
getting directions for a second time
​https://bugs.webkit.org/show_bug.cgi?id=33446

SunSpider and v8 report no change.

• interpreter/Interpreter.cpp: (JSC::Interpreter::tryCacheGetByID): Update our cached offset in case flattening the dictionary changed any of its offsets.

• jit/JITStubs.cpp: (JSC::JITThunks::tryCacheGetByID): (JSC::DEFINE_STUB_FUNCTION):
• runtime/Operations.h: (JSC::normalizePrototypeChain): ditto

2010-01-15 Geoffrey Garen <​ggaren@apple.com>

Reviewed by Oliver Hunt.

REGRESISON: Google maps buttons not working properly
​https://bugs.webkit.org/show_bug.cgi?id=31871

REGRESSION(r52948): JavaScript exceptions thrown on Google Maps when
getting directions for a second time
​https://bugs.webkit.org/show_bug.cgi?id=33446

Added a test for these bugs.

• fast/js/pic/undictionary-expected.txt: Added.
• fast/js/pic/undictionary.html: Added.

Location:

trunk

Files:

• JavaScriptCore/ChangeLog (modified) (1 diff)
• JavaScriptCore/interpreter/Interpreter.cpp (modified) (4 diffs)
• JavaScriptCore/jit/JITStubs.cpp (modified) (7 diffs)
• JavaScriptCore/runtime/Operations.h (modified) (2 diffs)
• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/pic/undictionary-expected.txt (added)
• LayoutTests/fast/js/pic/undictionary.html (added)

trunk/JavaScriptCore/ChangeLog

@@ +1 @@
+2010-01-14  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        REGRESISON: Google maps buttons not working properly
+        https://bugs.webkit.org/show_bug.cgi?id=31871
+
+        REGRESSION(r52948): JavaScript exceptions thrown on Google Maps when
+        getting directions for a second time
+        https://bugs.webkit.org/show_bug.cgi?id=33446
+        
+        SunSpider and v8 report no change.
+
+        * interpreter/Interpreter.cpp:
+        (JSC::Interpreter::tryCacheGetByID): Update our cached offset in case
+        flattening the dictionary changed any of its offsets.
+
+        * jit/JITStubs.cpp:
+        (JSC::JITThunks::tryCacheGetByID):
+        (JSC::DEFINE_STUB_FUNCTION):
+        * runtime/Operations.h:
+        (JSC::normalizePrototypeChain): ditto
+
 2010-01-14  Gavin Barraclough  <barraclough@apple.com>
 

trunk/JavaScriptCore/interpreter/Interpreter.cpp

@@ -1045 +1045 @@
 
         JSObject* baseObject = asObject(slot.slotBase());
+        size_t offset = slot.cachedOffset();
 
         // Since we're accessing a prototype in a loop, it's a good bet that it
         // should not be treated as a dictionary.
-        if (baseObject->structure()->isDictionary())
+        if (baseObject->structure()->isDictionary()) {
             baseObject->flattenDictionaryObject();
+            offset = baseObject->structure()->get(propertyName);
+        }
 
         ASSERT(!baseObject->structure()->isUncacheableDictionary());
@@ -1055 +1058 @@
         vPC[0] = getOpcode(op_get_by_id_proto);
         vPC[5] = baseObject->structure();
-        vPC[6] = slot.cachedOffset();
+        vPC[6] = offset;
 
         codeBlock->refStructures(vPC);
@@ -1061 +1064 @@
     }
 
-    size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase());
+    size_t offset = slot.cachedOffset();
+    size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase(), propertyName, offset);
     if (!count) {
         vPC[0] = getOpcode(op_get_by_id_generic);
@@ -1071 +1075 @@
     vPC[5] = structure->prototypeChain(callFrame);
     vPC[6] = count;
-    vPC[7] = slot.cachedOffset();
+    vPC[7] = offset;
     codeBlock->refStructures(vPC);
 }

trunk/JavaScriptCore/jit/JITStubs.cpp

@@ -890 +890 @@
 
         JSObject* slotBaseObject = asObject(slot.slotBase());
-
+        size_t offset = slot.cachedOffset();
+        
         // Since we're accessing a prototype in a loop, it's a good bet that it
         // should not be treated as a dictionary.
-        if (slotBaseObject->structure()->isDictionary())
+        if (slotBaseObject->structure()->isDictionary()) {
             slotBaseObject->flattenDictionaryObject();
+            offset = slotBaseObject->structure()->get(propertyName);
+        }
         
         stubInfo->initGetByIdProto(structure, slotBaseObject->structure());
@@ -900 +903 @@
         ASSERT(!structure->isDictionary());
         ASSERT(!slotBaseObject->structure()->isDictionary());
-        JIT::compileGetByIdProto(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, slotBaseObject->structure(), slot.cachedOffset(), returnAddress);
+        JIT::compileGetByIdProto(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, slotBaseObject->structure(), offset, returnAddress);
         return;
     }
 
-    size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase());
+    size_t offset = slot.cachedOffset();
+    size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase(), propertyName, offset);
     if (!count) {
         stubInfo->accessType = access_get_by_id_generic;
@@ -912 +916 @@
     StructureChain* prototypeChain = structure->prototypeChain(callFrame);
     stubInfo->initGetByIdChain(structure, prototypeChain);
-    JIT::compileGetByIdChain(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, prototypeChain, count, slot.cachedOffset(), returnAddress);
+    JIT::compileGetByIdChain(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, structure, prototypeChain, count, offset, returnAddress);
 }
 
@@ -1437 +1441 @@
 
     CallFrame* callFrame = stackFrame.callFrame;
+    const Identifier& propertyName = stackFrame.args[1].identifier();
 
     JSValue baseValue = stackFrame.args[0].jsValue();
     PropertySlot slot(baseValue);
-    JSValue result = baseValue.get(callFrame, stackFrame.args[1].identifier(), slot);
+    JSValue result = baseValue.get(callFrame, propertyName, slot);
 
     CHECK_FOR_EXCEPTION();
@@ -1455 +1460 @@
     ASSERT(slot.slotBase().isObject());
     JSObject* slotBaseObject = asObject(slot.slotBase());
+    
+    size_t offset = slot.cachedOffset();
 
     if (slot.slotBase() == baseValue)
@@ -1462 +1469 @@
         // Since we're accessing a prototype in a loop, it's a good bet that it
         // should not be treated as a dictionary.
-        if (slotBaseObject->structure()->isDictionary())
+        if (slotBaseObject->structure()->isDictionary()) {
             slotBaseObject->flattenDictionaryObject();
+            offset = slotBaseObject->structure()->get(propertyName);
+        }
 
         int listIndex;
         PolymorphicAccessStructureList* prototypeStructureList = getPolymorphicAccessStructureListSlot(stubInfo, listIndex);
 
-        JIT::compileGetByIdProtoList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, slotBaseObject->structure(), slot.cachedOffset());
+        JIT::compileGetByIdProtoList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, slotBaseObject->structure(), offset);
 
         if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))
             ctiPatchCallByReturnAddress(codeBlock, STUB_RETURN_ADDRESS, FunctionPtr(cti_op_get_by_id_proto_list_full));
-    } else if (size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase())) {
+    } else if (size_t count = normalizePrototypeChain(callFrame, baseValue, slot.slotBase(), propertyName, offset)) {
         ASSERT(!asCell(baseValue)->structure()->isDictionary());
         int listIndex;
@@ -1478 +1487 @@
 
         StructureChain* protoChain = structure->prototypeChain(callFrame);
-        JIT::compileGetByIdChainList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, protoChain, count, slot.cachedOffset());
+        JIT::compileGetByIdChainList(callFrame->scopeChain()->globalData, callFrame, codeBlock, stubInfo, prototypeStructureList, listIndex, structure, protoChain, count, offset);
 
         if (listIndex == (POLYMORPHIC_LIST_CACHE_SIZE - 1))

trunk/JavaScriptCore/runtime/Operations.h

@@ -340 +340 @@
     }
 
-    inline size_t normalizePrototypeChain(CallFrame* callFrame, JSValue base, JSValue slotBase)
+    inline size_t normalizePrototypeChain(CallFrame* callFrame, JSValue base, JSValue slotBase, const Identifier& propertyName, size_t& slotOffset)
     {
         JSCell* cell = asCell(base);
@@ -358 +358 @@
             // Since we're accessing a prototype in a loop, it's a good bet that it
             // should not be treated as a dictionary.
-            if (cell->structure()->isDictionary())
+            if (cell->structure()->isDictionary()) {
                 asObject(cell)->flattenDictionaryObject();
+                if (slotBase == cell)
+                    slotOffset = cell->structure()->get(propertyName); 
+            }
 
             ++count;

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2010-01-15  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed by Oliver Hunt.
+
+        REGRESISON: Google maps buttons not working properly
+        https://bugs.webkit.org/show_bug.cgi?id=31871
+
+        REGRESSION(r52948): JavaScript exceptions thrown on Google Maps when
+        getting directions for a second time
+        https://bugs.webkit.org/show_bug.cgi?id=33446
+        
+        Added a test for these bugs.
+
+        * fast/js/pic/undictionary-expected.txt: Added.
+        * fast/js/pic/undictionary.html: Added.
+
 2010-01-15  Ojan Vafai  <ojan@chromium.org>