Changeset 90875 in webkit
- Timestamp:
- Jul 12, 2011 5:53:17 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 8 edited
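--- a/trunk/LayoutTests/ChangeLog
+++ b/trunk/LayoutTests/ChangeLog
@@ -1,2 +1,14 @@
+2011-07-12 Oliver Hunt <oliver@apple.com>
+
+Overzealous type validation in method_check
+https://bugs.webkit.org/show_bug.cgi?id=64415
+
+Reviewed by Gavin Barraclough.
+
+Make sure we don't trip any assertions when caching access
+to an InternalFunction
+
+* fast/js/script-tests/method-check.js:
+
 2011-07-12 Joseph Pecoraro <joepeck@webkit.org>
 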
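--- a/trunk/LayoutTests/fast/js/script-tests/method-check.js
+++ b/trunk/LayoutTests/fast/js/script-tests/method-check.js
@@ -54,3 +54,7 @@
 shouldBe('total', '200');
 
+// Check that we don't assert when method_check is applied to a non-JSFunction
+for (var i = 0; i < 10000; i++)
+Array.constructor(1);
+
 var successfullyParsed = true;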
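--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,26 @@
+2011-07-12 Oliver Hunt <oliver@apple.com>
+
+Overzealous type validation in method_check
+https://bugs.webkit.org/show_bug.cgi?id=64415
+
+Reviewed by Gavin Barraclough.
+
+method_check is essentially just a value look up
+optimisation, but it internally stores the value
+as a JSFunction, even though it never relies on
+this fact. Under GC validation however we end up
+trying to enforce that assumption. The fix is
+simply to store the value as a correct supertype.
+
+* bytecode/CodeBlock.h:
+* dfg/DFGRepatch.cpp:
+(JSC::DFG::dfgRepatchGetMethodFast):
+(JSC::DFG::tryCacheGetMethod):
+* jit/JIT.h:
+* jit/JITPropertyAccess.cpp:
+(JSC::JIT::patchMethodCallProto):
+* jit/JITStubs.cpp:
+(JSC::DEFINE_STUB_FUNCTION):
+
 2011-07-12 Filip Pizlo <fpizlo@apple.com>
 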
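--- a/trunk/Source/JavaScriptCore/bytecode/CodeBlock.h
+++ b/trunk/Source/JavaScriptCore/bytecode/CodeBlock.h
@@ -147,5 +147,7 @@
 JITWriteBarrier<Structure> cachedStructure;
 JITWriteBarrier<Structure> cachedPrototypeStructure;
-JITWriteBarrier<JSFunction> cachedFunction;
+// We'd like this to actually be JSFunction, but InternalFunction and JSFunction
+// don't have a common parent class and we allow specialisation on both
+JITWriteBarrier<JSObjectWithGlobalObject> cachedFunction;
 JITWriteBarrier<JSObject> cachedPrototype;
 bool seen;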
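Review bot: The new comment says InternalFunction and JSFunction "don't have a common parent class", which the very next line contradicts by storing both behind a `JITWriteBarrier<JSObjectWithGlobalObject>`. What is actually missing is a shared base closer than that, and that is what a reader checking the cast sites needs to know. I would write `// We'd like this to be JSFunction, but InternalFunction and JSFunction share no base class closer than JSObjectWithGlobalObject, and method_check may cache either.` The enclosing struct starts and ends outside the hunk.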
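--- a/trunk/Source/JavaScriptCore/dfg/DFGRepatch.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGRepatch.cpp
@@ -162,5 +162,5 @@
 }
 
-static void dfgRepatchGetMethodFast(JSGlobalData* globalData, CodeBlock* codeBlock, MethodCallLinkInfo& methodInfo, JS Function* callee, Structure* structure, JSObject* slotBaseObject)
+static void dfgRepatchGetMethodFast(JSGlobalData* globalData, CodeBlock* codeBlock, MethodCallLinkInfo& methodInfo, JSObjectWithGlobalObject* callee, Structure* structure, JSObject* slotBaseObject)
 {
 ScriptExecutable* owner = codeBlock->ownerExecutable();
@@ -191,5 +191,5 @@
 && specific) {
 
-JS Function* callee = (JSFunction*)specific;
+JSObjectWithGlobalObject* callee = (JSObjectWithGlobalObject*)specific;
 
 // Since we're accessing a prototype in a loop, it's a good bet that it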
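Review bot: The new line `JSObjectWithGlobalObject* callee = (JSObjectWithGlobalObject*)specific;` in the second hunk still commits the cache to a type through an unchecked C-style cast, and the identical line appears in the JITStubs.cpp hunk. Whether `specific` really is a JSObjectWithGlobalObject is decided by the condition that opens above the hunk, so the cast is the natural place to pin that invariant in debug builds; the cached cell is presumably what the method-call fast path later trusts, so a wrong type here would be a type confusion rather than a harmless cache miss. I would write it as `JSObjectWithGlobalObject* callee = static_cast<JSObjectWithGlobalObject*>(specific);` preceded by an ASSERT that the cell is of that type (`ASSERT(specific->inherits(&JSObjectWithGlobalObject::s_info));` if the class exposes the usual s_info). Both enclosing functions, dfgRepatchGetMethodFast and tryCacheGetMethod, continue outside the hunks.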
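--- a/trunk/Source/JavaScriptCore/jit/JIT.h
+++ b/trunk/Source/JavaScriptCore/jit/JIT.h
@@ -239,5 +239,5 @@
 static void patchGetByIdSelf(CodeBlock* codeblock, StructureStubInfo*, Structure*, size_t cachedOffset, ReturnAddressPtr returnAddress);
 static void patchPutByIdReplace(CodeBlock* codeblock, StructureStubInfo*, Structure*, size_t cachedOffset, ReturnAddressPtr returnAddress, bool direct);
-static void patchMethodCallProto(JSGlobalData&, CodeBlock* codeblock, MethodCallLinkInfo&, JS Function*, Structure*, JSObject*, ReturnAddressPtr);
+static void patchMethodCallProto(JSGlobalData&, CodeBlock* codeblock, MethodCallLinkInfo&, JSObjectWithGlobalObject*, Structure*, JSObject*, ReturnAddressPtr);
 
 static void compilePatchGetArrayLength(JSGlobalData* globalData, CodeBlock* codeBlock, ReturnAddressPtr returnAddress)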
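--- a/trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
+++ b/trunk/Source/JavaScriptCore/jit/JITPropertyAccess.cpp
@@ -1037,5 +1037,5 @@
 }
 
-void JIT::patchMethodCallProto(JSGlobalData& globalData, CodeBlock* codeBlock, MethodCallLinkInfo& methodCallLinkInfo, JS Function* callee, Structure* structure, JSObject* proto, ReturnAddressPtr returnAddress)
+void JIT::patchMethodCallProto(JSGlobalData& globalData, CodeBlock* codeBlock, MethodCallLinkInfo& methodCallLinkInfo, JSObjectWithGlobalObject* callee, Structure* structure, JSObject* proto, ReturnAddressPtr returnAddress)
 {
 RepatchBuffer repatchBuffer(codeBlock);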
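--- a/trunk/Source/JavaScriptCore/jit/JITStubs.cpp
+++ b/trunk/Source/JavaScriptCore/jit/JITStubs.cpp
@@ -1530,5 +1530,5 @@
 ) {
 
-JS Function* callee = (JSFunction*)specific;
+JSObjectWithGlobalObject* callee = (JSObjectWithGlobalObject*)specific;
 
 // Since we're accessing a prototype in a loop, it's a good bet that it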