[webkit-changes] [WebKit/WebKit] 34e32f: [JSC] Bound function should propagate tail-call in...

Yusuke Suzuki noreply at github.com
Thu Feb 23 01:06:04 PST 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 34e32f7614d691d6bf29ac7e30678728e052cc07
      https://github.com/WebKit/WebKit/commit/34e32f7614d691d6bf29ac7e30678728e052cc07
  Author: Yusuke Suzuki <ysuzuki at apple.com>
  Date:   2023-02-23 (Thu, 23 Feb 2023)

  Changed paths:
    A JSTests/stress/bound-function-tail-call.js
    M Source/JavaScriptCore/bytecode/InlineCallFrame.cpp
    M Source/JavaScriptCore/bytecode/InlineCallFrame.h
    M Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
    M Source/JavaScriptCore/runtime/JSBoundFunction.cpp

  Log Message:
  -----------
  [JSC] Bound function should propagate tail-call information
https://bugs.webkit.org/show_bug.cgi?id=252726
rdar://105763999

Reviewed by Justin Michaud.

When bound function is called in a tail-call form and DFG inlines it,
we should make it a bound-function-tail-call. Otherwise, when reconstructing
frames on OSR exit, we accidentally compute the wrong frame (bound function's return place gets its frame
while it is doing a tail-call).
The attached program is doing,

    entry -call-> test4 -tail-call-> test3 -tail-call-> bound function -call-> test2 (OSR exit)

And DFG wipes bound function and make it,

    entry -call-> test4 -tail-call-> test3 -bound-function-tail-call-> test2
                  [              one DFG function                           ]

Then, the reconstructed frame on OSR exit should be

    entry -call-> test2

since test2 should return to entry (test4, test3 are tail calls, and bound function is completely inlined and diminished).

We also fix bound function's construct's newTarget compuation (which caused test262 failures).

* JSTests/stress/bound-function-tail-call.js: Added.
(shouldBe):
(entry.test):
(entry.test2):
(entry.test3):
(entry.test4):
(entry):
* Source/JavaScriptCore/bytecode/InlineCallFrame.cpp:
(WTF::printInternal):
* Source/JavaScriptCore/bytecode/InlineCallFrame.h:
(JSC::InlineCallFrame::callModeFor):
(JSC::InlineCallFrame::specializationKindFor):
(JSC::InlineCallFrame::isTail):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::inlineCall):
(JSC::DFG::ByteCodeParser::handleIntrinsicCall):
* Source/JavaScriptCore/runtime/JSBoundFunction.cpp:
(JSC::JSC_DEFINE_HOST_FUNCTION):

Canonical link: https://commits.webkit.org/260733@main

More information about the webkit-changes mailing list