<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[209638] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/209638">209638</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2016-12-09 17:22:15 -0800 (Fri, 09 Dec 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>GC might be forced to look at a nuked object due to ordering of AllocatePropertyStorage, MaterializeNewObject, and PutStructure
https://bugs.webkit.org/show_bug.cgi?id=165672

Reviewed by Geoffrey Garen.
        
We need to make sure that the shady stuff in a property put happens after the
PutByOffset, since the PutByOffset is the place where we materialize. More generally, we
should strive to not have any fenceposts between Nodes where a GC would be illegal.
        
This gets us most of the way there by separating NukeStructureAndSetButterfly from
[Re]AllocatePropertyStorage. A transitioning put will now look something like:
        
    GetButterfly
    ReallocatePropertyStorage
    PutByOffset
    NukeStructureAndSetButterfly
    PutStructure
        
Previously the structure would get nuked by ReallocatePropertyStorage, so if we placed
an object materialization just after it (before the PutByOffset) then any GC that
completed at that safepoint would encounter an unresolved visit race due to seeing a
nuked structure. We cannot have nuked structures at safepoints, and this change makes
sure that we don't - at least until someone tries to sink to the PutStructure. We will
eventually have to create a combined SetStructureAndButterfly node, but we don't need it
yet.
        
This also fixes a goof where the DFG's AllocatePropertyStorage was nulling the structure
instead of nuking it. This could easily have caused many crashes in GC.
        
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handlePutById):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGClobbersExitState.cpp:
(JSC::DFG::clobbersExitState):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGMayExit.cpp:
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
(JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGStoreBarrierInsertionPhase.cpp:
* dfg/DFGTypeCheckHoistingPhase.cpp:
(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileNukeStructureAndSetButterfly):
(JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
(JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
* runtime/Options.cpp:
(JSC::recomputeDependentOptions):
* runtime/Options.h: Fix a bug - make it possible to turn on concurrent GC optionally again.</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobbersExitStatecpp">trunk/Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGDoesGCcpp">trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFixupPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGMayExitcpp">trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGNodeTypeh">trunk/Source/JavaScriptCore/dfg/DFGNodeType.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationscpp">trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOperationsh">trunk/Source/JavaScriptCore/dfg/DFGOperations.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSafeToExecuteh">trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITh">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGStoreBarrierInsertionPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGTypeCheckHoistingPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp">trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeOptionscpp">trunk/Source/JavaScriptCore/runtime/Options.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreruntimeOptionsh">trunk/Source/JavaScriptCore/runtime/Options.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -1,3 +1,80 @@
</span><ins>+2016-12-09  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        GC might be forced to look at a nuked object due to ordering of AllocatePropertyStorage, MaterializeNewObject, and PutStructure
+        https://bugs.webkit.org/show_bug.cgi?id=165672
+
+        Reviewed by Geoffrey Garen.
+        
+        We need to make sure that the shady stuff in a property put happens after the
+        PutByOffset, since the PutByOffset is the place where we materialize. More generally, we
+        should strive to not have any fenceposts between Nodes where a GC would be illegal.
+        
+        This gets us most of the way there by separating NukeStructureAndSetButterfly from
+        [Re]AllocatePropertyStorage. A transitioning put will now look something like:
+        
+            GetButterfly
+            ReallocatePropertyStorage
+            PutByOffset
+            NukeStructureAndSetButterfly
+            PutStructure
+        
+        Previously the structure would get nuked by ReallocatePropertyStorage, so if we placed
+        an object materialization just after it (before the PutByOffset) then any GC that
+        completed at that safepoint would encounter an unresolved visit race due to seeing a
+        nuked structure. We cannot have nuked structures at safepoints, and this change makes
+        sure that we don't - at least until someone tries to sink to the PutStructure. We will
+        eventually have to create a combined SetStructureAndButterfly node, but we don't need it
+        yet.
+        
+        This also fixes a goof where the DFG's AllocatePropertyStorage was nulling the structure
+        instead of nuking it. This could easily have caused many crashes in GC.
+        
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handlePutById):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGClobbersExitState.cpp:
+        (JSC::DFG::clobbersExitState):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::emitPutByOffset):
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGMayExit.cpp:
+        * dfg/DFGNodeType.h:
+        * dfg/DFGOperations.cpp:
+        * dfg/DFGOperations.h:
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        * dfg/DFGSafeToExecute.h:
+        (JSC::DFG::safeToExecute):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
+        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGStoreBarrierInsertionPhase.cpp:
+        * dfg/DFGTypeCheckHoistingPhase.cpp:
+        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
+        (JSC::FTL::DFG::LowerDFGToB3::compileNukeStructureAndSetButterfly):
+        (JSC::FTL::DFG::LowerDFGToB3::storageForTransition):
+        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorage):
+        (JSC::FTL::DFG::LowerDFGToB3::reallocatePropertyStorage):
+        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
+        * runtime/Options.cpp:
+        (JSC::recomputeDependentOptions):
+        * runtime/Options.h: Fix a bug - make it possible to turn on concurrent GC optionally again.
+
</ins><span class="cx"> 2016-12-09  Chris Dumez  &lt;cdumez@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Inline JSCell::toObject()
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -2309,6 +2309,7 @@
</span><span class="cx">     case GetButterfly:
</span><span class="cx">     case AllocatePropertyStorage:
</span><span class="cx">     case ReallocatePropertyStorage:
</span><ins>+    case NukeStructureAndSetButterfly:
</ins><span class="cx">         // FIXME: We don't model the fact that the structureID is nuked, simply because currently
</span><span class="cx">         // nobody would currently benefit from having that information. But it's a bug nonetheless.
</span><span class="cx">         forNode(node).clear(); // The result is not a JS value.
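Review bot: the abstract interpreter still does not record that child1's structure ID is nuked between NukeStructureAndSetButterfly and the following PutStructure, so the FIXME above now applies to this node as well and should name it. Since the node has no result (NodeMustGenerate without NodeResultStorage in DFGNodeType.h), `forNode(node).clear()` is harmless, but any structure-set query on child1 in that window is answered with the pre-transition structure; worth a one-line comment saying the window is intentionally left unmodelled.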
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -3594,6 +3594,13 @@
</span><span class="cx">         data-&gt;inferredType = variant.requiredType();
</span><span class="cx">         m_graph.registerInferredType(data-&gt;inferredType);
</span><span class="cx">         
</span><ins>+        // NOTE: We could GC at this point because someone could insert an operation that GCs.
+        // That's fine because:
+        // - Things already in the structure will get scanned because we haven't messed with
+        //   the object yet.
+        // - The value we are fixing to put is going to be kept live by OSR exit handling. So
+        //   if the GC does a conservative scan here it will see the new value.
+        
</ins><span class="cx">         addToGraph(
</span><span class="cx">             PutByOffset,
</span><span class="cx">             OpInfo(data),
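Review bot: the comment's liveness argument covers the put value but not the freshly allocated butterfly, which between [Re]AllocatePropertyStorage and NukeStructureAndSetButterfly is reachable only from the node result rather than from the object; state explicitly what keeps it alive across a GC inserted here (presumably conservative scanning of the DFG's registers and stack slots), since that is the invariant a later materialization sink must not break. Also "The value we are fixing to put" reads as a typo for "about to put".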
</span><span class="lines">@@ -3600,6 +3607,9 @@
</span><span class="cx">             propertyStorage,
</span><span class="cx">             base,
</span><span class="cx">             value);
</span><ins>+        
+        if (variant.reallocatesStorage())
+            addToGraph(NukeStructureAndSetButterfly, base, propertyStorage);
</ins><span class="cx"> 
</span><span class="cx">         // FIXME: PutStructure goes last until we fix either
</span><span class="cx">         // https://bugs.webkit.org/show_bug.cgi?id=142921 or
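Review bot: the correctness of the fix rests on the order PutByOffset, NukeStructureAndSetButterfly, PutStructure, but nothing here says so; add a comment mirroring the sequence from the ChangeLog so the next person who reorders the FIXME'd PutStructure sees the constraint. Also `variant.reallocatesStorage()` must agree with the condition under which `propertyStorage` was produced by an [Re]AllocatePropertyStorage node earlier in handlePutById (not visible in this hunk); if those ever diverge, child2 here would be the base cell rather than a butterfly.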
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -891,7 +891,7 @@
</span><span class="cx">         return;
</span><span class="cx"> 
</span><span class="cx">     case PutStructure:
</span><del>-        read(JSObject_butterfly); // This is a store-store fence.
</del><ins>+        read(JSObject_butterfly);
</ins><span class="cx">         write(JSCell_structureID);
</span><span class="cx">         write(JSCell_typeInfoType);
</span><span class="cx">         write(JSCell_typeInfoFlags);
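Review bot: the "store-store fence" comment was deleted but the `read(JSObject_butterfly)` kept, so the read now looks redundant. Its purpose after this patch is to order PutStructure after NukeStructureAndSetButterfly's `write(JSObject_butterfly)`; replace the comment with that rationale rather than removing it.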
</span><span class="lines">@@ -899,16 +899,15 @@
</span><span class="cx">         return;
</span><span class="cx">         
</span><span class="cx">     case AllocatePropertyStorage:
</span><del>-        write(JSObject_butterfly);
-        write(JSCell_structureID);
-        def(HeapLocation(ButterflyLoc, JSObject_butterfly, node-&gt;child1()), LazyNode(node));
</del><ins>+    case ReallocatePropertyStorage:
+        read(HeapObjectCount);
+        write(HeapObjectCount);
</ins><span class="cx">         return;
</span><span class="cx">         
</span><del>-    case ReallocatePropertyStorage:
-        read(JSObject_butterfly);
</del><ins>+    case NukeStructureAndSetButterfly:
</ins><span class="cx">         write(JSObject_butterfly);
</span><span class="cx">         write(JSCell_structureID);
</span><del>-        def(HeapLocation(ButterflyLoc, JSObject_butterfly, node-&gt;child1()), LazyNode(node));
</del><ins>+        def(HeapLocation(ButterflyLoc, JSObject_butterfly, node-&gt;child1()), LazyNode(node-&gt;child2().node()));
</ins><span class="cx">         return;
</span><span class="cx">         
</span><span class="cx">     case GetButterfly:
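Review bot: the `def(HeapLocation(ButterflyLoc, JSObject_butterfly, node-&gt;child1()), LazyNode(node-&gt;child2().node()))` on NukeStructureAndSetButterfly lets CSE replace a later GetButterfly on the base with the storage node, which is only valid once this node has executed; that is what clobberize guarantees, but a comment would help. ReallocatePropertyStorage also lost its `read(JSObject_butterfly)`; its ordering after the GetButterfly it consumes is now carried solely by the child2 data edge, which is fine as long as the parser and constant-folding paths always feed it a GetButterfly.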
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobbersExitStatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobbersExitState.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -68,6 +68,8 @@
</span><span class="cx">     case CountExecution:
</span><span class="cx">     case StoreBarrier:
</span><span class="cx">     case FencedStoreBarrier:
</span><ins>+    case AllocatePropertyStorage:
+    case ReallocatePropertyStorage:
</ins><span class="cx">         // These do clobber memory, but nothing that is observable. It may be nice to separate the
</span><span class="cx">         // heaps into those that are observable and those that aren't, but we don't do that right now.
</span><span class="cx">         // FIXME: https://bugs.webkit.org/show_bug.cgi?id=148440
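Review bot: classifying AllocatePropertyStorage and ReallocatePropertyStorage as clobbering nothing observable is correct only now that they no longer write the object's butterfly or structure ID (that moved to NukeStructureAndSetButterfly, which is rightly absent from this list). Add a comment stating that dependency so a future change that makes the allocation attach the butterfly again is forced to revisit this switch.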
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGConstantFoldingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -766,6 +766,7 @@
</span><span class="cx"> 
</span><span class="cx">         DFG_ASSERT(m_graph, node, origin.exitOK);
</span><span class="cx">         bool canExit = true;
</span><ins>+        bool didAllocateStorage = false;
</ins><span class="cx"> 
</span><span class="cx">         if (isInlineOffset(variant.offset()))
</span><span class="cx">             propertyStorage = childEdge;
</span><span class="lines">@@ -777,8 +778,9 @@
</span><span class="cx">             ASSERT(!isInlineOffset(variant.offset()));
</span><span class="cx">             Node* allocatePropertyStorage = m_insertionSet.insertNode(
</span><span class="cx">                 indexInBlock, SpecNone, AllocatePropertyStorage,
</span><del>-                origin.takeValidExit(canExit), OpInfo(transition), childEdge);
</del><ins>+                origin, OpInfo(transition), childEdge);
</ins><span class="cx">             propertyStorage = Edge(allocatePropertyStorage);
</span><ins>+            didAllocateStorage = true;
</ins><span class="cx">         } else {
</span><span class="cx">             ASSERT(variant.oldStructureForTransition()-&gt;outOfLineCapacity());
</span><span class="cx">             ASSERT(variant.newStructure()-&gt;outOfLineCapacity() &gt; variant.oldStructureForTransition()-&gt;outOfLineCapacity());
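Review bot: dropping `origin.takeValidExit(canExit)` here means `canExit` stays true all the way to the PutByOffset, which is consistent with the DFGClobbersExitState change; the only remaining use of `canExit` is `node-&gt;origin.exitOK = canExit`, so consider whether the variable still earns its keep or should become a constant with a comment explaining why the allocation no longer invalidates exit state.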
</span><span class="lines">@@ -785,11 +787,12 @@
</span><span class="cx">             ASSERT(!isInlineOffset(variant.offset()));
</span><span class="cx"> 
</span><span class="cx">             Node* reallocatePropertyStorage = m_insertionSet.insertNode(
</span><del>-                indexInBlock, SpecNone, ReallocatePropertyStorage, origin.takeValidExit(canExit),
</del><ins>+                indexInBlock, SpecNone, ReallocatePropertyStorage, origin,
</ins><span class="cx">                 OpInfo(transition), childEdge,
</span><span class="cx">                 Edge(m_insertionSet.insertNode(
</span><span class="cx">                     indexInBlock, SpecNone, GetButterfly, origin, childEdge)));
</span><span class="cx">             propertyStorage = Edge(reallocatePropertyStorage);
</span><ins>+            didAllocateStorage = true;
</ins><span class="cx">         }
</span><span class="cx"> 
</span><span class="cx">         StorageAccessData&amp; data = *m_graph.m_storageAccessData.add();
</span><span class="lines">@@ -800,6 +803,12 @@
</span><span class="cx">         node-&gt;origin.exitOK = canExit;
</span><span class="cx"> 
</span><span class="cx">         if (variant.kind() == PutByIdVariant::Transition) {
</span><ins>+            if (didAllocateStorage) {
+                m_insertionSet.insertNode(
+                    indexInBlock + 1, SpecNone, NukeStructureAndSetButterfly,
+                    origin.withInvalidExit(), childEdge, propertyStorage);
+            }
+            
</ins><span class="cx">             // FIXME: PutStructure goes last until we fix either
</span><span class="cx">             // https://bugs.webkit.org/show_bug.cgi?id=142921 or
</span><span class="cx">             // https://bugs.webkit.org/show_bug.cgi?id=142924.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGDoesGCcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -267,6 +267,7 @@
</span><span class="cx">     case GetDynamicVar:
</span><span class="cx">     case PutDynamicVar:
</span><span class="cx">     case ResolveScope:
</span><ins>+    case NukeStructureAndSetButterfly:
</ins><span class="cx">         return false;
</span><span class="cx"> 
</span><span class="cx">     case CreateActivation:
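Review bot: `return false` for NukeStructureAndSetButterfly is the load-bearing property of this patch: the node must lower to plain stores of the nuked structure ID and the butterfly pointer with no slow path that can allocate, since a GC at this node would see the nuked structure the ChangeLog says must never be visible at a safepoint. A comment here pointing at compileNukeStructureAndSetButterfly would make that contract explicit.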
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFixupPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -1199,6 +1199,11 @@
</span><span class="cx">             fixEdge&lt;KnownCellUse&gt;(node-&gt;child1());
</span><span class="cx">             break;
</span><span class="cx">         }
</span><ins>+            
+        case NukeStructureAndSetButterfly: {
+            fixEdge&lt;KnownCellUse&gt;(node-&gt;child1());
+            break;
+        }
</ins><span class="cx"> 
</span><span class="cx">         case TryGetById: {
</span><span class="cx">             if (node-&gt;child1()-&gt;shouldSpeculateCell())
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGMayExitcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -91,6 +91,7 @@
</span><span class="cx">     case PutByOffset:
</span><span class="cx">     case PutClosureVar:
</span><span class="cx">     case RecordRegExpCachedResult:
</span><ins>+    case NukeStructureAndSetButterfly:
</ins><span class="cx">         break;
</span><span class="cx"> 
</span><span class="cx">     case StrCat:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGNodeTypeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGNodeType.h (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGNodeType.h        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGNodeType.h        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -208,6 +208,7 @@
</span><span class="cx">     macro(AllocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
</span><span class="cx">     macro(ReallocatePropertyStorage, NodeMustGenerate | NodeResultStorage) \
</span><span class="cx">     macro(GetButterfly, NodeResultStorage) \
</span><ins>+    macro(NukeStructureAndSetButterfly, NodeMustGenerate) \
</ins><span class="cx">     macro(CheckArray, NodeMustGenerate) \
</span><span class="cx">     macro(Arrayify, NodeMustGenerate) \
</span><span class="cx">     macro(ArrayifyToStructure, NodeMustGenerate) \
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -1480,7 +1480,7 @@
</span><span class="cx">     return static_cast&lt;int32_t&gt;(TypeofType::Object);
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-char* JIT_OPERATION operationAllocatePropertyStorageWithInitialCapacity(ExecState* exec)
</del><ins>+char* JIT_OPERATION operationAllocateSimplePropertyStorageWithInitialCapacity(ExecState* exec)
</ins><span class="cx"> {
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     NativeCallFrameTracer tracer(&amp;vm, exec);
</span><span class="lines">@@ -1489,7 +1489,7 @@
</span><span class="cx">         Butterfly::createUninitialized(vm, 0, 0, initialOutOfLineCapacity, false, 0));
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-char* JIT_OPERATION operationAllocatePropertyStorage(ExecState* exec, size_t newSize)
</del><ins>+char* JIT_OPERATION operationAllocateSimplePropertyStorage(ExecState* exec, size_t newSize)
</ins><span class="cx"> {
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
</span><span class="cx">     NativeCallFrameTracer tracer(&amp;vm, exec);
</span><span class="lines">@@ -1498,6 +1498,25 @@
</span><span class="cx">         Butterfly::createUninitialized(vm, 0, 0, newSize, false, 0));
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+char* JIT_OPERATION operationAllocateComplexPropertyStorageWithInitialCapacity(ExecState* exec, JSObject* object)
+{
+    VM&amp; vm = exec-&gt;vm();
+    NativeCallFrameTracer tracer(&amp;vm, exec);
+
+    ASSERT(!object-&gt;structure()-&gt;outOfLineCapacity());
+    return reinterpret_cast&lt;char*&gt;(
+        object-&gt;allocateMoreOutOfLineStorage(vm, 0, initialOutOfLineCapacity));
+}
+
+char* JIT_OPERATION operationAllocateComplexPropertyStorage(ExecState* exec, JSObject* object, size_t newSize)
+{
+    VM&amp; vm = exec-&gt;vm();
+    NativeCallFrameTracer tracer(&amp;vm, exec);
+
+    return reinterpret_cast&lt;char*&gt;(
+        object-&gt;allocateMoreOutOfLineStorage(vm, object-&gt;structure()-&gt;outOfLineCapacity(), newSize));
+}
+
</ins><span class="cx"> char* JIT_OPERATION operationEnsureInt32(ExecState* exec, JSCell* cell)
</span><span class="cx"> {
</span><span class="cx">     VM&amp; vm = exec-&gt;vm();
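Review bot: operationAllocateComplexPropertyStorage reads `object-&gt;structure()-&gt;outOfLineCapacity()` at call time, so it is only valid while the structure ID is still intact; add an assertion that `newSize` exceeds that capacity (mirroring the ASSERT in DFGConstantFoldingPhase) and, if a cheap check exists, that the structure has not been nuked. The Simple/Complex split also deserves a comment stating when each variant is chosen, since the ChangeLog does not say.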
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOperationsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOperations.h (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOperations.h        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGOperations.h        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -146,8 +146,10 @@
</span><span class="cx"> size_t JIT_OPERATION operationObjectIsFunction(ExecState*, JSGlobalObject*, JSCell*) WTF_INTERNAL;
</span><span class="cx"> JSCell* JIT_OPERATION operationTypeOfObject(ExecState*, JSGlobalObject*, JSCell*) WTF_INTERNAL;
</span><span class="cx"> int32_t JIT_OPERATION operationTypeOfObjectAsTypeofType(ExecState*, JSGlobalObject*, JSCell*) WTF_INTERNAL;
</span><del>-char* JIT_OPERATION operationAllocatePropertyStorageWithInitialCapacity(ExecState*) WTF_INTERNAL;
-char* JIT_OPERATION operationAllocatePropertyStorage(ExecState*, size_t newSize) WTF_INTERNAL;
</del><ins>+char* JIT_OPERATION operationAllocateSimplePropertyStorageWithInitialCapacity(ExecState*) WTF_INTERNAL;
+char* JIT_OPERATION operationAllocateSimplePropertyStorage(ExecState*, size_t newSize) WTF_INTERNAL;
+char* JIT_OPERATION operationAllocateComplexPropertyStorageWithInitialCapacity(ExecState*, JSObject*) WTF_INTERNAL;
+char* JIT_OPERATION operationAllocateComplexPropertyStorage(ExecState*, JSObject*, size_t newSize) WTF_INTERNAL;
</ins><span class="cx"> char* JIT_OPERATION operationEnsureInt32(ExecState*, JSCell*);
</span><span class="cx"> char* JIT_OPERATION operationEnsureDouble(ExecState*, JSCell*);
</span><span class="cx"> char* JIT_OPERATION operationEnsureContiguous(ExecState*, JSCell*);
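Review bot: the Simple/Complex split in these four declarations is not explained in the header; from the FTL call sites in this patch, the Complex variants take the JSObject* because they are selected when previousStructure-&gt;couldHaveIndexingHeader() is true, while the Simple variants back the inline JIT fast path. A short comment above the declarations stating that distinction, and that neither variant installs the returned butterfly on the object, would keep callers from picking the wrong one.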
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPredictionPropagationPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -1105,6 +1105,7 @@
</span><span class="cx">         case LoadVarargs:
</span><span class="cx">         case ForwardVarargs:
</span><span class="cx">         case PutDynamicVar:
</span><ins>+        case NukeStructureAndSetButterfly:
</ins><span class="cx">             break;
</span><span class="cx">             
</span><span class="cx">         // This gets ignored because it only pretends to produce a value.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSafeToExecuteh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGSafeToExecute.h        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -389,6 +389,8 @@
</span><span class="cx"> 
</span><span class="cx">     case StoreBarrier:
</span><span class="cx">     case FencedStoreBarrier:
</span><ins>+    case PutStructure:
+    case NukeStructureAndSetButterfly:
</ins><span class="cx">         // We conservatively assume that these cannot be put anywhere, which forces the compiler to
</span><span class="cx">         // keep them exactly where they were. This is sort of overkill since the clobberize effects
</span><span class="cx">         // already force these things to be ordered precisely. I'm just not confident enough in my
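Review bot: moving PutStructure into this case changes its rule from the structure-subset check (removed in the next hunk) to an unconditional "keep exactly where it was", but the comment that follows still only talks about store barriers and clobberize effects. Extend the comment to say why PutStructure and NukeStructureAndSetButterfly must now stay in place, namely that they complete the object mutation begun by a preceding AllocatePropertyStorage or ReallocatePropertyStorage, so the rationale survives the next reader.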
</span><span class="lines">@@ -413,7 +415,6 @@
</span><span class="cx">         return node-&gt;arrayMode().modeForPut().alreadyChecked(
</span><span class="cx">             graph, node, state.forNode(graph.varArgChild(node, 0)));
</span><span class="cx"> 
</span><del>-    case PutStructure:
</del><span class="cx">     case AllocatePropertyStorage:
</span><span class="cx">     case ReallocatePropertyStorage:
</span><span class="cx">         return state.forNode(node-&gt;child1()).m_structure.isSubsetOf(
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -7389,7 +7389,7 @@
</span><span class="cx">         flushRegisters();
</span><span class="cx"> 
</span><span class="cx">         GPRFlushedCallResult result(this);
</span><del>-        callOperation(operationReallocateButterflyToHavePropertyStorageWithInitialCapacity, result.gpr(), baseGPR);
</del><ins>+        callOperation(operationAllocateComplexPropertyStorageWithInitialCapacity, result.gpr(), baseGPR);
</ins><span class="cx">         m_jit.exceptionCheck();
</span><span class="cx">         
</span><span class="cx">         storageResult(result.gpr(), node);
</span><span class="lines">@@ -7396,12 +7396,10 @@
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    SpeculateCellOperand base(this, node-&gt;child1());
</del><span class="cx">     GPRTemporary scratch1(this);
</span><span class="cx">     GPRTemporary scratch2(this);
</span><span class="cx">     GPRTemporary scratch3(this);
</span><span class="cx">         
</span><del>-    GPRReg baseGPR = base.gpr();
</del><span class="cx">     GPRReg scratchGPR1 = scratch1.gpr();
</span><span class="cx">     GPRReg scratchGPR2 = scratch2.gpr();
</span><span class="cx">     GPRReg scratchGPR3 = scratch3.gpr();
</span><span class="lines">@@ -7415,11 +7413,8 @@
</span><span class="cx">         m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*))));
</span><span class="cx">         
</span><span class="cx">     addSlowPathGenerator(
</span><del>-        slowPathCall(slowPath, this, operationAllocatePropertyStorageWithInitialCapacity, scratchGPR1));
</del><ins>+        slowPathCall(slowPath, this, operationAllocateSimplePropertyStorageWithInitialCapacity, scratchGPR1));
</ins><span class="cx"> 
</span><del>-    m_jit.store32(TrustedImm32(0), JITCompiler::Address(baseGPR, JSCell::structureIDOffset()));
-    m_jit.storeButterfly(scratchGPR1, baseGPR);
-
</del><span class="cx">     storageResult(scratchGPR1, node);
</span><span class="cx"> }
</span><span class="cx"> 
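Review bot: removing the store32 of 0 to JSCell::structureIDOffset() and the storeButterfly from compileAllocatePropertyStorage means the fast path now returns fresh storage while the object still carries its old structure and butterfly; that is the intent (the write moves to compileNukeStructureAndSetButterfly), but storageResult(scratchGPR1, node) is the only hint left. A comment here stating that the object is deliberately left untouched until the following NukeStructureAndSetButterfly node, and that a GC may observe the old butterfly in between, would make the invariant explicit.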
</span><span class="lines">@@ -7439,7 +7434,7 @@
</span><span class="cx">         flushRegisters();
</span><span class="cx"> 
</span><span class="cx">         GPRFlushedCallResult result(this);
</span><del>-        callOperation(operationReallocateButterflyToGrowPropertyStorage, result.gpr(), baseGPR, newSize / sizeof(JSValue));
</del><ins>+        callOperation(operationAllocateComplexPropertyStorage, result.gpr(), baseGPR, newSize / sizeof(JSValue));
</ins><span class="cx">         m_jit.exceptionCheck();
</span><span class="cx"> 
</span><span class="cx">         storageResult(result.gpr(), node);
</span><span class="lines">@@ -7446,13 +7441,11 @@
</span><span class="cx">         return;
</span><span class="cx">     }
</span><span class="cx">     
</span><del>-    SpeculateCellOperand base(this, node-&gt;child1());
</del><span class="cx">     StorageOperand oldStorage(this, node-&gt;child2());
</span><span class="cx">     GPRTemporary scratch1(this);
</span><span class="cx">     GPRTemporary scratch2(this);
</span><span class="cx">     GPRTemporary scratch3(this);
</span><span class="cx">         
</span><del>-    GPRReg baseGPR = base.gpr();
</del><span class="cx">     GPRReg oldStorageGPR = oldStorage.gpr();
</span><span class="cx">     GPRReg scratchGPR1 = scratch1.gpr();
</span><span class="cx">     GPRReg scratchGPR2 = scratch2.gpr();
</span><span class="lines">@@ -7468,7 +7461,7 @@
</span><span class="cx">         m_jit.storePtr(TrustedImmPtr(0), JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*))));
</span><span class="cx"> 
</span><span class="cx">     addSlowPathGenerator(
</span><del>-        slowPathCall(slowPath, this, operationAllocatePropertyStorage, scratchGPR1, newSize / sizeof(JSValue)));
</del><ins>+        slowPathCall(slowPath, this, operationAllocateSimplePropertyStorage, scratchGPR1, newSize / sizeof(JSValue)));
</ins><span class="cx"> 
</span><span class="cx">     // We have scratchGPR1 = new storage, scratchGPR2 = scratch
</span><span class="cx">     for (ptrdiff_t offset = 0; offset &lt; static_cast&lt;ptrdiff_t&gt;(oldSize); offset += sizeof(void*)) {
</span><span class="lines">@@ -7476,11 +7469,22 @@
</span><span class="cx">         m_jit.storePtr(scratchGPR2, JITCompiler::Address(scratchGPR1, -(offset + sizeof(JSValue) + sizeof(void*))));
</span><span class="cx">     }
</span><span class="cx">         
</span><del>-    m_jit.nukeStructureAndStoreButterfly(scratchGPR1, baseGPR);
-
</del><span class="cx">     storageResult(scratchGPR1, node);
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void SpeculativeJIT::compileNukeStructureAndSetButterfly(Node* node)
+{
+    SpeculateCellOperand base(this, node-&gt;child1());
+    StorageOperand storage(this, node-&gt;child2());
+    
+    GPRReg baseGPR = base.gpr();
+    GPRReg storageGPR = storage.gpr();
+    
+    m_jit.nukeStructureAndStoreButterfly(storageGPR, baseGPR);
+    
+    noResult(node);
+}
+
</ins><span class="cx"> void SpeculativeJIT::compileGetButterfly(Node* node)
</span><span class="cx"> {
</span><span class="cx">     SpeculateCellOperand base(this, node-&gt;child1());
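Review bot: compileNukeStructureAndSetButterfly writes the structure ID and butterfly through m_jit.nukeStructureAndStoreButterfly with no barrier of its own; that is only correct because DFGStoreBarrierInsertionPhase in this same patch now calls considerBarrier(m_node-&gt;child1()) for this node. State that dependency in a comment above the call, and note that child2 is expected to be the storage produced by the preceding AllocatePropertyStorage or ReallocatePropertyStorage, since nothing in this function checks it.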
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -2579,6 +2579,7 @@
</span><span class="cx">     
</span><span class="cx">     void compileAllocatePropertyStorage(Node*);
</span><span class="cx">     void compileReallocatePropertyStorage(Node*);
</span><ins>+    void compileNukeStructureAndSetButterfly(Node*);
</ins><span class="cx">     void compileGetButterfly(Node*);
</span><span class="cx">     void compileCallDOMGetter(Node*);
</span><span class="cx">     void compileCallDOM(Node*);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -4429,6 +4429,10 @@
</span><span class="cx">         compileReallocatePropertyStorage(node);
</span><span class="cx">         break;
</span><span class="cx">         
</span><ins>+    case NukeStructureAndSetButterfly:
+        compileNukeStructureAndSetButterfly(node);
+        break;
+        
</ins><span class="cx">     case GetButterfly:
</span><span class="cx">         compileGetButterfly(node);
</span><span class="cx">         break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -4395,6 +4395,10 @@
</span><span class="cx">         compileReallocatePropertyStorage(node);
</span><span class="cx">         break;
</span><span class="cx">         
</span><ins>+    case NukeStructureAndSetButterfly:
+        compileNukeStructureAndSetButterfly(node);
+        break;
+        
</ins><span class="cx">     case GetButterfly:
</span><span class="cx">         compileGetButterfly(node);
</span><span class="cx">         break;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGStoreBarrierInsertionPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGStoreBarrierInsertionPhase.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -296,6 +296,11 @@
</span><span class="cx">                 considerBarrier(m_node-&gt;child1(), m_node-&gt;child2());
</span><span class="cx">                 break;
</span><span class="cx">             }
</span><ins>+                
+            case NukeStructureAndSetButterfly: {
+                considerBarrier(m_node-&gt;child1());
+                break;
+            }
</ins><span class="cx"> 
</span><span class="cx">             default:
</span><span class="cx">                 break;
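Review bot: the NukeStructureAndSetButterfly case calls the one-argument considerBarrier(m_node-&gt;child1()), not the two-argument form used just above it, so the barrier decision is made only from whether the base object may be old and never consults the storage being stored; that is the conservative choice, but a short comment saying so (and that the stored butterfly is always freshly allocated, which is why the value side is not examined) would save the next reader from checking whether child2 was forgotten.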
</span><span class="lines">@@ -322,17 +327,13 @@
</span><span class="cx">             case NewFunction:
</span><span class="cx">             case NewGeneratorFunction:
</span><span class="cx">             case NewAsyncFunction:
</span><ins>+            case AllocatePropertyStorage:
+            case ReallocatePropertyStorage:
</ins><span class="cx">                 // Nodes that allocate get to set their epoch because for those nodes we know
</span><span class="cx">                 // that they will be the newest object in the heap.
</span><span class="cx">                 m_node-&gt;setEpoch(m_currentEpoch);
</span><span class="cx">                 break;
</span><span class="cx">                 
</span><del>-            case AllocatePropertyStorage:
-            case ReallocatePropertyStorage:
-                insertBarrier(m_nodeIndex + 1, m_node-&gt;child1());
-                m_node-&gt;setEpoch(Epoch());
-                break;
-                
</del><span class="cx">             case Upsilon:
</span><span class="cx">                 // Assume the worst for Phis so that we don't have to worry about Phi shadows.
</span><span class="cx">                 m_node-&gt;phi()-&gt;setEpoch(Epoch());
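Review bot: AllocatePropertyStorage and ReallocatePropertyStorage move from the removed "insertBarrier(m_nodeIndex + 1, m_node-&gt;child1()); m_node-&gt;setEpoch(Epoch());" case into the plain allocation case that does setEpoch(m_currentEpoch), so the explicit barrier after the allocation disappears from this phase. The replacement is the considerBarrier on NukeStructureAndSetButterfly earlier in this file, but the comment above ("Nodes that allocate get to set their epoch...") does not say that these two nodes no longer mutate the object; add a sentence stating that the object write, and therefore its barrier, now belongs to NukeStructureAndSetButterfly.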
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGTypeCheckHoistingPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/dfg/DFGTypeCheckHoistingPhase.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -246,6 +246,7 @@
</span><span class="cx">                 case PutStructure:
</span><span class="cx">                 case AllocatePropertyStorage:
</span><span class="cx">                 case ReallocatePropertyStorage:
</span><ins>+                case NukeStructureAndSetButterfly:
</ins><span class="cx">                 case GetButterfly:
</span><span class="cx">                 case GetByVal:
</span><span class="cx">                 case PutByValDirect:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -139,6 +139,7 @@
</span><span class="cx">     case StringFromCharCode:
</span><span class="cx">     case AllocatePropertyStorage:
</span><span class="cx">     case ReallocatePropertyStorage:
</span><ins>+    case NukeStructureAndSetButterfly:
</ins><span class="cx">     case GetTypedArrayByteOffset:
</span><span class="cx">     case NotifyWrite:
</span><span class="cx">     case StoreBarrier:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLLowerDFGToB3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -753,6 +753,9 @@
</span><span class="cx">         case ReallocatePropertyStorage:
</span><span class="cx">             compileReallocatePropertyStorage();
</span><span class="cx">             break;
</span><ins>+        case NukeStructureAndSetButterfly:
+            compileNukeStructureAndSetButterfly();
+            break;
</ins><span class="cx">         case ToNumber:
</span><span class="cx">             compileToNumber();
</span><span class="cx">             break;
</span><span class="lines">@@ -4752,6 +4755,11 @@
</span><span class="cx">             reallocatePropertyStorage(
</span><span class="cx">                 object, oldStorage, transition-&gt;previous, transition-&gt;next));
</span><span class="cx">     }
</span><ins>+    
+    void compileNukeStructureAndSetButterfly()
+    {
+        nukeStructureAndSetButterfly(lowStorage(m_node-&gt;child2()), lowCell(m_node-&gt;child1()));
+    }
</ins><span class="cx"> 
</span><span class="cx">     void compileToNumber()
</span><span class="cx">     {
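Review bot: compileNukeStructureAndSetButterfly evaluates lowStorage(m_node-&gt;child2()) and lowCell(m_node-&gt;child1()) inside a single argument list, so the order in which any checks those lowerings emit is left to the compiler (C++ does not specify argument evaluation order); hoisting the two into named locals, cell first then storage, costs nothing and makes the emitted IR order deterministic.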
</span><span class="lines">@@ -9406,6 +9414,7 @@
</span><span class="cx">                 previousStructure, nextStructure);
</span><span class="cx">         }
</span><span class="cx">         
</span><ins>+        nukeStructureAndSetButterfly(result, object);
</ins><span class="cx">         return result;
</span><span class="cx">     }
</span><span class="cx"> 
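Review bot: the nukeStructureAndSetButterfly(result, object) call added here, paired with its removal from allocatePropertyStorage and reallocatePropertyStorage in the later hunks, moves the object write to this caller; the helpers therefore return storage that is not yet installed, and nothing in their bodies says so. Add a comment to both helpers stating that the caller owns the nuke-and-set step, since the DFG node path gets it from compileNukeStructureAndSetButterfly while this inline path must do it itself.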
</span><span class="lines">@@ -9475,8 +9484,7 @@
</span><span class="cx">         if (previousStructure-&gt;couldHaveIndexingHeader()) {
</span><span class="cx">             return vmCall(
</span><span class="cx">                 pointerType(),
</span><del>-                m_out.operation(
-                    operationReallocateButterflyToHavePropertyStorageWithInitialCapacity),
</del><ins>+                m_out.operation(operationAllocateComplexPropertyStorageWithInitialCapacity),
</ins><span class="cx">                 m_callFrame, object);
</span><span class="cx">         }
</span><span class="cx">         
</span><span class="lines">@@ -9487,7 +9495,6 @@
</span><span class="cx">             m_out.constInt32(-initialOutOfLineCapacity - 1), m_out.constInt32(-1),
</span><span class="cx">             m_out.int64Zero, m_heaps.properties.atAnyNumber());
</span><span class="cx">         
</span><del>-        nukeStructureAndSetButterfly(result, object);
</del><span class="cx">         return result;
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -9501,7 +9508,7 @@
</span><span class="cx">         
</span><span class="cx">         if (previous-&gt;couldHaveIndexingHeader()) {
</span><span class="cx">             LValue newAllocSize = m_out.constIntPtr(newSize);                    
</span><del>-            return vmCall(pointerType(), m_out.operation(operationReallocateButterflyToGrowPropertyStorage), m_callFrame, object, newAllocSize);
</del><ins>+            return vmCall(pointerType(), m_out.operation(operationAllocateComplexPropertyStorage), m_callFrame, object, newAllocSize);
</ins><span class="cx">         }
</span><span class="cx">         
</span><span class="cx">         LValue result = allocatePropertyStorageWithSizeImpl(newSize);
</span><span class="lines">@@ -9520,8 +9527,6 @@
</span><span class="cx">             m_out.constInt32(-newSize - 1), m_out.constInt32(-oldSize - 1),
</span><span class="cx">             m_out.int64Zero, m_heaps.properties.atAnyNumber());
</span><span class="cx">         
</span><del>-        nukeStructureAndSetButterfly(result, object);
-        
</del><span class="cx">         return result;
</span><span class="cx">     }
</span><span class="cx">     
</span><span class="lines">@@ -9546,7 +9551,7 @@
</span><span class="cx">             slowButterflyValue = lazySlowPath(
</span><span class="cx">                 [=] (const Vector&lt;Location&gt;&amp; locations) -&gt; RefPtr&lt;LazySlowPath::Generator&gt; {
</span><span class="cx">                     return createLazyCallGenerator(
</span><del>-                        operationAllocatePropertyStorageWithInitialCapacity,
</del><ins>+                        operationAllocateSimplePropertyStorageWithInitialCapacity,
</ins><span class="cx">                         locations[0].directGPR());
</span><span class="cx">                 });
</span><span class="cx">         } else {
</span><span class="lines">@@ -9553,7 +9558,7 @@
</span><span class="cx">             slowButterflyValue = lazySlowPath(
</span><span class="cx">                 [=] (const Vector&lt;Location&gt;&amp; locations) -&gt; RefPtr&lt;LazySlowPath::Generator&gt; {
</span><span class="cx">                     return createLazyCallGenerator(
</span><del>-                        operationAllocatePropertyStorage, locations[0].directGPR(),
</del><ins>+                        operationAllocateSimplePropertyStorage, locations[0].directGPR(),
</ins><span class="cx">                         CCallHelpers::TrustedImmPtr(sizeInValues));
</span><span class="cx">                 });
</span><span class="cx">         }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeOptionscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Options.cpp (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Options.cpp        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/runtime/Options.cpp        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -332,7 +332,7 @@
</span><span class="cx">     Options::useFTLJIT() = false;
</span><span class="cx"> #endif
</span><span class="cx">     
</span><del>-#if 1 || (!CPU(X86_64) &amp;&amp; !CPU(ARM64))
</del><ins>+#if !CPU(X86_64) &amp;&amp; !CPU(ARM64)
</ins><span class="cx">     Options::useConcurrentGC() = false;
</span><span class="cx"> #endif
</span><span class="cx">     
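Review bot: replacing "#if 1 || (!CPU(X86_64) &amp;&amp; !CPU(ARM64))" with "#if !CPU(X86_64) &amp;&amp; !CPU(ARM64)" only has an effect if the Options.h default for useConcurrentGC is true; with the companion Options.h hunk flipping that default to false, this block now forces false on platforms where it is already false, so the net effect of the two hunks is that concurrent GC stays disabled everywhere. If the goal is a single point of control, either drop this #if block or add a comment that it exists to keep non-x86_64/ARM64 builds off once the default is flipped back on.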
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreruntimeOptionsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/runtime/Options.h (209637 => 209638)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/runtime/Options.h        2016-12-10 00:06:10 UTC (rev 209637)
+++ trunk/Source/JavaScriptCore/runtime/Options.h        2016-12-10 01:22:15 UTC (rev 209638)
</span><span class="lines">@@ -184,7 +184,7 @@
</span><span class="cx">     v(bool, verboseSanitizeStack, false, Normal, nullptr) \
</span><span class="cx">     v(bool, useGenerationalGC, true, Normal, nullptr) \
</span><span class="cx">     v(bool, useConcurrentBarriers, true, Normal, nullptr) \
</span><del>-    v(bool, useConcurrentGC, true, Normal, nullptr) \
</del><ins>+    v(bool, useConcurrentGC, false, Normal, nullptr) \
</ins><span class="cx">     v(bool, collectContinuously, false, Normal, nullptr) \
</span><span class="cx">     v(double, collectContinuouslyPeriodMS, 1, Normal, nullptr) \
</span><span class="cx">     v(bool, forceFencedBarrier, false, Normal, nullptr) \
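Review bot: the change of the useConcurrentGC default from true to false is what actually turns concurrent GC off in this patch, yet the option keeps nullptr as its description; since the default is being flipped, a short description string saying that concurrent GC is off by default and must be enabled explicitly would help anyone listing the options, and would also record why the Options.cpp override could be simplified.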
</span></span></pre>
</div>
</div>

</body>
</html>