<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[279596] branches/safari-612.1.22.1-branch/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/279596">279596</a></dd>
<dt>Author</dt> <dd>rubent_22@apple.com</dd>
<dt>Date</dt> <dd>2021-07-06 10:38:48 -0700 (Tue, 06 Jul 2021)</dd>
</dl>

<h3>Log Message</h3>
<pre>Cherry-pick <a href="http://trac.webkit.org/projects/webkit/changeset/279560">r279560</a>. rdar://problem/80212179

    ActiveScratchBufferScope should take the buffer as argument
    https://bugs.webkit.org/show_bug.cgi?id=227670
    rdar://80011612

    Reviewed by Mark Lam.

    https://bugs.webkit.org/show_bug.cgi?id=227013 created ActiveScratchBufferScope.
    It is used by operations that can cause the GC to run, to mark as roots the contents of the scratch buffer that is live during that time (if any).
    The bug is that it simply asks the VM for a scratch buffer of the right size, but this will always return the last scratch buffer, and not necessarily the one that the operation is actually using.

    A fairly simple fix is to pass it directly the scratch buffer, since the operation normally can get it easily enough.
    In most cases the operation has access to the m_buffer field of the ScratchBuffer, but getting a pointer to the entire structure from that is fairly simple (I added ScratchBuffer::fromData() to do so).

    * dfg/DFGOSRExit.cpp:
    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
    * dfg/DFGOSRExit.h:
    * dfg/DFGOperations.cpp:
    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
    * dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileNewArray):
    * dfg/DFGThunks.cpp:
    (JSC::DFG::osrExitGenerationThunkGenerator):
    * runtime/JSGlobalObject.cpp:
    (JSC::JSGlobalObject::haveABadTime):
    * runtime/VM.h:
    (JSC::ScratchBuffer::fromData):
    * runtime/VMInlines.h:
    (JSC::ActiveScratchBufferScope::ActiveScratchBufferScope):
    (JSC::ActiveScratchBufferScope::~ActiveScratchBufferScope):

    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279560 268f45cc-cd09-0410-ab3c-d52691b4dbfc</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchessafari6121221branchSourceJavaScriptCoreChangeLog">branches/safari-612.1.22.1-branch/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchessafari6121221branchSourceJavaScriptCoredfgDFGOSRExitcpp">branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOSRExit.cpp</a></li>
<li><a href="#branchessafari6121221branchSourceJavaScriptCoredfgDFGOSRExith">branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOSRExit.h</a></li>
<li><a href="#branchessafari6121221branchSourceJavaScriptCoredfgDFGOperationscpp">branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp</a></li>
<li><a href="#branchessafari6121221branchSourceJavaScriptCoredfgDFGSpeculativeJITcpp">branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#branchessafari6121221branchSourceJavaScriptCoredfgDFGThunkscpp">branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGThunks.cpp</a></li>
<li><a href="#branchessafari6121221branchSourceJavaScriptCoreruntimeVMh">branches/safari-612.1.22.1-branch/Source/JavaScriptCore/runtime/VM.h</a></li>
<li><a href="#branchessafari6121221branchSourceJavaScriptCoreruntimeVMInlinesh">branches/safari-612.1.22.1-branch/Source/JavaScriptCore/runtime/VMInlines.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchessafari6121221branchSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.22.1-branch/Source/JavaScriptCore/ChangeLog (279595 => 279596)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.22.1-branch/Source/JavaScriptCore/ChangeLog        2021-07-06 17:34:06 UTC (rev 279595)
+++ branches/safari-612.1.22.1-branch/Source/JavaScriptCore/ChangeLog   2021-07-06 17:38:48 UTC (rev 279596)
</span><span class="lines">@@ -1,3 +1,72 @@
</span><ins>+2021-07-06  Ruben Turcios  <rubent_22@apple.com>
+
+        Cherry-pick r279560. rdar://problem/80212179
+
+    ActiveScratchBufferScope should take the buffer as argument
+    https://bugs.webkit.org/show_bug.cgi?id=227670
+    rdar://80011612
+    
+    Reviewed by Mark Lam.
+    
+    https://bugs.webkit.org/show_bug.cgi?id=227013 created ActiveScratchBufferScope.
+    It is used by operations that can cause the GC to run, to mark as roots the contents of the scratch buffer that is live during that time (if any).
+    The bug is that it simply asks the VM for a scratch buffer of the right size, but this will always return the last scratch buffer, and not necessarily the one that the operation is actually using.
+    
+    A fairly simple fix is to pass it directly the scratch buffer, since the operation normally can get it easily enough.
+    In most cases the operation has access to the m_buffer field of the ScratchBuffer, but getting a pointer to the entire structure from that is fairly simple (I added ScratchBuffer::fromData() to do so).
+    
+    * dfg/DFGOSRExit.cpp:
+    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+    * dfg/DFGOSRExit.h:
+    * dfg/DFGOperations.cpp:
+    (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+    * dfg/DFGSpeculativeJIT.cpp:
+    (JSC::DFG::SpeculativeJIT::compileNewArray):
+    * dfg/DFGThunks.cpp:
+    (JSC::DFG::osrExitGenerationThunkGenerator):
+    * runtime/JSGlobalObject.cpp:
+    (JSC::JSGlobalObject::haveABadTime):
+    * runtime/VM.h:
+    (JSC::ScratchBuffer::fromData):
+    * runtime/VMInlines.h:
+    (JSC::ActiveScratchBufferScope::ActiveScratchBufferScope):
+    (JSC::ActiveScratchBufferScope::~ActiveScratchBufferScope):
+    
+    
+    git-svn-id: https://svn.webkit.org/repository/webkit/trunk@279560 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+    2021-07-04  Robin Morisset  <rmorisset@apple.com>
+
+            ActiveScratchBufferScope should take the buffer as argument
+            https://bugs.webkit.org/show_bug.cgi?id=227670
+            rdar://80011612
+
+            Reviewed by Mark Lam.
+
+            https://bugs.webkit.org/show_bug.cgi?id=227013 created ActiveScratchBufferScope.
+            It is used by operations that can cause the GC to run, to mark as roots the contents of the scratch buffer that is live during that time (if any).
+            The bug is that it simply asks the VM for a scratch buffer of the right size, but this will always return the last scratch buffer, and not necessarily the one that the operation is actually using.
+
+            A fairly simple fix is to pass it directly the scratch buffer, since the operation normally can get it easily enough.
+            In most cases the operation has access to the m_buffer field of the ScratchBuffer, but getting a pointer to the entire structure from that is fairly simple (I added ScratchBuffer::fromData() to do so).
+
+            * dfg/DFGOSRExit.cpp:
+            (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+            * dfg/DFGOSRExit.h:
+            * dfg/DFGOperations.cpp:
+            (JSC::DFG::JSC_DEFINE_JIT_OPERATION):
+            * dfg/DFGSpeculativeJIT.cpp:
+            (JSC::DFG::SpeculativeJIT::compileNewArray):
+            * dfg/DFGThunks.cpp:
+            (JSC::DFG::osrExitGenerationThunkGenerator):
+            * runtime/JSGlobalObject.cpp:
+            (JSC::JSGlobalObject::haveABadTime):
+            * runtime/VM.h:
+            (JSC::ScratchBuffer::fromData):
+            * runtime/VMInlines.h:
+            (JSC::ActiveScratchBufferScope::ActiveScratchBufferScope):
+            (JSC::ActiveScratchBufferScope::~ActiveScratchBufferScope):
+
</ins><span class="cx"> 2021-06-30  Alan Coon  <alancoon@apple.com>
</span><span class="cx"> 
</span><span class="cx">         Revert r279249. rdar://problem/79987808
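Review bot: Trailing whitespace on the blank lines of the cherry-pick entry ("+    " at the lines following "rdar://80011612", "Reviewed by Mark Lam.", the two explanatory paragraphs, and the two lines before "git-svn-id") should be stripped, and the cherry-picked body is indented four spaces where the nested original entry below it uses eight; aligning the indentation with the nested entry keeps the ChangeLog consistent with the surrounding entries.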
</span></span></pre></div>
<a id="branchessafari6121221branchSourceJavaScriptCoredfgDFGOSRExitcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOSRExit.cpp (279595 => 279596)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOSRExit.cpp       2021-07-06 17:34:06 UTC (rev 279595)
+++ branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOSRExit.cpp  2021-07-06 17:38:48 UTC (rev 279596)
</span><span class="lines">@@ -141,11 +141,11 @@
</span><span class="cx">     }
</span><span class="cx"> }
</span><span class="cx"> 
</span><del>-JSC_DEFINE_JIT_OPERATION(operationCompileOSRExit, void, (CallFrame* callFrame))
</del><ins>+JSC_DEFINE_JIT_OPERATION(operationCompileOSRExit, void, (CallFrame* callFrame, void* bufferToPreserve))
</ins><span class="cx"> {
</span><span class="cx">     VM& vm = callFrame->deprecatedVM();
</span><span class="cx">     auto scope = DECLARE_THROW_SCOPE(vm);
</span><del>-    ActiveScratchBufferScope activeScratchBufferScope(vm, GPRInfo::numberOfRegisters + FPRInfo::numberOfRegisters);
</del><ins>+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(bufferToPreserve), GPRInfo::numberOfRegisters + FPRInfo::numberOfRegisters);
</ins><span class="cx"> 
</span><span class="cx">     if constexpr (validateDFGDoesGC) {
</span><span class="cx">         // We're about to exit optimized code. So, there's no longer any optimized
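Review bot: The new parameter "void* bufferToPreserve" is the raw data pointer (the ScratchBuffer::m_buffer payload), not a ScratchBuffer*, since it is immediately passed through ScratchBuffer::fromData; the name does not convey that, and the second hunk in this file calls the same kind of argument "scratch". A short comment on the parameter (or a consistent name in both operations) would make the contract with the caller in DFGThunks.cpp explicit, because fromData silently computes a wrong pointer if it is ever handed the struct pointer instead of the data pointer.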
</span><span class="lines">@@ -930,7 +930,7 @@
</span><span class="cx"> {
</span><span class="cx">     VM& vm = callFrame->deprecatedVM();
</span><span class="cx">     NativeCallFrameTracer tracer(vm, callFrame);
</span><del>-    ActiveScratchBufferScope activeScratchBufferScope(vm, GPRInfo::numberOfRegisters + FPRInfo::numberOfRegisters);
</del><ins>+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(scratch), GPRInfo::numberOfRegisters + FPRInfo::numberOfRegisters);
</ins><span class="cx"> 
</span><span class="cx">     SpeculationFailureDebugInfo* debugInfo = static_cast<SpeculationFailureDebugInfo*>(debugInfoRaw);
</span><span class="cx">     CodeBlock* codeBlock = debugInfo->codeBlock;
</span></span></pre></div>
<a id="branchessafari6121221branchSourceJavaScriptCoredfgDFGOSRExith"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOSRExit.h (279595 => 279596)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOSRExit.h 2021-07-06 17:34:06 UTC (rev 279595)
+++ branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOSRExit.h    2021-07-06 17:38:48 UTC (rev 279596)
</span><span class="lines">@@ -138,7 +138,7 @@
</span><span class="cx">     Profiler::OSRExit* profilerExit { nullptr };
</span><span class="cx"> };
</span><span class="cx"> 
</span><del>-JSC_DECLARE_JIT_OPERATION(operationCompileOSRExit, void, (CallFrame*));
</del><ins>+JSC_DECLARE_JIT_OPERATION(operationCompileOSRExit, void, (CallFrame*, void*));
</ins><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationDebugPrintSpeculationFailure, void, (CallFrame*, void*, void*));
</span><span class="cx"> JSC_DECLARE_JIT_OPERATION(operationMaterializeOSRExitSideState, void, (VM*, const OSRExitBase*, EncodedJSValue*));
</span><span class="cx"> 
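Review bot: The added "void*" in "JSC_DECLARE_JIT_OPERATION(operationCompileOSRExit, void, (CallFrame*, void*));" is unnamed, and this declaration is what DFGThunks.cpp instantiates via "decltype(operationCompileOSRExit)"; naming it here (e.g. "void* bufferToPreserve", matching the definition) documents at the call-site-facing declaration which buffer the thunk must load into the argument register.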
</span><span class="lines">@@ -149,7 +149,7 @@
</span><span class="cx"> struct OSRExit : public OSRExitBase {
</span><span class="cx">     OSRExit(ExitKind, JSValueSource, MethodOfGettingAValueProfile, SpeculativeJIT*, unsigned streamIndex, unsigned recoveryIndex = UINT_MAX);
</span><span class="cx"> 
</span><del>-    friend void JIT_OPERATION_ATTRIBUTES operationCompileOSRExit(CallFrame*);
</del><ins>+    friend void JIT_OPERATION_ATTRIBUTES operationCompileOSRExit(CallFrame*, void*);
</ins><span class="cx"> 
</span><span class="cx">     CodeLocationLabel<JSInternalPtrTag> m_patchableJumpLocation;
</span><span class="cx">     MacroAssemblerCodeRef<OSRExitPtrTag> m_code;
</span></span></pre></div>
<a id="branchessafari6121221branchSourceJavaScriptCoredfgDFGOperationscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp (279595 => 279596)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp    2021-07-06 17:34:06 UTC (rev 279595)
+++ branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGOperations.cpp       2021-07-06 17:38:48 UTC (rev 279596)
</span><span class="lines">@@ -1039,9 +1039,10 @@
</span><span class="cx">     VM& vm = globalObject->vm();
</span><span class="cx">     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
</span><span class="cx">     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
</span><del>-    ActiveScratchBufferScope activeScratchBufferScope(vm, elementCount);
</del><ins>+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(buffer), elementCount);
</ins><span class="cx">     auto scope = DECLARE_THROW_SCOPE(vm);
</span><span class="cx"> 
</span><ins>+
</ins><span class="cx">     // We assume that multiple JSArray::push calls with ArrayWithInt32/ArrayWithContiguous do not cause JS traps.
</span><span class="cx">     // If it can cause any JS interactions, we can call the caller JS function of this function and overwrite the
</span><span class="cx">     // content of ScratchBuffer. If the IndexingType is now ArrayWithInt32/ArrayWithContiguous, we can ensure
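Review bot: The hunk adds a stray empty line ("+" with no content) between "auto scope = DECLARE_THROW_SCOPE(vm);" and the existing blank line, leaving two consecutive blank lines before the "We assume that multiple JSArray::push calls ..." comment; drop the extra line so the diff is limited to the ActiveScratchBufferScope change.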
</span><span class="lines">@@ -1734,7 +1735,7 @@
</span><span class="cx">     VM& vm = globalObject->vm();
</span><span class="cx">     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
</span><span class="cx">     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
</span><del>-    ActiveScratchBufferScope activeScratchBufferScope(vm, size);
</del><ins>+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(buffer), size);
</ins><span class="cx"> 
</span><span class="cx">     return bitwise_cast<char*>(constructArray(globalObject, arrayStructure, static_cast<JSValue*>(buffer), size));
</span><span class="cx"> }
</span><span class="lines">@@ -3042,7 +3043,7 @@
</span><span class="cx">     VM& vm = globalObject->vm();
</span><span class="cx">     CallFrame* callFrame = DECLARE_CALL_FRAME(vm);
</span><span class="cx">     JITOperationPrologueCallFrameTracer tracer(vm, callFrame);
</span><del>-    ActiveScratchBufferScope activeScratchBufferScope(vm, numItems);
</del><ins>+    ActiveScratchBufferScope activeScratchBufferScope(ScratchBuffer::fromData(buffer), numItems);
</ins><span class="cx">     auto scope = DECLARE_THROW_SCOPE(vm);
</span><span class="cx"> 
</span><span class="cx">     EncodedJSValue* values = static_cast<EncodedJSValue*>(buffer);
</span></span></pre></div>
<a id="branchessafari6121221branchSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (279595 => 279596)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp        2021-07-06 17:34:06 UTC (rev 279595)
+++ branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp   2021-07-06 17:38:48 UTC (rev 279596)
</span><span class="lines">@@ -9238,13 +9238,14 @@
</span><span class="cx">     flushRegisters();
</span><span class="cx"> 
</span><span class="cx">     GPRFlushedCallResult result(this);
</span><ins>+    GPRReg resultGPR = result.gpr();
</ins><span class="cx"> 
</span><span class="cx">     callOperation(
</span><del>-        operationNewArray, result.gpr(), TrustedImmPtr::weakPointer(m_graph, globalObject), m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType())),
</del><ins>+        operationNewArray, resultGPR, TrustedImmPtr::weakPointer(m_graph, globalObject), m_jit.graph().registerStructure(globalObject->arrayStructureForIndexingTypeDuringAllocation(node->indexingType())),
</ins><span class="cx">         static_cast<void*>(buffer), size_t(node->numChildren()));
</span><span class="cx">     m_jit.exceptionCheck();
</span><span class="cx"> 
</span><del>-    cellResult(result.gpr(), node, UseChildrenCalledExplicitly);
</del><ins>+    cellResult(resultGPR, node, UseChildrenCalledExplicitly);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> void SpeculativeJIT::compileNewArrayWithSpread(Node* node)
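Review bot: This hunk is a behaviour-preserving rename (hoisting "result.gpr()" into "GPRReg resultGPR" and using it in callOperation and cellResult) and does not touch the scratch-buffer bug the commit fixes; on a branch cherry-pick it is worth either mentioning it in the ChangeLog entry for compileNewArray or leaving it out to keep the branch diff minimal.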
</span></span></pre></div>
<a id="branchessafari6121221branchSourceJavaScriptCoredfgDFGThunkscpp"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGThunks.cpp (279595 => 279596)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGThunks.cpp        2021-07-06 17:34:06 UTC (rev 279595)
+++ branches/safari-612.1.22.1-branch/Source/JavaScriptCore/dfg/DFGThunks.cpp   2021-07-06 17:38:48 UTC (rev 279596)
</span><span class="lines">@@ -89,8 +89,8 @@
</span><span class="cx">     }
</span><span class="cx">     storeSpooler.finalizeFPR();
</span><span class="cx"> 
</span><del>-    // Set up one argument.
-    jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
</del><ins>+    // This will implicitly pass GPRInfo::callFrameRegister as the first argument based on the operation type.
+    jit.setupArguments<decltype(operationCompileOSRExit)>(bufferGPR);
</ins><span class="cx">     jit.prepareCallOperation(vm);
</span><span class="cx"> 
</span><span class="cx">     MacroAssembler::Call functionCall = jit.call(OperationPtrTag);
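Review bot: "jit.setupArguments<decltype(operationCompileOSRExit)>(bufferGPR);" depends on two things the hunk does not show: bufferGPR must still hold the scratch buffer's data pointer (the address that ScratchBuffer::fromData reverses, not the ScratchBuffer* itself) after the register spills above it and "storeSpooler.finalizeFPR()" have run, and it must not be a register those spills clobber. A comment stating that invariant next to the call, or an assertion that bufferGPR is not among the registers written during the spill, would make the thunk easier to audit, since a wrong base here makes the GC mark the wrong memory range during the OSR exit.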
</span></span></pre></div>
<a id="branchessafari6121221branchSourceJavaScriptCoreruntimeVMh"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.22.1-branch/Source/JavaScriptCore/runtime/VM.h (279595 => 279596)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.22.1-branch/Source/JavaScriptCore/runtime/VM.h     2021-07-06 17:34:06 UTC (rev 279595)
+++ branches/safari-612.1.22.1-branch/Source/JavaScriptCore/runtime/VM.h        2021-07-06 17:38:48 UTC (rev 279596)
</span><span class="lines">@@ -260,6 +260,11 @@
</span><span class="cx">         return result;
</span><span class="cx">     }
</span><span class="cx"> 
</span><ins>+    static ScratchBuffer* fromData(void* buffer)
+    {
+        return bitwise_cast<ScratchBuffer*>(static_cast<char*>(buffer) - OBJECT_OFFSETOF(ScratchBuffer, m_buffer));
+    }
+
</ins><span class="cx">     static size_t allocationSize(Checked<size_t> bufferSize) { return sizeof(ScratchBuffer) + bufferSize; }
</span><span class="cx">     void setActiveLength(size_t activeLength) { u.m_activeLength = activeLength; }
</span><span class="cx">     size_t activeLength() const { return u.m_activeLength; };
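Review bot: "fromData(void* buffer)" performs unconditional pointer arithmetic, so a null "buffer" yields a non-null, invalid ScratchBuffer* (nullptr minus OBJECT_OFFSETOF(ScratchBuffer, m_buffer)); that defeats the "if (m_scratchBuffer)" guard kept in ActiveScratchBufferScope and would make the GC write the active length through a bogus pointer. Add "ASSERT(buffer);" (or return nullptr for a null input) so the precondition is checked rather than assumed.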
</span><span class="lines">@@ -282,7 +287,7 @@
</span><span class="cx"> 
</span><span class="cx"> class ActiveScratchBufferScope {
</span><span class="cx"> public:
</span><del>-    ActiveScratchBufferScope(VM&, size_t activeScratchBufferSizeInJSValues);
</del><ins>+    ActiveScratchBufferScope(ScratchBuffer*, size_t activeScratchBufferSizeInJSValues);
</ins><span class="cx">     ~ActiveScratchBufferScope();
</span><span class="cx"> 
</span><span class="cx"> private:
</span></span></pre></div>
<a id="branchessafari6121221branchSourceJavaScriptCoreruntimeVMInlinesh"></a>
<div class="modfile"><h4>Modified: branches/safari-612.1.22.1-branch/Source/JavaScriptCore/runtime/VMInlines.h (279595 => 279596)</h4>
<pre class="diff"><span>
<span class="info">--- branches/safari-612.1.22.1-branch/Source/JavaScriptCore/runtime/VMInlines.h      2021-07-06 17:34:06 UTC (rev 279595)
+++ branches/safari-612.1.22.1-branch/Source/JavaScriptCore/runtime/VMInlines.h 2021-07-06 17:38:48 UTC (rev 279596)
</span><span class="lines">@@ -32,12 +32,12 @@
</span><span class="cx"> 
</span><span class="cx"> namespace JSC {
</span><span class="cx"> 
</span><del>-inline ActiveScratchBufferScope::ActiveScratchBufferScope(VM& vm, size_t activeScratchBufferSizeInJSValues)
-    : m_scratchBuffer(vm.scratchBufferForSize(activeScratchBufferSizeInJSValues * sizeof(EncodedJSValue)))
</del><ins>+inline ActiveScratchBufferScope::ActiveScratchBufferScope(ScratchBuffer* buffer, size_t activeScratchBufferSizeInJSValues)
+    : m_scratchBuffer(buffer)
</ins><span class="cx"> {
</span><span class="cx">     // Tell GC mark phase how much of the scratch buffer is active during the call operation this scope is used in.
</span><span class="cx">     if (m_scratchBuffer)
</span><del>-        m_scratchBuffer->u.m_activeLength = activeScratchBufferSizeInJSValues * sizeof(EncodedJSValue);
</del><ins>+        m_scratchBuffer->setActiveLength(activeScratchBufferSizeInJSValues * sizeof(EncodedJSValue));
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> inline ActiveScratchBufferScope::~ActiveScratchBufferScope()
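Review bot: With "m_scratchBuffer(buffer)" the caller now supplies both the buffer and "activeScratchBufferSizeInJSValues", whereas "vm.scratchBufferForSize(...)" previously guaranteed the buffer was at least that large; nothing in this constructor verifies that the requested active length fits the buffer's allocation, and the surrounding context shows no recorded capacity on ScratchBuffer to check against. If a capacity field is available, an "ASSERT(activeLength <= capacity)" here would catch a mismatched pair early; otherwise a comment documenting that the caller is responsible for the length not exceeding the buffer it passed is warranted, because an oversized active length makes the mark phase read past the buffer. The retained "if (m_scratchBuffer)" check is also now effectively dead for callers going through ScratchBuffer::fromData, so consider turning it into an ASSERT.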
</span><span class="lines">@@ -44,7 +44,7 @@
</span><span class="cx"> {
</span><span class="cx">     // Tell the GC that we're not using the scratch buffer anymore.
</span><span class="cx">     if (m_scratchBuffer)
</span><del>-        m_scratchBuffer->u.m_activeLength = 0;
</del><ins>+        m_scratchBuffer->setActiveLength(0);
</ins><span class="cx"> }
</span><span class="cx"> 
</span><span class="cx"> bool VM::ensureStackCapacityFor(Register* newTopOfStack)
</span></span></pre>
</div>
</div>

</body>
</html>