WebKit Bugzilla
Attachment 360630 Details for
Bug 194050
: Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
Remember
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch
bug-194050-20190130150522.patch (text/plain), 3.82 KB, created by
Robin Morisset
on 2019-01-30 15:05:23 PST
(
hide
)
Description:
Patch
Filename:
MIME Type:
Creator:
Robin Morisset
Created:
2019-01-30 15:05:23 PST
Size:
3.82 KB
patch
obsolete
>Index: JSTests/ChangeLog >=================================================================== >--- JSTests/ChangeLog (revision 240732) >+++ JSTests/ChangeLog (working copy) >@@ -1,3 +1,15 @@ >+2019-01-30 Robin Morisset <rmorisset@apple.com> >+ >+ Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case >+ https://bugs.webkit.org/show_bug.cgi?id=194050 >+ <rdar://problem/47595592> >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * stress/object-keys-osr-exit.js: Added. >+ (foo): >+ (catch): >+ > 2019-01-29 Mark Lam <mark.lam@apple.com> > > ValueRecovery::recover() should purify NaN values it recovers. >Index: JSTests/stress/object-keys-osr-exit.js >=================================================================== >--- JSTests/stress/object-keys-osr-exit.js (nonexistent) >+++ JSTests/stress/object-keys-osr-exit.js (working copy) >@@ -0,0 +1,22 @@ >+//@ runDefault("--forceEagerCompilation=1", "--useConcurrentJIT=0") >+ >+function foo(x) { >+ if (x) { >+ return; >+ } >+ let obj = { >+ a: 0, >+ b: 0 >+ }; >+ foo(1); >+ let keys = Object.keys(obj); >+ foo(); >+ keys.length >+} >+ >+try { >+ foo(); >+} catch(e) { >+ if (e != "RangeError: Maximum call stack size exceeded.") >+ throw "FAILED"; >+} >Index: Source/JavaScriptCore/ChangeLog >=================================================================== >--- Source/JavaScriptCore/ChangeLog (revision 240726) >+++ Source/JavaScriptCore/ChangeLog (working copy) >@@ -1,3 +1,17 @@ >+2019-01-30 Robin Morisset <rmorisset@apple.com> >+ >+ Object.keys can now lead to a PhantomNewArrayBuffer, OSR exit from the FTL should know how to materialize a NewArrayBuffer in that case >+ https://bugs.webkit.org/show_bug.cgi?id=194050 >+ <rdar://problem/47595592> >+ >+ Following https://bugs.webkit.org/show_bug.cgi?id=190047, PhantomNewArrayBuffer is no longer guaranteed to originate from a NewArrayBuffer in the baseline jit. >+ It can now come from Object.keys, which is a function call. We must teach the FTL how to OSR exit in that case. >+ >+ Reviewed by NOBODY (OOPS!). >+ >+ * ftl/FTLOperations.cpp: >+ (JSC::FTL::operationMaterializeObjectInOSR): >+ > 2019-01-30 Yusuke Suzuki <ysuzuki@apple.com> > > Unreviewed, update the builtin test results >Index: Source/JavaScriptCore/ftl/FTLOperations.cpp >=================================================================== >--- Source/JavaScriptCore/ftl/FTLOperations.cpp (revision 240726) >+++ Source/JavaScriptCore/ftl/FTLOperations.cpp (working copy) >@@ -475,7 +475,13 @@ extern "C" JSCell* JIT_OPERATION operati > // and PhantomNewArrayBuffer are always bound to a specific op_new_array_buffer. > CodeBlock* codeBlock = baselineCodeBlockForOriginAndBaselineCodeBlock(materialization->origin(), exec->codeBlock()->baselineAlternative()); > const Instruction* currentInstruction = codeBlock->instructions().at(materialization->origin().bytecodeIndex).ptr(); >- RELEASE_ASSERT(currentInstruction->is<OpNewArrayBuffer>()); >+ if (!currentInstruction->is<OpNewArrayBuffer>()) { >+ // This case can happen if Object.keys, an OpCall is first converted into a NewArrayBuffer which is then converted into a PhantomNewArrayBuffer. >+ // There is no need to update the array allocation profile in that case. >+ RELEASE_ASSERT(currentInstruction->is<OpCall>()); >+ Structure* structure = exec->lexicalGlobalObject()->arrayStructureForIndexingTypeDuringAllocation(immutableButterfly->indexingMode()); >+ return CommonSlowPaths::allocateNewArrayBuffer(vm, structure, immutableButterfly); >+ } > auto newArrayBuffer = currentInstruction->as<OpNewArrayBuffer>(); > ArrayAllocationProfile* profile = &newArrayBuffer.metadata(codeBlock).m_arrayAllocationProfile; >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=360630">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Formatted Diff
|
Diff
Attachments on
bug 194050
: 360630