Changeset 147816 in webkit for trunk/Source/JavaScriptCore/ChangeLog

Timestamp:

Apr 5, 2013, 4:52:20 PM (12 years ago)

Author:

[email protected]

Message:

tryCacheGetByID sets StructureStubInfo accessType to an incorrect value
​https://bugs.webkit.org/show_bug.cgi?id=114068

Reviewed by Geoffrey Garen.

In the case where we have a non-Value cacheable property, we set the StructureStubInfo accessType to
get_by_id_self, but then we don't patch self and instead patch in a get_by_id_self_fail. This leads to
incorrect profiling data so when the DFG compiles the function, it uses a GetByOffset rather than a GetById,
which leads to loading a GetterSetter directly out of an object.

Source/JavaScriptCore:

• jit/JITStubs.cpp:

(JSC::tryCacheGetByID):
(JSC::DEFINE_STUB_FUNCTION):

LayoutTests:

• fast/js/jit-set-profiling-access-type-only-for-get-by-id-self-expected.txt: Added.
• fast/js/jit-set-profiling-access-type-only-for-get-by-id-self.html: Added.
• fast/js/script-tests/jit-set-profiling-access-type-only-for-get-by-id-self.js: Added.

File:

• trunk/Source/JavaScriptCore/ChangeLog (modified) (1 diff)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2013-04-05  Mark Hahnenberg  <[email protected]>
+
+        tryCacheGetByID sets StructureStubInfo accessType to an incorrect value
+        https://bugs.webkit.org/show_bug.cgi?id=114068
+
+        Reviewed by Geoffrey Garen.
+
+        In the case where we have a non-Value cacheable property, we set the StructureStubInfo accessType to 
+        get_by_id_self, but then we don't patch self and instead patch in a get_by_id_self_fail. This leads to 
+        incorrect profiling data so when the DFG compiles the function, it uses a GetByOffset rather than a GetById, 
+        which leads to loading a GetterSetter directly out of an object.
+
+        * jit/JITStubs.cpp:
+        (JSC::tryCacheGetByID):
+        (JSC::DEFINE_STUB_FUNCTION):
+
 2013-04-05  Filip Pizlo  <[email protected]>