Timestamp:
Aug 18, 2014, 7:48:00 PM (11 years ago)
Author:
[email protected]
Message:

REGRESSION(r172401): for-in optimization no longer works at all
https://bugs.webkit.org/show_bug.cgi?id=136056

Reviewed by Mark Hahnenberg.

This is a partial roll-out of r172401. It turns out that the fix wasn't actually fixing a
real bug (since it's fine to use op_get_direct_pname on the wrong base because it has a
structure check) and it was actually breaking the entire for-in optimization (since there is
no way that we can statically prove that the base matches, because the base we see is a
newly created temporary, and anyway doing it right would be really hard in our bytecode
because it's 3AC form).

But, I added a new test for the problem, and kept the original test. Both the old test and
the new test prove that r172401 wasn't fixing what it thought it was fixing. To the extent
that it resolved crashes it was because it just disabled the for-in optimization entirely.

  • bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitGetByVal):
(JSC::BytecodeGenerator::pushIndexedForInScope):
(JSC::BytecodeGenerator::pushStructureForInScope):

  • bytecompiler/BytecodeGenerator.h:

(JSC::ForInContext::ForInContext):
(JSC::StructureForInContext::StructureForInContext):
(JSC::IndexedForInContext::IndexedForInContext):
(JSC::ForInContext::base): Deleted.

  • bytecompiler/NodesCodegen.cpp:

(JSC::ForInNode::emitMultiLoopBytecode):

  • tests/stress/for-in-base-reassigned.js: Added.
  • tests/stress/for-in-base-reassigned-later.js: Added.
  • tests/stress/for-in-base-reassigned-later-and-change-structure.js: Added.
File:
1 edited

  • trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

    r172717 r172741  
    20712071        this->emitLoopHeader(generator, propertyName.get());
    20722072
    2073         generator.pushIndexedForInScope(base.get(), local.get(), i.get());
     2073        generator.pushIndexedForInScope(local.get(), i.get());
    20742074        generator.emitNode(dst, m_statement);
    20752075        generator.popIndexedForInScope(local.get());
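Review bot: On the `pushIndexedForInScope(local.get(), i.get())` line, the commit message justifies dropping the base only for op_get_direct_pname, which has a structure check; nothing in the message or this hunk says what keeps the indexed scope correct when the base expression no longer refers to the object being enumerated. Please add a short comment at this call (or a sentence in the ChangeLog) naming the guard for the indexed fast path, and confirm that tests/stress/for-in-base-reassigned.js exercises the indexed loop as well as the structure loop.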
     
    21052105        this->emitLoopHeader(generator, propertyName.get());
    21062106
    2107         generator.pushStructureForInScope(base.get(), local.get(), i.get(), propertyName.get(), structureEnumerator.get());
     2107        generator.pushStructureForInScope(local.get(), i.get(), propertyName.get(), structureEnumerator.get());
    21082108        generator.emitNode(dst, m_statement);
    21092109        generator.popStructureForInScope(local.get());
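Review bot: On the `pushStructureForInScope(local.get(), i.get(), propertyName.get(), structureEnumerator.get())` line, the scope no longer records which base it was built for, so per the commit message correctness rests on the structure check inside op_get_direct_pname. That dependency deserves a comment at this call site, so that a later change to the opcode's check does not silently turn a mismatched base into a read from the wrong object. Separately, the message lists BytecodeGenerator.cpp and BytecodeGenerator.h as changed, but this page shows only NodesCodegen.cpp, so the matching signature changes cannot be reviewed from here.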