[iOS8][ARMv7(s)] Optimized Object.create in 'use strict' context sometimes breaks.
https://bugs.webkit.org/show_bug.cgi?id=138038
Reviewed by Michael Saboff.
TL;DR: sometimes the baseline JIT could accidentally nuke the tag before calling
to C++, making put_by_id behave erratically.
The bug was that put_by_id would randomly not work correctly in 32bits. It happened
in the baseline JIT if we were unlucky enough:
-The code get hot enough and the structure is stable so we get a fast path for
put_by_id.
-We repatch the fast-path branch with a stub generated by
emitPutTransitionStubAndGetOldStructure().
-In emitPutTransitionStubAndGetOldStructure(), we only preserve the payload of the base
register, the tag register is ignored.
-emitPutTransitionStubAndGetOldStructure() allocate 2 to 3 registers. Any of those
could be the one used for the base's tag before the fast path and the value is trashed.
-If we hit one of the failure case, we fallback to the slow path, but we destroyed
the tag pointer.
-We now have unrelated bits in the tag, the most likely value type is now "double"
and we fail the put_by_id because we try to set a property on a number.
The most obvious solution would be to change emitPutTransitionStubAndGetOldStructure()
to preserve the tag register in addition to the value register.
I decided against that option because of the added complexity. The DFG does not need
that case, so I would have to add branches everywhere to distinguish the cases
were we need to preserve the tag or not.
Instead, I just load the tag back from memory in the slow path. The function in the slow
path is several order of magnitude slower than a load, it is not worth eliminating it,
especially in baseline JIT.
I also discovered 4 useless loads in the fast path, so even with my extra load, this patch
makes the baseline faster :)
- jit/JITPropertyAccess32_64.cpp:
(JSC::JIT::emitSlow_op_put_by_id):
(JSC::JIT::emit_op_put_by_id): Deleted.
- tests/stress/put-by-id-on-new-object-after-prototype-transition-non-strict.js: Added.
(opaqueNewObject):
(putValueOnNewObject):
- tests/stress/put-by-id-on-new-object-after-prototype-transition-strict.js: Added.
(string_appeared_here.opaqueNewObject):
(putValueOnNewObject):
