Timestamp:
Dec 14, 2015, 9:37:59 AM
Author:
Chris Dumez
Message:

Roll out r193974 and follow-up fixes as it caused JSC crashes
https://bugs.webkit.org/show_bug.cgi?id=152256

Source/JavaScriptCore:

Unreviewed, Roll out r193974 and follow-up fixes as it caused JSC crashes.

  • API/JSCallbackObject.h:
  • builtins/FunctionPrototype.js:
  • bytecode/BytecodeBasicBlock.cpp:

(JSC::isBranch):

  • bytecode/BytecodeList.json:
  • bytecode/BytecodeUseDef.h:

(JSC::computeUsesForBytecodeOffset):
(JSC::computeDefsForBytecodeOffset):

  • bytecode/CodeBlock.cpp:

(JSC::CodeBlock::dumpBytecode):

  • bytecode/ExitKind.cpp:

(JSC::exitKindToString): Deleted.

  • bytecode/ExitKind.h:
  • bytecode/PreciseJumpTargets.cpp:

(JSC::getJumpTargetsForBytecodeOffset):

  • bytecompiler/BytecodeGenerator.cpp:

(JSC::BytecodeGenerator::emitCheckHasInstance):
(JSC::BytecodeGenerator::emitGetById): Deleted.

  • bytecompiler/BytecodeGenerator.h:

(JSC::BytecodeGenerator::emitTypeOf): Deleted.

  • bytecompiler/NodesCodegen.cpp:

(JSC::InstanceOfNode::emitBytecode):
(JSC::LogicalOpNode::emitBytecode): Deleted.
(JSC::LogicalOpNode::emitBytecodeInConditionContext): Deleted.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

  • dfg/DFGCapabilities.cpp:

(JSC::DFG::capabilityLevel):

  • dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

  • dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

  • dfg/DFGHeapLocation.cpp:

(WTF::printInternal):

  • dfg/DFGHeapLocation.h:
  • dfg/DFGNode.h:

(JSC::DFG::Node::hasCellOperand): Deleted.
(JSC::DFG::Node::hasTransition): Deleted.

  • dfg/DFGNodeType.h:
  • dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

  • dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileInstanceOf): Deleted.
(JSC::DFG::SpeculativeJIT::compileArithAdd): Deleted.

  • dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::callOperation): Deleted.

  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

  • ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

  • ftl/FTLIntrinsicRepository.h:
  • ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::compileNode):
(JSC::FTL::DFG::LowerDFGToLLVM::compileCheckHasInstance):
(JSC::FTL::DFG::LowerDFGToLLVM::compileInstanceOf): Deleted.
(JSC::FTL::DFG::LowerDFGToLLVM::compileHasIndexedProperty): Deleted.

  • jit/CCallHelpers.h:

(JSC::CCallHelpers::setupArguments): Deleted.
(JSC::CCallHelpers::setupArgumentsWithExecState): Deleted.

  • jit/JIT.cpp:

(JSC::JIT::privateCompileMainPass):
(JSC::JIT::privateCompileSlowCases):

  • jit/JIT.h:
  • jit/JITInlines.h:

(JSC::JIT::callOperationNoExceptionCheck): Deleted.
(JSC::JIT::callOperation): Deleted.

  • jit/JITOpcodes.cpp:

(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emit_op_is_undefined): Deleted.
(JSC::JIT::emitSlow_op_to_number): Deleted.
(JSC::JIT::emitSlow_op_to_string): Deleted.

  • jit/JITOpcodes32_64.cpp:

(JSC::JIT::emit_op_check_has_instance):
(JSC::JIT::emit_op_instanceof):
(JSC::JIT::emitSlow_op_check_has_instance):
(JSC::JIT::emitSlow_op_instanceof):
(JSC::JIT::emit_op_is_undefined): Deleted.

  • jit/JITOperations.cpp:
  • jit/JITOperations.h:
  • llint/LLIntData.cpp:

(JSC::LLInt::Data::performAssertions): Deleted.

  • llint/LLIntSlowPaths.cpp:

(JSC::LLInt::LLINT_SLOW_PATH_DECL):

  • llint/LLIntSlowPaths.h:
  • llint/LowLevelInterpreter32_64.asm:
  • llint/LowLevelInterpreter64.asm:
  • runtime/CommonIdentifiers.h:
  • runtime/ExceptionHelpers.cpp:

(JSC::invalidParameterInstanceofSourceAppender):
(JSC::createInvalidInstanceofParameterError):
(JSC::createError): Deleted.
(JSC::createNotAFunctionError): Deleted.
(JSC::createNotAnObjectError): Deleted.

  • runtime/ExceptionHelpers.h:
  • runtime/FunctionPrototype.cpp:

(JSC::FunctionPrototype::addFunctionProperties):

  • runtime/FunctionPrototype.h:
  • runtime/JSBoundFunction.cpp:

(JSC::JSBoundFunction::create): Deleted.
(JSC::JSBoundFunction::customHasInstance): Deleted.

  • runtime/JSBoundFunction.h:
  • runtime/JSGlobalObject.cpp:

(JSC::JSGlobalObject::init):
(JSC::JSGlobalObject::visitChildren): Deleted.

  • runtime/JSGlobalObject.h:

(JSC::JSGlobalObject::throwTypeErrorGetterSetter): Deleted.

  • runtime/JSObject.cpp:

(JSC::JSObject::hasInstance):
(JSC::JSObject::defaultHasInstance): Deleted.
(JSC::JSObject::getPropertyNames): Deleted.
(JSC::JSObject::getOwnPropertyNames): Deleted.

  • runtime/JSObject.h:

(JSC::JSFinalObject::create): Deleted.

  • runtime/JSTypeInfo.h:

(JSC::TypeInfo::TypeInfo):
(JSC::TypeInfo::overridesHasInstance):

  • runtime/WriteBarrier.h:

(JSC::WriteBarrierBase<Unknown>::slot):

  • tests/es6.yaml:
  • tests/stress/instanceof-custom-hasinstancesymbol.js: Removed.
  • tests/stress/symbol-hasInstance.js: Removed.

LayoutTests:

Unreviewed, roll out r193974 and follow-up fixes as it caused JSC crashes.

  • inspector/model/remote-object-get-properties-expected.txt:
  • js/Object-getOwnPropertyNames-expected.txt:
  • js/exception-for-nonobject-expected.txt:
  • js/exception-instanceof-expected.txt:
  • js/instance-of-immediates-expected.txt:
  • js/regress/instanceof-bound-expected.txt: Removed.
  • js/regress/instanceof-bound.html: Removed.
  • js/regress/script-tests/instanceof-bound.js: Removed.
  • js/script-tests/Object-getOwnPropertyNames.js:
File:
1 edited

  • trunk/Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp

    r194021 r194036  
    16651665RegisterID* InstanceOfNode::emitBytecode(BytecodeGenerator& generator, RegisterID* dst)
    16661666{
    1667     RefPtr<RegisterID> hasInstanceValue = generator.newTemporary();
    1668     RefPtr<RegisterID> isObject = generator.newTemporary();
    1669     RefPtr<RegisterID> isCustom = generator.newTemporary();
     1667    RefPtr<RegisterID> src1 = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
     1668    RefPtr<RegisterID> src2 = generator.emitNode(m_expr2);
    16701669    RefPtr<RegisterID> prototype = generator.newTemporary();
    1671     RefPtr<RegisterID> value = generator.emitNodeForLeftHandSide(m_expr1, m_rightHasAssignments, m_expr2->isPure(generator));
    1672     RefPtr<RegisterID> constructor = generator.emitNode(m_expr2);
    1673     RefPtr<RegisterID> dstReg = generator.finalDestination(dst, value.get());
    1674     RefPtr<Label> custom = generator.newLabel();
    1675     RefPtr<Label> done = generator.newLabel();
    1676     RefPtr<Label> typeError = generator.newLabel();
     1670    RefPtr<RegisterID> dstReg = generator.finalDestination(dst, src1.get());
     1671    RefPtr<Label> target = generator.newLabel();
    16771672
    16781673    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1679     generator.emitIsObject(isObject.get(), constructor.get());
    1680     generator.emitJumpIfFalse(isObject.get(), typeError.get());
     1674    generator.emitCheckHasInstance(dstReg.get(), src1.get(), src2.get(), target.get());
    16811675
    16821676    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1683     generator.emitGetById(hasInstanceValue.get(), constructor.get(), generator.vm()->propertyNames->hasInstanceSymbol);
     1677    generator.emitGetById(prototype.get(), src2.get(), generator.vm()->propertyNames->prototype);
    16841678
    16851679    generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1686     generator.emitOverridesHasInstance(isCustom.get(), constructor.get(), hasInstanceValue.get());
    1687 
    1688     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1689     generator.emitJumpIfTrue(isCustom.get(), custom.get());
    1690 
    1691     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1692     generator.emitGetById(prototype.get(), constructor.get(), generator.vm()->propertyNames->prototype);
    1693 
    1694     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1695     generator.emitInstanceOf(dstReg.get(), value.get(), prototype.get());
    1696 
    1697     generator.emitJump(done.get());
    1698 
    1699     generator.emitLabel(typeError.get());
    1700     generator.emitThrowTypeError("Right hand side of instanceof is not an object");
    1701 
    1702     generator.emitLabel(custom.get());
    1703 
    1704     generator.emitExpressionInfo(divot(), divotStart(), divotEnd());
    1705     generator.emitInstanceOfCustom(dstReg.get(), value.get(), constructor.get(), hasInstanceValue.get());
    1706 
    1707     generator.emitLabel(done.get());
    1708 
    1709     return dstReg.get();
     1680    RegisterID* result = generator.emitInstanceOf(dstReg.get(), src1.get(), prototype.get());
     1681    generator.emitLabel(target.get());
     1682    return result;
    17101683}
    17111684
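
Review bot: The restored sequence at new lines 1674-1677 drops the explicit right-hand-operand guard that the removed lines carried (emitIsObject plus emitJumpIfFalse to typeError, and the emitThrowTypeError path), so the emitGetById of prototype on src2 now depends on emitCheckHasInstance having validated src2 and branched to target first. Nothing in the hunk states that invariant; a one-line comment above the emitCheckHasInstance call saying what it checks and when it jumps to target would document it. The return value also changes from dstReg.get() to the result of emitInstanceOf, which is only assigned on the fall-through path, so it is worth confirming that the path that jumps straight to target leaves its result in the same register. Finally, the rollout removes tests/stress/symbol-hasInstance.js and tests/stress/instanceof-custom-hasinstancesymbol.js while the message says only that r193974 "caused JSC crashes"; naming the crashing test or signature in the ChangeLog would help whoever relands the change.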