Context Navigation

← Previous Change
Next Change →

DFGObjectAllocationSinkingPhase.cpp

Timestamp:

Nov 26, 2018, 12:14:41 PM (6 years ago)

Author:

Message:

Object allocation sinking phase needs to iterate each scope offset instead of just iterating the symbol table's hashmap when handling an activation
https://bugs.webkit.org/show_bug.cgi?id=191958
<rdar://problem/46221877>

Reviewed by Yusuke Suzuki.

JSTests:

stress/object-allocation-sinking-phase-needs-to-write-to-each-scope-offset.js: Added.

(x):
(foo):

Source/JavaScriptCore:

There may be more entries in an activation than unique variables
in a symbol table's hashmap. For example, if you have two parameters
to a function, and they both are the same name, and the function
uses eval, we'll end up with two scope slots, but only a single
entry in the hashmap in the symbol table. Object allocation sinking
phase was previously iterating over the hashmap, assuming these
values were equivalent. This is wrong in the above case. Instead,
we need to iterate over each scope offset.

dfg/DFGObjectAllocationSinkingPhase.cpp:
runtime/GenericOffset.h:

(JSC::GenericOffset::operator+=):
(JSC::GenericOffset::operator-=):

File:

: 1 edited

trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

-              r234086
+              r238510
+            {
                 SymbolTable* symbolTable = node->castOperand<SymbolTable*>();
-                ConcurrentJSLocker locker(symbolTable->m_lock);
                 LazyNode initialValue(m_graph.freeze(node->initializationValueForActivation()));
                 for (auto iter = symbolTable->begin(locker), end = symbolTable->end(locker); iter != end; ++iter) {
+                for (ScopeOffset offset { 0 }; offset <= symbolTable->maxScopeOffset(); offset += 1) {
                     writes.add(
                         PromotedLocationDescriptor(ClosureVarPLoc, iter->value.scopeOffset().offset()),
+                        PromotedLocationDescriptor(ClosureVarPLoc, offset.offset()),
                         initialValue);
+                }

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 238510 in webkit for trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

Legend:

trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

Download in other formats: