Timestamp:
Jul 27, 2011, 4:48:56 PM (14 years ago)
Author:
[email protected]
Message:

https://bugs.webkit.org/show_bug.cgi?id=65294
DFG JIT - may speculate based on wrong arguments.

Reviewed by Oliver Hunt

In the case of a DFG compiled function calling to and compiling a second function that
also compiles through the DFG JIT (i.e. compilation triggered with DFGOperations.cpp),
we call compileFor passing the caller function's exec state, rather than the callee's.
This may lead to mis-optimization, since the DFG compiler will examine the exec state's
arguments on the assumption that these will be passed to the callee - it is wanting the
callee exec state, not the caller's exec state.

Fixing this for all cases of compilation is tricksy, due to the way the numeric sort
function is compiled, & the structure of the calls in the Interpreter::execute methods.
Only fix for compilation from the JIT; in other calls don't speculate based on arguments
for now.

  • dfg/DFGOperations.cpp:
  • runtime/Executable.cpp:

(JSC::tryDFGCompile):
(JSC::tryDFGCompileFunction):
(JSC::FunctionExecutable::compileForCallInternal):

  • runtime/Executable.h:

(JSC::FunctionExecutable::compileForCall):
(JSC::FunctionExecutable::compileFor):

File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp

    r91607 r91883  
    530530        codePtr = executable->generatedJITCodeFor(kind).addressForCall();
    531531    else {
     532        execCallee->setScopeChain(callee->scope());
    532533        FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
    533         JSObject* error = functionExecutable->compileFor(exec, callee->scope(), kind);
     534        JSObject* error = functionExecutable->compileFor(execCallee, callee->scope(), kind);
    534535        if (error) {
    535536            globalData->exception = createStackOverflowError(exec);
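Review bot: the new `execCallee->setScopeChain(callee->scope())` at 532 is deliberately ordered ahead of `compileFor` at 534, which is what lets the compiler inspect the callee frame, but nothing in the hunk shows that the argument slots of `execCallee` are already populated at this point; since the commit message says the DFG examines the exec state's arguments, a one-line comment at 532 stating that the callee frame (arguments and scope chain) is complete before compileFor runs would make the ordering requirement explicit. Keeping `createStackOverflowError(exec)` at 535 on the caller's frame looks right, as the error is reported to the caller, but the adjacent mix of `exec` and `execCallee` deserves a short comment so the distinction is not lost in a later edit.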
     
    541542        else
    542543            codePtr = functionExecutable->generatedJITCodeWithArityCheckFor(kind);
    543         execCallee->setScopeChain(callee->scope());
    544544    }
    545545    CallLinkInfo& callLinkInfo = exec->codeBlock()->getCallLinkInfo(returnAddress);
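Review bot: the removal of `execCallee->setScopeChain(callee->scope())` at old 543 is the other half of the move to 532 in the previous hunk, and both the old and the new placement sit inside the same `else` block, so the callee scope chain is still only set on the compile path; the `if` branch at 530 (JIT code already present) never set it before and still does not, which is worth confirming as intentional, since both branches now fall through to the same call-link update at 545.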
     
    575575   
    576576    JSFunction* function = asFunction(calleeAsFunctionCell);
     577    execCallee->setScopeChain(function->scopeUnchecked());
    577578    ExecutableBase* executable = function->executable();
    578579    if (UNLIKELY(!executable->hasJITCodeFor(kind))) {
    579580        FunctionExecutable* functionExecutable = static_cast<FunctionExecutable*>(executable);
    580         JSObject* error = functionExecutable->compileFor(exec, function->scope(), kind);
     581        JSObject* error = functionExecutable->compileFor(execCallee, function->scope(), kind);
    581582        if (error) {
    582583            exec->globalData().exception = error;
     
    584585        }
    585586    }
    586     execCallee->setScopeChain(function->scopeUnchecked());
    587587    return executable->generatedJITCodeWithArityCheckFor(kind).executableAddress();
    588588}
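Review bot: at 577 the scope chain is set from `function->scopeUnchecked()` while `compileFor` at 581 is still passed `function->scope()`; the prior code had the same split, but now that the frame's scope chain is established before compilation and the compiler is expected to read that frame, consider using a single accessor for both so the scope the DFG observes on `execCallee` and the scope handed to compileFor cannot disagree. Moving setScopeChain to 577 also places it ahead of the `hasJITCodeFor` check, so it runs on the fast path as well, which matches the old unconditional placement at 586.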