Changeset 91883 in webkit for trunk/Source/JavaScriptCore/runtime/Executable.h

Timestamp:

Jul 27, 2011, 4:48:56 PM (14 years ago)

Author:

[email protected]

Message:

​https://bugs.webkit.org/show_bug.cgi?id=65294
DFG JIT - may speculate based on wrong arguments.

Reviewed by Oliver Hunt

In the case of a DFG compiled function calling to and compiling a second function that
also compiles through the DFG JIT (i.e. compilation triggered with DFGOperations.cpp),
we call compileFor passing the caller functions exec state, rather than the callee's.
This may lead to mis-optimization, since the DFG compiler will example the exec state's
arguments on the assumption that these will be passed to the callee - it is wanting the
callee exec state, not the caller's exec state.

Fixing this for all cases of compilation is tricksy, due to the way the numeric sort
function is compiled, & the structure of the calls in the Interpreter::execute methods.
Only fix for compilation from the JIT, in other calls don't speculate based on arguments
for now.

• dfg/DFGOperations.cpp:
• runtime/Executable.cpp:

(JSC::tryDFGCompile):
(JSC::tryDFGCompileFunction):
(JSC::FunctionExecutable::compileForCallInternal):

• runtime/Executable.h:

(JSC::FunctionExecutable::compileForCall):
(JSC::FunctionExecutable::compileFor):

File:

• trunk/Source/JavaScriptCore/runtime/Executable.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/runtime/Executable.h

@@ -406 +406 @@
         }
 
-        JSObject* compileForCall(ExecState* exec, ScopeChainNode* scopeChainNode)
+        JSObject* compileForCall(ExecState* exec, ScopeChainNode* scopeChainNode, ExecState* calleeArgsExec = 0)
         {
             ASSERT(exec->globalData().dynamicGlobalObject);
             JSObject* error = 0;
             if (!m_codeBlockForCall)
-                error = compileForCallInternal(exec, scopeChainNode);
+                error = compileForCallInternal(exec, scopeChainNode, calleeArgsExec);
             ASSERT(!error == !!m_codeBlockForCall);
             return error;
@@ -450 +450 @@
         JSObject* compileFor(ExecState* exec, ScopeChainNode* scopeChainNode, CodeSpecializationKind kind)
         {
+            // compileFor should only be called with a callframe set up to call this function,
+            // since we will make speculative optimizations based on the arguments.
+            ASSERT(exec->callee());
+            ASSERT(exec->callee()->inherits(&JSFunction::s_info));
+            ASSERT(asFunction(exec->callee())->jsExecutable() == this);
+
             if (kind == CodeForCall)
-                return compileForCall(exec, scopeChainNode);
+                return compileForCall(exec, scopeChainNode, exec);
             ASSERT(kind == CodeForConstruct);
             return compileForConstruct(exec, scopeChainNode);
@@ -492 +498 @@
         FunctionExecutable(ExecState*, const Identifier& name, const SourceCode&, bool forceUsesArguments, FunctionParameters*, bool, int firstLine, int lastLine);
 
-        JSObject* compileForCallInternal(ExecState*, ScopeChainNode*);
+        JSObject* compileForCallInternal(ExecState*, ScopeChainNode*, ExecState* calleeArgsExec);
         JSObject* compileForConstructInternal(ExecState*, ScopeChainNode*);