Title: [143553] trunk
Revision
143553
Author
fpi...@apple.com
Date
2013-02-20 18:43:36 -0800 (Wed, 20 Feb 2013)

Log Message

DFG inlines Resolves that it doesn't know how to handle correctly
https://bugs.webkit.org/show_bug.cgi?id=110405

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.
        
Don't try to be clever: if there's a failing resolve, we can't inline it, period.

* dfg/DFGCapabilities.h:
(JSC::DFG::canInlineResolveOperations):
(JSC::DFG::canInlineOpcode):

LayoutTests: 

Reviewed by Geoffrey Garen.

* fast/js/dfg-inline-resolve-expected.txt: Added.
* fast/js/dfg-inline-resolve.html: Added.

Diff

Modified: trunk/LayoutTests/ChangeLog (143552 => 143553)


--- trunk/LayoutTests/ChangeLog	2013-02-21 02:41:56 UTC (rev 143552)
+++ trunk/LayoutTests/ChangeLog	2013-02-21 02:43:36 UTC (rev 143553)
@@ -1,3 +1,13 @@
+2013-02-20  Filip Pizlo  <fpi...@apple.com>
+
+        DFG inlines Resolves that it doesn't know how to handle correctly
+        https://bugs.webkit.org/show_bug.cgi?id=110405
+
+        Reviewed by Geoffrey Garen.
+
+        * fast/js/dfg-inline-resolve-expected.txt: Added.
+        * fast/js/dfg-inline-resolve.html: Added.
+
 2013-02-20  Christian Biesinger  <cbiesin...@chromium.org>
 
         Convert residual-style.html test to a reftest (and fix typos)

Added: trunk/LayoutTests/fast/js/dfg-inline-resolve-expected.txt (0 => 143553)


--- trunk/LayoutTests/fast/js/dfg-inline-resolve-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-inline-resolve-expected.txt	2013-02-21 02:43:36 UTC (rev 143553)
@@ -0,0 +1,2 @@
+foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo foo
+TEST PASSED

Added: trunk/LayoutTests/fast/js/dfg-inline-resolve.html (0 => 143553)


--- trunk/LayoutTests/fast/js/dfg-inline-resolve.html	                        (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-inline-resolve.html	2013-02-21 02:43:36 UTC (rev 143553)
@@ -0,0 +1,49 @@
+<!DOCTYPE html>
+<html>
+    <head>
+        <title>Eval'ed Function losing scope</title>
+    </head>
+    <body>
+        <script type="text/_javascript_" charset="utf-8">
+            if (self.testRunner) {
+                testRunner.dumpAsText(self.enablePixelTesting);
+                testRunner.waitUntilDone();
+            }
+            
+            var counts = [0, 0, 0];
+            (function() {
+                var code = [
+                    "var div = document.createElement('div');",
+                    "document.body.appendChild(div);",
+                    "window.printFoo = function (counts) {",
+                        "++counts[1];",
+                        "div.innerHTML += 'foo ';",
+                        "++counts[2];",
+                    "};"
+                ].join('\n');
+                eval(code);
+            })();
+            
+            function callPrintFoo() {
+                window.printFoo(counts);
+            }
+
+            setInterval(function () {
+                if (counts[0] == 200) {
+                    var text;
+                    if (counts[0] == counts[1] && counts[1] == counts[2])
+                        text = "TEST PASSED";
+                    else
+                        text = "TEST FAILED: counts = " + counts;
+                    var div = document.createElement('div');
+                    document.body.appendChild(div);
+                    div.innerHTML = text;
+                    if (self.testRunner)
+                        testRunner.notifyDone();
+                }
+                ++counts[0];
+                callPrintFoo();
+            }, 5);
+        </script>
+    </body>
+</html>
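Review bot: The timer started at `setInterval(function () {` is never cleared, so once counts[0] reaches 200 and testRunner.notifyDone() has been called the callback keeps firing every 5 ms, calling printFoo and appending more "foo " to the document; keeping the handle with `var timer = setInterval(function () {` and calling `clearInterval(timer);` just before `testRunner.notifyDone();` would freeze the page in the state that was actually checked. The `<title>` "Eval'ed Function losing scope" does not describe what this test covers (resolve operations inside DFG-inlined code); it looks carried over from another test and could name the bug instead. A short comment above `var counts = [0, 0, 0];` saying what the three slots count (iterations, printFoo entries, printFoo completions) would make the pass condition readable without tracing the eval'd code.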

Modified: trunk/Source/_javascript_Core/ChangeLog (143552 => 143553)


--- trunk/Source/_javascript_Core/ChangeLog	2013-02-21 02:41:56 UTC (rev 143552)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-02-21 02:43:36 UTC (rev 143553)
@@ -1,3 +1,16 @@
+2013-02-20  Filip Pizlo  <fpi...@apple.com>
+
+        DFG inlines Resolves that it doesn't know how to handle correctly
+        https://bugs.webkit.org/show_bug.cgi?id=110405
+
+        Reviewed by Geoffrey Garen.
+        
+        Don't try to be clever: if there's a failing resolve, we can't inline it, period.
+
+        * dfg/DFGCapabilities.h:
+        (JSC::DFG::canInlineResolveOperations):
+        (JSC::DFG::canInlineOpcode):
+
 2013-02-20  Roger Fong  <roger_f...@apple.com>
 
         Get VS2010 Solution B&I ready.

Modified: trunk/Source/_javascript_Core/dfg/DFGCapabilities.h (143552 => 143553)


--- trunk/Source/_javascript_Core/dfg/DFGCapabilities.h	2013-02-21 02:41:56 UTC (rev 143552)
+++ trunk/Source/_javascript_Core/dfg/DFGCapabilities.h	2013-02-21 02:43:36 UTC (rev 143553)
@@ -48,7 +48,7 @@
 bool mightInlineFunctionForConstruct(CodeBlock*);
 
 // Opcode checking.
-inline bool canInlineResolveOperations(OpcodeID opcode, ResolveOperations* operations)
+inline bool canInlineResolveOperations(ResolveOperations* operations)
 {
     for (unsigned i = 0; i < operations->size(); i++) {
         switch (operations->data()[i].m_operation) {
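Review bot: canInlineResolveOperations has no header comment, and with the opcode parameter gone its contract is only inferable from the per-case comments inside the loop; a line above the signature such as `// Returns false if any operation in the chain cannot execute correctly from inlined code (see the Fail case below).` would state it directly. The function's body continues past this hunk. Dropping the parameter also removes the old CRASH() that documented Fail as impossible for the resolve_base opcodes; since the commit message says the uniform `return false` is deliberate, the new comment in the Fail case could say so explicitly so a later reader does not try to reintroduce the opcode-specific handling.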
@@ -65,18 +65,9 @@
             continue;
 
         case ResolveOperation::Fail:
-            switch (opcode) {
-            case op_resolve_base_to_global_dynamic:
-            case op_resolve_base_to_scope_with_top_scope_check:
-            case op_resolve_base_to_global:
-            case op_resolve_base_to_scope:
-                CRASH();
-            case op_resolve_with_base:
-            case op_resolve_with_this:
-                return false;
-            default:
-                continue;
-            }
+            // Fall-back resolves don't know how to deal with the ExecState* having a different
+            // global object (and scope) than the inlined code that is invoking that resolve.
+            return false;
 
         case ResolveOperation::SkipTopScopeNode:
             // We don't inline code blocks that create activations. Creation of
@@ -235,7 +226,7 @@
     case op_resolve_scoped_var:
     case op_resolve_scoped_var_on_top_scope:
     case op_resolve_scoped_var_with_top_scope_check:
-        return canInlineResolveOperations(opcodeID, pc[3].u.resolveOperations);
+        return canInlineResolveOperations(pc[3].u.resolveOperations);
 
     case op_resolve_base_to_global:
     case op_resolve_base_to_global_dynamic:
@@ -244,7 +235,7 @@
     case op_resolve_base:
     case op_resolve_with_base:
     case op_resolve_with_this:
-        return canInlineResolveOperations(opcodeID, pc[4].u.resolveOperations);
+        return canInlineResolveOperations(pc[4].u.resolveOperations);
         
     // Inlining doesn't correctly remap regular _expression_ operands.
     case op_new_regexp: