Attachment 339139 Details for Bug 185101 – Patch

[patch] Patch

bug-185101-20180430125844.patch (text/plain), 6.94 KB, created by Keith Miller on 2018-04-30 12:58:45 PDT

(hide)

Description:

Filename:

MIME Type:

Creator: Keith Miller

Created: 2018-04-30 12:58:45 PDT

Size: 6.94 KB

patch

obsolete

>Subversion Revision: 231156
>diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
>index 4d0f8b51c8cbf4852c01d20dc675d76451d2ab10..e80fa05571916ea58122a1b3e4714ccc412eaa20 100644
>--- a/Source/JavaScriptCore/ChangeLog
>+++ b/Source/JavaScriptCore/ChangeLog
>@@ -1,3 +1,28 @@
>+2018-04-30  Keith Miller  <keith_miller@apple.com>
>+
>+        Move StructureIsImmortal to out of line flags.
>+        https://bugs.webkit.org/show_bug.cgi?id=185101
>+
>+        Reviewed by NOBODY (OOPS!).
>+
>+        This will free up a bit in the inline flags where we can move the
>+        isPrototype bit to. This will, in turn, free a bit for use in
>+        implementing copy on write butterflies.
>+
>+        Also, this patch removes an assertion from Structure::typeInfo()
>+        that inadvertently makes the function invalid to call while
>+        cleaning up the vm.
>+
>+        * heap/HeapCellType.cpp:
>+        (JSC::DefaultDestroyFunc::operator() const):
>+        * runtime/JSCell.h:
>+        * runtime/JSCellInlines.h:
>+        (JSC::JSCell::callDestructor): Deleted.
>+        * runtime/JSTypeInfo.h:
>+        (JSC::TypeInfo::hasStaticPropertyTable):
>+        (JSC::TypeInfo::structureIsImmortal const):
>+        * runtime/Structure.h:
>+
> 2018-04-29  Filip Pizlo  <fpizlo@apple.com>
> 
>         B3 should run tail duplication at the bitter end
>diff --git a/Source/JavaScriptCore/heap/HeapCellType.cpp b/Source/JavaScriptCore/heap/HeapCellType.cpp
>index cb937c4f5491df836c2c91dba91a6cee16aed8ad..687b0d6d20c4ad6161d923cae18d3723daad08b8 100644
>--- a/Source/JavaScriptCore/heap/HeapCellType.cpp
>+++ b/Source/JavaScriptCore/heap/HeapCellType.cpp
>@@ -39,8 +39,8 @@ struct DefaultDestroyFunc {
>     ALWAYS_INLINE void operator()(VM& vm, JSCell* cell) const
>     {
>         ASSERT(cell->structureID());
>-        ASSERT(cell->inlineTypeFlags() & StructureIsImmortal);
>         Structure* structure = cell->structure(vm);
>+        ASSERT(structure->typeInfo().structureIsImmortal());
>         const ClassInfo* classInfo = structure->classInfo();
>         MethodTable::DestroyFunctionPtr destroy = classInfo->methodTable.destroy;
>         destroy(cell);
>diff --git a/Source/JavaScriptCore/runtime/JSCell.h b/Source/JavaScriptCore/runtime/JSCell.h
>index 4796a315b676ae11377b4a048d4bc29a340d26d1..f8d5ac955f1b65ea2897ea88471bd106ae016741 100644
>--- a/Source/JavaScriptCore/runtime/JSCell.h
>+++ b/Source/JavaScriptCore/runtime/JSCell.h
>@@ -242,8 +242,6 @@ public:
>         return OBJECT_OFFSETOF(JSCell, m_cellState);
>     }
>     
>-    void callDestructor(VM&);
>-
>     static const TypedArrayType TypedArrayStorageType = NotTypedArray;
> protected:
> 
>diff --git a/Source/JavaScriptCore/runtime/JSCellInlines.h b/Source/JavaScriptCore/runtime/JSCellInlines.h
>index f6cb1cd9ea600b88d8c0a9922ced8d62bd80cb20..ad86c483dfba7388b516a18ea8150d863e54e9fb 100644
>--- a/Source/JavaScriptCore/runtime/JSCellInlines.h
>+++ b/Source/JavaScriptCore/runtime/JSCellInlines.h
>@@ -314,21 +314,6 @@ inline TriState JSCell::pureToBoolean() const
>     return MixedTriState;
> }
> 
>-inline void JSCell::callDestructor(VM& vm)
>-{
>-    if (isZapped())
>-        return;
>-    ASSERT(structureID());
>-    if (inlineTypeFlags() & StructureIsImmortal) {
>-        Structure* structure = this->structure(vm);
>-        const ClassInfo* classInfo = structure->classInfo();
>-        MethodTable::DestroyFunctionPtr destroy = classInfo->methodTable.destroy;
>-        destroy(this);
>-    } else
>-        static_cast<JSDestructibleObject*>(this)->classInfo()->methodTable.destroy(this);
>-    zap();
>-}
>-
> inline void JSCellLock::lock()
> {
>     Atomic<IndexingType>* lock = bitwise_cast<Atomic<IndexingType>*>(&m_indexingTypeAndMisc);
>diff --git a/Source/JavaScriptCore/runtime/JSTypeInfo.h b/Source/JavaScriptCore/runtime/JSTypeInfo.h
>index 94df229121dbf53a92af82087c63eb28b673d6b5..6f0a9b42e2fa1e27073b5dee950d458d17a1586e 100644
>--- a/Source/JavaScriptCore/runtime/JSTypeInfo.h
>+++ b/Source/JavaScriptCore/runtime/JSTypeInfo.h
>@@ -35,14 +35,17 @@ namespace JSC {
> 
> class LLIntOffsetsExtractor;
> 
>+// Inline flags.
>+
> static const unsigned MasqueradesAsUndefined = 1; // WebCore uses MasqueradesAsUndefined to make document.all undetectable.
> static const unsigned ImplementsDefaultHasInstance = 1 << 1;
> static const unsigned TypeOfShouldCallGetCallData = 1 << 2; // Need this flag if you override getCallData() and you want typeof to use this to determine if it should say "function". Currently we always set this flag when we override getCallData().
> static const unsigned OverridesGetOwnPropertySlot = 1 << 3;
>-static const unsigned StructureIsImmortal = 1 << 5;
> static const unsigned OverridesToThis = 1 << 6; // If this is false then this returns something other than 'this'. Non-object cells that are visible to JS have this set as do some exotic objects.
> static const unsigned HasStaticPropertyTable = 1 << 7;
> 
>+// Out of line flags.
>+
> static const unsigned ImplementsHasInstance = 1 << 8;
> static const unsigned OverridesGetPropertyNames = 1 << 9;
> static const unsigned ProhibitsPropertyCaching = 1 << 10;
>@@ -51,6 +54,7 @@ static const unsigned NewImpurePropertyFiresWatchpoints = 1 << 12;
> static const unsigned IsImmutablePrototypeExoticObject = 1 << 13;
> static const unsigned GetOwnPropertySlotIsImpureForPropertyAbsence = 1 << 14;
> static const unsigned InterceptsGetOwnPropertySlotByIndexEvenWhenLengthIsNotZero = 1 << 15;
>+static const unsigned StructureIsImmortal = 1 << 16;
> 
> class TypeInfo {
> public:
>@@ -84,8 +88,8 @@ public:
>     bool overridesGetOwnPropertySlot() const { return overridesGetOwnPropertySlot(inlineTypeFlags()); }
>     static bool overridesGetOwnPropertySlot(InlineTypeFlags flags) { return flags & OverridesGetOwnPropertySlot; }
>     static bool hasStaticPropertyTable(InlineTypeFlags flags) { return flags & HasStaticPropertyTable; }
>-    bool structureIsImmortal() const { return isSetOnFlags1(StructureIsImmortal); }
>     bool overridesToThis() const { return isSetOnFlags1(OverridesToThis); }
>+    bool structureIsImmortal() const { return isSetOnFlags2(StructureIsImmortal); }
>     bool overridesGetPropertyNames() const { return isSetOnFlags2(OverridesGetPropertyNames); }
>     bool prohibitsPropertyCaching() const { return isSetOnFlags2(ProhibitsPropertyCaching); }
>     bool getOwnPropertySlotIsImpure() const { return isSetOnFlags2(GetOwnPropertySlotIsImpure); }
>diff --git a/Source/JavaScriptCore/runtime/Structure.h b/Source/JavaScriptCore/runtime/Structure.h
>index 116ff3a5b823e49392556bed1ce8ee08150591b9..37696bb1d039c1be24507da409863a2b9bbe5805 100644
>--- a/Source/JavaScriptCore/runtime/Structure.h
>+++ b/Source/JavaScriptCore/runtime/Structure.h
>@@ -248,7 +248,7 @@ public:
>     }
>     
>     // Type accessors.
>-    TypeInfo typeInfo() const { ASSERT(structure()->classInfo() == info()); return m_blob.typeInfo(m_outOfLineTypeFlags); }
>+    TypeInfo typeInfo() const { return m_blob.typeInfo(m_outOfLineTypeFlags); }
>     bool isObject() const { return typeInfo().isObject(); }
> 
>     IndexingType indexingType() const { return m_blob.indexingTypeIncludingHistory() & AllArrayTypes; }

Actions: View | Formatted Diff | Diff

Attachments on bug 185101: 339046 | 339052 | 339137 | 339139 | 339140 | 339141 | 339142