| Summary: | RegExpMatchesArray doesn't know how to have a bad time | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Filip Pizlo <fpizlo> | ||||||||||||||
| Component: | JavaScriptCore | Assignee: | Filip Pizlo <fpizlo> | ||||||||||||||
| Status: | RESOLVED FIXED | ||||||||||||||||
| Severity: | Normal | CC: | barraclough, benjamin, commit-queue, ggaren, keith_miller, kling, mark.lam, mhahnenb, msaboff, oliver, saam, sam | ||||||||||||||
| Priority: | P2 | ||||||||||||||||
| Version: | WebKit Nightly Build | ||||||||||||||||
| Hardware: | All | ||||||||||||||||
| OS: | All | ||||||||||||||||
| Bug Depends on: | |||||||||||||||||
| Bug Blocks: | 155070, 154874 | ||||||||||||||||
| Attachments: |
|
||||||||||||||||
|
Description
Filip Pizlo
2016-03-05 14:08:53 PST
Created attachment 273119 [details]
work in progress
Created attachment 273122 [details]
more
Created attachment 273125 [details]
possibly done
Created attachment 273126 [details]
seems to work
Created attachment 273128 [details]
runs some things
Created attachment 273131 [details]
the patch
Attachment 273131 [details] did not pass style-queue:
ERROR: Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:1908: Place brace on its own line for function definitions. [whitespace/braces] [4]
Total errors found: 1 in 38 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 273131 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=273131&action=review Looks great. > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2175 > + Node* regExpExec = addToGraph(RegExpExec, OpInfo(0), OpInfo(prediction), addToGraph(GetGlobalObject, callee), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset))); OK, we need to insert having a bad time watchpoint checking for the RegExp.prototype.exec's global object. > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:767 > + m_regExpMatchesArrayStructure.set(vm, this, m_regExpMatchesArraySlowPutStructure.get()); OK. Switching the structure to slow put one, that is used when creating a new RegExp matches array. And existing one is switched by the following path. > Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js:3 > + Array.prototype.__defineSetter__("0", function(value) { count += value; }); Yeah, let's have a bad time! (In reply to comment #8) > Comment on attachment 273131 [details] > the patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=273131&action=review > > Looks great. > > > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2175 > > + Node* regExpExec = addToGraph(RegExpExec, OpInfo(0), OpInfo(prediction), addToGraph(GetGlobalObject, callee), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset))); > > OK, we need to insert having a bad time watchpoint checking for the > RegExp.prototype.exec's global object. Note that we will only insert the haveABadTime watchpoint if the abstract interpreter discovers what the global object is and observes that it's not having a bad time. If either of those things don't happen, RegExpExec will simply make no promises about the kind of array it returns - so the CodeBlock doesn't need any watchpoints in that case. This works partly because createRegExpMatchesArray currently always does a check for isHavingABadTime each time it is executed. > > > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:767 > > + m_regExpMatchesArrayStructure.set(vm, this, m_regExpMatchesArraySlowPutStructure.get()); > > OK. Switching the structure to slow put one, that is used when creating a > new RegExp matches array. > And existing one is switched by the following path. > > > Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js:3 > > + Array.prototype.__defineSetter__("0", function(value) { count += value; }); > > Yeah, let's have a bad time! Landed in http://trac.webkit.org/changeset/197641 |