Bug 175584

Summary: We are too conservative about the effects of PushWithScope
Product: WebKit Reporter: Robin Morisset <rmorisset>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Enhancement CC: buildbot, commit-queue, keith_miller, mark.lam, msaboff, saam, webkit-bug-importer
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Robin Morisset
Reported 2017-08-15 10:33:44 PDT
In https://bugs.webkit.org/show_bug.cgi?id=175470, Saam says that it is safe to remove the annotation that PushWithScope clobbers the world. This bug is just for tracking the removal of this annotation.
Attachments
Patch (1.47 KB, patch)
2017-08-15 10:35 PDT, Robin Morisset 		no flags
DetailsFormatted DiffDiff
Patch (3.43 KB, patch)
2017-08-15 18:13 PDT, Robin Morisset 		no flags
DetailsFormatted DiffDiff
Patch (3.39 KB, patch)
2017-08-15 19:06 PDT, Robin Morisset 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Robin Morisset
Comment 1 2017-08-15 10:35:00 PDT
Created attachment 318133 [details] Patch
Saam Barati
Comment 2 2017-08-15 11:19:47 PDT
Comment on attachment 318133 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=318133&action=review > Source/JavaScriptCore/ChangeLog:7 > + It's worth a sentence describing the reasoning here. Given the semantics of PushWithScope, I think it's also worth changing Clobberize and DoesGC (based on making Clobberize not report it clobbers things). Can you also add tests that would stress a few things: - we CSE around a PushWithScope - cases where PushWithScope throws an exception in the DFG because the "o" is null/undefined - cases where PushWithScope allocates (e.g, the "o" is a number/string/Symbol)
Robin Morisset
Comment 3 2017-08-15 18:13:18 PDT
Created attachment 318210 [details] Patch
Saam Barati
Comment 4 2017-08-15 18:15:28 PDT
Comment on attachment 318210 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=318210&action=review > Source/JavaScriptCore/dfg/DFGClobberize.h:475 > + read(ScopeProperties); This is not the case, this node does not read ScopeProperties. This heap kind is for GetClosureVar, PutClosureVar. Also, please add tests that stress the CSE this opens up.
Saam Barati
Comment 5 2017-08-15 18:18:44 PDT
Comment on attachment 318210 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=318210&action=review > Source/JavaScriptCore/dfg/DFGClobberize.h:476 > + read(HeapObjectCount); This reads more things. For example, it needs to read at least enough things to do a type check, to JSCell_typeInfo, JSCell_structureID, etc Maybe it's good to just say read(World) for now
Robin Morisset
Comment 6 2017-08-15 19:06:03 PDT
Created attachment 318216 [details] Patch
WebKit Commit Bot
Comment 7 2017-08-15 19:49:08 PDT
Comment on attachment 318216 [details] Patch Clearing flags on attachment: 318216 Committed r220783: <http://trac.webkit.org/changeset/220783>
WebKit Commit Bot
Comment 8 2017-08-15 19:49:09 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.