155069 – RegExpMatchesArray doesn't know how to have a bad time

Bug 155069 - RegExpMatchesArray doesn't know how to have a bad time

Summary: RegExpMatchesArray doesn't know how to have a bad time

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	All All

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:

Depends on:
Blocks:	155070 154874
	Show dependency tree / graph

Reported:	2016-03-05 14:08 PST by Filip Pizlo
Modified:	2016-03-06 12:11 PST (History)
CC List:	12 users (show)

See Also:

Attachments
work in progress (24.98 KB, patch) 2016-03-05 19:33 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
more (39.95 KB, patch) 2016-03-05 20:44 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
possibly done (63.57 KB, patch) 2016-03-05 21:04 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
seems to work (66.10 KB, patch) 2016-03-05 21:50 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
runs some things (81.45 KB, patch) 2016-03-06 00:30 PST, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
the patch (84.89 KB, patch) 2016-03-06 01:25 PST, Filip Pizlo	ysuzuki: review+	Details \| Formatted Diff \| Diff
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2016-03-05 14:08:53 PST

Patch forthcoming.

Comment 1 Filip Pizlo 2016-03-05 19:33:44 PST

Created attachment 273119 [details]
work in progress

Comment 2 Filip Pizlo 2016-03-05 20:44:04 PST

Created attachment 273122 [details]
more

Comment 3 Filip Pizlo 2016-03-05 21:04:41 PST

Created attachment 273125 [details]
possibly done

Comment 4 Filip Pizlo 2016-03-05 21:50:30 PST

Created attachment 273126 [details]
seems to work

Comment 5 Filip Pizlo 2016-03-06 00:30:37 PST

Created attachment 273128 [details]
runs some things

Comment 6 Filip Pizlo 2016-03-06 01:25:12 PST

Created attachment 273131 [details]
the patch

Comment 7 WebKit Commit Bot 2016-03-06 01:27:33 PST

Attachment 273131 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:1908:  Place brace on its own line for function definitions.  [whitespace/braces] [4]
Total errors found: 1 in 38 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 8 Yusuke Suzuki 2016-03-06 12:02:29 PST

Comment on attachment 273131 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=273131&action=review

Looks great.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2175
> +        Node* regExpExec = addToGraph(RegExpExec, OpInfo(0), OpInfo(prediction), addToGraph(GetGlobalObject, callee), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset)));

OK, we need to insert having a bad time watchpoint checking for the RegExp.prototype.exec's global object.

> Source/JavaScriptCore/runtime/JSGlobalObject.cpp:767
> +    m_regExpMatchesArrayStructure.set(vm, this, m_regExpMatchesArraySlowPutStructure.get());

OK. Switching the structure to slow put one, that is used when creating a new RegExp matches array.
And existing one is switched by the following path.

> Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js:3
> +    Array.prototype.__defineSetter__("0", function(value) { count += value; });

Yeah, let's have a bad time!

Comment 9 Filip Pizlo 2016-03-06 12:09:18 PST

(In reply to comment #8)
> Comment on attachment 273131 [details]
> the patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=273131&action=review
> 
> Looks great.
> 
> > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2175
> > +        Node* regExpExec = addToGraph(RegExpExec, OpInfo(0), OpInfo(prediction), addToGraph(GetGlobalObject, callee), get(virtualRegisterForArgument(0, registerOffset)), get(virtualRegisterForArgument(1, registerOffset)));
> 
> OK, we need to insert having a bad time watchpoint checking for the
> RegExp.prototype.exec's global object.

Note that we will only insert the haveABadTime watchpoint if the abstract interpreter discovers what the global object is and observes that it's not having a bad time.  If either of those things don't happen, RegExpExec will simply make no promises about the kind of array it returns - so the CodeBlock doesn't need any watchpoints in that case.

This works partly because createRegExpMatchesArray currently always does a check for isHavingABadTime each time it is executed.

> 
> > Source/JavaScriptCore/runtime/JSGlobalObject.cpp:767
> > +    m_regExpMatchesArrayStructure.set(vm, this, m_regExpMatchesArraySlowPutStructure.get());
> 
> OK. Switching the structure to slow put one, that is used when creating a
> new RegExp matches array.
> And existing one is switched by the following path.
> 
> > Source/JavaScriptCore/tests/stress/regexp-matches-array-slow-put.js:3
> > +    Array.prototype.__defineSetter__("0", function(value) { count += value; });
> 
> Yeah, let's have a bad time!

Comment 10 Filip Pizlo 2016-03-06 12:11:32 PST

Landed in http://trac.webkit.org/changeset/197641