158291 – canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints

Bug 158291 - canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints

Summary: canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Keith Miller

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-06-01 18:09 PDT by Keith Miller
Modified:	2016-06-01 21:24 PDT (History)
CC List:	4 users (show)

See Also:

Attachments
Patch (12.37 KB, patch) 2016-06-01 19:11 PDT, Keith Miller	no flags	Details \| Formatted Diff \| Diff
Patch for landing (12.38 KB, patch) 2016-06-01 19:36 PDT, Keith Miller	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Keith Miller 2016-06-01 18:09:13 PDT

canOptimizeStringObjectAccess should use ObjectPropertyConditions rather than structure watchpoints

Comment 1 Keith Miller 2016-06-01 19:11:25 PDT

Created attachment 280294 [details]
Patch

Comment 2 Keith Miller 2016-06-01 19:17:47 PDT

Comment on attachment 280294 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=280294&action=review

> Source/JavaScriptCore/bytecode/ObjectPropertyConditionSet.cpp:65
> +    return (numberOfConditionsWithKind(PropertyCondition::Presence) ^ numberOfConditionsWithKind(PropertyCondition::Equivalence)) == 1;

Whoops, this should be (numberOfConditionsWithKind(PropertyCondition::Presence) == 1) != (numberOfConditionsWithKind(PropertyCondition::Equivalence) == 1).

I'll fix before landing.

Comment 3 Keith Miller 2016-06-01 19:36:22 PDT

Created attachment 280296 [details]
Patch for landing

Comment 4 WebKit Commit Bot 2016-06-01 20:16:57 PDT

Comment on attachment 280296 [details]
Patch for landing

Clearing flags on attachment: 280296

Committed r201584: <http://trac.webkit.org/changeset/201584>

Comment 5 WebKit Commit Bot 2016-06-01 20:17:01 PDT

All reviewed patches have been landed.  Closing bug.

Comment 6 Filip Pizlo 2016-06-01 21:24:02 PDT

Comment on attachment 280296 [details]
Patch for landing

View in context: https://bugs.webkit.org/attachment.cgi?id=280296&action=review

Can you do a follow-up fix to clean up the API?

> Source/JavaScriptCore/bytecode/ObjectPropertyCondition.cpp:52
> -    return m_condition.isStillValidAssumingImpurePropertyWatchpoint(structure);
> +    return m_condition.isStillValidAssumingImpurePropertyWatchpoint(structure, m_object);

This part is wrong.

The documentation for structureEnsuresValidityAssumingImpurePropertyWatchpoint() says:

    // Checks if the object's structure claims that the property won't be intercepted. Validity
    // does not require watchpoints on the object.

Passing a non-null object to PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint() means that it will return true in cases where we actually need to set watchpoints on the object.

It may be that nobody calls isStillValidAssumingImpurePropertyWatchpoint() this way, but that's a super crazy assumption since the DFG assumes this meaning for structureEnsuresValidity(), which is supposed to only differ from structureEnsuresValidityAssumingImpurePropertyWatchpoint() in how it handles the impure property watchpoint thing.

So, this patch maybe causes a correctness bug somewhere (maybe not), but definitely makes the API inconsistent.  I don't think we want that.

Can you add a new method instead?  I guess it should be called ObjectPropertyCondition::isStillValidAssumingImpurePropertyWatchpoint()