RESOLVED FIXED 212519
[JSC] for-in should allocate new temporary register for base 
https://bugs.webkit.org/show_bug.cgi?id=212519
Summary [JSC] for-in should allocate new temporary register for base
Yusuke Suzuki
Reported 2020-05-29 04:28:50 PDT
[JSC] for-in should allocate new temporary register for base
Attachments
Patch (2.89 KB, patch)
2020-05-29 04:32 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (21.16 KB, patch)
2020-05-29 14:19 PDT, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
Patch for landing (23.00 KB, patch)
2020-05-29 16:48 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch for landing (23.12 KB, patch)
2020-05-30 18:45 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch for landing (23.10 KB, patch)
2020-05-30 18:47 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2020-05-29 04:32:54 PDT
Created attachment 400568 [details] Patch
Yusuke Suzuki
Comment 2 2020-05-29 04:33:43 PDT
<rdar://problem/63722044>
Yusuke Suzuki
Comment 3 2020-05-29 14:19:54 PDT
Created attachment 400615 [details] Patch
Saam Barati
Comment 4 2020-05-29 14:42:57 PDT
Comment on attachment 400615 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=400615&action=review Nice! r=me > Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1855 > + auto canUseFastHasOwnProperty = [&] { nice! > Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1865 > + return generator.variable(generator.propertyNames().thisIdentifier, ThisResolutionType::Local) == structureContext->baseVariable().value(); what happens for heap |this| inside arrow function? > Source/JavaScriptCore/parser/ASTBuilder.h:1454 > + && (dot->base()->isResolveNode() || dot->base()->isThisNode()) > + && (!dot->base()->isResolveNode() || static_cast<ResolveNode*>(dot->base())->identifier() != "Reflect")) { nit: you could make it: ((dot->base->isResolveNode() && ...->id() != "Reflect) || dot->base->isThisNode()) to avoid double vtable call
Yusuke Suzuki
Comment 5 2020-05-29 15:12:56 PDT
Comment on attachment 400615 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=400615&action=review >> Source/JavaScriptCore/bytecompiler/NodesCodegen.cpp:1865 >> + return generator.variable(generator.propertyNames().thisIdentifier, ThisResolutionType::Local) == structureContext->baseVariable().value(); > > what happens for heap |this| inside arrow function? Arrow function loads |this| from scope to its local m_thisRegister. m_thisRegister can point to |this| in CallFrame or a variable register which is allocated for allow function. So, after executing ensureThis(), m_thisRegister is always correct for |this|. >> Source/JavaScriptCore/parser/ASTBuilder.h:1454 >> + && (!dot->base()->isResolveNode() || static_cast<ResolveNode*>(dot->base())->identifier() != "Reflect")) { > > nit: you could make it: > ((dot->base->isResolveNode() && ...->id() != "Reflect) || dot->base->isThisNode()) > to avoid double vtable call Sounds nice! Fixed.
Yusuke Suzuki
Comment 6 2020-05-29 16:48:19 PDT
Created attachment 400634 [details] Patch for landing
Yusuke Suzuki
Comment 7 2020-05-30 18:45:55 PDT
Created attachment 400686 [details] Patch for landing
Yusuke Suzuki
Comment 8 2020-05-30 18:47:57 PDT
Created attachment 400687 [details] Patch for landing
EWS
Comment 9 2020-05-30 20:20:44 PDT
Committed r262354: <https://trac.webkit.org/changeset/262354> All reviewed patches have been landed. Closing bug and clearing flags on attachment 400687 [details].
Note You need to log in before you can comment on or make changes to this bug.