RESOLVED FIXED 229898
[JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise 
https://bugs.webkit.org/show_bug.cgi?id=229898
Summary [JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise
Yusuke Suzuki
Reported 2021-09-03 15:00:44 PDT
[JSC] Make EnumeratorNextUpdateIndexAndMode clobberizing rule precise
Attachments
Patch (5.88 KB, patch)
2021-09-03 15:02 PDT, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2021-09-03 15:02:52 PDT
Created attachment 437319 [details] Patch
Yusuke Suzuki
Comment 2 2021-09-03 15:02:54 PDT
<rdar://problem/82714439>
Mark Lam
Comment 3 2021-09-03 17:38:06 PDT
Comment on attachment 437319 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=437319&action=review > Source/JavaScriptCore/dfg/DFGClobberize.h:374 > - if (mode.isSaneChain()) { > + if (mode.isInBounds()) { After this change (and the ones below), all this code is identical to the case for HasIndexedProperty. Why not just make the EnumeratorNextUpdateIndexAndMode case do this instead? case EnumeratorNextUpdateIndexAndMode: { if (node->enumeratorMetadata() == JSPropertyNameEnumerator::OwnStructureMode && graph.varArgChild(node, 0).useKind() == CellUse) { read(JSObject_butterfly); read(NamedProperties); read(JSCell_structureID); return; } if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode) { read(JSObject_butterfly); clobberTop(); return; } FALLTHROUGH; } case HasIndexedProperty: { ...
Saam Barati
Comment 4 2021-09-03 17:49:34 PDT
Comment on attachment 437319 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=437319&action=review >> Source/JavaScriptCore/dfg/DFGClobberize.h:374 >> + if (mode.isInBounds()) { > > After this change (and the ones below), all this code is identical to the case for HasIndexedProperty. Why not just make the EnumeratorNextUpdateIndexAndMode case do this instead? > > case EnumeratorNextUpdateIndexAndMode: { > if (node->enumeratorMetadata() == JSPropertyNameEnumerator::OwnStructureMode && graph.varArgChild(node, 0).useKind() == CellUse) { > read(JSObject_butterfly); > read(NamedProperties); > read(JSCell_structureID); > return; > } > > if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode) { > read(JSObject_butterfly); > clobberTop(); > return; > } > > FALLTHROUGH; > } > > case HasIndexedProperty: { > ... Or write a shared helper.
Mark Lam
Comment 5 2021-09-03 18:02:24 PDT
Comment on attachment 437319 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=437319&action=review > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:4303 > + if (node->enumeratorMetadata() != JSPropertyNameEnumerator::OwnStructureMode || m_graph.varArgChild(node, 0).useKind() != CellUse) { > + if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode) > + clobberWorld(); > + else { > + switch (arrayMode.type()) { > + case Array::Int32: > + case Array::Double: > + case Array::Contiguous: > + case Array::ArrayStorage: { > + if (arrayMode.isInBounds()) > + break; > + FALLTHROUGH; > + } > + default: { > + clobberWorld(); > + break; > + } > + } > + } > + } > setNonCellTypeForNode(node, SpecBytecodeNumber); Can't you also express this in a similar way as the implementation in clobberize() so that it's more obvious that this is meant to match that, and as so that you can re-use the code for HasIndexedProperty either via FALLTHROUGH, or via a helper function?
Yusuke Suzuki
Comment 6 2021-09-03 20:10:40 PDT
Comment on attachment 437319 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=437319&action=review >> Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:4303 >> setNonCellTypeForNode(node, SpecBytecodeNumber); > > Can't you also express this in a similar way as the implementation in clobberize() so that it's more obvious that this is meant to match that, and as so that you can re-use the code for HasIndexedProperty either via FALLTHROUGH, or via a helper function? A bit aligned it to the clobberizing's one. >>> Source/JavaScriptCore/dfg/DFGClobberize.h:374 >>> + if (mode.isInBounds()) { >> >> After this change (and the ones below), all this code is identical to the case for HasIndexedProperty. Why not just make the EnumeratorNextUpdateIndexAndMode case do this instead? >> >> case EnumeratorNextUpdateIndexAndMode: { >> if (node->enumeratorMetadata() == JSPropertyNameEnumerator::OwnStructureMode && graph.varArgChild(node, 0).useKind() == CellUse) { >> read(JSObject_butterfly); >> read(NamedProperties); >> read(JSCell_structureID); >> return; >> } >> >> if (node->enumeratorMetadata() != JSPropertyNameEnumerator::IndexedMode) { >> read(JSObject_butterfly); >> clobberTop(); >> return; >> } >> >> FALLTHROUGH; >> } >> >> case HasIndexedProperty: { >> ... > > Or write a shared helper. Merged both clauses into one.
Yusuke Suzuki
Comment 7 2021-09-03 20:24:25 PDT
Committed r282042 (241342@main): <https://commits.webkit.org/241342@main>
Brent Fulgham
Comment 8 2022-02-12 20:31:24 PST
*** Bug 229842 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.