Commit 62203aa3 authored by fpizlo@apple.com's avatar fpizlo@apple.com

ObjectAllocationProfile is racy and the DFG should be cool with that

https://bugs.webkit.org/show_bug.cgi?id=125172
<rdar://problem/15233487>

Reviewed by Mark Hahnenberg.
        
We would previously sometimes get a null Structure because checking if the profile is non-null and loading
the structure from it were two separate operations.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::setFuturePossibleStructure):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* runtime/JSFunction.h:
(JSC::JSFunction::allocationProfile):
(JSC::JSFunction::allocationStructure):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160038 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 5aef9889
2013-12-03 Filip Pizlo <fpizlo@apple.com>
ObjectAllocationProfile is racy and the DFG should be cool with that
https://bugs.webkit.org/show_bug.cgi?id=125172
<rdar://problem/15233487>
Reviewed by Mark Hahnenberg.
We would previously sometimes get a null Structure because checking if the profile is non-null and loading
the structure from it were two separate operations.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::setFuturePossibleStructure):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* runtime/JSFunction.h:
(JSC::JSFunction::allocationProfile):
(JSC::JSFunction::allocationStructure):
2013-12-03 peavo@outlook.com <peavo@outlook.com>
testapi test crashes on Windows in WTF::Vector<wchar_t,64,WTF::UnsafeVectorOverflow>::size()
......@@ -1136,6 +1136,7 @@ bool AbstractInterpreter<AbstractStateType>::executeEffects(unsigned clobberLimi
break;
case NewObject:
ASSERT(node->structure());
forNode(node).set(m_graph, node->structure());
m_state.setHaveStructures(true);
break;
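Review bot: The `ASSERT(node->structure())` added at L49 pins the invariant only in debug builds; WTF's ASSERT is compiled out of release builds, so the null-structure case described in the commit message would still reach `forNode(node).set(m_graph, node->structure())` unchecked there, and the real guard is the single non-null load in `ByteCodeParser::parseBlock`. A short comment tying the assertion to that guard would help the next reader: `// NewObject is only emitted after parseBlock saw a non-null allocation structure in a single load; the profile is written by the main thread while we parse.` The same point applies to the `ASSERT(structure)` added in the DFGAbstractValue.cpp hunk. executeEffects and its enclosing switch start and end outside the hunk.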
......@@ -153,6 +153,7 @@ FiltrationResult AbstractValue::filterByValue(JSValue value)
void AbstractValue::setFuturePossibleStructure(Graph& graph, Structure* structure)
{
ASSERT(structure);
if (graph.watchpoints().isStillValid(structure->transitionWatchpointSet()))
m_futurePossibleStructure = structure;
else
......@@ -1916,19 +1916,18 @@ bool ByteCodeParser::parseBlock(unsigned limit)
ASSERT(cell->inherits(JSFunction::info()));
JSFunction* function = jsCast<JSFunction*>(cell);
ObjectAllocationProfile* allocationProfile = function->tryGetAllocationProfile();
if (allocationProfile) {
if (Structure* structure = function->allocationStructure()) {
addToGraph(AllocationProfileWatchpoint, OpInfo(function));
// The callee is still live up to this point.
addToGraph(Phantom, callee);
set(VirtualRegister(currentInstruction[1].u.operand),
addToGraph(NewObject, OpInfo(allocationProfile->structure())));
set(VirtualRegister(currentInstruction[1].u.operand), addToGraph(NewObject, OpInfo(structure)));
alreadyEmitted = true;
}
}
if (!alreadyEmitted)
if (!alreadyEmitted) {
set(VirtualRegister(currentInstruction[1].u.operand),
addToGraph(CreateThis, OpInfo(currentInstruction[3].u.operand), callee));
}
NEXT_OPCODE(op_create_this);
}
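Review bot: The check the new `if (Structure* structure = function->allocationStructure())` at L67 drops is not only the null test but also the `m_allocationProfileWatchpoint.hasBeenInvalidated()` test that the removed `tryGetAllocationProfile()` performed, so parseBlock can now emit NewObject for a structure whose watchpoint has already fired. Presumably the `AllocationProfileWatchpoint` node added on the next line causes such a compile to be rejected later, but nothing in the hunk says so, and a reader comparing old and new code will wonder whether the check was lost by accident. I would state the contract above the `if`: `// Read the structure exactly once: the main thread may be filling in the profile while we parse, so a separate null check plus a second load can observe a null Structure. A structure whose watchpoint has already fired is handled by the AllocationProfileWatchpoint node, not here.` (the second sentence only if that is indeed how invalidation is handled). parseBlock begins and ends outside the hunk.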
......@@ -137,22 +137,9 @@ namespace JSC {
return createAllocationProfile(exec, inlineCapacity);
return &m_allocationProfile;
}
ObjectAllocationProfile* tryGetAllocationProfile()
{
if (m_allocationProfile.isNull())
return 0;
if (m_allocationProfileWatchpoint.hasBeenInvalidated())
return 0;
return &m_allocationProfile;
}
void addAllocationProfileWatchpoint(Watchpoint* watchpoint)
{
ASSERT(tryGetAllocationProfile());
m_allocationProfileWatchpoint.add(watchpoint);
}
Structure* allocationStructure() { return m_allocationProfile.structure(); }
InlineWatchpointSet& allocationProfileWatchpointSet()
{
return m_allocationProfileWatchpoint;
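Review bot: `allocationStructure()` at L102 is now the accessor the DFG parser relies on, and it is evidently read from a compilation thread while the main thread may still be creating the profile (the commit message says as much), yet the header gives no hint that its result can be null or that it must be read only once. I would document that contract on the accessor: `// May be called from a DFG compilation thread while the main thread is filling in m_allocationProfile; returns null if the profile is not yet set. Callers must act on the single returned value rather than re-reading the profile.` With `tryGetAllocationProfile()` and `addAllocationProfileWatchpoint()` gone, `allocationProfileWatchpointSet()` is the only remaining way to observe invalidation, which is worth a sentence in the same comment. The enclosing class runs past both ends of the hunk.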