WPE 2.38 backport: JavaScriptCore (JSC) ScopedArguments setIndexQuickly #1668
Merged: aoikonomopoulos merged 3 commits into WebPlatformForEmbedded:wpe-2.38 from [source branch elided], May 7, 2026
…d across nested scopes
https://bugs.webkit.org/show_bug.cgi?id=261934
rdar://114925088
rdar://117838992

Reviewed by Yusuke Suzuki.

Fixed issue where an access to a named argument and a separate access via its argument[i] counterpart weren't recognized throughout all JIT tiers as accesses to the same scoped value. The DFG bytecode parser can unknowingly constant fold the read access.

Added aliasing via the SymbolTable and its ScopedArgumentsTable for both types of accesses of such values. related objects Added watchpoints for scoped arguments, and shared the watchpoint from the SymbolTableEntry for the named parameter with the ScopedArgument entry for the matching index. Tagged op_put_to_scope bytecodes with a new ScopedArgumentInitialization initialization type in GetPutInfo to signify this shared watchpoint case. Since currently all tiers write to scoped arguments via ScopedArguments::setIndexQuickly(), that is where we fire its watchpoint.

Added a new test.

* JSTests/stress/arrow-function-captured-arguments-aliased.js: Added.
(createOptAll):
(createOpt500):
(createOpt2000):
(createOpt5000):
(main):
* Source/JavaScriptCore/bytecode/CodeBlock.cpp:
(JSC::CodeBlock::finishCreation):
* Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:
(JSC::BytecodeGenerator::BytecodeGenerator):
* Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:
* Source/JavaScriptCore/llint/LowLevelInterpreter64.asm:
* Source/JavaScriptCore/runtime/GetPutInfo.h:
(JSC::initializationModeName):
(JSC::isInitialization):
* Source/JavaScriptCore/runtime/ScopedArguments.cpp:
(JSC::ScopedArguments::unmapArgument):
* Source/JavaScriptCore/runtime/ScopedArguments.h:
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.cpp:
(JSC::ScopedArgumentsTable::tryCreate):
(JSC::ScopedArgumentsTable::tryClone):
(JSC::ScopedArgumentsTable::trySetLength):
(JSC::ScopedArgumentsTable::trySetWatchpointSet):
* Source/JavaScriptCore/runtime/ScopedArgumentsTable.h:
* Source/JavaScriptCore/runtime/SymbolTable.cpp:
(JSC::SymbolTable::cloneScopePart):
* Source/JavaScriptCore/runtime/SymbolTable.h:

Originally-landed-as: 272448.5@safari-7618-branch (97894699773c). rdar://124557495
Canonical link: https://commits.webkit.org/276437@main
… memory
https://bugs.webkit.org/show_bug.cgi?id=255881
rdar://108438866

Reviewed by Yusuke Suzuki and Justin Michaud.

It's intended to crash when a worker exhausts memory while constructing a VM. Use RELEASE_ASSERT_RESOURCE_AVAILABLE instead for these types of resource exhaustion to unblock the fuzzer.

* Source/JavaScriptCore/runtime/ResourceExhaustion.h:
* Source/JavaScriptCore/runtime/VM.cpp:
(JSC::VM::VM):

Canonical link: https://commits.webkit.org/263328@main
…ps://bugs.webkit.org/show_bug.cgi?id=268409
rdar://121748005

Reviewed by Yusuke Suzuki.

A code inspection of the symbol table and scoped arguments code revealed that SymbolTable::cloneScopePart() doesn't properly copy the ScopedArgumentsTable from the source. Since ScopedArguments point to the WatchpointSets in the related SymbolTable, we need to create new WatchpointSets in the cloned SymbolTable and have the ScopedArguments point to the related new WatchpointSets.

This is a speculative fix.

* Source/JavaScriptCore/runtime/ScopedArguments.h:
* Source/JavaScriptCore/runtime/SymbolTable.cpp:
(JSC::SymbolTable::cloneScopePart):
(JSC::SymbolTable::hasScopedWatchpointSet):
* Source/JavaScriptCore/runtime/SymbolTable.h:

Originally-landed-as: 272448.422@safari-7618-branch (5bc92c9d5253). rdar://124554329
Canonical link: https://commits.webkit.org/276646@main
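The aliasing that the first backported commit (bug 261934) describes, as an added JavaScript example; it is not part of the WebKit change or of its regression test arrow-function-captured-arguments-aliased.js, and the function names (`aliasedThroughScope`, `aliasedUntilUnmapped`, `runTiered`) are mine. A named parameter that a nested arrow function captures becomes a scoped variable, and every write through `arguments[i]` must still be visible through the parameter name at every JIT tier; the second function shows the unmapping case the commit's ScopedArguments::unmapArgument entry refers to.

```javascript
// Added example, not part of the WebKit patch or its regression test.
// In a sloppy-mode function the `arguments` object is mapped: arguments[i]
// and the i-th named parameter are two views of one storage slot. Once a
// nested arrow function captures the parameter, that slot lives in the
// function's scope (SymbolTable / ScopedArguments in JSC), which is the case
// the fix covers: no JIT tier may constant fold reads of `a` while writes
// keep arriving through arguments[0].
//
// The functions are built with the Function constructor so that they are
// sloppy-mode even if this file is loaded as a strict ES module, where
// `arguments` is unmapped and no aliasing happens at all.

const aliasedThroughScope = new Function("a", `
  const read = () => a;                 // capture: 'a' now lives in the scope
  const before = read();
  arguments[0] = before + 1;            // write through the arguments[i] alias
  const afterArgWrite = read();         // must observe that write
  a = a * 2;                            // write through the named parameter
  const afterNamedWrite = arguments[0]; // must observe it via arguments
  return [before, afterArgWrite, afterNamedWrite];
`);

// Unmapping: redefining arguments[0] as non-writable severs the alias for that
// index (the ScopedArguments::unmapArgument path named in the commit). Per the
// spec the value handed to defineProperty is still propagated to 'a' first;
// after that, 'a' and arguments[0] evolve independently.
const aliasedUntilUnmapped = new Function("a", `
  const read = () => a;
  arguments[0] = 10;
  const whileMapped = read();           // 10: still aliased
  Object.defineProperty(arguments, 0, { value: 99, writable: false });
  a = 42;                               // no longer reaches arguments[0]
  return [whileMapped, read(), arguments[0]];
`);

// Calling the same function thousands of times lets every JIT tier compile
// it; a tier that constant folded 'a' would start returning stale values at
// some iteration, which this loop reports instead of silently accepting.
function runTiered(iterations) {
  for (let i = 0; i < iterations; i++) {
    const got = aliasedThroughScope(i);
    const expected = [i, i + 1, (i + 1) * 2];
    for (let k = 0; k < expected.length; k++) {
      if (got[k] !== expected[k]) {
        return { ok: false, iteration: i, got, expected };
      }
    }
  }
  return { ok: true, iterations };
}

console.log(aliasedThroughScope(3));   // [3, 4, 8]
console.log(aliasedUntilUnmapped(0));  // [10, 42, 99]
console.log(runTiered(5000));          // { ok: true, iterations: 5000 }
```

Running this under `node` exercises V8 rather than JSC; under JSC's `jsc` shell it is the same shape as the stress test the commit adds, whose createOpt500/createOpt2000/createOpt5000 helpers likewise repeat the call enough times to reach each tier. The strict-mode caveat matters when reproducing JIT aliasing bugs: a script loaded as an ES module gets an unmapped `arguments` object and will never show the behaviour under test.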
Pull Request Template
File a Bug
All changes should be associated with a bug. The WebKit project is currently using Bugzilla as our bug tracker. Note that multiple changes may be associated with a single bug.
Provided Tooling
The WebKit Project strongly recommends contributors use Tools/Scripts/git-webkit to generate pull requests. See Setup and Contributing Code for how to do this.
Template
If a contributor wishes to file a pull request manually, the template is below. Manually-filed pull requests should contain their commit message as the pull request description, and their commit message should be formatted like the template below.
Additionally, the pull request should be mentioned on Bugzilla, labels applied to the pull request matching the component and version of the Bugzilla associated with the pull request and the pull request assigned to its author.
d0b956b