Title: [232800] trunk/Source/JavaScriptCore
Revision: 232800
Author: sbar...@apple.com
Date: 2018-06-13 12:04:10 -0700 (Wed, 13 Jun 2018)

Log Message

CFGSimplificationPhase should de-dupe jettisonedBlocks
https://bugs.webkit.org/show_bug.cgi?id=186583

Reviewed by Filip Pizlo.

When making the predecessors list unique in r232741, it revealed a bug inside
of CFG simplification, where we try to remove the same predecessor more than
once from a block's predecessors list. We built the list of blocks to remove
from the list of successors, which is not unique, causing us to try to remove
the same predecessor more than once. The solution here is to just add to this
list of blocks to remove only if the block is not already in the list.

* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (232799 => 232800)


--- trunk/Source/_javascript_Core/ChangeLog	2018-06-13 18:51:17 UTC (rev 232799)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-06-13 19:04:10 UTC (rev 232800)
@@ -1,3 +1,20 @@
+2018-06-13  Saam Barati  <sbar...@apple.com>
+
+        CFGSimplificationPhase should de-dupe jettisonedBlocks
+        https://bugs.webkit.org/show_bug.cgi?id=186583
+
+        Reviewed by Filip Pizlo.
+
+        When making the predecessors list unique in r232741, it revealed a bug inside
+        of CFG simplification, where we try to remove the same predecessor more than
+        once from a blocks predecessors list. We built the list of blocks to remove
+        from the list of successors, which is not unique, causing us to try to remove
+        the same predecessor more than once. The solution here is to just add to this
+        list of blocks to remove only if the block is not already in the list.
+
+        * dfg/DFGCFGSimplificationPhase.cpp:
+        (JSC::DFG::CFGSimplificationPhase::run):
+
 2018-06-13  Yusuke Suzuki  <utatane....@gmail.com>
 
         [JSC] Always use Nuke & Set procedure for x86
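
Review bot: The new ChangeLog entry names no test. It says the duplicate removal was revealed by r232741, but neither this entry nor the other file in the patch adds or points at a test that exercises a terminal whose successor list repeats a block. Please add a regression test, or state in the entry which existing test hits this path so the fix can be re-verified later. Minor: "a blocks predecessors list" should read "a block's predecessors list".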

Modified: trunk/Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp (232799 => 232800)


--- trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp	2018-06-13 18:51:17 UTC (rev 232799)
+++ trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp	2018-06-13 19:04:10 UTC (rev 232800)
@@ -182,7 +182,7 @@
                         
                         Vector<BasicBlock*, 1> jettisonedBlocks;
                         for (BasicBlock* successor : terminal->successors()) {
-                            if (successor != targetBlock)
+                            if (successor != targetBlock && !jettisonedBlocks.contains(successor))
                                 jettisonedBlocks.append(successor);
                         }
                         
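
Review bot: The added `!jettisonedBlocks.contains(successor)` test in the `if` inside the `for (BasicBlock* successor : terminal->successors())` loop is a linear scan of a Vector on every iteration, so building the list becomes quadratic in the number of successors. With a handful of successors that is harmless, but if this code can be reached for a terminal with many successors, consider tracking already-seen blocks in a set next to the vector, or add a comment saying why the successor count is bounded here. Since the underlying problem is removing the same predecessor twice, an assertion at the point where these blocks are removed from the predecessors list would also catch any other caller that passes duplicates.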