Modified: trunk/Source/_javascript_Core/ChangeLog (97333 => 97334)
--- trunk/Source/_javascript_Core/ChangeLog 2011-10-13 02:04:36 UTC (rev 97333)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-10-13 02:20:42 UTC (rev 97334)
@@ -1,3 +1,19 @@
+2011-10-12 Filip Pizlo <fpi...@apple.com>
+
+ DFG CFA does not filter structures aggressively enough.
+ https://bugs.webkit.org/show_bug.cgi?id=69989
+
+ Reviewed by Oliver Hunt.
+
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::clear):
+ (JSC::DFG::AbstractValue::makeTop):
+ (JSC::DFG::AbstractValue::clobberStructures):
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::merge):
+ (JSC::DFG::AbstractValue::filter):
+ (JSC::DFG::AbstractValue::checkConsistency):
+
2011-10-12 Adam Barth <aba...@webkit.org>
Remove ENABLE(XHTMLMP) and associated code
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h (97333 => 97334)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h 2011-10-13 02:04:36 UTC (rev 97333)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h 2011-10-13 02:20:42 UTC (rev 97334)
@@ -319,6 +319,7 @@
{
m_type = PredictNone;
m_structure.clear();
+ checkConsistency();
}
bool isClear()
@@ -330,16 +331,16 @@
{
m_type = PredictTop;
m_structure.makeTop();
+ checkConsistency();
}
void clobberStructures()
{
- if (m_type & PredictCell) {
+ if (m_type & PredictCell)
m_structure.makeTop();
- return;
- }
-
- ASSERT(m_structure.isClear());
+ else
+ ASSERT(m_structure.isClear());
+ checkConsistency();
}
bool isTop() const
@@ -361,6 +362,8 @@
m_structure.add(value.asCell()->structure());
m_type = predictionFromValue(value);
+
+ checkConsistency();
}
void set(Structure* structure)
@@ -369,6 +372,8 @@
m_structure.add(structure);
m_type = predictionFromStructure(structure);
+
+ checkConsistency();
}
void set(PredictedType type)
@@ -378,6 +383,7 @@
else
m_structure.clear();
m_type = type;
+ checkConsistency();
}
bool operator==(const AbstractValue& other) const
@@ -387,7 +393,9 @@
bool merge(const AbstractValue& other)
{
- return mergePrediction(m_type, other.m_type) | m_structure.addAll(other.m_structure);
+ bool result = mergePrediction(m_type, other.m_type) | m_structure.addAll(other.m_structure);
+ checkConsistency();
+ return result;
}
void merge(PredictedType type)
@@ -396,6 +404,8 @@
if (type & PredictCell)
m_structure.makeTop();
+
+ checkConsistency();
}
void filter(const StructureSet& other)
@@ -409,6 +419,7 @@
// sure that new information gleaned from the PredictedType needs to be fed back
// into the information gleaned from the StructureSet.
m_structure.filter(m_type);
+ checkConsistency();
}
void filter(PredictedType type)
@@ -416,7 +427,13 @@
if (type == PredictTop)
return;
m_type &= type;
- m_structure.filter(type);
+
+ // It's possible that prior to this filter() call we had, say, (Final, TOP), and
+ // the passed type is Array. At this point we'll have (None, TOP). The best way
+ // to ensure that the structure filtering does the right thing is to filter on
+ // the new type (None) rather than the one passed (Array).
+ m_structure.filter(m_type);
+ checkConsistency();
}
bool validate(JSValue value) const
@@ -438,6 +455,17 @@
return true;
}
+ void checkConsistency() const
+ {
+ if (!(m_type & PredictCell))
+ ASSERT(m_structure.isClear());
+
+ // Note that it's possible for a prediction like (Final, []). This really means that
+ // the value is bottom and that any code that uses the value is unreachable. But
+ // we don't want to get pedantic about this as it would only increase the computational
+ // complexity of the code.
+ }
+
#ifndef NDEBUG
void dump(FILE* out)
{
