[v8-dev] [turbofan] Ignore dead cached nodes in the JSGraph. (issue 1101273002 by bmeurer@chromium.org)

[reply]

Reviewers: jarin,

Description:
[turbofan] Ignore dead cached nodes in the JSGraph.
BUG=chromium:480807
LOG=n
R=ja...@chromium.org

Please review this at https://codereview.chromium.org/1101273002/

Base URL: https://chromium.googlesource.com/v8/v8.git@master

Affected files (+33, -7 lines):
  M src/compiler/js-graph.cc
  A test/mjsunit/regress/regress-crbug-480807.js


Index: src/compiler/js-graph.cc
diff --git a/src/compiler/js-graph.cc b/src/compiler/js-graph.cc
index  
8171f1b9a808a6fe72d9997c556db411ce78b8ed..9363268513a034d0304870243ee8b942afb3a004  
100644
--- a/src/compiler/js-graph.cc
+++ b/src/compiler/js-graph.cc
@@ -184,15 +184,17 @@ Node* JSGraph::ExternalConstant(ExternalReference  
reference) {


 Node* JSGraph::EmptyFrameState() {
-  if (cached_nodes_[kEmptyFrameState] == nullptr) {
-    Node* values = graph()->NewNode(common()->StateValues(0));
-    Node* state_node = graph()->NewNode(
+  Node* empty_frame_state = cached_nodes_[kEmptyFrameState];
+  if (!empty_frame_state || empty_frame_state->IsDead()) {
+    Node* state_values = graph()->NewNode(common()->StateValues(0));
+    empty_frame_state = graph()->NewNode(
         common()->FrameState(JS_FRAME, BailoutId::None(),
                              OutputFrameStateCombine::Ignore()),
-        values, values, values, NoContextConstant(), UndefinedConstant());
-    cached_nodes_[kEmptyFrameState] = state_node;
+        state_values, state_values, state_values, NoContextConstant(),
+        UndefinedConstant());
+    cached_nodes_[kEmptyFrameState] = empty_frame_state;
   }
-  return cached_nodes_[kEmptyFrameState];
+  return empty_frame_state;
 }


@@ -204,7 +206,9 @@ Node* JSGraph::DeadControl() {
 void JSGraph::GetCachedNodes(NodeVector* nodes) {
   cache_.GetCachedNodes(nodes);
   for (size_t i = 0; i < arraysize(cached_nodes_); i++) {
-    if (cached_nodes_[i]) nodes->push_back(cached_nodes_[i]);
+    if (Node* node = cached_nodes_[i]) {
+      if (!node->IsDead()) nodes->push_back(node);
+    }
   }
 }

Index: test/mjsunit/regress/regress-crbug-480807.js
diff --git a/test/mjsunit/regress/regress-crbug-480807.js  
b/test/mjsunit/regress/regress-crbug-480807.js
new file mode 100644
index  
0000000000000000000000000000000000000000..c273f20a78bfeb4c7b48cdb2b5fb12fc9d78b5e7
--- /dev/null
+++ b/test/mjsunit/regress/regress-crbug-480807.js
@@ -0,0 +1,22 @@
+// Copyright 2015 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Flags: --allow-natives-syntax --use-osr --turbo-osr --noalways-opt
+
+function foo() {
+  var c = 0;
+  for (var e = 0; e < 1; ++e) {
+    for (var a = 1; a > 0; a--) {
+      c += 1;
+    }
+    for (var b = 1; b > 0; b--) {
+      %OptimizeOsr();
+    }
+  }
+  return c;
+}
+try {
+  foo();
+} catch (e) {
+}


--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
--- 
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.