Skip to site navigation (Press enter)

[webkit-changes] [205232] branches/safari-602-branch

bshafiei Wed, 31 Aug 2016 00:20:07 -0700

Title: [205232] branches/safari-602-branch

Revision: 205232
Author: [email protected]
Date: 2016-08-31 00:20:16 -0700 (Wed, 31 Aug 2016)

Log Message

Merge r204360. rdar://problem/27991577


Modified Paths

branches/safari-602-branch/JSTests/ChangeLog
branches/safari-602-branch/Source/_javascript_Core/ChangeLog
branches/safari-602-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp


Added Paths

branches/safari-602-branch/JSTests/stress/need-bytecode-liveness-for-unreachable-blocks-at-dfg-time.js

Diff

Modified: branches/safari-602-branch/JSTests/ChangeLog (205231 => 205232)


--- branches/safari-602-branch/JSTests/ChangeLog	2016-08-31 07:20:12 UTC (rev 205231)
+++ branches/safari-602-branch/JSTests/ChangeLog	2016-08-31 07:20:16 UTC (rev 205232)
@@ -1,3 +1,17 @@
+2016-08-30  Babak Shafiei  <[email protected]>
+
+        Merge r204360. rdar://problem/27991577
+
+    2016-08-10  Mark Lam  <[email protected]>
+
+            DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals.
+            https://bugs.webkit.org/show_bug.cgi?id=160755
+            <rdar://problem/27488507>
+
+            Reviewed by Filip Pizlo.
+
+            * stress/need-bytecode-liveness-for-unreachable-blocks-at-dfg-time.js: Added.
+
 2016-08-02  Saam Barati  <[email protected]>
 
         Rename Changelog to ChangeLog

Added: branches/safari-602-branch/JSTests/stress/need-bytecode-liveness-for-unreachable-blocks-at-dfg-time.js (0 => 205232)


--- branches/safari-602-branch/JSTests/stress/need-bytecode-liveness-for-unreachable-blocks-at-dfg-time.js	                        (rev 0)
+++ branches/safari-602-branch/JSTests/stress/need-bytecode-liveness-for-unreachable-blocks-at-dfg-time.js	2016-08-31 07:20:16 UTC (rev 205232)
@@ -0,0 +1,31 @@
+//@ run("--useConcurrentJIT=false")
+
+// This test is set up delicately to:
+// 1. cause the test() function to DFG compile with just the right amount of profiling
+//    so that ...
+// 2. the DFG identifies the "return Function()" path as dead, and ...
+// 3. the DFG compiled function doesn't OSR exit too many times before ...
+// 4. we change the implementation of the inlined foo() and execute test() again.
+// 
+// This test should not crash.
+
+eval("\"use strict\"; var w;");
+foo = function() { throw 0; }
+var x;
+
+(function() {
+    eval("test = function() { ~foo(~(0 ? ~x : x) ? 0 : 0); return Function(); }");
+})();
+
+// This loop count of 2000 was empirically determined to be the right amount to get this
+// this issue to manifest.  Dropping or raising it may mask the issue and prevent it from
+// manifesting.
+for (var i = 0; i < 2000; ++i) {
+    try {
+        test();
+    } catch(e) {
+    }
+}
+
+foo = function() { };
+test();

Modified: branches/safari-602-branch/Source/_javascript_Core/ChangeLog (205231 => 205232)


--- branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-08-31 07:20:12 UTC (rev 205231)
+++ branches/safari-602-branch/Source/_javascript_Core/ChangeLog	2016-08-31 07:20:16 UTC (rev 205232)
@@ -1,5 +1,30 @@
 2016-08-30  Babak Shafiei  <[email protected]>
 
+        Merge r204360. rdar://problem/27991577
+
+    2016-08-10  Mark Lam  <[email protected]>
+
+            DFG's flushForTerminal() needs to add PhantomLocals for bytecode live locals.
+            https://bugs.webkit.org/show_bug.cgi?id=160755
+            <rdar://problem/27488507>
+
+            Reviewed by Filip Pizlo.
+
+            If the DFG sees that an inlined function will result in an OSR exit every time,
+            it will treat all downstream blocks as dead.  However, it still needs to keep
+            locals that are alive in the bytecode alive for the compiled function so that
+            those locals are properly written to the stack by the OSR exit ramp.
+
+            The existing code neglected to do this.  This patch remedies this issue.
+
+            * dfg/DFGByteCodeParser.cpp:
+            (JSC::DFG::ByteCodeParser::flushDirect):
+            (JSC::DFG::ByteCodeParser::addFlushOrPhantomLocal):
+            (JSC::DFG::ByteCodeParser::phantomLocalDirect):
+            (JSC::DFG::ByteCodeParser::flushForTerminal):
+
+2016-08-30  Babak Shafiei  <[email protected]>
+
         Merge r203952. rdar://problem/27991571
 
     2016-07-30  Mark Lam  <[email protected]>

Modified: branches/safari-602-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (205231 => 205232)


--- branches/safari-602-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2016-08-31 07:20:12 UTC (rev 205231)
+++ branches/safari-602-branch/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp	2016-08-31 07:20:16 UTC (rev 205232)
@@ -570,9 +570,15 @@
     {
         flushDirect(operand, findArgumentPosition(operand));
     }
-    
+
     void flushDirect(VirtualRegister operand, ArgumentPosition* argumentPosition)
     {
+        addFlushOrPhantomLocal<Flush>(operand, argumentPosition);
+    }
+
+    template<NodeType nodeType>
+    void addFlushOrPhantomLocal(VirtualRegister operand, ArgumentPosition* argumentPosition)
+    {
         ASSERT(!operand.isConstant());
         
         Node* node = m_currentBlock->variablesAtTail.operand(operand);
@@ -584,12 +590,17 @@
         else
             variable = newVariableAccessData(operand);
         
-        node = addToGraph(Flush, OpInfo(variable));
+        node = addToGraph(nodeType, OpInfo(variable));
         m_currentBlock->variablesAtTail.operand(operand) = node;
         if (argumentPosition)
             argumentPosition->addVariable(variable);
     }
-    
+
+    void phantomLocalDirect(VirtualRegister operand)
+    {
+        addFlushOrPhantomLocal<PhantomLocal>(operand, findArgumentPosition(operand));
+    }
+
     void flush(InlineStackEntry* inlineStackEntry)
     {
         int numArguments;
@@ -610,8 +621,32 @@
 
     void flushForTerminal()
     {
-        for (InlineStackEntry* inlineStackEntry = m_inlineStackTop; inlineStackEntry; inlineStackEntry = inlineStackEntry->m_caller)
+        CodeOrigin origin = currentCodeOrigin();
+        unsigned bytecodeIndex = origin.bytecodeIndex;
+
+        for (InlineStackEntry* inlineStackEntry = m_inlineStackTop; inlineStackEntry; inlineStackEntry = inlineStackEntry->m_caller) {
             flush(inlineStackEntry);
+
+            ASSERT(origin.inlineCallFrame == inlineStackEntry->m_inlineCallFrame);
+            InlineCallFrame* inlineCallFrame = inlineStackEntry->m_inlineCallFrame;
+            CodeBlock* codeBlock = m_graph.baselineCodeBlockFor(inlineCallFrame);
+            FullBytecodeLiveness& fullLiveness = m_graph.livenessFor(codeBlock);
+            const FastBitVector& livenessAtBytecode = fullLiveness.getLiveness(bytecodeIndex);
+
+            for (unsigned local = codeBlock->m_numCalleeLocals; local--;) {
+                if (livenessAtBytecode.get(local)) {
+                    VirtualRegister reg = virtualRegisterForLocal(local);
+                    if (inlineCallFrame)
+                        reg = inlineStackEntry->remapOperand(reg);
+                    phantomLocalDirect(reg);
+                }
+            }
+
+            if (inlineCallFrame) {
+                bytecodeIndex = inlineCallFrame->directCaller.bytecodeIndex;
+                origin = inlineCallFrame->directCaller;
+            }
+        }
     }
 
     void flushForReturn()

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes