Modified: releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog (205622 => 205623)
--- releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog 2016-09-08 11:13:57 UTC (rev 205622)
+++ releases/WebKitGTK/webkit-2.14/JSTests/ChangeLog 2016-09-08 11:15:32 UTC (rev 205623)
@@ -1,3 +1,25 @@
+2016-09-01 Filip Pizlo <[email protected]>
+
+ ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
+ https://bugs.webkit.org/show_bug.cgi?id=161492
+
+ Reviewed by Mark Lam.
+
+ This bug affected function->activation references but not object->object field references,
+ because object->object field references are !neededForMaterialization(). So, the object
+ test always passed but the activation/function test used to always fail. It passes now.
+
+ * stress/materialize-activation-referenced-from-phantom-function.js: Added.
+ (bar):
+ (inc):
+ (dec):
+ (foo):
+ (test):
+ * stress/materialize-object-referenced-from-phantom-object.js: Added.
+ (bar):
+ (foo):
+ (test):
+
2016-08-31 Yusuke Suzuki <[email protected]>
stress/random-53bit.js.ftl-no-cjit-no-inline-validate sometimes fails
Added: releases/WebKitGTK/webkit-2.14/JSTests/stress/materialize-activation-referenced-from-phantom-function.js (0 => 205623)
--- releases/WebKitGTK/webkit-2.14/JSTests/stress/materialize-activation-referenced-from-phantom-function.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/stress/materialize-activation-referenced-from-phantom-function.js 2016-09-08 11:15:32 UTC (rev 205623)
@@ -0,0 +1,42 @@
+function bar()
+{
+}
+
+noInline(bar);
+
+function foo(p, x)
+{
+ var value = 1;
+ function inc()
+ {
+ return value + 1;
+ }
+ function dec()
+ {
+ return value - 1;
+ }
+
+ if (!p)
+ return 0;
+
+ bar(inc);
+
+ x += 2000000000;
+
+ value = 42;
+ return dec();
+}
+
+noInline(foo);
+
+function test(x)
+{
+ var result = foo(true, x);
+ if (result != 42 - 1)
+ throw "Error: bad result: " + result;
+}
+
+for (var i = 0; i < 100000; ++i)
+ test(0);
+
+test(2000000000);
Added: releases/WebKitGTK/webkit-2.14/JSTests/stress/materialize-object-referenced-from-phantom-object.js (0 => 205623)
--- releases/WebKitGTK/webkit-2.14/JSTests/stress/materialize-object-referenced-from-phantom-object.js (rev 0)
+++ releases/WebKitGTK/webkit-2.14/JSTests/stress/materialize-object-referenced-from-phantom-object.js 2016-09-08 11:15:32 UTC (rev 205623)
@@ -0,0 +1,37 @@
+function bar()
+{
+}
+
+noInline(bar);
+
+function foo(p, x)
+{
+ var a = {f: 1};
+ var b = {f: a};
+ var c = {f: a};
+
+ if (!p)
+ return 0;
+
+ bar(b);
+
+ x += 2000000000;
+
+ c.f.f = 42;
+ return b.f.f;
+}
+
+noInline(foo);
+
+function test(x)
+{
+ var result = foo(true, x);
+ if (result != 42)
+ throw "Error: bad result: " + result;
+}
+
+for (var i = 0; i < 100000; ++i)
+ test(0);
+
+test(2000000000);
+
Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog (205622 => 205623)
--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog 2016-09-08 11:13:57 UTC (rev 205622)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/ChangeLog 2016-09-08 11:15:32 UTC (rev 205623)
@@ -1,3 +1,25 @@
+2016-09-01 Filip Pizlo <[email protected]>
+
+ ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
+ https://bugs.webkit.org/show_bug.cgi?id=161492
+
+ Reviewed by Mark Lam.
+
+ If you materialize a sunken object that is referenced from another sunken object, then you
+ have to emit a PutHint to tell OSR that the latter object now refers to a materialized
+ object rather than to the old sunken one.
+
+ The ObjectAllocationSinkingPhase totally knows how to do this, but for some reason it only
+ did it when the PromotedLocationDescriptor for the field used for referring to the other
+ object is !neededForMaterialization(), i.e. it's a NamedPropertyPLoc or a ClosureVarPLoc.
+ I can sort of imagine why we thought that would be right - neededForMaterialization() means
+ it's a special meta-data field initialized on construction. But just because it's immutable
+ and special doesn't mean that materialization can't change its physical representation.
+ Removing the requirement that it's !neededForMaterialization() fixes the test and doesn't
+ regress anything.
+
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+
2016-09-01 Saam Barati <[email protected]>
JITMathIC was misusing maxJumpReplacementSize
Modified: releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp (205622 => 205623)
--- releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp 2016-09-08 11:13:57 UTC (rev 205622)
+++ releases/WebKitGTK/webkit-2.14/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp 2016-09-08 11:15:32 UTC (rev 205623)
@@ -1242,7 +1242,7 @@
for (const auto& field : entry.value.fields()) {
ASSERT(m_sinkCandidates.contains(entry.key) || !escapees.contains(field.value));
- if (escapees.contains(field.value) && !field.key.neededForMaterialization())
+ if (escapees.contains(field.value))
hints.append(PromotedHeapLocation(entry.key, field.key));
}
}
@@ -1692,6 +1692,8 @@
m_localMapping.set(location, m_bottom);
if (m_sinkCandidates.contains(node)) {
+ if (verbose)
+ dataLog("For sink candidate ", node, " found location ", location, "\n");
m_insertionSet.insert(
nodeIndex + 1,
location.createHint(
@@ -1758,6 +1760,8 @@
doLower = true;
+ if (verbose)
+ dataLog("Creating hint with value ", nodeValue, " before ", node, "\n");
m_insertionSet.insert(
nodeIndex + 1,
location.createHint(
@@ -1893,6 +1897,13 @@
void insertOSRHintsForUpdate(unsigned nodeIndex, NodeOrigin origin, bool& canExit, AvailabilityMap& availability, Node* escapee, Node* materialization)
{
+ if (verbose) {
+ dataLog("Inserting OSR hints at ", origin, ":\n");
+ dataLog(" Escapee: ", escapee, "\n");
+ dataLog(" Materialization: ", materialization, "\n");
+ dataLog(" Availability: ", availability, "\n");
+ }
+
// We need to follow() the value in the heap.
// Consider the following graph:
//
