Skip to site navigation (Press enter)

[webkit-changes] [232294] trunk/Source/JavaScriptCore

sbarati Wed, 30 May 2018 09:21:06 -0700

Title: [232294] trunk/Source/_javascript_Core

Revision: 232294
Author: [email protected]
Date: 2018-05-30 09:20:58 -0700 (Wed, 30 May 2018)

Log Message

AI for Atomics.load() is too conservative in always clobbering world
https://bugs.webkit.org/show_bug.cgi?id=185738
<rdar://problem/40342214>


Reviewed by Yusuke Suzuki.

It fails the assertion that Fil added for catching disagreements between
AI and clobberize. This patch fixes that. You'd run into this if you
manually enabled SAB in a build and ran any SAB tests.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

Modified Paths

trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (232293 => 232294)


--- trunk/Source/_javascript_Core/ChangeLog	2018-05-30 16:09:01 UTC (rev 232293)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-05-30 16:20:58 UTC (rev 232294)
@@ -1,3 +1,18 @@
+2018-05-30  Saam Barati  <[email protected]>
+
+        AI for Atomics.load() is too conservative in always clobbering world
+        https://bugs.webkit.org/show_bug.cgi?id=185738
+        <rdar://problem/40342214>
+
+        Reviewed by Yusuke Suzuki.
+
+        It fails the assertion that Fil added for catching disagreements between
+        AI and clobberize. This patch fixes that. You'd run into this if you
+        manually enabled SAB in a build and ran any SAB tests.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
 2018-05-30  Michael Saboff  <[email protected]>
 
         REGRESSION(r232212): Broke Win32 Builds

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (232293 => 232294)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2018-05-30 16:09:01 UTC (rev 232293)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2018-05-30 16:20:58 UTC (rev 232294)
@@ -1815,8 +1815,12 @@
     case AtomicsStore:
     case AtomicsSub:
     case AtomicsXor: {
-        if (node->op() != GetByVal)
-            clobberWorld();
+        if (node->op() != GetByVal) {
+            unsigned numExtraArgs = numExtraAtomicsArgs(node->op());
+            Edge storageEdge = m_graph.child(node, 2 + numExtraArgs);
+            if (!storageEdge)
+                clobberWorld();
+        }
         switch (node->arrayMode().type()) {
         case Array::SelectUsingPredictions:
         case Array::Unprofiled:

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes