Title: [232334] trunk
Revision: 232334
Author: [email protected]
Date: 2018-05-30 20:57:59 -0700 (Wed, 30 May 2018)

Log Message

DFG combined liveness needs to say that the machine CodeBlock's arguments are live
https://bugs.webkit.org/show_bug.cgi?id=186121
<rdar://problem/39377796>

Reviewed by Keith Miller.

JSTests:

* stress/combined-liveness-needs-to-say-arguments-are-live.js: Added.
(baz):
(foo):

Source/JavaScriptCore:

DFG's combined liveness was reporting that the machine CodeBlock's |this|
argument was dead at certain points in the program. However, a CodeBlock's
arguments are considered live for the entire function. This fixes a bug
where object allocation sinking phase skipped materializing an allocation
because it thought that the argument it was associated with, |this|, was dead.

* dfg/DFGCombinedLiveness.cpp:
(JSC::DFG::liveNodesAtHead):

Diff

Modified: trunk/JSTests/ChangeLog (232333 => 232334)


--- trunk/JSTests/ChangeLog	2018-05-31 03:31:15 UTC (rev 232333)
+++ trunk/JSTests/ChangeLog	2018-05-31 03:57:59 UTC (rev 232334)
@@ -1,3 +1,15 @@
+2018-05-30  Saam Barati  <[email protected]>
+
+        DFG combined liveness needs to say that the machine CodeBlock's arguments are live
+        https://bugs.webkit.org/show_bug.cgi?id=186121
+        <rdar://problem/39377796>
+
+        Reviewed by Keith Miller.
+
+        * stress/combined-liveness-needs-to-say-arguments-are-live.js: Added.
+        (baz):
+        (foo):
+
 2018-05-30  Keith Miller  <[email protected]>
 
         Unreviewed, uncomment erroneously commented test code.

Added: trunk/JSTests/stress/combined-liveness-needs-to-say-arguments-are-live.js (0 => 232334)


--- trunk/JSTests/stress/combined-liveness-needs-to-say-arguments-are-live.js	                        (rev 0)
+++ trunk/JSTests/stress/combined-liveness-needs-to-say-arguments-are-live.js	2018-05-31 03:57:59 UTC (rev 232334)
@@ -0,0 +1,24 @@
+//@ runDefault("--jitPolicyScale=0", "--validateFTLOSRExitLiveness=1", "--useConcurrentJIT=0")
+
+// This should not crash in liveness validation.
+
+function baz() { }
+noInline(baz);
+
+function foo() {
+    let i, j;
+    let a0 = [0, 1];
+    let a1 = [];
+    for (i = 0; i < a0.length; i++) {
+        a1.push();
+        for (j = 0; j < 6; j++) {
+        }
+        for (j = 0; j < 4; j++) {
+            baz();
+        }
+    }
+    throw new Error();
+}
+try {
+    new foo();
+} catch { }
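Review bot: the trailing `catch { }` in the added test discards whatever `new foo()` throws, so the test passes on any exception and not only on the `new Error()` thrown at the end of `foo`. Binding the exception and checking that it is the expected `Error` would keep an unrelated failure from being hidden. The single comment, `// This should not crash in liveness validation.`, also does not say how `new foo()` relates to the |this| argument named in the ChangeLog, or whether the argument-less `a1.push()` and the empty `j < 6` loop are needed to reproduce the problem; a sentence or two on that would help the next reader.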

Modified: trunk/Source/JavaScriptCore/ChangeLog (232333 => 232334)


--- trunk/Source/_javascript_Core/ChangeLog	2018-05-31 03:31:15 UTC (rev 232333)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-05-31 03:57:59 UTC (rev 232334)
@@ -1,3 +1,20 @@
+2018-05-30  Saam Barati  <[email protected]>
+
+        DFG combined liveness needs to say that the machine CodeBlock's arguments are live
+        https://bugs.webkit.org/show_bug.cgi?id=186121
+        <rdar://problem/39377796>
+
+        Reviewed by Keith Miller.
+
+        DFG's combined liveness was reporting that the machine CodeBlock's |this|
+        argument was dead at certain points in the program. However, a CodeBlock's
+        arguments are considered live for the entire function. This fixes a bug
+        where object allocation sinking phase skipped materializing an allocation
+        because it thought that the argument it was associated with, |this|, was dead.
+
+        * dfg/DFGCombinedLiveness.cpp:
+        (JSC::DFG::liveNodesAtHead):
+
 2018-05-30  Daniel Bates  <[email protected]>
 
         Web Inspector: Annotate Same-Site cookies

Modified: trunk/Source/JavaScriptCore/dfg/DFGCombinedLiveness.cpp (232333 => 232334)


--- trunk/Source/_javascript_Core/dfg/DFGCombinedLiveness.cpp	2018-05-31 03:31:15 UTC (rev 232333)
+++ trunk/Source/_javascript_Core/dfg/DFGCombinedLiveness.cpp	2018-05-31 03:57:59 UTC (rev 232334)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2015-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -44,7 +44,7 @@
     }
     
     AvailabilityMap& availabilityMap = block->ssa->availabilityAtHead;
-    graph.forAllLocalsLiveInBytecode(
+    graph.forAllLiveInBytecode(
         block->at(0)->origin.forExit,
         [&] (VirtualRegister reg) {
             availabilityMap.closeStartingWithLocal(
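Review bot: at the `graph.forAllLiveInBytecode(` call, the callback still hands each register to `availabilityMap.closeStartingWithLocal(`, whose name suggests it expects locals; please confirm it behaves correctly now that argument registers can reach it. A short comment at the call site stating that the machine CodeBlock's arguments are live for the whole function would also guard against someone switching back to `forAllLocalsLiveInBytecode` later.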