Title: [236022] trunk
- Revision: 236022
- Author: [email protected]
- Date: 2018-09-14 16:47:55 -0700 (Fri, 14 Sep 2018)
Log Message
Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
https://bugs.webkit.org/show_bug.cgi?id=189628
<rdar://problem/39481690>
Reviewed by Mark Lam.
JSTests:
* stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
(foo):
Source/JavaScriptCore:
An Availability may point to a Node. And that Node may be removed from
the graph, e.g., it's freed and its memory is no longer owned by Graph.
This patch makes it so we no longer dump this metadata by default. If
this metadata is interesting to you, you'll need to go in and change
Graph::dump to dump the needed metadata.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
Diff
Modified: trunk/JSTests/ChangeLog (236021 => 236022)
--- trunk/JSTests/ChangeLog 2018-09-14 23:15:27 UTC (rev 236021)
+++ trunk/JSTests/ChangeLog 2018-09-14 23:47:55 UTC (rev 236022)
@@ -1,3 +1,14 @@
+2018-09-14 Saam barati <[email protected]>
+
+ Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
+ https://bugs.webkit.org/show_bug.cgi?id=189628
+ <rdar://problem/39481690>
+
+ Reviewed by Mark Lam.
+
+ * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
+ (foo):
+
2018-09-11 Mark Lam <[email protected]>
Test for array initialization in arrayProtoFuncSplice.
Added: trunk/JSTests/stress/verbose-failure-dont-graph-dump-availability-already-freed.js (0 => 236022)
--- trunk/JSTests/stress/verbose-failure-dont-graph-dump-availability-already-freed.js (rev 0)
+++ trunk/JSTests/stress/verbose-failure-dont-graph-dump-availability-already-freed.js 2018-09-14 23:47:55 UTC (rev 236022)
@@ -0,0 +1,9 @@
+//@ runDefault("--verboseValidationFailure=true")
+
+function foo() {
+ arguments.length;
+}
+let a = 0;
+for (var i = 0; i < 1000000; i++) {
+ a += foo();
+}
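Review bot: foo() has no return statement, so `a += foo()` turns `a` into NaN on the first iteration and nothing in the test checks a result. If the test passes simply by not crashing under `--verboseValidationFailure=true`, say so in a comment at the top, and note why `arguments.length` is the construct needed to reach the stale Availability. The accumulator `a` could then be dropped, or foo() could return the length so the loop computes something meaningful.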
Modified: trunk/Source/_javascript_Core/ChangeLog (236021 => 236022)
--- trunk/Source/_javascript_Core/ChangeLog 2018-09-14 23:15:27 UTC (rev 236021)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-09-14 23:47:55 UTC (rev 236022)
@@ -1,3 +1,20 @@
+2018-09-14 Saam barati <[email protected]>
+
+ Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
+ https://bugs.webkit.org/show_bug.cgi?id=189628
+ <rdar://problem/39481690>
+
+ Reviewed by Mark Lam.
+
+ An Availability may point to a Node. And that Node may be removed from
+ the graph, e.g, it's freed and its memory is no longer owned by Graph.
+ This patch makes it so we no longer dump this metadata by default. If
+ this metadata is interesting to you, you'll need to go in and change
+ Graph::dump to dump the needed metadata.
+
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+
2018-09-14 Mark Lam <[email protected]>
Refactor some ForInContext code for better encapsulation.
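Review bot: the entry states the symptom (an Availability pointing to a Node that has been freed) but not what removes the Node while the Availability still refers to it, nor why it is acceptable to leave the stale pointer in place as long as it is not printed. One sentence on each would tell a future reader whether flipping the dump back on is ever safe and whether other readers of the availability data need the same care.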
Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (236021 => 236022)
--- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2018-09-14 23:15:27 UTC (rev 236021)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2018-09-14 23:47:55 UTC (rev 236022)
@@ -60,6 +60,8 @@
namespace JSC { namespace DFG {
+static constexpr bool dumpOSRAvailabilityData = false;
+
// Creates an array of stringized names.
static const char* dfgOpNames[] = {
#define STRINGIZE_DFG_OP_ENUM(opcode, flags) #opcode ,
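Review bot: `dumpOSRAvailabilityData` is added without a comment, so nothing at the declaration warns that setting it to true can make Graph::dump read a Node that has already been freed. Please add a short comment above the constant stating that hazard and pointing at bug 189628, since the ChangeLog invites people to edit Graph::dump when they want this metadata.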
@@ -569,7 +571,8 @@
case SSA: {
RELEASE_ASSERT(block->ssa);
- out.print(" Availability: ", block->ssa->availabilityAtHead, "\n");
+ if (dumpOSRAvailabilityData)
+ out.print(" Availability: ", block->ssa->availabilityAtHead, "\n");
out.print(" Live: ", nodeListDump(block->ssa->liveAtHead), "\n");
out.print(" Values: ", nodeValuePairListDump(block->ssa->valuesAtHead, context), "\n");
break;
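Review bot: only the Availability print is gated here, while the next two lines still pass `block->ssa->liveAtHead` and `block->ssa->valuesAtHead` to nodeListDump and nodeValuePairListDump. Can you confirm those lists cannot hold a removed Node in the same way, or guard them too? Note also that the stale entry remains in `availabilityAtHead`; this change stops the dump from touching it but does not clear it.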
@@ -597,7 +600,8 @@
case SSA: {
RELEASE_ASSERT(block->ssa);
- out.print(" Availability: ", block->ssa->availabilityAtTail, "\n");
+ if (dumpOSRAvailabilityData)
+ out.print(" Availability: ", block->ssa->availabilityAtTail, "\n");
out.print(" Live: ", nodeListDump(block->ssa->liveAtTail), "\n");
out.print(" Values: ", nodeValuePairListDump(block->ssa->valuesAtTail, context), "\n");
break;