Title: [236194] releases/WebKitGTK/webkit-2.22
Revision: 236194
Author: [email protected]
Date: 2018-09-19 06:19:54 -0700 (Wed, 19 Sep 2018)

Log Message

Merge r236022 - Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
https://bugs.webkit.org/show_bug.cgi?id=189628
<rdar://problem/39481690>

Reviewed by Mark Lam.

JSTests:

* stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
(foo):

Source/JavaScriptCore:

An Availability may point to a Node. And that Node may be removed from
the graph, e.g., it's freed and its memory is no longer owned by Graph.
This patch makes it so we no longer dump this metadata by default. If
this metadata is interesting to you, you'll need to go in and change
Graph::dump to dump the needed metadata.

* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):

Diff

Modified: releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog (236193 => 236194)


--- releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-09-19 13:19:49 UTC (rev 236193)
+++ releases/WebKitGTK/webkit-2.22/JSTests/ChangeLog	2018-09-19 13:19:54 UTC (rev 236194)
@@ -1,3 +1,14 @@
+2018-09-14  Saam barati  <[email protected]>
+
+        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
+        https://bugs.webkit.org/show_bug.cgi?id=189628
+        <rdar://problem/39481690>
+
+        Reviewed by Mark Lam.
+
+        * stress/verbose-failure-dont-graph-dump-availability-already-freed.js: Added.
+        (foo):
+
 2018-09-07  Mark Lam  <[email protected]>
 
         Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.

Added: releases/WebKitGTK/webkit-2.22/JSTests/stress/verbose-failure-dont-graph-dump-availability-already-freed.js (0 => 236194)


--- releases/WebKitGTK/webkit-2.22/JSTests/stress/verbose-failure-dont-graph-dump-availability-already-freed.js	                        (rev 0)
+++ releases/WebKitGTK/webkit-2.22/JSTests/stress/verbose-failure-dont-graph-dump-availability-already-freed.js	2018-09-19 13:19:54 UTC (rev 236194)
@@ -0,0 +1,9 @@
+//@ runDefault("--verboseValidationFailure=true")
+
+function foo() {
+    arguments.length;
+}
+let a = 0;
+for (var i = 0; i < 1000000; i++) {
+    a += foo();
+}
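
Review bot: foo() has no return statement, so `a += foo()` turns `a` into NaN after the first iteration and nothing ever checks it; as written the test can only fail by crashing. If surviving the run under --verboseValidationFailure=true is the whole check, a one-line comment above foo() saying so, and saying that the failure dump used to print a freed Node through the Availability data, would make the intent clear to whoever touches this file next.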

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog (236193 => 236194)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-09-19 13:19:49 UTC (rev 236193)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/ChangeLog	2018-09-19 13:19:54 UTC (rev 236194)
@@ -1,3 +1,20 @@
+2018-09-14  Saam barati  <[email protected]>
+
+        Don't dump OSRAvailabilityData in Graph::dump because a stale Availability may point to a Node that is already freed
+        https://bugs.webkit.org/show_bug.cgi?id=189628
+        <rdar://problem/39481690>
+
+        Reviewed by Mark Lam.
+
+        An Availability may point to a Node. And that Node may be removed from
+        the graph, e.g, it's freed and its memory is no longer owned by Graph.
+        This patch makes it so we no longer dump this metadata by default. If
+        this metadata is interesting to you, you'll need to go in and change
+        Graph::dump to dump the needed metadata.
+
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump):
+
 2018-09-07  Mark Lam  <[email protected]>
 
         Ensure that handleIntrinsicCall() is only applied on op_call shaped instructions.
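
Review bot: the last sentence of the new entry tells the reader to "go in and change Graph::dump" but does not name what to change. The switch this patch adds in dfg/DFGGraph.cpp is the file-scope constant dumpOSRAvailabilityData; naming it here, together with the caveat that turning it on can print an Availability whose Node is already freed, would save the next person a search.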

Modified: releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGGraph.cpp (236193 => 236194)


--- releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGGraph.cpp	2018-09-19 13:19:49 UTC (rev 236193)
+++ releases/WebKitGTK/webkit-2.22/Source/_javascript_Core/dfg/DFGGraph.cpp	2018-09-19 13:19:54 UTC (rev 236194)
@@ -60,6 +60,8 @@
 
 namespace JSC { namespace DFG {
 
+static constexpr bool dumpOSRAvailabilityData = false;
+
 // Creates an array of stringized names.
 static const char* dfgOpNames[] = {
 #define STRINGIZE_DFG_OP_ENUM(opcode, flags) #opcode ,
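
Review bot: dumpOSRAvailabilityData is defined with no comment, so the reason it is false lives only in the ChangeLog. A short comment on the line above it, stating that an Availability may point to a Node already removed from the graph and freed and that enabling the flag makes Graph::dump read it, would keep someone from flipping it while debugging and walking straight into the stale pointer.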
@@ -569,7 +571,8 @@
             
         case SSA: {
             RELEASE_ASSERT(block->ssa);
-            out.print("  Availability: ", block->ssa->availabilityAtHead, "\n");
+            if (dumpOSRAvailabilityData)
+                out.print("  Availability: ", block->ssa->availabilityAtHead, "\n");
             out.print("  Live: ", nodeListDump(block->ssa->liveAtHead), "\n");
             out.print("  Values: ", nodeValuePairListDump(block->ssa->valuesAtHead, context), "\n");
             break;
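
Review bot: in the SSA head case only the Availability line is guarded; the two lines after it still dump block->ssa->liveAtHead and block->ssa->valuesAtHead through nodeListDump and nodeValuePairListDump. It is worth stating in the description why those lists cannot hold a Node that has been removed from the graph, since the same dump walks them.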
@@ -597,7 +600,8 @@
             
         case SSA: {
             RELEASE_ASSERT(block->ssa);
-            out.print("  Availability: ", block->ssa->availabilityAtTail, "\n");
+            if (dumpOSRAvailabilityData)
+                out.print("  Availability: ", block->ssa->availabilityAtTail, "\n");
             out.print("  Live: ", nodeListDump(block->ssa->liveAtTail), "\n");
             out.print("  Values: ", nodeValuePairListDump(block->ssa->valuesAtTail, context), "\n");
             break;
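
Review bot: the tail case repeats the head case's guard verbatim, with availabilityAtTail in place of availabilityAtHead. A small local helper that takes the availability data and does the `if (dumpOSRAvailabilityData)` check in one place would keep the two sites from drifting apart if the guard is ever changed.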