Title: [240959] trunk
- Revision
- 240959
- Author
- [email protected]
- Date
- 2019-02-04 17:36:28 -0800 (Mon, 04 Feb 2019)
Log Message
when lowering AssertNotEmpty, create the value before creating the patchpoint
https://bugs.webkit.org/show_bug.cgi?id=194231
Reviewed by Saam Barati.
JSTests:
This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
So even tiny changes to this test can change the path code taken.
* stress/assert-not-empty.js: Added.
(foo):
Source/_javascript_Core:
This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
AssertNotEmpty was generating some such IR, it probably slipped through until now because it is a rather rare and tricky instruction to generate.
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (240958 => 240959)
--- trunk/JSTests/ChangeLog 2019-02-05 01:34:39 UTC (rev 240958)
+++ trunk/JSTests/ChangeLog 2019-02-05 01:36:28 UTC (rev 240959)
@@ -1,3 +1,17 @@
+2019-02-04 Robin Morisset <[email protected]>
+
+ when lowering AssertNotEmpty, create the value before creating the patchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=194231
+
+ Reviewed by Saam Barati.
+
+ This test is painfully fragile: it tries to test that AssertNotEmpty on a constant produces valid B3 IR.
+ The problem is that AssertNotEmpty is only created by DFGConstantFolding when it can simplify a CheckStructure, and constant folding is a bit capricious (https://bugs.webkit.org/show_bug.cgi?id=133947)
+ So even tiny changes to this test can change the path code taken.
+
+ * stress/assert-not-empty.js: Added.
+ (foo):
+
2019-02-01 Mark Lam <[email protected]>
Remove invalid assertion in DFG's compileDoubleRep().
Added: trunk/JSTests/stress/assert-not-empty.js (0 => 240959)
--- trunk/JSTests/stress/assert-not-empty.js (rev 0)
+++ trunk/JSTests/stress/assert-not-empty.js 2019-02-05 01:36:28 UTC (rev 240959)
@@ -0,0 +1,12 @@
+//@ runDefault("--useObjectAllocationSinking=0")
+
+function foo(o) {
+ if (!o) {
+ +eval;
+ }
+ o.x;
+};
+let i=0;
+for (;i<100000;++i) {
+ foo(Object);
+}
Modified: trunk/Source/_javascript_Core/ChangeLog (240958 => 240959)
--- trunk/Source/_javascript_Core/ChangeLog 2019-02-05 01:34:39 UTC (rev 240958)
+++ trunk/Source/_javascript_Core/ChangeLog 2019-02-05 01:36:28 UTC (rev 240959)
@@ -1,3 +1,16 @@
+2019-02-04 Robin Morisset <[email protected]>
+
+ when lowering AssertNotEmpty, create the value before creating the patchpoint
+ https://bugs.webkit.org/show_bug.cgi?id=194231
+
+ Reviewed by Saam Barati.
+
+ This is a very simple change: we should never generate B3 IR where an instruction depends on a value that comes later in the instruction stream.
+ AssertNotEmpty was generating some such IR, it probably slipped through until now because it is a rather rare and tricky instruction to generate.
+
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileAssertNotEmpty):
+
2019-02-04 Yusuke Suzuki <[email protected]>
[JSC] ExecutableToCodeBlockEdge should be smaller
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (240958 => 240959)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-02-05 01:34:39 UTC (rev 240958)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-02-05 01:36:28 UTC (rev 240959)
@@ -3111,8 +3111,9 @@
if (!validationEnabled())
return;
+ LValue val = lowJSValue(m_node->child1());
PatchpointValue* patchpoint = m_out.patchpoint(Void);
- patchpoint->appendSomeRegister(lowJSValue(m_node->child1()));
+ patchpoint->appendSomeRegister(val);
patchpoint->setGenerator(
[=] (CCallHelpers& jit, const StackmapGenerationParams& params) {
AllowMacroScratchRegisterUsage allowScratch(jit);
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
