Title: [254996] trunk/Source/JavaScriptCore
- Revision: 254996
- Author: [email protected]
- Date: 2020-01-23 12:11:33 -0800 (Thu, 23 Jan 2020)
Log Message
OptimizeAssociativeExpressionTrees should reset value owners before running
https://bugs.webkit.org/show_bug.cgi?id=206670
<rdar://problem/58535628>
Reviewed by Robin Morisset.
We have a crash inside OptimizeAssociativeExpressionTrees and we don't know
how to reproduce it. Also, based on Mark's auditing of the crash site's
assembly, Mark thinks we're crashing on a "corrupt" basic block.
After I audited the code, I saw that we rely on value owners in this phase.
However, we don't actually reset them before running the phase. This patch
adds that as a speculative fix for the crash we're seeing.
* b3/B3OptimizeAssociativeExpressionTrees.cpp:
(JSC::B3::OptimizeAssociativeExpressionTrees::run):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (254995 => 254996)
--- trunk/Source/_javascript_Core/ChangeLog 2020-01-23 20:10:47 UTC (rev 254995)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-01-23 20:11:33 UTC (rev 254996)
@@ -1,3 +1,22 @@
+2020-01-23 Saam Barati <[email protected]>
+
+ OptimizeAssociativeExpressionTrees should reset value owners before running
+ https://bugs.webkit.org/show_bug.cgi?id=206670
+ <rdar://problem/58535628>
+
+ Reviewed by Robin Morisset.
+
+ We have a crash inside OptimizeAssociativeExpressionTrees and we don't know
+ how to reproduce it. Also, based on Mark's auditing of the crash site's
+ assembly, Mark thinks we're crashing on a "currupt" basic block.
+
+ After I audited the code, I saw that we rely on value owners in this phase.
+ However, we don't actually reset them before running the phase. This patch
+ adds that as a speculative fix for the crash we're seeing.
+
+ * b3/B3OptimizeAssociativeExpressionTrees.cpp:
+ (JSC::B3::OptimizeAssociativeExpressionTrees::run):
+
2020-01-23 Yusuke Suzuki <[email protected]>
Unreviewed, fix calculation of kindBits
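Review bot: The new ChangeLog entry describes a speculative fix for a crash with no known reproduction, but it does not say that no regression test accompanies the change or how the fix will be confirmed. Add a sentence stating that no test is included because the crash cannot be reproduced, and note in the bug what signal (for example, the crash no longer appearing in reports) will show whether stale value owners were the cause. The entry also spells "corrupt" as "currupt".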
Modified: trunk/Source/_javascript_Core/b3/B3OptimizeAssociativeExpressionTrees.cpp (254995 => 254996)
--- trunk/Source/_javascript_Core/b3/B3OptimizeAssociativeExpressionTrees.cpp 2020-01-23 20:10:47 UTC (rev 254995)
+++ trunk/Source/_javascript_Core/b3/B3OptimizeAssociativeExpressionTrees.cpp 2020-01-23 20:11:33 UTC (rev 254996)
@@ -249,6 +249,8 @@
// In the second one we optimize each such _expression_ tree in turn.
// We need the use counts to avoid duplicating code.
+ m_proc.resetValueOwners();
+
Vector<unsigned> useCounts(m_proc.values().size(), 0); // Mapping from Value::m_index to use counts.
HashSet<Value*> expressionTreeRoots;
HashSet<BasicBlock*> rootOwners;
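Review bot: The added `m_proc.resetValueOwners();` call sits between the comment "We need the use counts to avoid duplicating code." and the `useCounts` declaration that comment describes, and it has no comment of its own explaining why owners must be recomputed at this point. Place the call so the existing comment stays directly above `useCounts`, and give the call a one-line comment saying that this phase reads value owners (the `rootOwners` set below depends on them) and cannot assume an earlier phase left them up to date.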