[webkit-changes] [268572] trunk

[sbarati]

Title: [268572] trunk

Revision

268572

Author

sbar...@apple.com

Date

2020-10-15 20:11:51 -0700 (Thu, 15 Oct 2020)

Log Message

Don't assign a bogus register to Load/ForwardVarargs in AvailabilityAnalysis before stack layout
https://bugs.webkit.org/show_bug.cgi?id=217789
<rdar://problem/69285703>

Reviewed by Keith Miller.

JSTests:

* stress/dont-assign-bogus-virtual-register-in-availability-analysis-before-stack-layout-runs.js: Added.
(bar):
(foo):

Source/_javascript_Core:

There is code inside AvailabilityAnalysis phase that was assuming the
Load/ForwardVarargs data was already stack allocated. However, this isn't
guaranteed to be the case. However, we were doing virtual register math on
invalid virtual registers, leading to wonky results. The fix here is to
model it like we do GetStack/PutStack, where we say, before we do stack
allocation, we just tell availability analysis the flush format, but not
where it's flushed.

This was causing validation errors when merging these invalid FlushedAts with
the FlushedAts from GetStack/PutStack.

* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):

Modified Paths

• trunk/JSTests/ChangeLog
• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGOSRAvailabilityAnalysisPhase.cpp

Added Paths

• trunk/JSTests/stress/dont-assign-bogus-virtual-register-in-availability-analysis-before-stack-layout-runs.js

Diff

Modified: trunk/JSTests/ChangeLog (268571 => 268572)

--- trunk/JSTests/ChangeLog	2020-10-16 01:51:40 UTC (rev 268571)
+++ trunk/JSTests/ChangeLog	2020-10-16 03:11:51 UTC (rev 268572)
@@ -1,3 +1,15 @@
+2020-10-15  Saam Barati  <sbar...@apple.com>
+
+        Don't assign a bogus register to Load/ForwardVarargs in AvailabilityAnalysis before stack layout
+        https://bugs.webkit.org/show_bug.cgi?id=217789
+        <rdar://problem/69285703>
+
+        Reviewed by Keith Miller.
+
+        * stress/dont-assign-bogus-virtual-register-in-availability-analysis-before-stack-layout-runs.js: Added.
+        (bar):
+        (foo):
+
 2020-10-15  Alexey Shvayka  <shvaikal...@gmail.com>
 
         REGRESSION (r268489): test/built-ins/Object/entries/order-after-define-property.js failing on test262 bots

Added: trunk/JSTests/stress/dont-assign-bogus-virtual-register-in-availability-analysis-before-stack-layout-runs.js (0 => 268572)

--- trunk/JSTests/stress/dont-assign-bogus-virtual-register-in-availability-analysis-before-stack-layout-runs.js	                        (rev 0)
+++ trunk/JSTests/stress/dont-assign-bogus-virtual-register-in-availability-analysis-before-stack-layout-runs.js	2020-10-16 03:11:51 UTC (rev 268572)
@@ -0,0 +1,13 @@
+function bar() {
+  for (let i=0; i<100; i++) {
+    arguments[1];
+  }
+}
+
+function foo() {
+  for (let i=0; i<100000; i++) {
+    bar(...'aa');
+  }
+}
+
+foo();

Modified: trunk/Source/_javascript_Core/ChangeLog (268571 => 268572)

--- trunk/Source/_javascript_Core/ChangeLog	2020-10-16 01:51:40 UTC (rev 268571)
+++ trunk/Source/_javascript_Core/ChangeLog	2020-10-16 03:11:51 UTC (rev 268572)
@@ -1,3 +1,25 @@
+2020-10-15  Saam Barati  <sbar...@apple.com>
+
+        Don't assign a bogus register to Load/ForwardVarargs in AvailabilityAnalysis before stack layout
+        https://bugs.webkit.org/show_bug.cgi?id=217789
+        <rdar://problem/69285703>
+
+        Reviewed by Keith Miller.
+
+        There is code inside AvailabilityAnalysis phase that was assuming the
+        Load/ForwardVarargs data was already stack allocated. However, this isn't
+        guaranteed to be the case. However, we were doing virtual register math on
+        invalid virtual registers, leading to wonky results. The fix here is to
+        model it like we do GetStack/PutStack, where we say, before we do stack
+        allocation, we just tell availability analysis the flush format, but not
+        where it's flushed.
+        
+        This was causing validation errors when merging these invalid FlushedAts with
+        the FlushedAts from GetStack/PutStack.
+
+        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
+        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
+
 2020-10-15  Alexey Shvayka  <shvaikal...@gmail.com>
 
         REGRESSION (r268489): test/built-ins/Object/entries/order-after-define-property.js failing on test262 bots

Modified: trunk/Source/_javascript_Core/dfg/DFGOSRAvailabilityAnalysisPhase.cpp (268571 => 268572)

--- trunk/Source/_javascript_Core/dfg/DFGOSRAvailabilityAnalysisPhase.cpp	2020-10-16 01:51:40 UTC (rev 268571)
+++ trunk/Source/_javascript_Core/dfg/DFGOSRAvailabilityAnalysisPhase.cpp	2020-10-16 03:11:51 UTC (rev 268572)
@@ -287,7 +287,7 @@
         m_availability.m_locals.operand(data->count) = Availability(FlushedAt(FlushedInt32, data->machineCount));
         for (unsigned i = data->limit; i--;) {
             m_availability.m_locals.operand(data->start + i) =
-                Availability(FlushedAt(FlushedJSValue, data->machineStart + i));
+                Availability(FlushedAt(FlushedJSValue, data->machineStart.isValid() ? (data->machineStart + i) : VirtualRegister()));
         }
         break;
     }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes