Title: [117661] trunk/Source/_javascript_Core
- Revision: 117661
- Author: [email protected]
- Date: 2012-05-18 17:54:57 -0700 (Fri, 18 May 2012)
Log Message
REGRESSION(117646): fast/canvas/webgl/glsl-conformance.html is crashing in the DFG
https://bugs.webkit.org/show_bug.cgi?id=86929
Reviewed by Oliver Hunt.
The problem was that if CFG simplification saw a Branch with identical successors,
it would always perform a basic block merge. But that's wrong if the successor has
other predecessors.
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::run):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (117660 => 117661)
--- trunk/Source/_javascript_Core/ChangeLog 2012-05-19 00:04:32 UTC (rev 117660)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-05-19 00:54:57 UTC (rev 117661)
@@ -1,5 +1,19 @@
2012-05-18 Filip Pizlo <[email protected]>
+ REGRESSION(117646): fast/canvas/webgl/glsl-conformance.html is crashing in the DFG
+ https://bugs.webkit.org/show_bug.cgi?id=86929
+
+ Reviewed by Oliver Hunt.
+
+ The problem was that if CFG simplification saw a Branch with identical successors,
+ it would always perform a basic block merge. But that's wrong if the successor has
+ other predecessors.
+
+ * dfg/DFGCFGSimplificationPhase.cpp:
+ (JSC::DFG::CFGSimplificationPhase::run):
+
+2012-05-18 Filip Pizlo <[email protected]>
+
DFG CFG simplification crashes if it's trying to remove an unreachable block
that has an already-killed-off unreachable successor
https://bugs.webkit.org/show_bug.cgi?id=86918
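Review bot: The new ChangeLog entry explains why the unconditional merge was wrong but stops before saying what run() does now. After "other predecessors." add a sentence stating that the merge is kept only when the successor has a single predecessor and that the Branch is otherwise converted to a Jump. It would also help to say whether fast/canvas/webgl/glsl-conformance.html is the only coverage for the multi-predecessor case, since the entry lists no new test.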
Modified: trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp (117660 => 117661)
--- trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp 2012-05-19 00:04:32 UTC (rev 117660)
+++ trunk/Source/_javascript_Core/dfg/DFGCFGSimplificationPhase.cpp 2012-05-19 00:54:57 UTC (rev 117661)
@@ -139,11 +139,34 @@
}
if (m_graph.successor(block, 0) == m_graph.successor(block, 1)) {
+ BlockIndex targetBlockIndex = m_graph.successor(block, 0);
+ BasicBlock* targetBlock = m_graph.m_blocks[targetBlockIndex].get();
+ ASSERT(targetBlock);
+ ASSERT(targetBlock->isReachable);
+ if (targetBlock->m_predecessors.size() == 1) {
#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
- dataLog("CFGSimplify: Branch merge on Block #%u to Block #%u.\n",
- blockIndex, m_graph.successor(block, 0));
+ dataLog("CFGSimplify: Branch to same successor merge on Block #%u to Block #%u.\n",
+ blockIndex, targetBlockIndex);
#endif
- mergeBlocks(blockIndex, m_graph.successor(block, 0), NoBlock);
+ mergeBlocks(blockIndex, targetBlockIndex, NoBlock);
+ } else {
+#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
+ dataLog("CFGSimplify: Branch->jump conversion to same successor on Block #%u to Block #%u.\n",
+ blockIndex, targetBlockIndex);
+#endif
+ ASSERT(m_graph[block->last()].isTerminal());
+ Node& branch = m_graph[block->last()];
+ ASSERT(branch.isTerminal());
+ ASSERT(branch.op() == Branch);
+ branch.setOpAndDefaultFlags(Phantom);
+ ASSERT(branch.refCount() == 1);
+
+ Node jump(Jump, branch.codeOrigin, OpInfo(targetBlockIndex));
+ jump.ref();
+ NodeIndex jumpNodeIndex = m_graph.size();
+ m_graph.append(jump);
+ block->append(jumpNodeIndex);
+ }
innerChanged = outerChanged = true;
break;
}
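Review bot: The test `targetBlock->m_predecessors.size() == 1` at the top of the new block decides between merging and rewriting the Branch, but nothing in the hunk says whether a Branch whose two edges reach the same block is recorded once or twice in m_predecessors, or that the list is still current at this point in the simplification loop. Please add a comment stating that invariant, because a stale or per-edge count silently selects the wrong arm. In the else arm, `ASSERT(m_graph[block->last()].isTerminal());` is repeated by `ASSERT(branch.isTerminal());` two lines later, so one of them can go. Also, `branch` is a reference into m_graph, so in case append reallocates node storage, make it obvious that it is not used after `m_graph.append(jump)`, for example by giving it its own scope.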