Title: [149071] trunk
Revision: 149071
Author: [email protected]
Date: 2013-04-24 15:39:33 -0700 (Wed, 24 Apr 2013)
Log Message
DFG should keep the operand to create_this alive if it's emitting code for create_this
https://bugs.webkit.org/show_bug.cgi?id=115133
Source/JavaScriptCore:
Reviewed by Mark Hahnenberg.
The DFG must model bytecode liveness, or else OSR exit is going to have a really bad time.
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
LayoutTests:
Reviewed by Mark Hahnenberg.
This test crashes prior to my change.
* fast/js/dfg-allocation-profile-watch-point-exit-expected.txt: Added.
* fast/js/dfg-allocation-profile-watch-point-exit.html: Added.
* fast/js/jsc-test-list:
* fast/js/script-tests/dfg-allocation-profile-watch-point-exit.js: Added.
(Foo):
(foo):
Diff
Modified: trunk/LayoutTests/ChangeLog (149070 => 149071)
--- trunk/LayoutTests/ChangeLog 2013-04-24 22:35:47 UTC (rev 149070)
+++ trunk/LayoutTests/ChangeLog 2013-04-24 22:39:33 UTC (rev 149071)
@@ -1,3 +1,19 @@
+2013-04-24 Filip Pizlo <[email protected]>
+
+ DFG should keep the operand to create_this alive if it's emitting code for create_this
+ https://bugs.webkit.org/show_bug.cgi?id=115133
+
+ Reviewed by Mark Hahnenberg.
+
+ This test crashes prior to my change.
+
+ * fast/js/dfg-allocation-profile-watch-point-exit-expected.txt: Added.
+ * fast/js/dfg-allocation-profile-watch-point-exit.html: Added.
+ * fast/js/jsc-test-list:
+ * fast/js/script-tests/dfg-allocation-profile-watch-point-exit.js: Added.
+ (Foo):
+ (foo):
+
2013-04-24 Alexey Proskuryakov <[email protected]>
fast/js/global-constructors.html was deleted in r149001, removing it from
Added: trunk/LayoutTests/fast/js/dfg-allocation-profile-watch-point-exit-expected.txt (0 => 149071)
--- trunk/LayoutTests/fast/js/dfg-allocation-profile-watch-point-exit-expected.txt (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-allocation-profile-watch-point-exit-expected.txt 2013-04-24 22:39:33 UTC (rev 149071)
@@ -0,0 +1,109 @@
+Checks that if a DFG AllocationProfileWatchpoint fires and the callee is otherwise dead, we still preserve the callee for the bytecode and don't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS foo() is 42
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
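Review bot: the 100 identical "PASS foo() is 42" lines in this expectation file come from calling shouldBe on every loop iteration, and they give no hint which iteration is the interesting one. Consider comparing foo() against 42 inside the loop and reporting only a failure plus a single final pass, so the expected output stays a few lines long.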
Added: trunk/LayoutTests/fast/js/dfg-allocation-profile-watch-point-exit.html (0 => 149071)
--- trunk/LayoutTests/fast/js/dfg-allocation-profile-watch-point-exit.html (rev 0)
+++ trunk/LayoutTests/fast/js/dfg-allocation-profile-watch-point-exit.html 2013-04-24 22:39:33 UTC (rev 149071)
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src=""
+</head>
+<body>
+<script src=""
+<script src=""
+</body>
+</html>
Modified: trunk/LayoutTests/fast/js/jsc-test-list (149070 => 149071)
--- trunk/LayoutTests/fast/js/jsc-test-list 2013-04-24 22:35:47 UTC (rev 149070)
+++ trunk/LayoutTests/fast/js/jsc-test-list 2013-04-24 22:39:33 UTC (rev 149071)
@@ -70,6 +70,7 @@
fast/js/delete-then-put
fast/js/dfg-abs-backwards-propagation
fast/js/dfg-add-not-number
+fast/js/dfg-allocation-profile-watch-point-exit
fast/js/dfg-arguments-alias-escape
fast/js/dfg-arguments-alias-one-block-osr-exit
fast/js/dfg-arguments-alias-one-block-overwrite-arguments
Added: trunk/LayoutTests/fast/js/script-tests/dfg-allocation-profile-watch-point-exit.js (0 => 149071)
--- trunk/LayoutTests/fast/js/script-tests/dfg-allocation-profile-watch-point-exit.js (rev 0)
+++ trunk/LayoutTests/fast/js/script-tests/dfg-allocation-profile-watch-point-exit.js 2013-04-24 22:39:33 UTC (rev 149071)
@@ -0,0 +1,18 @@
+description(
+"Checks that if a DFG AllocationProfileWatchpoint fires and the callee is otherwise dead, we still preserve the callee for the bytecode and don't crash."
+);
+
+function Foo() {
+ this.f = 42;
+}
+
+function foo() {
+ eval("// Don't optimize me!");
+ return new Foo().f;
+}
+
+for (var i = 0; i < 100; ++i) {
+ if (i == 95)
+ Foo.prototype = {foo: 62};
+ shouldBe("foo()", "42");
+}
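Review bot: in the loop at the end of the test, the constants 100 and 95 are unexplained, and the test only covers the fix if optimized code for Foo already exists when `Foo.prototype = {foo: 62}` runs at i == 95. Suggest a comment saying why 95 iterations is enough warm-up and why foo() needs the eval("// Don't optimize me!") call, so that a later change to tier-up thresholds does not leave a test that passes without the watchpoint ever firing.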
Modified: trunk/Source/_javascript_Core/ChangeLog (149070 => 149071)
--- trunk/Source/_javascript_Core/ChangeLog 2013-04-24 22:35:47 UTC (rev 149070)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-04-24 22:39:33 UTC (rev 149071)
@@ -1,3 +1,15 @@
+2013-04-24 Filip Pizlo <[email protected]>
+
+ DFG should keep the operand to create_this alive if it's emitting code for create_this
+ https://bugs.webkit.org/show_bug.cgi?id=115133
+
+ Reviewed by Mark Hahnenberg.
+
+ The DFG must model bytecode liveness, or else OSR exit is going to have a really bad time.
+
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::parseBlock):
+
2013-04-24 Roger Fong <[email protected]>
Have VS2010 WebKit solution look in WebKit_Libraries/lib32 for dependencies.
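Review bot: the (JSC::DFG::ByteCodeParser::parseBlock) entry at the end of this ChangeLog addition has no description, and "OSR exit is going to have a really bad time" does not say what actually fails. Suggest one line under the parseBlock entry stating that the callee operand of create_this is kept alive with a Phantom on the allocation-profile path.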
Modified: trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp (149070 => 149071)
--- trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2013-04-24 22:35:47 UTC (rev 149070)
+++ trunk/Source/_javascript_Core/dfg/DFGByteCodeParser.cpp 2013-04-24 22:39:33 UTC (rev 149071)
@@ -2027,6 +2027,8 @@
ObjectAllocationProfile* allocationProfile = function->tryGetAllocationProfile();
if (allocationProfile) {
addToGraph(AllocationProfileWatchpoint, OpInfo(function));
+ // The callee is still live up to this point.
+ addToGraph(Phantom, callee);
set(currentInstruction[1].u.operand,
addToGraph(NewObject, OpInfo(allocationProfile->structure())));
alreadyEmitted = true;
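Review bot: the comment on the added Phantom line says the callee is live but not why the node is needed. On this path NewObject takes only OpInfo(allocationProfile->structure()), so apart from the Phantom nothing shown here references callee. Suggest the comment say that the bytecode create_this still reads its callee operand, so OSR exit must be able to recover it, which is the reason given in the ChangeLog.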