Title: [151273] trunk/Source/_javascript_Core
- Revision
- 151273
- Author
- [email protected]
- Date
- 2013-06-06 08:35:00 -0700 (Thu, 06 Jun 2013)
Log Message
JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com
https://bugs.webkit.org/show_bug.cgi?id=117280
Reviewed by Filip Pizlo.
Updated the merging of VariableAccessData nodes in ArgumentPosition lists
to find the unified VariableAccessData node that is the root of the
current node instead of using the current node directly when merging
attributes.
Added new dump code to dump the ArgumentPosition list.
* dfg/DFGArgumentPosition.h:
(JSC::DFG::ArgumentPosition::mergeArgumentPredictionAwareness):
(JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
(JSC::DFG::ArgumentPosition::dump):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::dump):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (151272 => 151273)
--- trunk/Source/_javascript_Core/ChangeLog 2013-06-06 14:59:32 UTC (rev 151272)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-06-06 15:35:00 UTC (rev 151273)
@@ -1,3 +1,23 @@
+2013-06-05 Michael Saboff <[email protected]>
+
+ JSC: Crash beneath cti_op_div @ http://gmailblog.blogspot.com
+ https://bugs.webkit.org/show_bug.cgi?id=117280
+
+ Reviewed by Filip Pizlo.
+
+ Updated the merging of VariableAccessData nodes in ArgumentPosition lists
+ to find the unified VariableAccessData node that is the root of the
+ current node instead of using the current node directly when merging
+ attributes.
+ Added new dump code to dump the ArgumentPosition list.
+
+ * dfg/DFGArgumentPosition.h:
+ (JSC::DFG::rgumentPosition::mergeArgumentPredictionAwareness):
+ (JSC::DFG::ArgumentPosition::mergeArgumentUnboxingAwareness):
+ (JSC::DFG::ArgumentPosition::dump):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::dump):
+
2013-06-05 Bear Travis <[email protected]>
[CSS Exclusions][CSS Shapes] Split CSS Exclusions & Shapes compile & runtime flags
Modified: trunk/Source/_javascript_Core/dfg/DFGArgumentPosition.h (151272 => 151273)
--- trunk/Source/_javascript_Core/dfg/DFGArgumentPosition.h 2013-06-06 14:59:32 UTC (rev 151272)
+++ trunk/Source/_javascript_Core/dfg/DFGArgumentPosition.h 2013-06-06 15:35:00 UTC (rev 151273)
@@ -28,6 +28,7 @@
#include "DFGDoubleFormatState.h"
#include "DFGVariableAccessData.h"
+#include "DFGVariableAccessDataDump.h"
#include "SpeculatedType.h"
namespace JSC { namespace DFG {
@@ -56,17 +57,19 @@
{
bool changed = false;
for (unsigned i = 0; i < m_variables.size(); ++i) {
- changed |= mergeSpeculation(m_prediction, m_variables[i]->argumentAwarePrediction());
- changed |= mergeDoubleFormatState(m_doubleFormatState, m_variables[i]->doubleFormatState());
- changed |= mergeShouldNeverUnbox(m_variables[i]->shouldNeverUnbox());
+ VariableAccessData* variable = m_variables[i]->find();
+ changed |= mergeSpeculation(m_prediction, variable->argumentAwarePrediction());
+ changed |= mergeDoubleFormatState(m_doubleFormatState, variable->doubleFormatState());
+ changed |= mergeShouldNeverUnbox(variable->shouldNeverUnbox());
}
if (!changed)
return false;
changed = false;
for (unsigned i = 0; i < m_variables.size(); ++i) {
- changed |= m_variables[i]->mergeArgumentAwarePrediction(m_prediction);
- changed |= m_variables[i]->mergeDoubleFormatState(m_doubleFormatState);
- changed |= m_variables[i]->mergeShouldNeverUnbox(m_shouldNeverUnbox);
+ VariableAccessData* variable = m_variables[i]->find();
+ changed |= variable->mergeArgumentAwarePrediction(m_prediction);
+ changed |= variable->mergeDoubleFormatState(m_doubleFormatState);
+ changed |= variable->mergeShouldNeverUnbox(m_shouldNeverUnbox);
}
return changed;
}
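Review bot: Nothing in these two loops records why the root node is required, so a later edit that reads `m_variables[i]` directly would silently bring back the merge against a non-root node that the log message ties to the crash beneath cti_op_div. Add a comment above the first loop, for example `// After unification only the root VariableAccessData holds the merged state; always go through find().`, and repeat it on the two loops of mergeArgumentUnboxingAwareness in the next hunk, which follow the same pattern. No regression test appears among the files this commit touches; a reduced case from bug 117280 would let the fix be checked mechanically. The function's signature lies outside the hunk.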
@@ -74,13 +77,17 @@
bool mergeArgumentUnboxingAwareness()
{
bool changed = false;
- for (unsigned i = 0; i < m_variables.size(); ++i)
- changed |= checkAndSet(m_isProfitableToUnbox, m_isProfitableToUnbox | m_variables[i]->isProfitableToUnbox());
+ for (unsigned i = 0; i < m_variables.size(); ++i) {
+ VariableAccessData* variable = m_variables[i]->find();
+ changed |= checkAndSet(m_isProfitableToUnbox, m_isProfitableToUnbox | variable->isProfitableToUnbox());
+ }
if (!changed)
return false;
changed = false;
- for (unsigned i = 0; i < m_variables.size(); ++i)
- changed |= m_variables[i]->mergeIsProfitableToUnbox(m_isProfitableToUnbox);
+ for (unsigned i = 0; i < m_variables.size(); ++i) {
+ VariableAccessData* variable = m_variables[i]->find();
+ changed |= variable->mergeIsProfitableToUnbox(m_isProfitableToUnbox);
+ }
return changed;
}
@@ -93,6 +100,23 @@
return doubleFormatState() == UsingDoubleFormat && shouldUnboxIfPossible();
}
+ void dump(PrintStream& out, Graph* graph)
+ {
+ for (unsigned i = 0; i < m_variables.size(); ++i) {
+ VariableAccessData* variable = m_variables[i]->find();
+ int operand = variable->operand();
+
+ if (i)
+ out.print(" ");
+
+ if (operandIsArgument(operand))
+ out.print("arg", operandToArgument(operand), "(", VariableAccessDataDump(*graph, variable), ")");
+ else
+ out.print("r", operand, "(", VariableAccessDataDump(*graph, variable), ")");
+ }
+ out.print("\n");
+ }
+
private:
SpeculatedType m_prediction;
DoubleFormatState m_doubleFormatState;
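Review bot: The new `dump` takes `Graph* graph` and dereferences it unconditionally in both `VariableAccessDataDump(*graph, variable)` calls, so the non-null requirement is implicit and a null argument would fault inside a debugging path. Taking the graph by reference states that requirement in the signature: `void dump(PrintStream& out, Graph& graph)`, with the call in DFGGraph.cpp becoming `arguments.dump(out, *this);`. A one-line comment saying that each entry is printed as `arg<N>(...)` or `r<N>(...)` for the unified root of the variable would also help whoever reads the dump output. The class continues past the end of this hunk.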
Modified: trunk/Source/_javascript_Core/dfg/DFGGraph.cpp (151272 => 151273)
--- trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2013-06-06 14:59:32 UTC (rev 151272)
+++ trunk/Source/_javascript_Core/dfg/DFGGraph.cpp 2013-06-06 15:35:00 UTC (rev 151273)
@@ -314,7 +314,14 @@
{
dataLog("DFG for ", CodeBlockWithJITType(m_codeBlock, JITCode::DFGJIT), ":\n");
dataLog(" Fixpoint state: ", m_fixpointState, "; Form: ", m_form, "; Unification state: ", m_unificationState, "; Ref count state: ", m_refCountState, "\n");
-
+
+ out.print(" ArgumentPosition size: ", m_argumentPositions.size(), "\n");
+ for (size_t i = 0; i < m_argumentPositions.size(); ++i) {
+ out.print(" #", i, ": ");
+ ArgumentPosition& arguments = m_argumentPositions[i];
+ arguments.dump(out, this);
+ }
+
Node* lastNode = 0;
for (size_t b = 0; b < m_blocks.size(); ++b) {
BasicBlock* block = m_blocks[b].get();
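Review bot: The added block prints through `out` while the two header lines directly above it in the same function go through `dataLog`, so the ArgumentPosition section can end up on a different stream from the rest of the header whenever `out` is not the data-log file. Make the neighbouring lines use `out.print(...)` too, or keep the new lines consistent with them, so a captured dump stays in one piece. The loop body can be shortened to `m_argumentPositions[i].dump(out, this);` without the named reference. The function signature is outside the hunk, so the nature of `out` is inferred from how the added lines use it.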