[webkit-changes] [152481] branches/dfgFourthTier/Source/JavaScriptCore

Mon, 08 Jul 2013 22:07:31 -0700

Title: [152481] branches/dfgFourthTier/Source/_javascript_Core
Revision
152481
Author
[email protected]
Date
2013-07-08 22:08:29 -0700 (Mon, 08 Jul 2013)

Log Message

NaturalLoops + Profiler = Crash
https://bugs.webkit.org/show_bug.cgi?id=118486

Reviewed by Geoffrey Garen.
        
I borked dominators in:
http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGDominators.h
        
This patch also adds some debug support, and fixes the loop that adds a block to
an already-existing natural loop. Note that we currently don't take that path in
most programs, but it will arise, for example if you use 'continue' - though you'd
have to use it rather cleverly since the bytecode will not jump to the loop header
in most uses of 'continue'.

* dfg/DFGDominators.cpp:
(JSC::DFG::Dominators::dump):
(DFG):
* dfg/DFGDominators.h:
(JSC::DFG::Dominators::dominates):
(Dominators):
* dfg/DFGNaturalLoops.cpp:
(JSC::DFG::NaturalLoops::compute):

Modified Paths

Diff

Modified: branches/dfgFourthTier/Source/_javascript_Core/ChangeLog (152480 => 152481)


--- branches/dfgFourthTier/Source/_javascript_Core/ChangeLog	2013-07-09 03:22:26 UTC (rev 152480)
+++ branches/dfgFourthTier/Source/_javascript_Core/ChangeLog	2013-07-09 05:08:29 UTC (rev 152481)
@@ -1,5 +1,30 @@
 2013-07-08  Filip Pizlo  <[email protected]>
 
+        NaturalLoops + Profiler = Crash
+        https://bugs.webkit.org/show_bug.cgi?id=118486
+
+        Reviewed by Geoffrey Garen.
+        
+        I borked dominators in:
+        http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGDominators.h
+        
+        This patch also adds some debug support, and fixes the loop that adds a block to
+        an already-existing natural loop. Note that we currently don't take that path in
+        most programs, but it will arise, for example if you use 'continue' - though you'd
+        have to use it rather cleverly since the bytecode will not jump to the loop header
+        in most uses of 'continue'.
+
+        * dfg/DFGDominators.cpp:
+        (JSC::DFG::Dominators::dump):
+        (DFG):
+        * dfg/DFGDominators.h:
+        (JSC::DFG::Dominators::dominates):
+        (Dominators):
+        * dfg/DFGNaturalLoops.cpp:
+        (JSC::DFG::NaturalLoops::compute):
+
+2013-07-08  Filip Pizlo  <[email protected]>
+
         fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
         https://bugs.webkit.org/show_bug.cgi?id=118489

Modified: branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGDominators.cpp (152480 => 152481)


--- branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGDominators.cpp	2013-07-09 03:22:26 UTC (rev 152480)
+++ branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGDominators.cpp	2013-07-09 05:08:29 UTC (rev 152481)
@@ -100,6 +100,22 @@
     return m_results[i].setAndCheck(m_scratch);
 }
 
+void Dominators::dump(Graph& graph, PrintStream& out) const
+{
+    for (BlockIndex blockIndex = 0; blockIndex < graph.numBlocks(); ++blockIndex) {
+        BasicBlock* block = graph.block(blockIndex);
+        if (!block)
+            continue;
+        out.print("    Block ", *block, ":");
+        for (BlockIndex otherIndex = 0; otherIndex < graph.numBlocks(); ++otherIndex) {
+            if (!dominates(block->index, otherIndex))
+                continue;
+            out.print(" #", otherIndex);
+        }
+        out.print("\n");
+    }
+}
+
 } } // namespace JSC::DFG
 
 #endif // ENABLE(DFG_JIT)

Modified: branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGDominators.h (152480 => 152481)


--- branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGDominators.h	2013-07-09 03:22:26 UTC (rev 152480)
+++ branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGDominators.h	2013-07-09 05:08:29 UTC (rev 152481)
@@ -49,7 +49,7 @@
     bool dominates(BlockIndex from, BlockIndex to) const
     {
         ASSERT(isValid());
-        return m_results[from].get(to);
+        return m_results[to].get(from);
     }
     
     bool dominates(BasicBlock* from, BasicBlock* to) const
@@ -57,10 +57,12 @@
         return dominates(from->index, to->index);
     }
     
+    void dump(Graph& graph, PrintStream&) const;
+    
 private:
     bool iterateForBlock(Graph& graph, BlockIndex);
     
-    Vector<FastBitVector> m_results;
+    Vector<FastBitVector> m_results; // For each block, the bitvector of blocks that dominate it.
     FastBitVector m_scratch;
 };

Modified: branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGNaturalLoops.cpp (152480 => 152481)


--- branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGNaturalLoops.cpp	2013-07-09 03:22:26 UTC (rev 152480)
+++ branches/dfgFourthTier/Source/_javascript_Core/dfg/DFGNaturalLoops.cpp	2013-07-09 05:08:29 UTC (rev 152481)
@@ -58,6 +58,11 @@
     
     graph.m_dominators.computeIfNecessary(graph);
     
+    if (verbose) {
+        dataLog("Dominators:\n");
+        graph.m_dominators.dump(graph, WTF::dataFile());
+    }
+    
     m_loops.resize(0);
     
     for (BlockIndex blockIndex = graph.numBlocks(); blockIndex--;) {
@@ -71,9 +76,10 @@
                 continue;
             bool found = false;
             for (unsigned j = m_loops.size(); j--;) {
-                if (m_loops[i].header() == successor) {
-                    m_loops[i].addBlock(block);
+                if (m_loops[j].header() == successor) {
+                    m_loops[j].addBlock(block);
                     found = true;
+                    break;
                 }
             }
             if (found)

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to