Title: [153283] trunk/Source/JavaScriptCore
- Revision: 153283
- Author: [email protected]
- Date: 2013-07-24 21:05:04 -0700 (Wed, 24 Jul 2013)
Log Message
fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
https://bugs.webkit.org/show_bug.cgi?id=118880
Reviewed by Sam Weinig.
It should be possible to have an AbstractState that is backed by a HashMap. But to
do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
the map, since otherwise the idiom of getting a reference to the AbstractValue
returned by forNode() would cause really subtle memory corruption bugs.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::::executeEffects):
* dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::createValueForNode):
(InPlaceAbstractState):
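The hazard the log message describes, as an added example that is not part of this commit or of WebKit's code: a reference obtained from a lookup goes stale if a later lookup inserts into the backing table. `FlatState`, `forNodeInserting` and `childReferenceStaysValid` are hypothetical names, and a `std::vector` that reallocates on every insert is assumed as a stand-in for a HashMap-backed state.

```cpp
#include <cstdint>
#include <vector>

// Hypothetical stand-ins for illustration; not WebKit's types.
struct Node { int id; };
struct AbstractValue { int type = 0; };

// Values live inline in one flat table, as in an open-addressed hash map:
// growing the table moves every stored value.
class FlatState {
    struct Entry { Node* node; AbstractValue value; };
    std::vector<Entry> m_entries;
    Entry* find(Node* node) {
        for (Entry& entry : m_entries)
            if (entry.node == node) return &entry;
        return nullptr;
    }
public:
    // The only operation allowed to grow the table.
    void createValueForNode(Node* node) {
        if (find(node)) return;
        // Reallocate on every insert so the move is deterministic here; a
        // real table moves its values only when it rehashes.
        std::vector<Entry> grown(m_entries);
        grown.push_back(Entry{node, AbstractValue{}});
        m_entries.swap(grown);
    }
    // Pure lookup: the node must already have been created.
    AbstractValue& forNode(Node* node) { return find(node)->value; }
    // Hazardous idiom: a lookup that inserts on a miss.
    AbstractValue& forNodeInserting(Node* node) {
        createValueForNode(node);
        return find(node)->value;
    }
};

// Mirrors the Upsilon case: hold a reference to the child's value, then touch
// the phi. Returns true if the child's value is still where the reference
// points. Addresses are compared as integers; nothing stale is dereferenced.
bool childReferenceStaysValid(bool createPhiFirst) {
    FlatState state;
    Node child{0}, phi{1};
    state.createValueForNode(&child);
    if (createPhiFirst) state.createValueForNode(&phi);
    auto held = reinterpret_cast<std::uintptr_t>(&state.forNode(&child));
    if (createPhiFirst) state.forNode(&phi).type = 1;
    else state.forNodeInserting(&phi).type = 1;
    return held == reinterpret_cast<std::uintptr_t>(&state.forNode(&child));
}
```

Building this with AddressSanitizer and actually writing through the held reference in the inserting variant would report a heap-use-after-free, which is a practical way to catch this class of bug in tests.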
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (153282 => 153283)
--- trunk/Source/_javascript_Core/ChangeLog 2013-07-25 04:05:03 UTC (rev 153282)
+++ trunk/Source/_javascript_Core/ChangeLog 2013-07-25 04:05:04 UTC (rev 153283)
@@ -1,5 +1,23 @@
2013-07-18 Filip Pizlo <[email protected]>
+ fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
+ https://bugs.webkit.org/show_bug.cgi?id=118880
+
+ Reviewed by Sam Weinig.
+
+ It should be possible to have an AbstractState that is backed by a HashMap. But to
+ do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
+ the map, since otherwise the idiom of getting a reference to the AbstractValue
+ returned by forNode() would cause really subtle memory corruption bugs.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::::executeEffects):
+ * dfg/DFGInPlaceAbstractState.h:
+ (JSC::DFG::InPlaceAbstractState::createValueForNode):
+ (InPlaceAbstractState):
+
+2013-07-18 Filip Pizlo <[email protected]>
+
fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
https://bugs.webkit.org/show_bug.cgi?id=118835
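Review bot: The function list in the new ChangeLog entry is missing information: "(JSC::DFG::::executeEffects):" has an empty class component between the scope operators, and none of the per-function lines says what changed. Spell out the class that owns executeEffects and add a short phrase per function (for example, that createValueForNode is a no-op for the in-place state), so that the entry is searchable and the reference-invalidation rationale is tied to the specific call sites.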
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (153282 => 153283)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2013-07-25 04:05:03 UTC (rev 153282)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2013-07-25 04:05:04 UTC (rev 153283)
@@ -124,6 +124,8 @@
if (!ASSERT_DISABLED)
verifyEdges(node);
+ m_state.createValueForNode(node);
+
switch (node->op()) {
case JSConstant:
case WeakJSConstant:
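Review bot: The new call "m_state.createValueForNode(node);" ahead of "switch (node->op())" carries an ordering requirement that is not written down at the call site. The log message says the point is to keep references returned by forNode() valid for a HashMap-backed state, so a comment here should state that creation has to happen before any "AbstractValue&" is taken in the cases below, and that cases writing to a node other than the current one must create that node's value themselves. Without it, a later edit that moves or drops this line would reintroduce the memory corruption the change is meant to prevent, and nothing in the in-place state would flag it.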
@@ -1471,6 +1473,7 @@
break;
case Upsilon: {
+ m_state.createValueForNode(node->phi());
AbstractValue& value = forNode(node->child1());
forNode(node) = value;
forNode(node->phi()) = value;
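Review bot: In the Upsilon case, "value" is a reference from forNode(node->child1()) that stays live across "forNode(node->phi()) = value;", so the placement of "m_state.createValueForNode(node->phi());" before the reference is taken is load-bearing and deserves a one-line comment saying so. It would also help to back the rule with a debug-only check in map-backed states that forNode() never inserts, since any other case that assigns to a node other than the current one would need the same explicit creation and the visible lines give no way to catch a missed one.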
Modified: trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.h (153282 => 153283)
--- trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.h 2013-07-25 04:05:03 UTC (rev 153282)
+++ trunk/Source/_javascript_Core/dfg/DFGInPlaceAbstractState.h 2013-07-25 04:05:04 UTC (rev 153283)
@@ -44,6 +44,8 @@
~InPlaceAbstractState();
+ void createValueForNode(Node*) { }
+
AbstractValue& forNode(Node* node)
{
return node->value;
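Review bot: The empty body of "void createValueForNode(Node*) { }" has no comment explaining why doing nothing is correct. Note next to it that the in-place state stores each value in "node->value", so there is nothing to allocate, and document the contract other AbstractState implementations must follow: createValueForNode() is the only call that may add storage, and forNode() must return a reference without inserting. As written, the no-op means the in-place state cannot detect a missing createValueForNode() call, so the contract is only exercised once a map-backed state exists.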