Title: [163224] trunk/Source/_javascript_Core
- Revision
- 163224
- Author
- [email protected]
- Date
- 2014-01-31 17:28:26 -0800 (Fri, 31 Jan 2014)
Log Message
DFG->FTL tier-up shouldn't assume that LoopHints stay at the tops of loops
https://bugs.webkit.org/show_bug.cgi?id=128030
Reviewed by Oliver Hunt.
Remove a bogus assertion. The only thing that matters is that the LoopHint had at one
point in time been at the top of a loop header, and that it is now at the top of a
basic block. But the basic block that it's at the top of now doesn't have to be the
same as the loop header that it once was the top of.
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run):
* tests/stress/tier-up-in-loop-with-cfg-simplification.js: Added.
(foo):
Modified Paths
Added Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (163223 => 163224)
--- trunk/Source/_javascript_Core/ChangeLog 2014-02-01 01:24:39 UTC (rev 163223)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-02-01 01:28:26 UTC (rev 163224)
@@ -1,3 +1,20 @@
+2014-01-31 Filip Pizlo <[email protected]>
+
+ DFG->FTL tier-up shouldn't assume that LoopHints stay at the tops of loops
+ https://bugs.webkit.org/show_bug.cgi?id=128030
+
+ Reviewed by Oliver Hunt.
+
+ Remove a bogus assertion. The only thing that matters is that the LoopHint had at one
+ point in time been at the top of a loop header, and that it is now at the top of a
+ basic block. But the basic block that it's at the top of now doesn't have to be the
+ same as the loop header that it once was the top of.
+
+ * dfg/DFGTierUpCheckInjectionPhase.cpp:
+ (JSC::DFG::TierUpCheckInjectionPhase::run):
+ * tests/stress/tier-up-in-loop-with-cfg-simplification.js: Added.
+ (foo):
+
2014-01-31 Mark Lam <[email protected]>
Avoid eagerly creating the JSActivation when the debugger is attached.
Modified: trunk/Source/_javascript_Core/dfg/DFGTierUpCheckInjectionPhase.cpp (163223 => 163224)
--- trunk/Source/_javascript_Core/dfg/DFGTierUpCheckInjectionPhase.cpp 2014-02-01 01:24:39 UTC (rev 163223)
+++ trunk/Source/_javascript_Core/dfg/DFGTierUpCheckInjectionPhase.cpp 2014-02-01 01:28:26 UTC (rev 163224)
@@ -98,7 +98,6 @@
break;
}
- RELEASE_ASSERT(block->bytecodeBegin == codeOrigin.bytecodeIndex);
insertionSet.insertNode(
nodeIndex + 1, SpecNone, CheckTierUpAndOSREnter, codeOrigin);
break;
Added: trunk/Source/_javascript_Core/tests/stress/tier-up-in-loop-with-cfg-simplification.js (0 => 163224)
--- trunk/Source/_javascript_Core/tests/stress/tier-up-in-loop-with-cfg-simplification.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/tier-up-in-loop-with-cfg-simplification.js 2014-02-01 01:28:26 UTC (rev 163224)
@@ -0,0 +1,24 @@
+var False = false;
+
+function foo(p, array) {
+ var result = 0;
+ var i = 0;
+ if (array.length) {
+ if (p) {
+ } else {
+ return;
+ }
+ do {
+ result += array[i++];
+ } while (False);
+ }
+ return result;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 1000000; ++i) {
+ var result = foo(true, [42]);
+ if (result != 42)
+ throw "Error: bad result: " + result;
+}
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
