Title: [173534] trunk/Source/_javascript_Core
- Revision
- 173534
- Author
- [email protected]
- Date
- 2014-09-11 13:04:38 -0700 (Thu, 11 Sep 2014)
Log Message
REGRESSION (r172129): Vine pages load as blank
https://bugs.webkit.org/show_bug.cgi?id=136655
rdar://problem/18281215
Reviewed by Michael Saboff.
If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
reasonably compact; it's OK if we miss cases here.
* dfg/DFGPhantomRemovalPhase.cpp:
(JSC::DFG::PhantomRemovalPhase::run):
* tests/stress/remove-phantom-after-setlocal.js: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (173533 => 173534)
--- trunk/Source/_javascript_Core/ChangeLog 2014-09-11 19:57:33 UTC (rev 173533)
+++ trunk/Source/_javascript_Core/ChangeLog 2014-09-11 20:04:38 UTC (rev 173534)
@@ -1,3 +1,21 @@
+2014-09-11 Filip Pizlo <[email protected]>
+
+ REGRESSION (r172129): Vine pages load as blank
+ https://bugs.webkit.org/show_bug.cgi?id=136655
+ rdar://problem/18281215
+
+ Reviewed by Michael Saboff.
+
+ If lastNode is something that is subject to DCE, then removing the Phantom's reference to something
+ that lastNode references means that the thing being referenced may no longer be kept alive for OSR.
+ Teach PhantomRemovalPhase that it's only safe to do this if lastNode is a Phantom. That's probably too
+ conservative, but that's fine since this is mainly just an optimization to make the IR sane to read and
+ reasonably compact; it's OK if we miss cases here.
+
+ * dfg/DFGPhantomRemovalPhase.cpp:
+ (JSC::DFG::PhantomRemovalPhase::run):
+ * tests/stress/remove-phantom-after-setlocal.js: Added.
+
2014-09-11 Bear Travis <[email protected]>
[CSS Font Loading] Enable CSS Font Loading on Mac
Modified: trunk/Source/_javascript_Core/dfg/DFGPhantomRemovalPhase.cpp (173533 => 173534)
--- trunk/Source/_javascript_Core/dfg/DFGPhantomRemovalPhase.cpp 2014-09-11 19:57:33 UTC (rev 173533)
+++ trunk/Source/_javascript_Core/dfg/DFGPhantomRemovalPhase.cpp 2014-09-11 20:04:38 UTC (rev 173534)
@@ -93,13 +93,17 @@
unsigned sourceIndex = 0;
unsigned targetIndex = 0;
- Node* lastNode = nullptr;
while (sourceIndex < block->size()) {
Node* node = block->at(sourceIndex++);
switch (node->op()) {
case Phantom: {
- if (lastNode && (lastNode->origin.forExit != node->origin.forExit || (lastNode->flags() & NodeHasVarArgs)))
- lastNode = nullptr;
+ Node* lastNode = nullptr;
+ if (sourceIndex > 1) {
+ lastNode = block->at(sourceIndex - 2);
+ if (lastNode->op() != Phantom
+ || lastNode->origin.forExit != node->origin.forExit)
+ lastNode = nullptr;
+ }
for (unsigned i = 0; i < AdjacencyList::Size; ++i) {
Edge edge = node->children.child(i);
if (!edge)
@@ -161,7 +165,7 @@
default:
break;
}
- lastNode = node;
+
block->at(targetIndex++) = node;
}
block->resize(targetIndex);
Added: trunk/Source/_javascript_Core/tests/stress/remove-phantom-after-setlocal.js (0 => 173534)
--- trunk/Source/_javascript_Core/tests/stress/remove-phantom-after-setlocal.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/remove-phantom-after-setlocal.js 2014-09-11 20:04:38 UTC (rev 173534)
@@ -0,0 +1,18 @@
+var constant = {};
+
+function foo(o) {
+ var v = o.f;
+ return v === constant;
+}
+
+noInline(foo);
+
+for (var i = 0; i < 1000000; ++i) {
+ var result = foo({f:null});
+ if (result !== false)
+ throw "Error: bogus result in loop";
+}
+
+var result = foo({f:constant});
+if (result !== true)
+ throw "Error: bogus result at end";
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
