[webkit-changes] [184405] trunk/Source/JavaScriptCore

Fri, 15 May 2015 12:31:07 -0700

Title: [184405] trunk/Source/_javascript_Core
Revision
184405
Author
[email protected]
Date
2015-05-15 12:30:14 -0700 (Fri, 15 May 2015)

Log Message

DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic
https://bugs.webkit.org/show_bug.cgi?id=145062

Reviewed by Filip Pizlo.

We assert in various places (including NodeOrigin::isSet()) that a
NodeOrigin's semantic and forExit must be either both set, or both
unset.  However, LICM'ing a node with unset NodeOrigin would only set
forExit, and leave semantic unset. This can for instance happen when a
Phi node is constant-folded into a JSConstant, which in turn gets
LICM'd.

This patch changes DFGLICMPhase to set the NodeOrigin's semantic in
addition to its forExit if semantic was previously unset.

It also adds two validators to DFGValidate.cpp:
 - In both SSA and CPS form, a NodeOrigin semantic and forExit must be either both set or both unset
 - In CPS form, all nodes must have a set NodeOrigin forExit (this is
   the CPS counterpart to the SSA validator that checks that all nodes
   must have a set NodeOrigin except possibly for a continuous chunk of
   nodes at the top of a block)

* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::validateCPS):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (184404 => 184405)


--- trunk/Source/_javascript_Core/ChangeLog	2015-05-15 19:12:58 UTC (rev 184404)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-05-15 19:30:14 UTC (rev 184405)
@@ -1,3 +1,33 @@
+2015-05-15  Basile Clement  <[email protected]>
+
+        DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic
+        https://bugs.webkit.org/show_bug.cgi?id=145062
+
+        Reviewed by Filip Pizlo.
+
+        We assert in various places (including NodeOrigin::isSet()) that a
+        NodeOrigin's semantic and forExit must be either both set, or both
+        unset.  However, LICM'ing a node with unset NodeOrigin would only set
+        forExit, and leave semantic unset. This can for instance happen when a
+        Phi node is constant-folded into a JSConstant, which in turn gets
+        LICM'd.
+
+        This patch changes DFGLICMPhase to set the NodeOrigin's semantic in
+        addition to its forExit if semantic was previously unset.
+
+        It also adds two validators to DFGValidate.cpp:
+         - In both SSA and CPS form, a NodeOrigin semantic and forExit must be either both set or both unset
+         - In CPS form, all nodes must have a set NodeOrigin forExit (this is
+           the CPS counterpart to the SSA validator that checks that all nodes
+           must have a set NodeOrigin except possibly for a continuous chunk of
+           nodes at the top of a block)
+
+        * dfg/DFGLICMPhase.cpp:
+        (JSC::DFG::LICMPhase::attemptHoist):
+        * dfg/DFGValidate.cpp:
+        (JSC::DFG::Validate::validate):
+        (JSC::DFG::Validate::validateCPS):
+
 2015-05-15  Filip Pizlo  <[email protected]>
 
         Unreviewed, remove an unused declaration.

Modified: trunk/Source/_javascript_Core/dfg/DFGLICMPhase.cpp (184404 => 184405)


--- trunk/Source/_javascript_Core/dfg/DFGLICMPhase.cpp	2015-05-15 19:12:58 UTC (rev 184404)
+++ trunk/Source/_javascript_Core/dfg/DFGLICMPhase.cpp	2015-05-15 19:30:14 UTC (rev 184405)
@@ -282,6 +282,8 @@
         node->owner = data.preHeader;
         NodeOrigin originalOrigin = node->origin;
         node->origin.forExit = data.preHeader->terminal()->origin.forExit;
+        if (!node->origin.semantic.isSet())
+            node->origin.semantic = node->origin.forExit;
         
         // Modify the states at the end of the preHeader of the loop we hoisted to,
         // and all pre-headers inside the loop.

Modified: trunk/Source/_javascript_Core/dfg/DFGValidate.cpp (184404 => 184405)


--- trunk/Source/_javascript_Core/dfg/DFGValidate.cpp	2015-05-15 19:12:58 UTC (rev 184404)
+++ trunk/Source/_javascript_Core/dfg/DFGValidate.cpp	2015-05-15 19:30:14 UTC (rev 184405)
@@ -186,6 +186,7 @@
             for (size_t i = 0; i < block->size(); ++i) {
                 Node* node = block->at(i);
                 
+                VALIDATE((node), node->origin.semantic.isSet() == node->origin.forExit.isSet());
                 VALIDATE((node), !mayExit(m_graph, node) || node->origin.forExit.isSet());
                 VALIDATE((node), !node->hasStructure() || !!node->structure());
                 VALIDATE((node), !node->hasCellOperand() || node->cellOperand()->value().isCell());
@@ -402,6 +403,7 @@
                 Node* node = block->at(i);
                 ASSERT(nodesInThisBlock.contains(node));
                 VALIDATE((node), node->op() != Phi);
+                VALIDATE((node), node->origin.forExit.isSet());
                 for (unsigned j = 0; j < m_graph.numChildren(node); ++j) {
                     Edge edge = m_graph.child(node, j);
                     if (!edge)

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to