forked from WebKit/WebKit-http
Object allocation sinking phase doesn't properly handle control flow when emitting a PutHint of a materialized object into a PromotedHeapLocation of a still sunken object

https://bugs.webkit.org/show_bug.cgi?id=168140
<rdar://problem/30205880>

Reviewed by Filip Pizlo.

JSTests:

* stress/allocation-sinking-puthint-control-flow.js: Added.
(e):
(bar):
(let.y):
(else.let.y):
(baz):
(foo):
(catch):

Source/JavaScriptCore:

This patch fixes a bug in allocation sinking phase where we don't properly handle control flow when materializing an object and also PutHinting that materialization into a still sunken object. We were performing the PutHint for the materialization at the point of materialization, however, we may have materialized along both edges of a control flow diamond, in which case, we need to also PutHint at the join point. Consider this program:

```
bb#0:
b: PhantomActivation()
a: PhantomNewFunction()
c: PutHint(@A, @b, ActivationLoc)
Branch(#1, #2)

bb#1:
d: MaterializeActivation()
e: PutHint(@A, @d, ActivationLoc)
f: Upsilon(@d, ^p)
Jump(#3)

bb#2:
g: MaterializeActivation()
h: PutHint(@A, @g, ActivationLoc)
i: Upsilon(@d, ^p)
Jump(#3)

bb#3:
p: Phi()
// What is PromotedHeapLocation(@A, ActivationLoc) here?
// What would we do if we exited?
```

Before this patch, we didn't perform a PutHint of the Phi. However, we need to, otherwise when we exit, we won't know the value of PromotedHeapLocation(@A, ActivationLoc).

The program we need then, for correctness, is this:

```
bb#0:
b: PhantomActivation()
a: PhantomNewFunction()
c: PutHint(@A, @b, ActivationLoc)
Branch(#1, #2)

bb#1:
d: MaterializeActivation()
e: PutHint(@A, @d, ActivationLoc)
f: Upsilon(@d, ^p)
Jump(#3)

bb#2:
g: MaterializeActivation()
h: PutHint(@A, @g, ActivationLoc)
i: Upsilon(@d, ^p)
Jump(#3)

bb#3:
p: Phi()
j: PutHint(@A, @p, ActivationLoc)
```

This patch makes it so that we emit the necessary PutHint at node `j`. I've also added more validation to the OSRAvailabilityAnalysisPhase to catch this problem during validation.

* dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
(JSC::DFG::OSRAvailabilityAnalysisPhase::run):
* dfg/DFGObjectAllocationSinkingPhase.cpp:
* ftl/FTLOperations.cpp:
(JSC::FTL::operationMaterializeObjectInOSR):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@212177 268f45cc-cd09-0410-ab3c-d52691b4dbfc
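The join-point problem from the commit message can be reproduced with a small forward dataflow over the same four blocks. This is an added example, not JavaScriptCore code and not part of the commit; `Block`, `merge`, `availabilityAtTail` and `diamond` are hypothetical names, and the merge rule (differing predecessor values become conflicting) is a simplifying assumption about how availability is joined.

```cpp
// Simplified model (added example, not JavaScriptCore code): forward
// availability of one promoted heap location, (@A, ActivationLoc).
#include <string>
#include <vector>

struct Block {
    std::vector<int> preds;             // predecessor block indices
    std::vector<std::string> putHints;  // values PutHinted into the location, in order
};

static const std::string Conflicting = "<conflicting>";

// Assumed join rule: agreeing predecessors keep their value, otherwise conflict.
static std::string merge(const std::string& a, const std::string& b) {
    return a == b ? a : Conflicting;
}

// Value an OSR exit at the end of each block would recover for the location.
// Assumes blocks are listed in reverse postorder and the CFG has no loops.
std::vector<std::string> availabilityAtTail(const std::vector<Block>& cfg) {
    std::vector<std::string> tail(cfg.size());
    for (size_t i = 0; i < cfg.size(); ++i) {
        std::string value = "<unset>";
        for (size_t k = 0; k < cfg[i].preds.size(); ++k)
            value = k == 0 ? tail[cfg[i].preds[k]] : merge(value, tail[cfg[i].preds[k]]);
        for (const auto& hint : cfg[i].putHints)
            value = hint; // a PutHint overwrites whatever flowed in
        tail[i] = value;
    }
    return tail;
}

// The diamond from the commit message; withJoinHint adds node j in bb#3.
std::vector<Block> diamond(bool withJoinHint) {
    std::vector<Block> cfg = {
        { {}, { "@b" } },      // bb#0: c: PutHint(@A, @b, ActivationLoc)
        { { 0 }, { "@d" } },   // bb#1: e: PutHint(@A, @d, ActivationLoc)
        { { 0 }, { "@g" } },   // bb#2: h: PutHint(@A, @g, ActivationLoc)
        { { 1, 2 }, {} },      // bb#3: p: Phi()
    };
    if (withJoinHint)
        cfg[3].putHints.push_back("@p"); // j: PutHint(@A, @p, ActivationLoc)
    return cfg;
}
```

Without node `j` the model reports the location as conflicting at the end of bb#3, which is the state the added validation is meant to catch; with `j` an exit there recovers `@p`.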
sbarati@apple.com committed Feb 11, 2017
1 parent 81ef511, commit 78e87c7
Showing 6 changed files with 259 additions and 12 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,41 @@ | ||
function e() { } | ||
noInline(e); | ||
|
||
function foo(b, c, d) { | ||
let x; | ||
function bar() { return x; } | ||
if (b) { | ||
let y = function() { return x; } | ||
} else { | ||
let y = function() { return x; } | ||
} | ||
|
||
if (c) { | ||
function baz() { } | ||
if (b) { | ||
let y = function() { return x; } | ||
e(y); | ||
} else { | ||
let y = function() { return x; } | ||
e(y); | ||
} | ||
if (d) | ||
d(); | ||
e(baz); | ||
} | ||
|
||
} | ||
noInline(foo); | ||
|
||
for (let i = 0; i < 100000; i++) { | ||
foo(!!(i % 2), true, false); | ||
} | ||
|
||
let threw = false; | ||
try { | ||
foo(true, true, true); | ||
} catch(e) { | ||
threw = true; | ||
} | ||
if (!threw) | ||
throw new Error("Bad test") |
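Review bot: the closing try/catch accepts any exception, so the test still passes if `foo(true, true, true)` throws for an unrelated reason. The expected throw comes from `d()` being called with `d` set to `true`; consider checking that the caught value is a TypeError before setting `threw`. The `catch(e)` binding also shadows the top-level function `e`, so a different name would read more clearly. A short header comment saying what the nested `if (b)` / `else` closures and the throwing `d()` call are meant to exercise would help whoever has to debug this test later.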