source: webkit/trunk/Source/JavaScriptCore/dfg/DFGInsertionSet.h

Last change on this file was 228565, checked in by [email protected], 7 years ago

Fix bugs from r228411
https://bugs.webkit.org/show_bug.cgi?id=182851
<rdar://problem/37577732>

Reviewed by JF Bastien.

JSTests:

  • stress/constant-folding-phase-insert-check-handle-varargs.js: Added.

Source/JavaScriptCore:

There was a bug from r228411 where inside the constant folding phase,
we used an insertCheck method that didn't handle varargs. This would
lead to a crash. When thinking about the fix for that function, I realized
I made a couple of mistakes in r228411. One is probably a security bug, and
the other is a performance bug because it'll prevent CSE for certain flavors
of GetByVal nodes. Both blunders are similar in nature.

In r228411, I added code in LICM that inserted a CheckVarargs node with children
of another varargs node. However, to construct this new node's children,
I just copied the AdjacencyList. This does a shallow copy. What we needed
was a deep copy. We needed to create a new vararg AdjacencyList that points
to edges that are deep copies of the original varargs children. This patch
fixes this goof in LICM.

r228411 made it so that PureValue over a varargs node would just compare actual
AdjacencyLists structs. So, if you had two GetByVals that had equal sanitized
children, their actual AdjacencyList structs are *not* bitwise equal, since they'll
have different firstChild values. Instead, we need to do a deep compare of their
adjacency lists. This patch teaches PureValue how to do that.

  • dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

  • dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

  • dfg/DFGGraph.h:

(JSC::DFG::Graph::copyVarargChildren):

  • dfg/DFGInsertionSet.h:

(JSC::DFG::InsertionSet::insertCheck):

  • dfg/DFGLICMPhase.cpp:

(JSC::DFG::LICMPhase::attemptHoist):

  • dfg/DFGPureValue.cpp:

(JSC::DFG::PureValue::dump const):

  • dfg/DFGPureValue.h:

(JSC::DFG::PureValue::PureValue):
(JSC::DFG::PureValue::op const):
(JSC::DFG::PureValue::hash const):
(JSC::DFG::PureValue::operator== const):
(JSC::DFG::PureValue::isVarargs const):
(JSC::DFG::PureValue::children const): Deleted.

  • dfg/DFGStrengthReductionPhase.cpp:

(JSC::DFG::StrengthReductionPhase::handleNode):
(JSC::DFG::StrengthReductionPhase::convertToIdentityOverChild):
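
The two varargs mistakes described in the change above (a shallow AdjacencyList copy that aliases the original node's edges, and a struct-level compare that never finds equal varargs children) come down to one fact: a varargs node's children live out of line, and its AdjacencyList is only a window into that storage. The following is an added illustration, not JavaScriptCore's code. Edge, AdjacencyList, Graph, copyVarargChildren, the numeric use kinds and the constructed graphs are stand-ins that keep just enough of the real shape to show the aliasing and the compare.

```cpp
#include <functional>
#include <vector>

struct Node;

// Hypothetical Edge: a child pointer plus a use kind. Here useKind 0 stands for an
// untyped use with no speculation check; any other value means a check gets emitted.
struct Edge {
    Node* node;
    unsigned useKind;
    Edge(Node* n, unsigned kind) : node(n), useKind(kind) { }
    bool willHaveCheck() const { return useKind != 0; }
    bool operator==(const Edge& other) const { return node == other.node && useKind == other.useKind; }
};

// Hypothetical AdjacencyList of a varargs node: the edges live out of line in
// Graph::varArgChildren; the list is a (firstChild, numChildren) window into that storage.
struct AdjacencyList {
    unsigned firstChild = 0;
    unsigned numChildren = 0;
};

struct Node {
    AdjacencyList children;
};

struct Graph {
    std::vector<Edge> varArgChildren;

    void setVarargChildren(Node& node, const std::vector<Edge>& edges)
    {
        node.children.firstChild = static_cast<unsigned>(varArgChildren.size());
        node.children.numChildren = static_cast<unsigned>(edges.size());
        varArgChildren.insert(varArgChildren.end(), edges.begin(), edges.end());
    }

    Edge& varArgChild(Node& node, unsigned i) { return varArgChildren[node.children.firstChild + i]; }

    // Deep copy: open a fresh window and copy only the edges the filter accepts.
    AdjacencyList copyVarargChildren(Node& node, const std::function<bool(Edge)>& filter)
    {
        AdjacencyList result;
        result.firstChild = static_cast<unsigned>(varArgChildren.size());
        for (unsigned i = 0; i < node.children.numChildren; ++i) {
            Edge edge = varArgChild(node, i); // copy out before push_back may reallocate
            if (!filter(edge))
                continue;
            varArgChildren.push_back(edge);
            result.numChildren++;
        }
        return result;
    }

    // Deep compare, as a PureValue over varargs needs: same edges, whatever each firstChild is.
    bool varargChildrenEqual(Node& a, Node& b)
    {
        if (a.children.numChildren != b.children.numChildren)
            return false;
        for (unsigned i = 0; i < a.children.numChildren; ++i) {
            if (!(varArgChild(a, i) == varArgChild(b, i)))
                return false;
        }
        return true;
    }
};

// The LICM goof in miniature: the new check node is given the original's window, so an
// edit to an edge through either node is seen by both. Returns true if they alias.
bool shallowCopyAliasesChildren()
{
    Graph graph;
    Node leaf, original, check;
    graph.setVarargChildren(original, { Edge(&leaf, 1), Edge(&leaf, 2) });
    check.children = original.children; // shallow: same firstChild, same numChildren
    graph.varArgChild(check, 0).useKind = 0; // relax the check node's first edge...
    return graph.varArgChild(original, 0).useKind == 0; // ...and the original's changed too
}

// With copyVarargChildren the check node owns its edges: the original stays untouched
// and only the edges that will have a check were copied.
bool deepCopyIsolatesChildren()
{
    Graph graph;
    Node leaf, original, check;
    graph.setVarargChildren(original, { Edge(&leaf, 1), Edge(&leaf, 0), Edge(&leaf, 2) });
    check.children = graph.copyVarargChildren(original, [](Edge edge) { return edge.willHaveCheck(); });
    graph.varArgChild(check, 0).useKind = 0;
    bool originalUntouched = graph.varArgChild(original, 0).useKind == 1;
    bool onlyCheckedEdges = check.children.numChildren == 2 && graph.varArgChild(check, 1).useKind == 2
        && check.children.firstChild != original.children.firstChild;
    return originalUntouched && onlyCheckedEdges;
}

// Two nodes with identical children sit in different windows: comparing the AdjacencyList
// structs field by field says "different" (so CSE never merges them); the deep compare says "equal".
bool deepCompareFindsTwinsThatStructCompareMisses()
{
    Graph graph;
    Node leaf, a, b;
    graph.setVarargChildren(a, { Edge(&leaf, 1), Edge(&leaf, 2) });
    graph.setVarargChildren(b, { Edge(&leaf, 1), Edge(&leaf, 2) });
    bool structsEqual = a.children.firstChild == b.children.firstChild;
    return !structsEqual && graph.varargChildrenEqual(a, b);
}
```

The filter passed to copyVarargChildren is the same idea as the `edge.willHaveCheck()` lambda that the header below uses for CheckVarargs: the check node only needs the edges that carry a speculation, and it must own them rather than share the hoisted node's window.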

File size: 5.0 KB
/*
 * Copyright (C) 2012-2015 Apple Inc. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
 * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
 * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

#pragma once

#if ENABLE(DFG_JIT)

#include "DFGGraph.h"
#include <wtf/Insertion.h>
#include <wtf/Vector.h>

namespace JSC { namespace DFG {

typedef WTF::Insertion<Node*> Insertion;

// Collects nodes to be inserted into a basic block at given node indices, so that a phase
// can walk a block by index without disturbing its own iteration, then splices them all in
// at once with execute().
class InsertionSet {
public:
    InsertionSet(Graph& graph)
        : m_graph(graph)
    {
    }

    Graph& graph() { return m_graph; }

    // Adds another code insertion. It's expected that you'll usually insert things in order. If
    // you don't, this function will perform a linear search to find the largest insertion point
    // at which insertion order would be preserved. This is essentially equivalent to if you did
    // a stable sort on the insertions.
    Node* insert(const Insertion& insertion)
    {
        if (LIKELY(!m_insertions.size() || m_insertions.last().index() <= insertion.index()))
            m_insertions.append(insertion);
        else
            insertSlow(insertion);
        return insertion.element();
    }

    Node* insert(size_t index, Node* element)
    {
        return insert(Insertion(index, element));
    }

    // Allocates a fresh node in the graph and records it for insertion at index.
    template<typename... Params>
    Node* insertNode(size_t index, SpeculatedType type, Params... params)
    {
        return insert(index, m_graph.addNode(type, params...));
    }

    Node* insertConstant(
        size_t index, NodeOrigin origin, FrozenValue* value,
        NodeType op = JSConstant)
    {
        return insertNode(
            index, speculationFromValue(value->value()), op, origin, OpInfo(value));
    }

    // Picks the constant node flavor that matches the representation the use kind expects.
    Edge insertConstantForUse(
        size_t index, NodeOrigin origin, FrozenValue* value, UseKind useKind)
    {
        NodeType op;
        if (isDouble(useKind))
            op = DoubleConstant;
        else if (useKind == Int52RepUse)
            op = Int52Constant;
        else
            op = JSConstant;
        return Edge(insertConstant(index, origin, value, op), useKind);
    }

    Node* insertConstant(size_t index, NodeOrigin origin, JSValue value, NodeType op = JSConstant)
    {
        return insertConstant(index, origin, m_graph.freeze(value), op);
    }

    Edge insertConstantForUse(size_t index, NodeOrigin origin, JSValue value, UseKind useKind)
    {
        return insertConstantForUse(index, origin, m_graph.freeze(value), useKind);
    }

    // A placeholder value of the right representation for code that has been proven unreachable.
    Edge insertBottomConstantForUse(size_t index, NodeOrigin origin, UseKind useKind)
    {
        if (isDouble(useKind))
            return insertConstantForUse(index, origin, jsNumber(PNaN), useKind);
        if (useKind == Int52RepUse)
            return insertConstantForUse(index, origin, jsNumber(0), useKind);
        return insertConstantForUse(index, origin, jsUndefined(), useKind);
    }

    // Inserts a Check over the subset of these fixed children that carry a speculation check.
    // Returns nullptr if none of them do.
    Node* insertCheck(size_t index, NodeOrigin origin, AdjacencyList children)
    {
        children = children.justChecks();
        if (children.isEmpty())
            return nullptr;
        return insertNode(index, SpecNone, Check, origin, children);
    }

    // Inserts the checks implied by node's children. Varargs nodes keep their children in
    // the graph's shared vararg edge storage rather than inline, so the CheckVarargs node
    // gets its own copy of the edges that will have a check; sharing the original node's
    // AdjacencyList would alias those edges.
    Node* insertCheck(Graph& graph, size_t index, Node* node)
    {
        if (!(node->flags() & NodeHasVarArgs))
            return insertCheck(index, node->origin, node->children);

        AdjacencyList children = graph.copyVarargChildren(node, [] (Edge edge) { return edge.willHaveCheck(); });
        if (!children.numChildren())
            return nullptr;
        return insertNode(index, SpecNone, CheckVarargs, node->origin, children);
    }

    // Inserts a Check over a single edge if its use kind implies a check.
    Node* insertCheck(size_t index, NodeOrigin origin, Edge edge)
    {
        if (edge.willHaveCheck())
            return insertNode(index, SpecNone, Check, origin, edge);
        return nullptr;
    }

    // Splices all recorded insertions into block and clears the set. Returns the number of
    // insertions applied.
    size_t execute(BasicBlock* block);

private:
    void insertSlow(const Insertion&);

    Graph& m_graph;
    Vector<Insertion, 8> m_insertions;
};

} } // namespace JSC::DFG

#endif // ENABLE(DFG_JIT)
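
The comment on insert() above describes the ordering contract: appending is the fast path, an out-of-order insertion is walked back to the last slot whose index is not greater than its own, and the end result is what a stable sort of the insertions would give. The block below is an added, self-contained model of that contract over a block of ints, not JavaScriptCore's InsertionSet or WTF's executeInsertions; the Insertion struct, the single-pass execute() and the constructed block in demo() are stand-ins.

```cpp
#include <cstddef>
#include <vector>

// Hypothetical insertion record: element goes in front of whatever is at block[index]
// (index == block.size() appends).
struct Insertion {
    size_t index;
    int element;
};

class InsertionSet {
public:
    // Fast path when indices arrive in nondecreasing order; otherwise fall back to a
    // linear search so that insertions with equal indices keep their arrival order.
    void insert(size_t index, int element)
    {
        Insertion insertion { index, element };
        if (m_insertions.empty() || m_insertions.back().index <= index)
            m_insertions.push_back(insertion);
        else
            insertSlow(insertion);
    }

    // Splice every recorded insertion into block in one pass and clear the set.
    // Returns the number of insertions applied. Indices past block.size() are a caller bug
    // and are silently dropped here; a real implementation would assert.
    size_t execute(std::vector<int>& block)
    {
        size_t count = m_insertions.size();
        if (!count)
            return 0;
        std::vector<int> result;
        result.reserve(block.size() + count);
        size_t next = 0;
        for (size_t i = 0; i <= block.size(); ++i) {
            while (next < count && m_insertions[next].index == i)
                result.push_back(m_insertions[next++].element);
            if (i < block.size())
                result.push_back(block[i]);
        }
        block.swap(result);
        m_insertions.clear();
        return count;
    }

private:
    // Walk back past every insertion with a strictly larger index, then insert there.
    void insertSlow(const Insertion& insertion)
    {
        size_t position = m_insertions.size();
        while (position > 0 && m_insertions[position - 1].index > insertion.index)
            --position;
        m_insertions.insert(m_insertions.begin() + static_cast<std::ptrdiff_t>(position), insertion);
    }

    std::vector<Insertion> m_insertions;
};

// Constructed scenario: in-order, equal-index, end-of-block and out-of-order insertions.
std::vector<int> demo()
{
    std::vector<int> block { 10, 20, 30 };
    InsertionSet set;
    set.insert(1, 100);
    set.insert(3, 300); // index == block.size(): lands after the last element
    set.insert(1, 101); // equal index, later arrival: stays after 100 (stable)
    set.insert(0, 0);   // out of order: slow path moves it to the front
    set.execute(block);
    return block; // {0, 10, 100, 101, 20, 30, 300}
}
```

The stability matters for the same reason the header's insertCheck helpers exist: a phase that emits a Check and then the node it guards at the same index relies on the two coming out in that order.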