Timestamp:
Oct 11, 2013, 6:35:49 PM (12 years ago)
Author:
[email protected]
Message:

sunspider-1.0/math-spectral-norm.js.dfg-eager occasionally fails with Trap 5 (i.e. int $3)
https://bugs.webkit.org/show_bug.cgi?id=122462

Reviewed by Mark Hahnenberg.

This fixes two bugs, both of which led to GetByVal on Int32 trapping because the
array no longer had Int32 shape but the check wasn't executed:

1) We weren't snapshotting the structures of mustHandleValues. This led to an awesome
   race where if a mustHandleValue JSValue's structure changed on the main thread
   between runs of the AI, the AI would contradict each other and things would just
   get corrupted in funny ways.

2) The constant folder has a long standing bug! It will fold a node to a constant if
   the AI proved it to be a constant. But it's possible that the original node also
   proved things about the constant's structure. In that case "folding" to a
   JSConstant actually loses information since JSConstant doesn't guarantee anything
   about a constant's structure. There are various things we could do here to ensure
   that a folded constant's structure doesn't change, and that if it does, we
   deoptimize the code. But for now we can just make this sound by disabling folding
   in this pathological case.

  • dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

  • dfg/DFGGraph.cpp:

(JSC::DFG::Graph::Graph):

  • dfg/DFGGraph.h:
  • dfg/DFGInPlaceAbstractState.cpp:

(JSC::DFG::InPlaceAbstractState::initialize):

File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp

    r156047 r157327  
    160160        if (block->bytecodeBegin != m_graph.m_plan.osrEntryBytecodeIndex)
    161161            continue;
    162         for (size_t i = 0; i < m_graph.m_plan.mustHandleValues.size(); ++i) {
    163             AbstractValue value;
    164             value.setMostSpecific(m_graph, m_graph.m_plan.mustHandleValues[i]);
    165             int operand = m_graph.m_plan.mustHandleValues.operandForIndex(i);
     162        for (size_t i = 0; i < m_graph.m_mustHandleAbstractValues.size(); ++i) {
     163            AbstractValue value = m_graph.m_mustHandleAbstractValues[i];
     164            int operand = m_graph.m_mustHandleAbstractValues.operandForIndex(i);
    166165            block->valuesAtHead.operand(operand).merge(value);
    167166#if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
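Review bot: The replacement loop (new lines 162-164) carries no comment explaining why it reads `m_graph.m_mustHandleAbstractValues` instead of calling `setMostSpecific()` on `m_graph.m_plan.mustHandleValues`, so a later cleanup could restore the live read and bring the race back. Please add a short comment here saying the abstract values are a snapshot taken once so that every run of the AI sees the same structures. The loop also trusts that the snapshot has already been filled in: if `m_mustHandleAbstractValues` is empty when `initialize()` runs, nothing is merged into `valuesAtHead` and no error is raised. An assertion before the loop that its size equals `m_graph.m_plan.mustHandleValues.size()` would catch that ordering mistake in debug builds.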