Ignore:
Timestamp:
Aug 18, 2014, 5:55:31 PM (11 years ago)
Author:
[email protected]
Message:

REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
https://bugs.webkit.org/show_bug.cgi?id=135750

Reviewed by Mark Lam.

This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
could sometimes perform an optimization that requires a structure to be alive but forget to
ensure that the structure is actually kept alive. In particular, any watchpoint-based
optimizations involve setting watchpoints even if the code that got optimized is eventually
deleted because it is unreachable. All such optimizations would leave behind something in
the IR to tell us that we are interested in the structure and that therefore it should be
kept alive. But, IR can be deleted if it is unreachable.

The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
to the set of weak references.

  • JavaScriptCore.xcodeproj/project.pbxproj:
  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::setOSREntryValue):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::normalizeClarity):
(JSC::DFG::AbstractValue::assertIsRegistered):
(JSC::DFG::AbstractValue::assertIsWatched): Deleted.

  • dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::assertIsRegistered):
(JSC::DFG::AbstractValue::assertIsWatched): Deleted.

  • dfg/DFGCommon.h:
  • dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):

  • dfg/DFGDesiredWeakReferences.cpp:

(JSC::DFG::DesiredWeakReferences::addLazily):
(JSC::DFG::DesiredWeakReferences::contains):
(JSC::DFG::DesiredWeakReferences::reallyAdd):
(JSC::DFG::DesiredWeakReferences::visitChildren):

  • dfg/DFGDesiredWeakReferences.h:
  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):

  • dfg/DFGGraph.cpp:

(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::convertToConstant):
(JSC::DFG::Graph::registerStructure):
(JSC::DFG::Graph::assertIsRegistered):
(JSC::DFG::Graph::assertIsWatched): Deleted.

  • dfg/DFGGraph.h:
  • dfg/DFGPlan.cpp:

(JSC::DFG::Plan::compileInThreadImpl):

  • dfg/DFGStructureAbstractValue.cpp:

(JSC::DFG::StructureAbstractValue::assertIsRegistered):
(JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.

  • dfg/DFGStructureAbstractValue.h:

(JSC::DFG::StructureAbstractValue::assertIsRegistered):
(JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.

  • dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.

(JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
(JSC::DFG::StructureRegistrationPhase::run):
(JSC::DFG::StructureRegistrationPhase::registerStructures):
(JSC::DFG::StructureRegistrationPhase::registerStructure):
(JSC::DFG::performStructureRegistration):
(JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
(JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
(JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
(JSC::DFG::performWatchableStructureWatching): Deleted.

  • dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
  • dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
  • dfg/DFGWatchableStructureWatchingPhase.h: Removed.
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp

    r171660 r172737  
    5252    if (!!value && value.value().isCell()) {
    5353        Structure* structure = value.structure();
    54         graph.watchpoints().consider(structure);
     54        graph.registerStructure(structure);
    5555        m_structure = structure;
    5656        m_arrayModes = asArrayModes(structure->indexingType());
     
    6464       
    6565    checkConsistency();
    66     assertIsWatched(graph);
     66    assertIsRegistered(graph);
    6767}
    6868
     
    7171    if (!!value && value.value().isCell()) {
    7272        Structure* structure = value.structure();
    73         if (graph.watchpoints().consider(structure)) {
    74             // We should be able to assume that the watchpoint for this has already been set.
    75             // But we can't because our view of what structure a value has keeps changing. That's
    76             // why we call consider().
    77             // https://bugs.webkit.org/show_bug.cgi?id=133426
     73        // FIXME: This check may not be necessary since any frozen value should have its structure
     74        // watched already.
     75        // https://bugs.webkit.org/show_bug.cgi?id=136055
     76        if (graph.registerStructure(structure) == StructureRegisteredAndWatched) {
    7877            m_structure = structure;
    7978            if (clobberState == StructuresAreClobbered) {
     
    9594   
    9695    checkConsistency();
    97     assertIsWatched(graph);
     96    assertIsRegistered(graph);
    9897}
    9998
     
    106105   
    107106    checkConsistency();
    108     assertIsWatched(graph);
     107    assertIsRegistered(graph);
    109108}
    110109
     
    117116   
    118117    checkConsistency();
    119     assertIsWatched(graph);
     118    assertIsRegistered(graph);
    120119}
    121120
     
    365364{
    366365    FiltrationResult result = normalizeClarity();
    367     assertIsWatched(graph);
     366    assertIsRegistered(graph);
    368367    return result;
    369368}
     
    395394}
    396395
    397 void AbstractValue::assertIsWatched(Graph& graph) const
    398 {
    399     m_structure.assertIsWatched(graph);
     396void AbstractValue::assertIsRegistered(Graph& graph) const
     397{
     398    m_structure.assertIsRegistered(graph);
    400399}
    401400#endif
Note: See TracChangeset for help on using the changeset viewer.