Ignore:
Timestamp:
Aug 18, 2014, 5:55:31 PM (11 years ago)
Author:
[email protected]
Message:

REGRESSION(r172129): ftlopt branch merge made performance tests flakey crash
https://bugs.webkit.org/show_bug.cgi?id=135750

Reviewed by Mark Lam.

This was caused by a rather embarrassing oversight in how the DFG tracks structures: we
could sometimes perform an optimization that requires a structure to be alive but forget to
ensure that the structure is actually kept alive. In particular, any watchpoint-based
optimizations involve setting watchpoints even if the code that got optimized is eventually
deleted because it is unreachable. All such optimizations would leave behind something in
the IR to tell us that we are interested in the structure and that therefore it should be
kept alive. But, IR can be deleted if it is unreachable.

The solution is to ensure that as soon as the DFG is made aware of a structure, it adds it
to the set of weak references.

  • JavaScriptCore.xcodeproj/project.pbxproj:
  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::setOSREntryValue):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::normalizeClarity):
(JSC::DFG::AbstractValue::assertIsRegistered):
(JSC::DFG::AbstractValue::assertIsWatched): Deleted.

  • dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::assertIsRegistered):
(JSC::DFG::AbstractValue::assertIsWatched): Deleted.

  • dfg/DFGCommon.h:
  • dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::addStructureTransitionCheck):

  • dfg/DFGDesiredWeakReferences.cpp:

(JSC::DFG::DesiredWeakReferences::addLazily):
(JSC::DFG::DesiredWeakReferences::contains):
(JSC::DFG::DesiredWeakReferences::reallyAdd):
(JSC::DFG::DesiredWeakReferences::visitChildren):

  • dfg/DFGDesiredWeakReferences.h:
  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::canOptimizeStringObjectAccess):

  • dfg/DFGGraph.cpp:

(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::convertToConstant):
(JSC::DFG::Graph::registerStructure):
(JSC::DFG::Graph::assertIsRegistered):
(JSC::DFG::Graph::assertIsWatched): Deleted.

  • dfg/DFGGraph.h:
  • dfg/DFGPlan.cpp:

(JSC::DFG::Plan::compileInThreadImpl):

  • dfg/DFGStructureAbstractValue.cpp:

(JSC::DFG::StructureAbstractValue::assertIsRegistered):
(JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.

  • dfg/DFGStructureAbstractValue.h:

(JSC::DFG::StructureAbstractValue::assertIsRegistered):
(JSC::DFG::StructureAbstractValue::assertIsWatched): Deleted.

  • dfg/DFGStructureRegistrationPhase.cpp: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.cpp.

(JSC::DFG::StructureRegistrationPhase::StructureRegistrationPhase):
(JSC::DFG::StructureRegistrationPhase::run):
(JSC::DFG::StructureRegistrationPhase::registerStructures):
(JSC::DFG::StructureRegistrationPhase::registerStructure):
(JSC::DFG::performStructureRegistration):
(JSC::DFG::WatchableStructureWatchingPhase::WatchableStructureWatchingPhase): Deleted.
(JSC::DFG::WatchableStructureWatchingPhase::run): Deleted.
(JSC::DFG::WatchableStructureWatchingPhase::tryWatch): Deleted.
(JSC::DFG::performWatchableStructureWatching): Deleted.

  • dfg/DFGStructureRegistrationPhase.h: Copied from Source/JavaScriptCore/dfg/DFGWatchableStructureWatchingPhase.h.
  • dfg/DFGWatchableStructureWatchingPhase.cpp: Removed.
  • dfg/DFGWatchableStructureWatchingPhase.h: Removed.
File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

    r172176 r172737  
    6666    , m_machineCaptureStart(std::numeric_limits<int>::max())
    6767    , m_fixpointState(BeforeFixpoint)
    68     , m_structureWatchpointState(HaveNotStartedWatching)
     68    , m_structureRegistrationState(HaveNotStartedRegistering)
    6969    , m_form(LoadStore)
    7070    , m_unificationState(LocallyUnified)
     
    944944    m_codeBlock->constants().resize(0);
    945945    for (FrozenValue* value : m_frozenValues) {
    946         if (value->structure() && value->structure()->dfgShouldWatch())
    947             m_plan.weakReferences.addLazily(value->structure());
     946        if (value->structure())
     947            ASSERT(m_plan.weakReferences.contains(value->structure()));
    948948       
    949949        switch (value->strength()) {
     
    10721072{
    10731073    if (value->structure())
    1074         assertIsWatched(value->structure());
     1074        assertIsRegistered(value->structure());
    10751075    if (m_form == ThreadedCPS) {
    10761076        if (node->op() == GetLocal)
     
    10921092}
    10931093
    1094 void Graph::assertIsWatched(Structure* structure)
    1095 {
    1096     if (m_structureWatchpointState == HaveNotStartedWatching)
     1094StructureRegistrationResult Graph::registerStructure(Structure* structure)
     1095{
     1096    m_plan.weakReferences.addLazily(structure);
     1097    if (m_plan.watchpoints.consider(structure))
     1098        return StructureRegisteredAndWatched;
     1099    return StructureRegisteredNormally;
     1100}
     1101
     1102void Graph::assertIsRegistered(Structure* structure)
     1103{
     1104    if (m_structureRegistrationState == HaveNotStartedRegistering)
    10971105        return;
     1106   
     1107    DFG_ASSERT(*this, nullptr, m_plan.weakReferences.contains(structure));
    10981108   
    10991109    if (!structure->dfgShouldWatch())
Note: See TracChangeset for help on using the changeset viewer.