Timestamp:
May 15, 2015, 12:30:14 PM (10 years ago)
Author:
[email protected]
Message:

DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic
https://bugs.webkit.org/show_bug.cgi?id=145062

Reviewed by Filip Pizlo.

We assert in various places (including NodeOrigin::isSet()) that a
NodeOrigin's semantic and forExit must be either both set, or both
unset. However, LICM'ing a node with unset NodeOrigin would only set
forExit, and leave semantic unset. This can for instance happen when a
Phi node is constant-folded into a JSConstant, which in turn gets
LICM'd.

This patch changes DFGLICMPhase to set the NodeOrigin's semantic in
addition to its forExit if semantic was previously unset.

It also adds two validators to DFGValidate.cpp:

  • In both SSA and CPS form, a NodeOrigin semantic and forExit must be either both set or both unset
  • In CPS form, all nodes must have a set NodeOrigin forExit (this is the CPS counterpart to the SSA validator that checks that all nodes must have a set NodeOrigin except possibly for a continuous chunk of nodes at the top of a block)

  • dfg/DFGLICMPhase.cpp:

(JSC::DFG::LICMPhase::attemptHoist):

  • dfg/DFGValidate.cpp:

(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::validateCPS):

File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp

    r183719 r184405  
    283283        NodeOrigin originalOrigin = node->origin;
    284284        node->origin.forExit = data.preHeader->terminal()->origin.forExit;
     285        if (!node->origin.semantic.isSet())
     286            node->origin.semantic = node->origin.forExit;
    285287       
    286288        // Modify the states at the end of the preHeader of the loop we hoisted to,
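Review bot: the fallback at new lines 285-286 restores the "both set or both unset" invariant only if the pre-header terminal's forExit is itself set, and nothing in this hunk checks that. Line 284 overwrites node->origin.forExit unconditionally, so a node that arrives with a set semantic would leave with forExit unset and semantic set if the terminal's forExit were unset, which is the mirror image of the state this change is meant to rule out. Consider asserting that data.preHeader->terminal()->origin.forExit is set before the assignment, so a violation is caught at the hoist site rather than later in validation. A one-line comment above the new `if` saying why forExit is an acceptable stand-in for a missing semantic origin (for example the constant-folded Phi case) would also help the next reader.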