Changeset 222060 in webkit for trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

Timestamp:

Sep 14, 2017, 4:39:27 PM (8 years ago)

Author:

[email protected]

Message:

It should be valid to exit before each set when doing arity fixup when inlining
​https://bugs.webkit.org/show_bug.cgi?id=176948

Reviewed by Keith Miller.

JSTests:

• stress/arity-fixup-inlining-dont-generate-invalid-use.js: Added.

(baz):
(bar):
(foo):

Source/JavaScriptCore:

This patch makes it so that we can exit before each SetLocal when doing arity
fixup during inlining. This is OK because if we exit at any of these SetLocals,
we will simply exit to the beginning of the call instruction.

Not doing this led to a bug where FixupPhase would insert a ValueRep of
a node before the actual node. This is obviously invalid IR. I've added
a new validation rule to catch this malformed IR.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::inliningCost):
(JSC::DFG::ByteCodeParser::inlineCall):

• dfg/DFGValidate.cpp:
• runtime/Options.h:

File:

• trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1457 +1457 @@
     }
 
-
     if (!Options::useArityFixupInlining()) {
         if (codeBlock->numParameters() > argumentCountIncludingThis) {
@@ -1583 +1582 @@
         Node* undefined = addToGraph(JSConstant, OpInfo(m_constantUndefined));
         auto fill = [&] (VirtualRegister reg, Node* value) {
-            Node* result = set(reg, value, ImmediateNakedSet);
-            result->variableAccessData()->mergeShouldNeverUnbox(true); // We cannot exit after starting arity fixup.
+            // It's valid to exit here since we'll exit to the top of the
+            // call and re-setup the arguments.
+            m_exitOK = true;
+            addToGraph(ExitOK);
+
+            set(reg, value, ImmediateNakedSet);
         };