Context Navigation

← Previous Change
Next Change →

DFGCriticalEdgeBreakingPhase.cpp

Timestamp:

Jun 14, 2018, 2:48:02 PM (7 years ago)

Author:

[email protected]

Message:

REGRESSION(232741): Crash running ARES-6
https://bugs.webkit.org/show_bug.cgi?id=186630

Reviewed by Saam Barati.

The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
treated edges between identical predecessor->successor pairs independently.
This fixes the issue by handling such edges once, using the added intermediate
pad for all instances of the edges between the same pairs.

dfg/DFGCriticalEdgeBreakingPhase.cpp:

(JSC::DFG::CriticalEdgeBreakingPhase::run):
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.

File:

: 1 edited

trunk/Source/JavaScriptCore/dfg/DFGCriticalEdgeBreakingPhase.cpp (modified) (2 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/dfg/DFGCriticalEdgeBreakingPhase.cpp

-              r204466
+              r232856
             if (block->numSuccessors() <= 1)
                 continue;
+            // Break critical edges by inserting a "Jump" pad block in place of each
+            // unique A->B critical edge.
+            HashMap<BasicBlock*, BasicBlock*> successorPads;
             for (unsigned i = block->numSuccessors(); i--;) {
                 BasicBlock** successor = &block->successor(i);
                 if ((*successor)->predecessors.size() <= 1)
                     continue;
+                breakCriticalEdge(block, successor);
+                BasicBlock* pad = nullptr;
+                auto iter = successorPads.find(*successor);
+                if (iter == successorPads.end()) {
+                    pad = m_insertionSet.insertBefore(*successor, (*successor)->executionCount);
+                    pad->appendNode(
+                        m_graph, SpecNone, Jump, (*successor)->at(0)->origin, OpInfo(*successor));
+                    pad->predecessors.append(block);
+                    (*successor)->replacePredecessor(block, pad);
+                    successorPads.set(*successor, pad);
+                } else
+                    pad = iter->value;
+                *successor = pad;
+            }
+        }
 …
 private:
-    void breakCriticalEdge(BasicBlock* predecessor, BasicBlock** successor)
+    {
-        BasicBlock* pad = m_insertionSet.insertBefore(*successor, (*successor)->executionCount);
-        pad->appendNode(
-            m_graph, SpecNone, Jump, (*successor)->at(0)->origin, OpInfo(*successor));
-        pad->predecessors.append(predecessor);
-        (*successor)->replacePredecessor(predecessor, pad);
-        *successor = pad;
+    }
     BlockInsertionSet m_insertionSet;
 };

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 232856 in webkit for trunk/Source/JavaScriptCore/dfg/DFGCriticalEdgeBreakingPhase.cpp

Legend:

trunk/Source/JavaScriptCore/dfg/DFGCriticalEdgeBreakingPhase.cpp

Download in other formats: