Title: [179882] trunk/Source/_javascript_Core
Revision: 179882
Author: msab...@apple.com
Date: 2015-02-10 13:59:54 -0800 (Tue, 10 Feb 2015)

Log Message

Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
https://bugs.webkit.org/show_bug.cgi?id=139398

Reviewed by Filip Pizlo.

Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
lowering can still be handled by the FTL.

Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
node.  With the check right before lowering, we see this node.

* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
to verify that after all the transformations we still have valid IR for the FTL.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (179881 => 179882)


--- trunk/Source/_javascript_Core/ChangeLog	2015-02-10 21:56:29 UTC (rev 179881)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-02-10 21:59:54 UTC (rev 179882)
@@ -1,3 +1,25 @@
+2015-02-10  Michael Saboff  <msab...@apple.com>
+
+        Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
+        https://bugs.webkit.org/show_bug.cgi?id=139398
+
+        Reviewed by Filip Pizlo.
+
+        Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
+        was determined to be reachable.  When we go to lower to LLVM, the edges for the CompareStrictEq
+        node are UntypedUse which we can't compile.  Fixed this by checking that the IR before
+        lowering can still be handled by the FTL.
+
+        Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
+        a SetArgument to a GetArgument.  Before this change FTL::canCompile() would never see a GetArgument
+        node.  With the check right before lowering, we see this node.
+
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
+        to verify that after all the transformations we still have valid IR for the FTL.
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
+
 2015-02-10  Filip Pizlo  <fpi...@apple.com>
 
         Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
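Review bot: The ChangeLog entry describes a crash fix but lists no regression test, and the only files touched in this revision are ChangeLog, dfg/DFGPlan.cpp and ftl/FTLCapabilities.cpp. A test that reproduces the case from bug 139398 (a CompareStrictEq node that CFA first marks unreachable and later reachable) would keep the new late canCompile() check from being silently dropped in a future refactor; if such a test exists elsewhere or is deliberately deferred, the entry should say so.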

Modified: trunk/Source/_javascript_Core/dfg/DFGPlan.cpp (179881 => 179882)


--- trunk/Source/_javascript_Core/dfg/DFGPlan.cpp	2015-02-10 21:56:29 UTC (rev 179881)
+++ trunk/Source/_javascript_Core/dfg/DFGPlan.cpp	2015-02-10 21:59:54 UTC (rev 179882)
@@ -364,6 +364,11 @@
         performOSRAvailabilityAnalysis(dfg);
         performWatchpointCollection(dfg);
         
+        if (FTL::canCompile(dfg) == FTL::CannotCompile) {
+            finalizer = std::make_unique<FailedFinalizer>(*this);
+            return FailPath;
+        }
+
         dumpAndVerifyGraph(dfg, "Graph just before FTL lowering:");
         
         bool haveLLVM;
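Review bot: The new `if (FTL::canCompile(dfg) == FTL::CannotCompile)` check returns FailPath before `dumpAndVerifyGraph(dfg, "Graph just before FTL lowering:")` runs, so when this late check fires, the graph that failed it is never dumped, which makes the underlying cause (such as the UntypedUse edges described in the log message) harder to diagnose. Consider moving the dump ahead of the check, or recording which node made canCompile() return CannotCompile on this path. A short comment explaining why canCompile() is consulted a second time here (the preceding phases can change the answer) would also help a future reader.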
@@ -379,7 +384,7 @@
             finalizer = std::make_unique<FailedFinalizer>(*this);
             return FailPath;
         }
-            
+
         FTL::State state(dfg);
         FTL::lowerDFGToLLVM(state);
         

Modified: trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp (179881 => 179882)


--- trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp	2015-02-10 21:56:29 UTC (rev 179881)
+++ trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp	2015-02-10 21:59:54 UTC (rev 179882)
@@ -51,6 +51,7 @@
     case KillLocal:
     case MovHint:
     case ZombieHint:
+    case GetArgument:
     case Phantom:
     case HardPhantom:
     case Flush:
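Review bot: `case GetArgument:` is added to the group containing KillLocal, MovHint, ZombieHint and Phantom with nothing in the hunk explaining why it is now accepted. Since, per the log message, the node only reaches this check because SSA conversion turns SetArgument into GetArgument and the check now runs after that phase, a one-line comment to that effect would keep the addition from looking accidental; the change also assumes the lowering already handles GetArgument, which this diff does not show.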
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
