Skip to site navigation (Press enter)

[webkit-changes] [219997] trunk

utatane . tea Fri, 28 Jul 2017 00:26:34 -0700

Title: [219997] trunk

Revision: 219997
Author: utatane....@gmail.com
Date: 2017-07-28 00:25:57 -0700 (Fri, 28 Jul 2017)

Log Message

ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
https://bugs.webkit.org/show_bug.cgi?id=174900


Reviewed by Saam Barati.

JSTests:

* stress/arguments-elimination-candidate-listings-should-respect-pseudo-terminals.js: Added.
(sideEffect):
(args):
(test):

Source/_javascript_Core:

In the arguments elimination phase, due to high cost of AI, we intentionally do not run AI.
Instead, we use ForceOSRExit etc. (pseudo terminals) not to look into unreachable nodes.
The problem is that even transforming phase also checks this pseudo terminals.

    BB1
    1: ForceOSRExit
    2: CreateDirectArguments

    BB2
    3: GetButterfly(@2)
    4: ForceOSRExit

In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.

In this patch, we do not list candidates up after seeing pseudo terminals in basic blocks.

* dfg/DFGArgumentsEliminationPhase.cpp:

Modified Paths

trunk/JSTests/ChangeLog
trunk/Source/_javascript_Core/ChangeLog
trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp

Added Paths

trunk/JSTests/stress/arguments-elimination-candidate-listings-should-respect-pseudo-terminals.js

Diff

Modified: trunk/JSTests/ChangeLog (219996 => 219997)


--- trunk/JSTests/ChangeLog	2017-07-28 07:25:39 UTC (rev 219996)
+++ trunk/JSTests/ChangeLog	2017-07-28 07:25:57 UTC (rev 219997)
@@ -1,3 +1,15 @@
+2017-07-28  Yusuke Suzuki  <utatane....@gmail.com>
+
+        ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
+        https://bugs.webkit.org/show_bug.cgi?id=174900
+
+        Reviewed by Saam Barati.
+
+        * stress/arguments-elimination-candidate-listings-should-respect-pseudo-terminals.js: Added.
+        (sideEffect):
+        (args):
+        (test):
+
 2017-07-27  Yusuke Suzuki  <utatane....@gmail.com>
 
         Hoist DOM binding attribute getter prologue into _javascript_Core taking advantage of DOMJIT / CheckSubClass

Added: trunk/JSTests/stress/arguments-elimination-candidate-listings-should-respect-pseudo-terminals.js (0 => 219997)


--- trunk/JSTests/stress/arguments-elimination-candidate-listings-should-respect-pseudo-terminals.js	                        (rev 0)
+++ trunk/JSTests/stress/arguments-elimination-candidate-listings-should-respect-pseudo-terminals.js	2017-07-28 07:25:57 UTC (rev 219997)
@@ -0,0 +1,28 @@
+var index = 0;
+function sideEffect()
+{
+    return index++ === 0;
+}
+noInline(sideEffect);
+
+function args(flag)
+{
+    var a = arguments;
+    if (flag) {
+        return a[4] + a[5];
+    }
+    return a.length;
+}
+
+function test(flag)
+{
+    args(flag, 0, 1, 2);
+    if (sideEffect()) {
+        OSRExit();
+        args(sideEffect(), 0, 1, 2);
+    }
+}
+noInline(test);
+
+for (var i = 0; i < 1e3; ++i)
+    test(false);

Modified: trunk/Source/_javascript_Core/ChangeLog (219996 => 219997)


--- trunk/Source/_javascript_Core/ChangeLog	2017-07-28 07:25:39 UTC (rev 219996)
+++ trunk/Source/_javascript_Core/ChangeLog	2017-07-28 07:25:57 UTC (rev 219997)
@@ -1,3 +1,28 @@
+2017-07-28  Yusuke Suzuki  <utatane....@gmail.com>
+
+        ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
+        https://bugs.webkit.org/show_bug.cgi?id=174900
+
+        Reviewed by Saam Barati.
+
+        In the arguments elimination phase, due to high cost of AI, we intentionally do not run AI.
+        Instead, we use ForceOSRExit etc. (pseudo terminals) not to look into unreachable nodes.
+        The problem is that even transforming phase also checks this pseudo terminals.
+
+            BB1
+            1: ForceOSRExit
+            2: CreateDirectArguments
+
+            BB2
+            3: GetButterfly(@2)
+            4: ForceOSRExit
+
+        In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
+
+        In this patch, we do not list candidates up after seeing pseudo terminals in basic blocks.
+
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+
 2017-07-27  Oleksandr Skachkov  <gskach...@gmail.com>
 
         [ES] Add support finally to Promise

Modified: trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp (219996 => 219997)


--- trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp	2017-07-28 07:25:39 UTC (rev 219996)
+++ trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp	2017-07-28 07:25:57 UTC (rev 219997)
@@ -152,6 +152,8 @@
                 default:
                     break;
                 }
+                if (node->isPseudoTerminal())
+                    break;
             }
         }

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes