Title: [200761] branches/safari-601.1.46-branch/Source/_javascript_Core
- Revision
- 200761
- Author
- matthew_han...@apple.com
- Date
- 2016-05-12 02:12:31 -0700 (Thu, 12 May 2016)
Log Message
Merge r199277. rdar://problem/26228815
Modified Paths
Added Paths
Diff
Modified: branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog (200760 => 200761)
--- branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog 2016-05-12 09:12:28 UTC (rev 200760)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/ChangeLog 2016-05-12 09:12:31 UTC (rev 200761)
@@ -1,5 +1,54 @@
2016-05-12 Matthew Hanson <matthew_han...@apple.com>
+ Merge r199277. rdar://problem/26228815
+
+ 2016-04-09 Saam barati <sbar...@apple.com>
+
+ Allocation sinking SSA Defs are allowed to have replacements
+ https://bugs.webkit.org/show_bug.cgi?id=156444
+
+ Reviewed by Filip Pizlo.
+
+ Consider the following program and the annotations that explain why
+ the SSA defs we create in allocation sinking can have replacements.
+
+ function foo(a1) {
+ let o1 = {x: 20, y: 50};
+ let o2 = {y: 40, o1: o1};
+ let o3 = {};
+
+ // We're Defing a new variable here, call it o3_field.
+ // o3_field is defing the value that is the result of
+ // a GetByOffset that gets eliminated through allocation sinking.
+ o3.field = o1.y;
+
+ dontCSE();
+
+ // This control flow is here to not allow the phase to consult
+ // its local SSA mapping (which properly handles replacements)
+ // for the value of o3_field.
+ if (a1) {
+ a1 = true;
+ } else {
+ a1 = false;
+ }
+
+ // Here, we ask for the reaching def of o3_field, and assert
+ // it doesn't have a replacement. It does have a replacement
+ // though. The original Def was the GetByOffset. We replaced
+ // that GetByOffset with the value of the o1_y variable.
+ let value = o3.field;
+ assert(value === 50);
+ }
+
+ * dfg/DFGObjectAllocationSinkingPhase.cpp:
+ * tests/stress/allocation-sinking-defs-may-have-replacements.js: Added.
+ (dontCSE):
+ (assert):
+ (foo):
+
+2016-05-12 Matthew Hanson <matthew_han...@apple.com>
+
Merge r196524. rdar://problem/26228854
2016-02-12 Filip Pizlo <fpi...@apple.com>
Modified: branches/safari-601.1.46-branch/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp (200760 => 200761)
--- branches/safari-601.1.46-branch/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp 2016-05-12 09:12:28 UTC (rev 200760)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/dfg/DFGObjectAllocationSinkingPhase.cpp 2016-05-12 09:12:31 UTC (rev 200761)
@@ -828,7 +828,10 @@
ASSERT(def);
ASSERT(def->value());
m_localMapping.add(location, def->value());
- return def->value();
+ Node* result = def->value();
+ if (result->replacement())
+ result = result->replacement();
+ return result;
}
template<typename SinkCandidateFunctor, typename EscapeFunctor>
Added: branches/safari-601.1.46-branch/Source/_javascript_Core/tests/stress/allocation-sinking-defs-may-have-replacements.js (0 => 200761)
--- branches/safari-601.1.46-branch/Source/_javascript_Core/tests/stress/allocation-sinking-defs-may-have-replacements.js (rev 0)
+++ branches/safari-601.1.46-branch/Source/_javascript_Core/tests/stress/allocation-sinking-defs-may-have-replacements.js 2016-05-12 09:12:31 UTC (rev 200761)
@@ -0,0 +1,31 @@
+function dontCSE() { }
+noInline(dontCSE);
+
+function assert(b) {
+ if (!b)
+ throw new Error("Bad assertion");
+}
+noInline(assert);
+
+function foo(a1) {
+ let o1 = {x: 20, y: 50};
+ let o2 = {y: 40, o1: o1};
+ let o3 = {};
+
+ o3.field = o1.y;
+
+ dontCSE();
+
+ if (a1) {
+ a1 = true;
+ } else {
+ a1 = false;
+ }
+
+ let value = o3.field;
+ assert(value === 50);
+}
+noInline(foo);
+
+for (let i = 0; i < 100000; i++)
+ foo(i);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
