Title: [207623] trunk
Revision: 207623
Author: keith_mil...@apple.com
Date: 2016-10-20 10:40:19 -0700 (Thu, 20 Oct 2016)
Log Message
Invalid assertion in arguments elimination
https://bugs.webkit.org/show_bug.cgi?id=163740
<rdar://problem/27911462>
Reviewed by Michael Saboff.
JSTests:
* stress/direct-arguments-osr-entry.js: Added.
(foo.):
(foo):
Source/JavaScriptCore:
The DFGFTL's arguments elimination phase incorrectly asserted that a GetFromArguments' first
child would always be a CreateDirectArguments. While we only create the
op_get_from_arguments bytecode pointing to a create_direct_arguments, it's possible for a
number of reasons that a DFG GetFromArguments may not point to a CreateDirectArguments. For
example, if we are OSR entering in some function with direct arguments the
CreateDirectArguments node might become ExtractOSREntryLocals.
* dfg/DFGArgumentsEliminationPhase.cpp:
Diff
Modified: trunk/JSTests/ChangeLog (207622 => 207623)
--- trunk/JSTests/ChangeLog 2016-10-20 17:25:01 UTC (rev 207622)
+++ trunk/JSTests/ChangeLog 2016-10-20 17:40:19 UTC (rev 207623)
@@ -1,3 +1,15 @@
+2016-10-20 Keith Miller <keith_mil...@apple.com>
+
+ Invalid assertion in arguments elimination
+ https://bugs.webkit.org/show_bug.cgi?id=163740
+ <rdar://problem/27911462>
+
+ Reviewed by Michael Saboff.
+
+ * stress/direct-arguments-osr-entry.js: Added.
+ (foo.):
+ (foo):
+
2016-10-20 Caitlin Potter <ca...@igalia.com>
[JSC] throw TypeError when constructing dynamically created JSGeneratorFunction
Added: trunk/JSTests/stress/direct-arguments-osr-entry.js (0 => 207623)
--- trunk/JSTests/stress/direct-arguments-osr-entry.js (rev 0)
+++ trunk/JSTests/stress/direct-arguments-osr-entry.js 2016-10-20 17:40:19 UTC (rev 207623)
@@ -0,0 +1,22 @@
+// This tests that arguments elimination works with OSR entry.
+// We need to have an inner call so that arguments elimination
+// sees there are potential candidates.
+
+var args;
+
+function foo(a)
+{
+ args = arguments;
+ var result = 0;
+ for (var i = 0; i < 1000000; ++i) {
+ (function() {
+ return arguments[0];
+ })(42);
+ result += a;
+ }
+ return result;
+}
+
+noInline(foo);
+
+foo(42);
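Review bot: The final call `foo(42);` discards the return value, so this test only fails on a crash or a tripped assertion and would still pass if the loop produced the wrong sum after OSR entry. Consider checking the result, for example `if (foo(42) !== 42 * 1000000) throw new Error("bad result");`. The header comment explains the inner call but not why `args = arguments;` is stored to a global that is never read; a one-line note on that would keep a later cleanup from removing the line the test depends on.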
Modified: trunk/Source/_javascript_Core/ChangeLog (207622 => 207623)
--- trunk/Source/_javascript_Core/ChangeLog 2016-10-20 17:25:01 UTC (rev 207622)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-10-20 17:40:19 UTC (rev 207623)
@@ -1,3 +1,20 @@
+2016-10-20 Keith Miller <keith_mil...@apple.com>
+
+ Invalid assertion in arguments elimination
+ https://bugs.webkit.org/show_bug.cgi?id=163740
+ <rdar://problem/27911462>
+
+ Reviewed by Michael Saboff.
+
+ The DFGFTL's arguments elimination phase incorrectly asserted that a GetFromArguments' first
+ child would always be a CreateDirectArguments. While we only create the
+ op_get_from_arguments bytecode pointing to a create_direct_arguments, its possible for a
+ number of reasons that a DFG GetFromArguments may not point to a CreateDirectArguments. For
+ example, if we are OSR entering in some function with direct arguments the
+ CreateDirectArguments node might become ExtractOSREntryLocals.
+
+ * dfg/DFGArgumentsEliminationPhase.cpp:
+
2016-10-20 Caitlin Potter <ca...@igalia.com>
[JSC] throw TypeError when constructing dynamically created JSGeneratorFunction
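Review bot: Two wording nits in the added description: "its possible" should be "it's possible", and "DFGFTL's" reads as a single name where "DFG/FTL" would be clearer. The entry also says there are "a number of reasons" the child may differ but names only the OSR entry case; if other cases are known, listing them here would help whoever next touches this phase.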
Modified: trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp (207622 => 207623)
--- trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp 2016-10-20 17:25:01 UTC (rev 207622)
+++ trunk/Source/_javascript_Core/dfg/DFGArgumentsEliminationPhase.cpp 2016-10-20 17:40:19 UTC (rev 207623)
@@ -168,7 +168,6 @@
for (Node* node : *block) {
switch (node->op()) {
case GetFromArguments:
- DFG_ASSERT(m_graph, node, node->child1()->op() == CreateDirectArguments);
break;
case GetByVal:
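Review bot: With the DFG_ASSERT removed, `case GetFromArguments:` is left as a bare `break;` with nothing in the code explaining why child1 cannot be assumed to be a CreateDirectArguments. A short comment at that case (for example, noting that OSR entry can turn the producer into ExtractOSREntryLocals) would keep the assertion from being reintroduced later. It is also worth confirming that the rest of this phase does not still rely on the old invariant when it handles GetFromArguments, since that code is outside the lines shown here.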