Title: [232856] trunk/Source/_javascript_Core
- Revision
- 232856
- Author
- msab...@apple.com
- Date
- 2018-06-14 14:48:02 -0700 (Thu, 14 Jun 2018)
Log Message
REGRESSION(232741): Crash running ARES-6
https://bugs.webkit.org/show_bug.cgi?id=186630
Reviewed by Saam Barati.
The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
treated edges between identical predecessor->successor pairs independently.
This fixes the issue by handling such edges once, using the added intermediate
pad for all instances of the edges between the same pairs.
* dfg/DFGCriticalEdgeBreakingPhase.cpp:
(JSC::DFG::CriticalEdgeBreakingPhase::run):
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (232855 => 232856)
--- trunk/Source/_javascript_Core/ChangeLog 2018-06-14 21:44:01 UTC (rev 232855)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-06-14 21:48:02 UTC (rev 232856)
@@ -1,3 +1,19 @@
+2018-06-14 Michael Saboff <msab...@apple.com>
+
+ REGRESSION(232741): Crash running ARES-6
+ https://bugs.webkit.org/show_bug.cgi?id=186630
+
+ Reviewed by Saam Barati.
+
+ The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
+ treated edges between identical predecessor->successor pairs independently.
+ This fixes the issue by handling such edges once, using the added intermediate
+ pad for all instances of the edges between the same pairs.
+
+ * dfg/DFGCriticalEdgeBreakingPhase.cpp:
+ (JSC::DFG::CriticalEdgeBreakingPhase::run):
+ (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
+
2018-06-14 Carlos Garcia Campos <cgar...@igalia.com>
[GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
Modified: trunk/Source/_javascript_Core/dfg/DFGCriticalEdgeBreakingPhase.cpp (232855 => 232856)
--- trunk/Source/_javascript_Core/dfg/DFGCriticalEdgeBreakingPhase.cpp 2018-06-14 21:44:01 UTC (rev 232855)
+++ trunk/Source/_javascript_Core/dfg/DFGCriticalEdgeBreakingPhase.cpp 2018-06-14 21:48:02 UTC (rev 232856)
@@ -56,13 +56,30 @@
if (block->numSuccessors() <= 1)
continue;
-
+
+ // Break critical edges by inserting a "Jump" pad block in place of each
+ // unique A->B critical edge.
+ HashMap<BasicBlock*, BasicBlock*> successorPads;
+
for (unsigned i = block->numSuccessors(); i--;) {
BasicBlock** successor = &block->successor(i);
if ((*successor)->predecessors.size() <= 1)
continue;
-
- breakCriticalEdge(block, successor);
+
+ BasicBlock* pad = nullptr;
+ auto iter = successorPads.find(*successor);
+
+ if (iter == successorPads.end()) {
+ pad = m_insertionSet.insertBefore(*successor, (*successor)->executionCount);
+ pad->appendNode(
+ m_graph, SpecNone, Jump, (*successor)->at(0)->origin, OpInfo(*successor));
+ pad->predecessors.append(block);
+ (*successor)->replacePredecessor(block, pad);
+ successorPads.set(*successor, pad);
+ } else
+ pad = iter->value;
+
+ *successor = pad;
}
}
@@ -70,17 +87,6 @@
}
private:
- void breakCriticalEdge(BasicBlock* predecessor, BasicBlock** successor)
- {
- BasicBlock* pad = m_insertionSet.insertBefore(*successor, (*successor)->executionCount);
- pad->appendNode(
- m_graph, SpecNone, Jump, (*successor)->at(0)->origin, OpInfo(*successor));
- pad->predecessors.append(predecessor);
- (*successor)->replacePredecessor(predecessor, pad);
-
- *successor = pad;
- }
-
BlockInsertionSet m_insertionSet;
};
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
