Title: [193782] trunk/Source/_javascript_Core
- Revision
- 193782
- Author
- fpi...@apple.com
- Date
- 2015-12-08 13:45:54 -0800 (Tue, 08 Dec 2015)
Log Message
DFG::UnificationPhase should merge isProfitableToUnbox, since this may have been set in ByteCodeParser
https://bugs.webkit.org/show_bug.cgi?id=152011
rdar://problem/23777875
Reviewed by Michael Saboff.
Previously UnificationPhase did not merge this because we used to only set this in FixupPhase, which runs after unification. But now
ByteCodeParser may set isProfitableToUnbox as part of how it handles the ArgumentCount of an inlined varargs call, so UnificationPhase
needs to merge it after unifying.
Also changed the order of unification since this makes the bug more obvious and easier to test.
* dfg/DFGUnificationPhase.cpp:
(JSC::DFG::UnificationPhase::run):
* tests/stress/varargs-with-unused-count.js: Added.
Modified Paths
Added Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (193781 => 193782)
--- trunk/Source/_javascript_Core/ChangeLog 2015-12-08 21:44:12 UTC (rev 193781)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-12-08 21:45:54 UTC (rev 193782)
@@ -1,3 +1,21 @@
+2015-12-08 Filip Pizlo <fpi...@apple.com>
+
+ DFG::UnificationPhase should merge isProfitableToUnbox, since this may have been set in ByteCodeParser
+ https://bugs.webkit.org/show_bug.cgi?id=152011
+ rdar://problem/23777875
+
+ Reviewed by Michael Saboff.
+
+ Previously UnificationPhase did not merge this because we used to only set this in FixupPhase, which runs after unification. But now
+ ByteCodeParser may set isProfitableToUnbox as part of how it handles the ArgumentCount of an inlined varargs call, so UnificationPhase
+ needs to merge it after unifying.
+
+ Also changed the order of unification since this makes the bug more obvious and easier to test.
+
+ * dfg/DFGUnificationPhase.cpp:
+ (JSC::DFG::UnificationPhase::run):
+ * tests/stress/varargs-with-unused-count.js: Added.
+
2015-12-08 Mark Lam <mark....@apple.com>
Polymorphic operand types for DFG and FTL div.
Modified: trunk/Source/_javascript_Core/dfg/DFGUnificationPhase.cpp (193781 => 193782)
--- trunk/Source/_javascript_Core/dfg/DFGUnificationPhase.cpp 2015-12-08 21:44:12 UTC (rev 193781)
+++ trunk/Source/_javascript_Core/dfg/DFGUnificationPhase.cpp 2015-12-08 21:45:54 UTC (rev 193782)
@@ -60,8 +60,7 @@
if (!phi->children.child(childIdx))
break;
- phi->variableAccessData()->unify(
- phi->children.child(childIdx)->variableAccessData());
+ phi->children.child(childIdx)->variableAccessData()->unify(phi->variableAccessData());
}
}
}
@@ -74,6 +73,7 @@
data->find()->mergeCheckArrayHoistingFailed(data->checkArrayHoistingFailed());
data->find()->mergeShouldNeverUnbox(data->shouldNeverUnbox());
data->find()->mergeIsLoadedFrom(data->isLoadedFrom());
+ data->find()->mergeIsProfitableToUnbox(data->isProfitableToUnbox());
}
m_graph.m_unificationState = GloballyUnified;
Added: trunk/Source/_javascript_Core/tests/stress/varargs-with-unused-count.js (0 => 193782)
--- trunk/Source/_javascript_Core/tests/stress/varargs-with-unused-count.js (rev 0)
+++ trunk/Source/_javascript_Core/tests/stress/varargs-with-unused-count.js 2015-12-08 21:45:54 UTC (rev 193782)
@@ -0,0 +1,23 @@
+function foo(p, q, r) {
+ while (r) {
+ if (p)
+ return 1;
+ else if (p)
+ return 2;
+ else
+ throw "error";
+ }
+}
+
+function bar() {
+ foo.apply(this, arguments);
+}
+
+function baz(a, b, c, d) {
+ bar(a, b, c, d);
+}
+
+noInline(baz);
+
+for (var i = 0; i < 10000; ++i)
+ baz(1, 2, 3, 4);
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
