DFG::PutStackSinkingPhase should not treat the stack variables written by LoadVarargs...
authorsbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Nov 2015 00:39:13 +0000 (00:39 +0000)
committersbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 10 Nov 2015 00:39:13 +0000 (00:39 +0000)
commit11df1773b174b73accf92b0c6170383c08a5637f
tree3651139f6c61ebb99744a55fc2e85bc4c6cdd66d
parentee7a34030fa40f8964b09ecc26e20aa80fab871b
DFG::PutStackSinkingPhase should not treat the stack variables written by LoadVarargs/ForwardVarargs as being live
https://bugs.webkit.org/show_bug.cgi?id=145295

Reviewed by Filip Pizlo.

This patch fixes PutStackSinkingPhase to no longer escape the stack
locations that LoadVarargs and ForwardVarargs write to. We used
to consider sinking PutStacks right before a LoadVarargs/ForwardVarargs
because we considered them uses of such stack locations. They aren't
uses of those stack locations, they unconditionally write to those
stack locations. Sinking PutStacks to these nodes was not needed before,
but seemed mostly innocent. But I ran into a problem with this while implementing
FTL try/catch where we would end up having to generate a value for a sunken PutStack
right before a LoadVarargs. This would cause us to issue a GetStack that loaded garbage that
was then forwarded into a Phi that was used as the source as the PutStack. This caused the
abstract interpreter to confuse itself on type information for the garbage GetStack
that was fed into the Phi, which would cause the abstract interpreter to then claim
that the basic block with the PutStack in it would never be reached. This isn't true, the
block would indeed be reached. The solution here is to be more precise about the
liveness of locals w.r.t LoadVarargs and ForwardVarargs.

* dfg/DFGPreciseLocalClobberize.h:
(JSC::DFG::PreciseLocalClobberizeAdaptor::PreciseLocalClobberizeAdaptor):
(JSC::DFG::PreciseLocalClobberizeAdaptor::write):
* dfg/DFGPutStackSinkingPhase.cpp:
* dfg/DFGSSACalculator.h:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@192190 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h
Source/JavaScriptCore/dfg/DFGPutStackSinkingPhase.cpp
Source/JavaScriptCore/dfg/DFGSSACalculator.h