<1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError...
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 10 Feb 2014 17:04:28 +0000 (17:04 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 10 Feb 2014 17:04:28 +0000 (17:04 +0000)
commita46c09a158669793326d8cc0d2ca1490332c62aa
tree4de082e82c23170169573d6b06b742595589ef81
parent453c1e40f6b8e75b9d5932961d2e70aeabe0bd87
<1/100 probability FTL failure: v8-v6/v8-deltablue.js.ftl-eager: Exception: TypeError: undefined is not an object (evaluating 'c.isInput')
https://bugs.webkit.org/show_bug.cgi?id=128278

Reviewed by Mark Hahnenberg.

Fix another FTL flake due to bytecode liveness corner cases. Hopefully it's the last
one.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock): Make sure that inside a constructor, the 'this' result is always set. This makes it easier to unify the treatment of 'this' for OSR exit: we just say that it's always live.
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::isLiveInBytecode): Assume that 'this' is live. We were already sort of doing this for calls because the callsite would claim it to be live. But we didn't do it for constructors. It's true that *at the callsite* 'this' won't be live, but inside the inlined constructor, it almost certainly will be.
* dfg/DFGTierUpCheckInjectionPhase.cpp:
(JSC::DFG::TierUpCheckInjectionPhase::run): I just noticed this benign bug. We should only return 'true' if we actually injected checks.
* ftl/FTLOSRExitCompiler.cpp:
(JSC::FTL::compileStub): Make it easier to just dump disassembly for FTL OSR exits.
* runtime/Options.h: Ditto.
* tests/stress/inlined-constructor-this-liveness.js: Added.
(Foo):
(foo):
* tests/stress/inlined-function-this-liveness.js: Added.
(bar):
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@163789 268f45cc-cd09-0410-ab3c-d52691b4dbfc
PerformanceTests/SunSpider/tests/v8-v6/v8-deltablue.js
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp
Source/JavaScriptCore/dfg/DFGGraph.cpp
Source/JavaScriptCore/dfg/DFGTierUpCheckInjectionPhase.cpp
Source/JavaScriptCore/ftl/FTLOSRExitCompiler.cpp
Source/JavaScriptCore/runtime/Options.h
Source/JavaScriptCore/tests/stress/inlined-constructor-this-liveness.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/inlined-function-this-liveness.js [new file with mode: 0644]