Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 15 May 2019 20:30:16 +0000 (20:30 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Wed, 15 May 2019 20:30:16 +0000 (20:30 +0000)
commit c16efe1a9f9e21de528b7b6bac1f030f87b4ce9f
tree 522e27b6f8889e3ba26ab717158bd33c4bed0dd0
parent 6120db6e7abc0cf25b2e96ce3e232944aaca46aa
Bound liveness of SetArgumentMaybe nodes when maximal flush insertion phase is enabled
https://bugs.webkit.org/show_bug.cgi?id=197855
<rdar://problem/50236506>

Reviewed by Michael Saboff.

JSTests:

* stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js: Added.
(f0):
(bar):
(foo):
* stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js: Added.
(f1):
(f2):
(foo):

Source/JavaScriptCore:

Maximal flush insertion phase assumes it can extend the live range of
variables. However, this is not true with SetArgumentMaybe nodes, because
they are not guaranteed to demarcate the birth of a variable in the way
that SetArgumentDefinitely does. This caused things to break in SSA conversion
when we wanted to use the result of a SetArgumentMaybe node. To obviate this,
when we're done inlining something with SetArgumentMaybes, we SetLocal(undefined)
to the same set of locals. This caps the live range of the SetArgumentMaybe
and makes it so that extending the live range of the SetLocal is valid.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::handleVarargsInlining):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@245341 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js [new file with mode: 0644]
JSTests/stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp