We can't remove code after ForceOSRExit until after FixupPhase
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Mar 2019 04:31:52 +0000 (04:31 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 15 Mar 2019 04:31:52 +0000 (04:31 +0000)
commit d384b8e78c505dabe51e7dd8d2a1fc4d5691ebc4
tree a35a6b708c2176ce0163f67b36877e3c29b62044
parent 791935ec38d03c4029be24cecfc830e469fcde1d
We can't remove code after ForceOSRExit until after FixupPhase
https://bugs.webkit.org/show_bug.cgi?id=186916
<rdar://problem/41396612>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/movhint-backwards-propagation-must-merge-use-as-value-add.js: Added.
(foo):
* stress/movhint-backwards-propagation-must-merge-use-as-value.js: Added.
(foo):

Source/JavaScriptCore:

There was an optimization in the bytecode parser I added in r232742 that converted blocks
with ForceOSRExit in them to remove all IR after the ForceOSRExit. However,
this is incorrect because it breaks backwards propagation. For example, it
could incorrectly lead us to think it's safe to not check for overflow in
an Add because such an Add has no non-int uses. Backwards propagation relies on
having a view over bytecode uses, and this optimization broke that. This patch
rolls out that optimization, as initial perf data shows it may no longer be
needed.

* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::addToGraph):
(JSC::DFG::ByteCodeParser::parse):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@242989 268f45cc-cd09-0410-ab3c-d52691b4dbfc
JSTests/ChangeLog
JSTests/stress/movhint-backwards-propagation-must-merge-use-as-value-add.js [new file with mode: 0644]
JSTests/stress/movhint-backwards-propagation-must-merge-use-as-value.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp