We need to do proper bookkeeping of exitOK when inserting constants when sinking...
author: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Mar 2018 21:59:33 +0000 (21:59 +0000)
committer: sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 20 Mar 2018 21:59:33 +0000 (21:59 +0000)
https://bugs.webkit.org/show_bug.cgi?id=183795
<rdar://problem/38298694>

Reviewed by JF Bastien.

JSTests:

* stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
(foo):
(bar):

Source/JavaScriptCore:

We were just assuming that the constants we were inserting were
always exitOK=true. However, this breaks validation. The exitOK
we emit for the constants in the NewArrayBuffer should respect
the current exit state of the IR we've emitted. This is just IR
bookkeeping since JSConstant is a non-exiting node.

* dfg/DFGArgumentsEliminationPhase.cpp:

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@229775 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/stress/sink-phantom-new-array-buffer-exit-ok.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp

index b1c396f..116aeb4 100644 (file)
@@ -1,3 +1,15 @@
+2018-03-20  Saam Barati  <sbarati@apple.com>
+
+        We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
+        https://bugs.webkit.org/show_bug.cgi?id=183795
+        <rdar://problem/38298694>
+
+        Reviewed by JF Bastien.
+
+        * stress/sink-phantom-new-array-buffer-exit-ok.js: Added.
+        (foo):
+        (bar):
+
 2018-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
 
         [DFG][FTL] Add vectorLengthHint for NewArray
diff --git a/JSTests/stress/sink-phantom-new-array-buffer-exit-ok.js b/JSTests/stress/sink-phantom-new-array-buffer-exit-ok.js
new file mode 100644 (file)
index 0000000..d279877
--- /dev/null
@@ -0,0 +1,8 @@
+function foo() {
+}
+function bar() {
+    foo(...[42]);
+}
+for (var i = 0; i < 400000; i++) {
+    bar();
+}
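Review bot: The new test has no assertion and `foo` has an empty body, so the loop around `bar()` can only fail if the engine itself trips while compiling `foo(...[42])`. The commit message says the bug "breaks validation", which means that in a configuration where DFG validation does not run, this file passes whether or not the fix is present. Add a comment at the top of the file stating which check the test is meant to trigger, and consider pinning it to a run mode that enables graph validation so the regression coverage does not depend on default options.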
index 65df730..eccc111 100644 (file)
@@ -1,3 +1,19 @@
+2018-03-20  Saam Barati  <sbarati@apple.com>
+
+        We need to do proper bookkeeping of exitOK when inserting constants when sinking NewArrayBuffer
+        https://bugs.webkit.org/show_bug.cgi?id=183795
+        <rdar://problem/38298694>
+
+        Reviewed by JF Bastien.
+
+        We were just assuming that the constants we were inserting were
+        always exitOK=true. However, this breaks validation. The exitOK
+        we emit for the constants in the NewArrayBuffer should respect
+        the current exit state of the IR we've emitted. This is just IR
+        bookkeeping since JSConstant is a non-exiting node.
+
+        * dfg/DFGArgumentsEliminationPhase.cpp:
+
 2018-03-20  Guillaume Emont  <guijemont@igalia.com>
 
         MIPS+Armv7 builds are broken since r229391
index ad2c75d..c2c355c 100644 (file)
@@ -919,7 +919,6 @@ private:
                                     }
 
                                     if (candidate->op() == PhantomNewArrayBuffer) {
-                                        bool canExit = true;
                                         auto* array = candidate->castOperand<JSFixedArray*>();
                                         for (unsigned index = 0; index < array->length(); ++index) {
                                             JSValue constant;
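Review bot: The local `bool canExit = true;` at the top of the `PhantomNewArrayBuffer` branch is removed, so if the `for` loop over `array->length()` still passes `canExit` when it inserts each constant, the name now refers to a variable from an enclosing scope that this hunk does not show. A one-line comment at that use, noting that JSConstant does not exit and the flag only carries the current exit state of the emitted IR for validation, would make the intent clear and discourage reintroducing a hard-coded `true` later.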