REGRESSION(232741): Crash running ARES-6
authormsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Jun 2018 21:48:02 +0000 (21:48 +0000)
committermsaboff@apple.com <msaboff@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 14 Jun 2018 21:48:02 +0000 (21:48 +0000)
https://bugs.webkit.org/show_bug.cgi?id=186630

Reviewed by Saam Barati.

The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
treated edges between identical predecessor->successor pairs independently.
This fixes the issue by handling such edges once, using the added intermediate
pad for all instances of the edges between the same pairs.

* dfg/DFGCriticalEdgeBreakingPhase.cpp:
(JSC::DFG::CriticalEdgeBreakingPhase::run):
(JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@232856 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGCriticalEdgeBreakingPhase.cpp

index a4ea135..7b05c31 100644 (file)
@@ -1,3 +1,19 @@
+2018-06-14  Michael Saboff  <msaboff@apple.com>
+
+        REGRESSION(232741): Crash running ARES-6
+        https://bugs.webkit.org/show_bug.cgi?id=186630
+
+        Reviewed by Saam Barati.
+
+        The de-duplicating work in r232741 caused a bug in breakCriticalEdge() where it
+        treated edges between identical predecessor->successor pairs independently.
+        This fixes the issue by handling such edges once, using the added intermediate
+        pad for all instances of the edges between the same pairs.
+
+        * dfg/DFGCriticalEdgeBreakingPhase.cpp:
+        (JSC::DFG::CriticalEdgeBreakingPhase::run):
+        (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge): Deleted.
+
 2018-06-14  Carlos Garcia Campos  <cgarcia@igalia.com>
 
         [GTK][WPE] WebDriver: handle acceptInsecureCertificates capability
index e8df6c5..574b69f 100644 (file)
@@ -56,13 +56,30 @@ public:
             
             if (block->numSuccessors() <= 1)
                 continue;
-            
+
+            // Break critical edges by inserting a "Jump" pad block in place of each
+            // unique A->B critical edge.
+            HashMap<BasicBlock*, BasicBlock*> successorPads;
+
             for (unsigned i = block->numSuccessors(); i--;) {
                 BasicBlock** successor = &block->successor(i);
                 if ((*successor)->predecessors.size() <= 1)
                     continue;
-                
-                breakCriticalEdge(block, successor); 
+
+                BasicBlock* pad = nullptr;
+                auto iter = successorPads.find(*successor);
+
+                if (iter == successorPads.end()) {
+                    pad = m_insertionSet.insertBefore(*successor, (*successor)->executionCount);
+                    pad->appendNode(
+                        m_graph, SpecNone, Jump, (*successor)->at(0)->origin, OpInfo(*successor));
+                    pad->predecessors.append(block);
+                    (*successor)->replacePredecessor(block, pad);
+                    successorPads.set(*successor, pad);
+                } else
+                    pad = iter->value;
+
+                *successor = pad;
             }
         }
         
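Review bot: The reuse branch (`else pad = iter->value;`) depends on an invariant that the new comment does not state: going by the commit message, predecessor lists are de-duplicated since r232741, so `replacePredecessor(block, pad)` may run only once per block/successor pair, and the `predecessors.size() <= 1` skip test stays valid for later duplicate edges only because that call appears to leave the list size unchanged. I would extend the comment with `// Predecessor lists hold each block once, so a repeated A->B edge must reuse A's pad rather than call replacePredecessor() again.` and add `ASSERT((*successor)->predecessors.contains(pad));` in the else branch, so that a predecessor/successor mismatch is caught in debug builds at the point where it is created rather than later in the DFG pipeline. The commit's file list shows only the ChangeLog and this file; a regression test with one block that has two successor edges to the same target would be worth adding. The enclosing run() starts and ends outside this hunk.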
@@ -70,17 +87,6 @@ public:
     }
 
 private:
-    void breakCriticalEdge(BasicBlock* predecessor, BasicBlock** successor)
-    {
-        BasicBlock* pad = m_insertionSet.insertBefore(*successor, (*successor)->executionCount);
-        pad->appendNode(
-            m_graph, SpecNone, Jump, (*successor)->at(0)->origin, OpInfo(*successor));
-        pad->predecessors.append(predecessor);
-        (*successor)->replacePredecessor(predecessor, pad);
-        
-        *successor = pad;
-    }
-    
     BlockInsertionSet m_insertionSet;
 };