DFG constant folding search for the last local access skips the immediately previous...
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Jun 2012 22:44:43 +0000 (22:44 +0000)
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 1 Jun 2012 22:44:43 +0000 (22:44 +0000)
https://bugs.webkit.org/show_bug.cgi?id=88141

Source/JavaScriptCore:

Reviewed by Michael Saboff.

If you use a loop in the style of:

for (i = start; i--;)

then you need to remember that the first value of 'i' that the loop body will see is 'start - 1'.
Hence the following is probably wrong:

for (i = start - 1; i--;)

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::run):

LayoutTests:

Reviewed by Michael Saboff.

* fast/js/dfg-obvious-constant-cfa-expected.txt: Added.
* fast/js/dfg-obvious-constant-cfa.html: Added.
* fast/js/script-tests/dfg-obvious-constant-cfa.js: Added.
(bar.baz):
(bar):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@119292 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/fast/js/dfg-obvious-constant-cfa-expected.txt [new file with mode: 0644]
LayoutTests/fast/js/dfg-obvious-constant-cfa.html [new file with mode: 0644]
LayoutTests/fast/js/script-tests/dfg-obvious-constant-cfa.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

index 2052739..9ea8e8e 100644 (file)
@@ -1,3 +1,16 @@
+2012-06-01  Filip Pizlo  <fpizlo@apple.com>
+
+        DFG constant folding search for the last local access skips the immediately previous local access
+        https://bugs.webkit.org/show_bug.cgi?id=88141
+
+        Reviewed by Michael Saboff.
+
+        * fast/js/dfg-obvious-constant-cfa-expected.txt: Added.
+        * fast/js/dfg-obvious-constant-cfa.html: Added.
+        * fast/js/script-tests/dfg-obvious-constant-cfa.js: Added.
+        (bar.baz):
+        (bar):
+
 2012-06-01  Ryosuke Niwa  <rniwa@webkit.org>
 
         Chromium rebaseline after r119274.
diff --git a/LayoutTests/fast/js/dfg-obvious-constant-cfa-expected.txt b/LayoutTests/fast/js/dfg-obvious-constant-cfa-expected.txt
new file mode 100644 (file)
index 0000000..6b460d3
--- /dev/null
@@ -0,0 +1,10 @@
+This tests that if the CFA performs constant folding on an obvious set and then get of a captured local, then we don't crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS result is 228300
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/fast/js/dfg-obvious-constant-cfa.html b/LayoutTests/fast/js/dfg-obvious-constant-cfa.html
new file mode 100644 (file)
index 0000000..7d1963c
--- /dev/null
@@ -0,0 +1,10 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="script-tests/dfg-obvious-constant-cfa.js"></script>
+<script src="resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/fast/js/script-tests/dfg-obvious-constant-cfa.js b/LayoutTests/fast/js/script-tests/dfg-obvious-constant-cfa.js
new file mode 100644 (file)
index 0000000..4e5478f
--- /dev/null
@@ -0,0 +1,23 @@
+description(
+"This tests that if the CFA performs constant folding on an obvious set and then get of a captured local, then we don't crash."
+);
+
+function bar(a, b) {
+    var x;
+    var y;
+    function baz() {
+        return x + y;
+    }
+    x = 13;
+    y = 16;
+    if (y == 16) {
+        return x + a + b + baz();
+    } else
+        return 24;
+}
+
+var result = 0;
+for (var i = 0; i < 200; ++i)
+    result += bar(i, 1000);
+
+shouldBe("result", "228300");
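Review bot: The warm-up loop `for (var i = 0; i < 200; ++i)` carries an unstated assumption: 200 calls are presumably what gets bar() compiled by the DFG, but nothing in the file says so. If that count ever stops being enough, the test would still report `PASS result is 228300` without running the constant-folding path named in description(). A one-line comment above the loop stating why 200 iterations are used would make that dependency visible. The expected value itself checks out: each call returns 13 + i + 1000 + 29, and summing over i = 0..199 gives 228300. It would also help to note in bar() that the `else return 24;` arm is intentionally unreachable, since `y == 16` is the condition the CFA is expected to fold.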
index eb1868b..fa77132 100644 (file)
@@ -1,5 +1,24 @@
 2012-06-01  Filip Pizlo  <fpizlo@apple.com>
 
+        DFG constant folding search for the last local access skips the immediately previous local access
+        https://bugs.webkit.org/show_bug.cgi?id=88141
+
+        Reviewed by Michael Saboff.
+        
+        If you use a loop in the style of:
+
+        for (i = start; i--;)
+
+        then you need to remember that the first value of 'i' that the loop body will see is 'start - 1'.
+        Hence the following is probably wrong:
+        
+        for (i = start - 1; i--;)
+
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::run):
+
+2012-06-01  Filip Pizlo  <fpizlo@apple.com>
+
         DFG constant folding should be OK with GetLocal of captured variables having a constant
         https://bugs.webkit.org/show_bug.cgi?id=88137
 
index af46705..35e4dc0 100644 (file)
@@ -84,7 +84,7 @@ public:
                     } else {
                         ASSERT(indexInBlock > 0);
                         // Must search for the previous access to this local.
-                        for (BlockIndex subIndexInBlock = indexInBlock - 1; subIndexInBlock--;) {
+                        for (BlockIndex subIndexInBlock = indexInBlock; subIndexInBlock--;) {
                             NodeIndex subNodeIndex = block->at(subIndexInBlock);
                             Node& subNode = m_graph[subNodeIndex];
                             if (!subNode.shouldGenerate())
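Review bot: The comment above the corrected loop, `// Must search for the previous access to this local.`, still does not say where the search starts, and that is exactly what the old line got wrong. Because `subIndexInBlock--` is evaluated before the body runs, the body first sees `indexInBlock - 1`. I suggest extending the comment to say that the search begins at the node immediately before indexInBlock and walks down to index 0, so the next reader does not reintroduce the `- 1`. With the new start value the loop also runs zero times when indexInBlock is 0, so `ASSERT(indexInBlock > 0)` now documents an invariant rather than protecting the loop. Whatever follows the loop should therefore cope with no previous access being found in release builds, where the ASSERT compiles out.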