CFGSimplificationPhase should not merge a block with itself
author sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 23 May 2017 18:49:15 +0000 (18:49 +0000)
committer sbarati@apple.com <sbarati@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Tue, 23 May 2017 18:49:15 +0000 (18:49 +0000)
commit 2ca41a6a44ea7579f0b78d970585f5c692b793ea
tree e2eb0edb0a030805d31a2eb22d8370b8a712ec48
parent 4aefc216c38aa0ba3158997f4f47314796add1ed
CFGSimplificationPhase should not merge a block with itself
https://bugs.webkit.org/show_bug.cgi?id=172508
<rdar://problem/28424006>

Reviewed by Keith Miller.

JSTests:

* stress/dont-crash-in-cfg-simplification.js: Added.
(bar):
(baz):
(foo):

Source/JavaScriptCore:

CFGSimplificationPhase can run into or create IR that ends up with a
block that has a Jump to itself, and no other predecessors. It should
gracefully handle such IR. Before this patch, it would not. The only criterion
for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
The code is written in such a way that if we merge a block with itself, we
will infinite loop until we run out of memory.

Merging a block with itself does not make sense for a few reasons. First,
we're joining the contents of two blocks. What is the definition of joining
a block with itself? I suppose we could simply unroll this self loop
one level, but that would not be wise because this self loop is by definition
unreachable unless it's the root block in the graph (which I think is
invalid IR since we'd never generate bytecode that would do this).

This patch employs an easy fix: we can't merge a block with itself.

* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
(JSC::DFG::CFGSimplificationPhase::run):
(JSC::DFG::CFGSimplificationPhase::convertToJump):
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@217287 268f45cc-cd09-0410-ab3c-d52691b4dbfc
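The following is an added illustration of the failure mode the commit message describes, written for this page and not taken from JavaScriptCore. It models a tiny DFG-style CFG with hypothetical `BasicBlock`/`Graph` types, a `run` loop that merges a block into its `Jump` target when a predicate allows, and the two predicates side by side: the pre-patch check (`targetBlock.predecessors.size() == 1` only) and the fixed one (which also refuses `block == targetBlock`). The real phase would spin until it ran out of memory when asked to merge a block into itself; the demo detects that request and reports `WouldHang` instead of looping. Scenario names, instruction strings and the `Outcome`/`RunResult` types are constructed for the example.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Illustrative miniature of a DFG-style CFG; these are not JavaScriptCore's types.
struct BasicBlock {
    std::vector<std::string> nodes;  // instructions; last one is the terminal ("Jump" or "Return")
    std::vector<BasicBlock*> successors;
    std::vector<BasicBlock*> predecessors;
    bool endsInJump() const { return !nodes.empty() && nodes.back() == "Jump"; }
};

struct Graph {
    std::vector<std::unique_ptr<BasicBlock>> blocks;  // blocks[0] is the root
    BasicBlock* addBlock(std::vector<std::string> nodes) {
        blocks.push_back(std::make_unique<BasicBlock>());
        blocks.back()->nodes = std::move(nodes);
        return blocks.back().get();
    }
    void link(BasicBlock* from, BasicBlock* to) {
        from->successors.push_back(to);
        to->predecessors.push_back(from);
    }
};

using MergePredicate = bool (*)(BasicBlock*, BasicBlock*);

// Pre-patch criterion from the commit message: the target only needs a single predecessor.
bool canMergeBlocksBeforeFix(BasicBlock*, BasicBlock* targetBlock) {
    return targetBlock->predecessors.size() == 1;
}

// Post-patch criterion: additionally refuse to merge a block with itself.
bool canMergeBlocks(BasicBlock* block, BasicBlock* targetBlock) {
    if (block == targetBlock)
        return false;
    return targetBlock->predecessors.size() == 1;
}

// Fold targetBlock into block: drop block's Jump, append targetBlock's nodes, adopt its successors.
void mergeBlocks(BasicBlock* block, BasicBlock* targetBlock) {
    assert(block != targetBlock);
    block->nodes.pop_back();
    block->nodes.insert(block->nodes.end(), targetBlock->nodes.begin(), targetBlock->nodes.end());
    block->successors = targetBlock->successors;
    for (BasicBlock* successor : block->successors)
        std::replace(successor->predecessors.begin(), successor->predecessors.end(), targetBlock, block);
    targetBlock->nodes.clear();  // targetBlock is dead from here on
    targetBlock->successors.clear();
    targetBlock->predecessors.clear();
}

enum class Outcome { Converged, WouldHang };
struct RunResult {
    int merges = 0;
    Outcome outcome = Outcome::Converged;
    std::vector<std::string> rootNodes;  // root block's instructions after the phase
};

// Repeatedly merge Jump targets until nothing changes. If the predicate approves merging a block
// into itself, the real phase would never terminate; the demo reports WouldHang instead.
RunResult run(Graph& graph, MergePredicate canMerge) {
    RunResult result;
    bool changed;
    do {
        changed = false;
        for (auto& owned : graph.blocks) {
            BasicBlock* block = owned.get();
            if (!block->endsInJump())
                continue;
            BasicBlock* targetBlock = block->successors[0];
            if (!canMerge(block, targetBlock))
                continue;
            if (block == targetBlock) {
                result.outcome = Outcome::WouldHang;
                result.rootNodes = graph.blocks[0]->nodes;
                return result;
            }
            mergeBlocks(block, targetBlock);
            ++result.merges;
            changed = true;
        }
    } while (changed);
    result.rootNodes = graph.blocks[0]->nodes;
    return result;
}

// Scenario 1 (constructed): straight chain root -> b1 -> b2, which both criteria collapse.
RunResult simplifyLinearChain(MergePredicate canMerge) {
    Graph graph;
    BasicBlock* root = graph.addBlock({"x = 1", "Jump"});
    BasicBlock* b1 = graph.addBlock({"y = x", "Jump"});
    BasicBlock* b2 = graph.addBlock({"Return"});
    graph.link(root, b1);
    graph.link(b1, b2);
    return run(graph, canMerge);
}

// Scenario 2 (constructed): the IR shape from the bug, an unreachable block whose only
// predecessor is itself because it ends in a Jump back to its own head.
RunResult simplifySelfLoop(MergePredicate canMerge) {
    Graph graph;
    graph.addBlock({"Return"});
    BasicBlock* loop = graph.addBlock({"z = z + 1", "Jump"});
    graph.link(loop, loop);
    return run(graph, canMerge);
}

int main() {
    std::printf("self-loop, old criterion: %s\n",
        simplifySelfLoop(canMergeBlocksBeforeFix).outcome == Outcome::WouldHang ? "would hang" : "converged");
    std::printf("self-loop, new criterion: merges=%d\n", simplifySelfLoop(canMergeBlocks).merges);
    std::printf("linear chain: merges=%d\n", simplifyLinearChain(canMergeBlocks).merges);
    return 0;
}
```

The one-line guard in `canMergeBlocks` is the whole fix; `mergeBlocks` keeps its own `assert(block != targetBlock)` so that a caller bypassing the predicate fails loudly rather than growing `nodes` without bound.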
JSTests/ChangeLog
JSTests/stress/dont-crash-in-cfg-simplification.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp