[webkit-changes] [WebKit/WebKit] d38e92: [JSC] LICM fuzzer should always try to hoist check...
Commit Queue
noreply at github.com
Wed May 3 13:48:18 PDT 2023
Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: d38e9253394d559bee6fd15031f489eced98cd37
https://github.com/WebKit/WebKit/commit/d38e9253394d559bee6fd15031f489eced98cd37
Author: Yijia Huang <yijia_huang at apple.com>
Date: 2023-05-03 (Wed, 03 May 2023)
Changed paths:
A JSTests/stress/licm-fuzzer-check-node.js
M Source/JavaScriptCore/dfg/DFGLICMPhase.cpp
M Source/JavaScriptCore/dfg/DFGNode.h
Log Message:
-----------
[JSC] LICM fuzzer should always try to hoist check nodes
https://bugs.webkit.org/show_bug.cgi?id=256223
rdar://108693746
Reviewed by Yusuke Suzuki.
The LICM fuzzer was introduced in https://trac.webkit.org/changeset/264133/webkit,
which is intended for checking unsafe hoisting. However, we might get a crash when
some nodes get hoisted but their corresponding check nodes do not. This is because
when useLICMFuzzing=1, the fuzzer will try to hoist randomly picked nodes.
To fix the issue, the fuzzer should always try to hoist check nodes.
* Source/JavaScriptCore/dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::run):
* Source/JavaScriptCore/dfg/DFGNode.h:
(JSC::DFG::Node::isCheckNode):
Canonical link: https://commits.webkit.org/263648@main