<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[179882] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/179882">179882</a></dd>
<dt>Author</dt> <dd>msaboff@apple.com</dd>
<dt>Date</dt> <dd>2015-02-10 13:59:54 -0800 (Tue, 10 Feb 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
https://bugs.webkit.org/show_bug.cgi?id=139398
Reviewed by Filip Pizlo.
Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
was determined to be reachable. When we go to lower to LLVM, the edges for the CompareStrictEq
node are UntypedUse which we can't compile. Fixed this by checking that the IR before
lowering can still be handled by the FTL.
Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
a SetArgument to a GetArgument. Before this change FTL::canCompile() would never see a GetArgument
node. With the check right before lowering, we see this node.
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
to verify that after all the transformations we still have valid IR for the FTL.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPlancpp">trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCapabilitiescpp">trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (179881 => 179882)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-02-10 21:56:29 UTC (rev 179881)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-02-10 21:59:54 UTC (rev 179882)
</span><span class="lines">@@ -1,3 +1,25 @@
</span><ins>+2015-02-10 Michael Saboff <msaboff@apple.com>
+
+ Crash in JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq
+ https://bugs.webkit.org/show_bug.cgi?id=139398
+
+ Reviewed by Filip Pizlo.
+
+ Due to CFA analysis, the CompareStrictEq node was determined to be unreachable, but later
+ was determined to be reachable. When we go to lower to LLVM, the edges for the CompareStrictEq
+ node are UntypedUse which we can't compile. Fixed this by checking that the IR before
+ lowering can still be handled by the FTL.
+
+ Had to add GetArgument as a node that the FTL can compile as the SSA conversion phase converts
+ a SetArgument to a GetArgument. Before this change FTL::canCompile() would never see a GetArgument
+ node. With the check right before lowering, we see this node.
+
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::compileInThreadImpl): Added a final FTL::canCompile() check before lowering
+ to verify that after all the transformations we still have valid IR for the FTL.
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile): Added GetArgument as a node the FTL can compile.
+
</ins><span class="cx"> 2015-02-10 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> Remove unused DFG::SpeculativeJIT::calleeFrameOffset().
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPlancpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp (179881 => 179882)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2015-02-10 21:56:29 UTC (rev 179881)
+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2015-02-10 21:59:54 UTC (rev 179882)
</span><span class="lines">@@ -364,6 +364,11 @@
</span><span class="cx"> performOSRAvailabilityAnalysis(dfg);
</span><span class="cx"> performWatchpointCollection(dfg);
</span><span class="cx">
</span><ins>+ if (FTL::canCompile(dfg) == FTL::CannotCompile) {
+ finalizer = std::make_unique<FailedFinalizer>(*this);
+ return FailPath;
+ }
+
</ins><span class="cx"> dumpAndVerifyGraph(dfg, "Graph just before FTL lowering:");
</span><span class="cx">
</span><span class="cx"> bool haveLLVM;
</span><span class="lines">@@ -379,7 +384,7 @@
</span><span class="cx"> finalizer = std::make_unique<FailedFinalizer>(*this);
</span><span class="cx"> return FailPath;
</span><span class="cx"> }
</span><del>-
</del><ins>+
</ins><span class="cx"> FTL::State state(dfg);
</span><span class="cx"> FTL::lowerDFGToLLVM(state);
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCapabilitiescpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (179881 => 179882)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2015-02-10 21:56:29 UTC (rev 179881)
+++ trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp 2015-02-10 21:59:54 UTC (rev 179882)
</span><span class="lines">@@ -51,6 +51,7 @@
</span><span class="cx"> case KillLocal:
</span><span class="cx"> case MovHint:
</span><span class="cx"> case ZombieHint:
</span><ins>+ case GetArgument:
</ins><span class="cx"> case Phantom:
</span><span class="cx"> case HardPhantom:
</span><span class="cx"> case Flush:
</span></span></pre>
</div>
</div>
</body>
</html>