<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[184405] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/184405">184405</a></dd>
<dt>Author</dt> <dd>basile_clement@apple.com</dd>
<dt>Date</dt> <dd>2015-05-15 12:30:14 -0700 (Fri, 15 May 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic
https://bugs.webkit.org/show_bug.cgi?id=145062

Reviewed by Filip Pizlo.

We assert in various places (including NodeOrigin::isSet()) that a
NodeOrigin's semantic and forExit must be either both set, or both
unset. However, LICM'ing a node with unset NodeOrigin would only set
forExit, and leave semantic unset. This can for instance happen when a
Phi node is constant-folded into a JSConstant, which in turn gets
LICM'd.

This patch changes DFGLICMPhase to set the NodeOrigin's semantic in
addition to its forExit if semantic was previously unset.

It also adds two validators to DFGValidate.cpp:
- In both SSA and CPS form, a NodeOrigin semantic and forExit must be either both set or both unset
- In CPS form, all nodes must have a set NodeOrigin forExit (this is
the CPS counterpart to the SSA validator that checks that all nodes
must have a set NodeOrigin except possibly for a continuous chunk of
nodes at the top of a block)

* dfg/DFGLICMPhase.cpp:
(JSC::DFG::LICMPhase::attemptHoist):
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
(JSC::DFG::Validate::validateCPS):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGLICMPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGValidatecpp">trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (184404 => 184405)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2015-05-15 19:12:58 UTC (rev 184404)
+++ trunk/Source/JavaScriptCore/ChangeLog        2015-05-15 19:30:14 UTC (rev 184405)
</span><span class="lines">@@ -1,3 +1,33 @@
</span><ins>+2015-05-15 Basile Clement <basile_clement@apple.com>
+
+ DFGLICMPhase shouldn't create NodeOrigins with forExit but without semantic
+ https://bugs.webkit.org/show_bug.cgi?id=145062
+
+ Reviewed by Filip Pizlo.
+
+ We assert in various places (including NodeOrigin::isSet()) that a
+ NodeOrigin's semantic and forExit must be either both set, or both
+ unset. However, LICM'ing a node with unset NodeOrigin would only set
+ forExit, and leave semantic unset. This can for instance happen when a
+ Phi node is constant-folded into a JSConstant, which in turn gets
+ LICM'd.
+
+ This patch changes DFGLICMPhase to set the NodeOrigin's semantic in
+ addition to its forExit if semantic was previously unset.
+
+ It also adds two validators to DFGValidate.cpp:
+ - In both SSA and CPS form, a NodeOrigin semantic and forExit must be either both set or both unset
+ - In CPS form, all nodes must have a set NodeOrigin forExit (this is
+ the CPS counterpart to the SSA validator that checks that all nodes
+ must have a set NodeOrigin except possibly for a continuous chunk of
+ nodes at the top of a block)
+
+ * dfg/DFGLICMPhase.cpp:
+ (JSC::DFG::LICMPhase::attemptHoist):
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ (JSC::DFG::Validate::validateCPS):
+
</ins><span class="cx"> 2015-05-15 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> Unreviewed, remove an unused declaration.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGLICMPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp (184404 => 184405)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp        2015-05-15 19:12:58 UTC (rev 184404)
+++ trunk/Source/JavaScriptCore/dfg/DFGLICMPhase.cpp        2015-05-15 19:30:14 UTC (rev 184405)
</span><span class="lines">@@ -282,6 +282,8 @@
</span><span class="cx"> node->owner = data.preHeader;
</span><span class="cx"> NodeOrigin originalOrigin = node->origin;
</span><span class="cx"> node->origin.forExit = data.preHeader->terminal()->origin.forExit;
</span><ins>+ if (!node->origin.semantic.isSet())
+ node->origin.semantic = node->origin.forExit;
</ins><span class="cx">
</span><span class="cx"> // Modify the states at the end of the preHeader of the loop we hoisted to,
</span><span class="cx"> // and all pre-headers inside the loop.
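Review bot: the new `if (!node->origin.semantic.isSet()) node->origin.semantic = node->origin.forExit;` is correctly placed after the unconditional `node->origin.forExit = data.preHeader->terminal()->origin.forExit;`, so a node that arrives with a fully unset origin leaves with both fields set to the same pre-header origin, which is the invariant NodeOrigin::isSet() asserts; but the hunk carries no comment saying why the pre-header terminal's exit origin is an acceptable semantic origin for such a node, and a reader of this function will not have the ChangeLog at hand. Suggest a one-line comment above the `if`, e.g. `// A node with no origin (e.g. a JSConstant folded from a Phi) gets the pre-header's origin for both fields so semantic and forExit stay set together.` Also note that `originalOrigin`, captured on the line above the forExit assignment, still holds the unset semantic; worth confirming nothing later in attemptHoist consults it expecting a set semantic.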
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGValidatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp (184404 => 184405)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp        2015-05-15 19:12:58 UTC (rev 184404)
+++ trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp        2015-05-15 19:30:14 UTC (rev 184405)
</span><span class="lines">@@ -186,6 +186,7 @@
</span><span class="cx"> for (size_t i = 0; i < block->size(); ++i) {
</span><span class="cx"> Node* node = block->at(i);
</span><span class="cx">
</span><ins>+ VALIDATE((node), node->origin.semantic.isSet() == node->origin.forExit.isSet());
</ins><span class="cx"> VALIDATE((node), !mayExit(m_graph, node) || node->origin.forExit.isSet());
</span><span class="cx"> VALIDATE((node), !node->hasStructure() || !!node->structure());
</span><span class="cx"> VALIDATE((node), !node->hasCellOperand() || node->cellOperand()->value().isCell());
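Review bot: the added `VALIDATE((node), node->origin.semantic.isSet() == node->origin.forExit.isSet());` is correctly ordered before the existing `VALIDATE((node), !mayExit(m_graph, node) || node->origin.forExit.isSet());`, because that existing line alone would pass a node whose forExit is set while semantic is unset (exactly the shape the DFGLICMPhase hunk fixes), leaving the mismatch to surface only as an assertion inside NodeOrigin::isSet() with far less context than a VALIDATE failure that names the node. Two small suggestions: add a comment naming the invariant (`// semantic and forExit are either both set or both unset`), and keep this as the first check in the loop body, as it is here, so no later validator that calls into NodeOrigin trips on the half-set origin first.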
</span><span class="lines">@@ -402,6 +403,7 @@
</span><span class="cx"> Node* node = block->at(i);
</span><span class="cx"> ASSERT(nodesInThisBlock.contains(node));
</span><span class="cx"> VALIDATE((node), node->op() != Phi);
</span><ins>+ VALIDATE((node), node->origin.forExit.isSet());
</ins><span class="cx"> for (unsigned j = 0; j < m_graph.numChildren(node); ++j) {
</span><span class="cx"> Edge edge = m_graph.child(node, j);
</span><span class="cx"> if (!edge)
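Review bot: `VALIDATE((node), node->origin.forExit.isSet());` makes forExit mandatory for every CPS node with no exemption for a leading run of nodes in the block, which is the stated intent in the ChangeLog but is stricter than the generic `!mayExit(m_graph, node) || node->origin.forExit.isSet()` check in validate(), so a comment here stating why CPS requires it unconditionally would save the next reader a trip to the ChangeLog. Taken together with the semantic == forExit equality check added to validate() in the earlier hunk, this line effectively requires a fully set NodeOrigin on every CPS node; the comment should say so. Minor and pre-existing: the line above uses a bare `ASSERT(nodesInThisBlock.contains(node));` while the neighbouring checks use VALIDATE; converting it while this block is being touched would give consistent diagnostics on failure.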
</span></span></pre>
</div>
</div>
</body>
</html>