<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[186691] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/186691">186691</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2015-07-10 14:19:51 -0700 (Fri, 10 Jul 2015)</dd>
</dl>
<h3>Log Message</h3>
<pre>DFG fragile frozen values are fundamentally broken
https://bugs.webkit.org/show_bug.cgi?id=146602
Reviewed by Mark Lam.
This change gets rid of the FragileValue value strength, because it was fundamentally
broken.
FragileValue was a value known to the compiler but not tracked by the GC in any way -
it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
must-handle values. The philosophy was that if the compiler did use the value for
optimization, it would have been strengthened to a weak value (or maybe even a strong
value, though we probably won't do that). But this was too much of a pipe dream. I've
found at least one case where the compiler did use the value, but never strengthened
it: it would happen if the value ended up in an OSR entry data expected value. Then if
we GCed, we might have killed the value, but OSR entry would still try to use it for
validation. That might have sort of just worked, but it's clearly shady.
The reason why we made must-handle values fragile and not weak is that most of the time
the values disappear from the abstract state: they are LUBed to a non-constant. If we
kept them around as weak, we'd have too many cases of the GC killing the code because
it thought that the value was somehow meaningful to the code when it was only used as a
temporary artifact of optimization.
So, it's true that it's very important for must-handle values not to automatically be
weak or strong. It's also true that the values are necessary for AI bootstrap because
we need to know what values OSR entry will require. But we shouldn't accomplish these
goals by having the compiler hold onto what are essentially dangling pointers.
This implements a better solution: instead of having InPlaceAbstractState bootstrap the
AI with must-handle values at the beginning, we now widen the valuesAtHead of the
must-handle block after AI converges. This widening is done in CFAPhase. This allows us
to see if the must-handle values are necessary at all. In most cases, the widening
takes a non-constant abstract value and simply amends something to its type based on
the type of the must-handle value, and so the must-handle value never actually shows up
in either the IR or any abstract value. In the unlikely event that the value at head is
bottom, we freeze the must-handle value. This change removes FragileValue, and this
freezing uses WeakValue as the strength. That makes sense: since the abstract value was
bottom, the must-handle value becomes integral to the IR and so it makes no sense for
the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
sometimes happen for example if you have a very long-running loop whose pre-header
allocates some object, but that pre-header appears to always exit to the optimizing JIT
because it was only profiled once in the LLInt and that profiling appears insufficient
to the DFG. In that case, we'll effectively constant-fold the references to the object
inside the loop, which is both efficient (yay constant folding!) and necessary
(otherwise we wouldn't know what the type of the variable should have been).
Testing and debugging this is complicated. So, this adds some new capabilities:
- DFG IR dumps also dump all of the FrozenValues that point to the heap along with
their strengths, so that it's easy to see what GC objects the DFG feels are necessary
for the compilation.
- DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
to see what GC pointers (and other things) are used for OSR entry validation. The
printouts are quite detailed, and should also help other kinds of OSR entry
debugging.
- DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
data structures are also properly registered as either weak or strong pointers in the
CodeBlock. This validation check previously failed due to fragile values ending up in
the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
and in some pre-existing tests (like earley-boyer and 3d-raytrace).
* CMakeLists.txt:
* JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
* JavaScriptCore.xcodeproj/project.pbxproj:
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::stronglyVisitStrongReferences):
* bytecode/CodeOrigin.cpp:
(JSC::InlineCallFrame::visitAggregate):
* bytecode/Operands.h:
(JSC::Operands::operand):
(JSC::Operands::hasOperand):
* bytecode/StructureSet.cpp:
(JSC::StructureSet::dump):
(JSC::StructureSet::validateReferences):
* bytecode/StructureSet.h:
* bytecode/TrackedReferences.cpp: Added.
(JSC::TrackedReferences::TrackedReferences):
(JSC::TrackedReferences::~TrackedReferences):
(JSC::TrackedReferences::add):
(JSC::TrackedReferences::check):
(JSC::TrackedReferences::dump):
* bytecode/TrackedReferences.h: Added.
* dfg/DFGAbstractValue.cpp:
(JSC::DFG::AbstractValue::observeTransitions):
(JSC::DFG::AbstractValue::set):
(JSC::DFG::AbstractValue::fixTypeForRepresentation):
(JSC::DFG::AbstractValue::mergeOSREntryValue):
(JSC::DFG::AbstractValue::filter):
(JSC::DFG::AbstractValue::dumpInContext):
(JSC::DFG::AbstractValue::validateReferences):
(JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::fullTop):
(JSC::DFG::AbstractValue::merge):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
* dfg/DFGCommonData.cpp:
(JSC::DFG::CommonData::invalidate):
(JSC::DFG::CommonData::validateReferences):
* dfg/DFGCommonData.h:
(JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
* dfg/DFGFrozenValue.h:
(JSC::DFG::FrozenValue::FrozenValue):
(JSC::DFG::FrozenValue::strengthenTo):
(JSC::DFG::FrozenValue::pointsToHeap):
(JSC::DFG::FrozenValue::strength):
(JSC::DFG::FrozenValue::freeze):
* dfg/DFGGraph.cpp:
(JSC::DFG::Graph::Graph):
(JSC::DFG::Graph::dump):
(JSC::DFG::Graph::registerFrozenValues):
(JSC::DFG::Graph::visitChildren):
(JSC::DFG::Graph::freeze):
(JSC::DFG::Graph::freezeStrong):
(JSC::DFG::Graph::freezeFragile): Deleted.
* dfg/DFGGraph.h:
* dfg/DFGInPlaceAbstractState.cpp:
(JSC::DFG::InPlaceAbstractState::initialize):
* dfg/DFGJITCode.cpp:
(JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
(JSC::DFG::JITCode::validateReferences):
* dfg/DFGJITCode.h:
* dfg/DFGJITCompiler.cpp:
(JSC::DFG::JITCompiler::addressOfDoubleConstant):
(JSC::DFG::JITCompiler::noticeOSREntry):
* dfg/DFGJITCompiler.h:
(JSC::DFG::JITCompiler::branchStructurePtr):
(JSC::DFG::JITCompiler::jitCode):
(JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
* dfg/DFGMinifiedGraph.cpp: Added.
(JSC::DFG::MinifiedGraph::prepareAndShrink):
(JSC::DFG::MinifiedGraph::validateReferences):
* dfg/DFGMinifiedGraph.h:
(JSC::DFG::MinifiedGraph::append):
(JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
* dfg/DFGOSREntry.cpp:
(JSC::DFG::OSREntryData::dumpInContext):
(JSC::DFG::OSREntryData::dump):
(JSC::DFG::prepareOSREntry):
* dfg/DFGOSREntry.h:
(JSC::DFG::getOSREntryDataBytecodeIndex):
* dfg/DFGPlan.cpp:
(JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::linkOSREntries):
(JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
* dfg/DFGStructureAbstractValue.cpp:
(JSC::DFG::StructureAbstractValue::dump):
(JSC::DFG::StructureAbstractValue::validateReferences):
* dfg/DFGStructureAbstractValue.h:
* dfg/DFGValidate.cpp:
(JSC::DFG::Validate::validate):
* dfg/DFGValueStrength.cpp:
(WTF::printInternal):
* dfg/DFGValueStrength.h:
(JSC::DFG::merge):
* ftl/FTLExitPropertyValue.cpp:
(JSC::FTL::ExitPropertyValue::dump):
(JSC::FTL::ExitPropertyValue::validateReferences):
* ftl/FTLExitPropertyValue.h:
* ftl/FTLExitTimeObjectMaterialization.cpp:
(JSC::FTL::ExitTimeObjectMaterialization::dump):
(JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
* ftl/FTLExitTimeObjectMaterialization.h:
* ftl/FTLExitValue.cpp:
(JSC::FTL::ExitValue::dump):
(JSC::FTL::ExitValue::validateReferences):
* ftl/FTLExitValue.h:
* ftl/FTLJITCode.cpp:
(JSC::FTL::JITCode::dfgCommon):
(JSC::FTL::JITCode::validateReferences):
* ftl/FTLJITCode.h:
(JSC::FTL::JITCode::handles):
(JSC::FTL::JITCode::dataSections):
* ftl/FTLOSRExit.cpp:
(JSC::FTL::OSRExit::codeLocationForRepatch):
(JSC::FTL::OSRExit::validateReferences):
* ftl/FTLOSRExit.h:
(JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
* jit/JITCode.cpp:
(JSC::JITCode::typeName):
(JSC::JITCode::validateReferences):
(JSC::JITCode::execute):
* jit/JITCode.h:
(JSC::JITCode::start):
* tests/stress/dead-osr-entry-value.js: Added.
(foo):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreCMakeListstxt">trunk/Source/JavaScriptCore/CMakeLists.txt</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj">trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj</a></li>
<li><a href="#trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeOrigincpp">trunk/Source/JavaScriptCore/bytecode/CodeOrigin.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeOperandsh">trunk/Source/JavaScriptCore/bytecode/Operands.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeStructureSetcpp">trunk/Source/JavaScriptCore/bytecode/StructureSet.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeStructureSeth">trunk/Source/JavaScriptCore/bytecode/StructureSet.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractValuecpp">trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractValueh">trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp">trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCFAPhasecpp">trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCommonDatacpp">trunk/Source/JavaScriptCore/dfg/DFGCommonData.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGCommonDatah">trunk/Source/JavaScriptCore/dfg/DFGCommonData.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGFrozenValueh">trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphcpp">trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGGraphh">trunk/Source/JavaScriptCore/dfg/DFGGraph.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGInPlaceAbstractStatecpp">trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCodecpp">trunk/Source/JavaScriptCore/dfg/DFGJITCode.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCodeh">trunk/Source/JavaScriptCore/dfg/DFGJITCode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilercpp">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGJITCompilerh">trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGMinifiedGraphh">trunk/Source/JavaScriptCore/dfg/DFGMinifiedGraph.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSREntrycpp">trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGOSREntryh">trunk/Source/JavaScriptCore/dfg/DFGOSREntry.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGPlancpp">trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGStructureAbstractValuecpp">trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGStructureAbstractValueh">trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGValidatecpp">trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGValueStrengthcpp">trunk/Source/JavaScriptCore/dfg/DFGValueStrength.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGValueStrengthh">trunk/Source/JavaScriptCore/dfg/DFGValueStrength.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitPropertyValuecpp">trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitPropertyValueh">trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitTimeObjectMaterializationcpp">trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitTimeObjectMaterializationh">trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitValuecpp">trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLExitValueh">trunk/Source/JavaScriptCore/ftl/FTLExitValue.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLJITCodecpp">trunk/Source/JavaScriptCore/ftl/FTLJITCode.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLJITCodeh">trunk/Source/JavaScriptCore/ftl/FTLJITCode.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOSRExitcpp">trunk/Source/JavaScriptCore/ftl/FTLOSRExit.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLOSRExith">trunk/Source/JavaScriptCore/ftl/FTLOSRExit.h</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITCodecpp">trunk/Source/JavaScriptCore/jit/JITCode.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorejitJITCodeh">trunk/Source/JavaScriptCore/jit/JITCode.h</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCorebytecodeTrackedReferencescpp">trunk/Source/JavaScriptCore/bytecode/TrackedReferences.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeTrackedReferencesh">trunk/Source/JavaScriptCore/bytecode/TrackedReferences.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGMinifiedGraphcpp">trunk/Source/JavaScriptCore/dfg/DFGMinifiedGraph.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoretestsstressdeadosrentryvaluejs">trunk/Source/JavaScriptCore/tests/stress/dead-osr-entry-value.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreCMakeListstxt"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/CMakeLists.txt (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/CMakeLists.txt 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/CMakeLists.txt 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -110,6 +110,7 @@
</span><span class="cx"> bytecode/StructureStubClearingWatchpoint.cpp
</span><span class="cx"> bytecode/StructureStubInfo.cpp
</span><span class="cx"> bytecode/ToThisStatus.cpp
</span><ins>+ bytecode/TrackedReferences.cpp
</ins><span class="cx"> bytecode/UnlinkedCodeBlock.cpp
</span><span class="cx"> bytecode/UnlinkedInstructionStream.cpp
</span><span class="cx"> bytecode/ValueRecovery.cpp
</span><span class="lines">@@ -193,6 +194,7 @@
</span><span class="cx"> dfg/DFGLongLivedState.cpp
</span><span class="cx"> dfg/DFGLoopPreHeaderCreationPhase.cpp
</span><span class="cx"> dfg/DFGMayExit.cpp
</span><ins>+ dfg/DFGMinifiedGraph.cpp
</ins><span class="cx"> dfg/DFGMinifiedNode.cpp
</span><span class="cx"> dfg/DFGMovHintRemovalPhase.cpp
</span><span class="cx"> dfg/DFGNaiveDominators.cpp
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ChangeLog 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,3 +1,198 @@
</span><ins>+2015-07-04 Filip Pizlo <fpizlo@apple.com>
+
+ DFG fragile frozen values are fundamentally broken
+ https://bugs.webkit.org/show_bug.cgi?id=146602
+
+ Reviewed by Mark Lam.
+
+ This change gets rid of the FragileValue value strength, because it was fundamentally
+ broken.
+
+ FragileValue was a value known to the compiler but not tracked by the GC in any way -
+ it wasn't marked and it wasn't weak. This was used to support AI bootstrap for OSR
+ must-handle values. The philosophy was that if the compiler did use the value for
+ optimization, it would have been strengthened to a weak value (or maybe even a strong
+ value, though we probably won't do that). But this was too much of a pipe dream. I've
+ found at least one case where the compiler did use the value, but never strengthened
+ it: it would happen if the value ended up in an OSR entry data expected value. Then if
+ we GCed, we might have killed the value, but OSR entry would still try to use it for
+ validation. That might have sort of just worked, but it's clearly shady.
+
+ The reason why we made must-handle values fragile and not weak is that most of the time
+ the values disappear from the abstract state: they are LUBed to a non-constant. If we
+ kept them around as weak, we'd have too many cases of the GC killing the code because
+ it thought that the value was somehow meaningful to the code when it was only used as a
+ temporary artifact of optimization.
+
+ So, it's true that it's very important for must-handle values not to automatically be
+ weak or strong. It's also true that the values are necessary for AI bootstrap because
+ we need to know what values OSR entry will require. But we shouldn't accomplish these
+ goals by having the compiler hold onto what are essentially dangling pointers.
+
+ This implements a better solution: instead of having InPlaceAbstractState bootstrap the
+ AI with must-handle values at the beginning, we now widen the valuesAtHead of the
+ must-handle block after AI converges. This widening is done in CFAPhase. This allows us
+ to see if the must-handle values are necessary at all. In most cases, the widening
+ takes a non-constant abstract value and simply amends something to its type based on
+ the type of the must-handle value, and so the must-handle value never actually shows up
+ in either the IR or any abstract value. In the unlikely event that the value at head is
+ bottom, we freeze the must-handle value. This change removes FragileValue, and this
+ freezing uses WeakValue as the strength. That makes sense: since the abstract value was
+ bottom, the must-handle value becomes integral to the IR and so it makes no sense for
+ the GC to keep the resulting CodeBlock alive if that must-handle value dies. This will
+ sometimes happen for example if you have a very long-running loop whose pre-header
+ allocates some object, but that pre-header appears to always exit to the optimizing JIT
+ because it was only profiled once in the LLInt and that profiling appears insufficient
+ to the DFG. In that case, we'll effectively constant-fold the references to the object
+ inside the loop, which is both efficient (yay constant folding!) and necessary
+ (otherwise we wouldn't know what the type of the variable should have been).
+
+ Testing and debugging this is complicated. So, this adds some new capabilities:
+
+ - DFG IR dumps also dump all of the FrozenValues that point to the heap along with
+ their strengths, so that it's easy to see what GC objects the DFG feels are necessary
+ for the compilation.
+
+ - DFG OSR entry preparation prints out the OSR entry data structures, so that it's easy
+ to see what GC pointers (and other things) are used for OSR entry validation. The
+ printouts are quite detailed, and should also help other kinds of OSR entry
+ debugging.
+
+ - DFG::Plan now validates whether all of the GC pointers planted in the various JITCode
+ data structures are also properly registered as either weak or strong pointers in the
+ CodeBlock. This validation check previously failed due to fragile values ending up in
+ the OSR entry data structures, both in the newly added test (dead-osr-entry-value.js)
+ and in some pre-existing tests (like earley-boyer and 3d-raytrace).
+
+ * CMakeLists.txt:
+ * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
+ * JavaScriptCore.xcodeproj/project.pbxproj:
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::stronglyVisitStrongReferences):
+ * bytecode/CodeOrigin.cpp:
+ (JSC::InlineCallFrame::visitAggregate):
+ * bytecode/Operands.h:
+ (JSC::Operands::operand):
+ (JSC::Operands::hasOperand):
+ * bytecode/StructureSet.cpp:
+ (JSC::StructureSet::dump):
+ (JSC::StructureSet::validateReferences):
+ * bytecode/StructureSet.h:
+ * bytecode/TrackedReferences.cpp: Added.
+ (JSC::TrackedReferences::TrackedReferences):
+ (JSC::TrackedReferences::~TrackedReferences):
+ (JSC::TrackedReferences::add):
+ (JSC::TrackedReferences::check):
+ (JSC::TrackedReferences::dump):
+ * bytecode/TrackedReferences.h: Added.
+ * dfg/DFGAbstractValue.cpp:
+ (JSC::DFG::AbstractValue::observeTransitions):
+ (JSC::DFG::AbstractValue::set):
+ (JSC::DFG::AbstractValue::fixTypeForRepresentation):
+ (JSC::DFG::AbstractValue::mergeOSREntryValue):
+ (JSC::DFG::AbstractValue::filter):
+ (JSC::DFG::AbstractValue::dumpInContext):
+ (JSC::DFG::AbstractValue::validateReferences):
+ (JSC::DFG::AbstractValue::setOSREntryValue): Deleted.
+ * dfg/DFGAbstractValue.h:
+ (JSC::DFG::AbstractValue::fullTop):
+ (JSC::DFG::AbstractValue::merge):
+ * dfg/DFGByteCodeParser.cpp:
+ (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
+ * dfg/DFGCFAPhase.cpp:
+ (JSC::DFG::CFAPhase::run):
+ * dfg/DFGCommonData.cpp:
+ (JSC::DFG::CommonData::invalidate):
+ (JSC::DFG::CommonData::validateReferences):
+ * dfg/DFGCommonData.h:
+ (JSC::DFG::CommonData::requiredRegisterCountForExecutionAndExit):
+ * dfg/DFGFrozenValue.h:
+ (JSC::DFG::FrozenValue::FrozenValue):
+ (JSC::DFG::FrozenValue::strengthenTo):
+ (JSC::DFG::FrozenValue::pointsToHeap):
+ (JSC::DFG::FrozenValue::strength):
+ (JSC::DFG::FrozenValue::freeze):
+ * dfg/DFGGraph.cpp:
+ (JSC::DFG::Graph::Graph):
+ (JSC::DFG::Graph::dump):
+ (JSC::DFG::Graph::registerFrozenValues):
+ (JSC::DFG::Graph::visitChildren):
+ (JSC::DFG::Graph::freeze):
+ (JSC::DFG::Graph::freezeStrong):
+ (JSC::DFG::Graph::freezeFragile): Deleted.
+ * dfg/DFGGraph.h:
+ * dfg/DFGInPlaceAbstractState.cpp:
+ (JSC::DFG::InPlaceAbstractState::initialize):
+ * dfg/DFGJITCode.cpp:
+ (JSC::DFG::JITCode::setOptimizationThresholdBasedOnCompilationResult):
+ (JSC::DFG::JITCode::validateReferences):
+ * dfg/DFGJITCode.h:
+ * dfg/DFGJITCompiler.cpp:
+ (JSC::DFG::JITCompiler::addressOfDoubleConstant):
+ (JSC::DFG::JITCompiler::noticeOSREntry):
+ * dfg/DFGJITCompiler.h:
+ (JSC::DFG::JITCompiler::branchStructurePtr):
+ (JSC::DFG::JITCompiler::jitCode):
+ (JSC::DFG::JITCompiler::noticeOSREntry): Deleted.
+ * dfg/DFGMinifiedGraph.cpp: Added.
+ (JSC::DFG::MinifiedGraph::prepareAndShrink):
+ (JSC::DFG::MinifiedGraph::validateReferences):
+ * dfg/DFGMinifiedGraph.h:
+ (JSC::DFG::MinifiedGraph::append):
+ (JSC::DFG::MinifiedGraph::prepareAndShrink): Deleted.
+ * dfg/DFGOSREntry.cpp:
+ (JSC::DFG::OSREntryData::dumpInContext):
+ (JSC::DFG::OSREntryData::dump):
+ (JSC::DFG::prepareOSREntry):
+ * dfg/DFGOSREntry.h:
+ (JSC::DFG::getOSREntryDataBytecodeIndex):
+ * dfg/DFGPlan.cpp:
+ (JSC::DFG::Plan::finalizeWithoutNotifyingCallback):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::linkOSREntries):
+ (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
+ * dfg/DFGStructureAbstractValue.cpp:
+ (JSC::DFG::StructureAbstractValue::dump):
+ (JSC::DFG::StructureAbstractValue::validateReferences):
+ * dfg/DFGStructureAbstractValue.h:
+ * dfg/DFGValidate.cpp:
+ (JSC::DFG::Validate::validate):
+ * dfg/DFGValueStrength.cpp:
+ (WTF::printInternal):
+ * dfg/DFGValueStrength.h:
+ (JSC::DFG::merge):
+ * ftl/FTLExitPropertyValue.cpp:
+ (JSC::FTL::ExitPropertyValue::dump):
+ (JSC::FTL::ExitPropertyValue::validateReferences):
+ * ftl/FTLExitPropertyValue.h:
+ * ftl/FTLExitTimeObjectMaterialization.cpp:
+ (JSC::FTL::ExitTimeObjectMaterialization::dump):
+ (JSC::FTL::ExitTimeObjectMaterialization::validateReferences):
+ * ftl/FTLExitTimeObjectMaterialization.h:
+ * ftl/FTLExitValue.cpp:
+ (JSC::FTL::ExitValue::dump):
+ (JSC::FTL::ExitValue::validateReferences):
+ * ftl/FTLExitValue.h:
+ * ftl/FTLJITCode.cpp:
+ (JSC::FTL::JITCode::dfgCommon):
+ (JSC::FTL::JITCode::validateReferences):
+ * ftl/FTLJITCode.h:
+ (JSC::FTL::JITCode::handles):
+ (JSC::FTL::JITCode::dataSections):
+ * ftl/FTLOSRExit.cpp:
+ (JSC::FTL::OSRExit::codeLocationForRepatch):
+ (JSC::FTL::OSRExit::validateReferences):
+ * ftl/FTLOSRExit.h:
+ (JSC::FTL::OSRExit::considerAddingAsFrequentExitSite):
+ * jit/JITCode.cpp:
+ (JSC::JITCode::typeName):
+ (JSC::JITCode::validateReferences):
+ (JSC::JITCode::execute):
+ * jit/JITCode.h:
+ (JSC::JITCode::start):
+ * tests/stress/dead-osr-entry-value.js: Added.
+ (foo):
+
</ins><span class="cx"> 2015-07-09 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> It should be possible to run the OSR exit fuzzer
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorevcxprojJavaScriptCorevcxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.vcxproj/JavaScriptCore.vcxproj 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -351,6 +351,7 @@
</span><span class="cx"> <ClCompile Include="..\bytecode\StructureStubClearingWatchpoint.cpp" />
</span><span class="cx"> <ClCompile Include="..\bytecode\StructureStubInfo.cpp" />
</span><span class="cx"> <ClCompile Include="..\bytecode\ToThisStatus.cpp" />
</span><ins>+ <ClCompile Include="..\bytecode\TrackedReferences.cpp" />
</ins><span class="cx"> <ClCompile Include="..\bytecode\UnlinkedCodeBlock.cpp" />
</span><span class="cx"> <ClCompile Include="..\bytecode\UnlinkedInstructionStream.cpp" />
</span><span class="cx"> <ClCompile Include="..\bytecode\ValueRecovery.cpp" />
</span><span class="lines">@@ -431,6 +432,7 @@
</span><span class="cx"> <ClCompile Include="..\dfg\DFGLongLivedState.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGLoopPreHeaderCreationPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGMayExit.cpp" />
</span><ins>+ <ClCompile Include="..\dfg\DFGMinifiedGraph.cpp" />
</ins><span class="cx"> <ClCompile Include="..\dfg\DFGMinifiedNode.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGMovHintRemovalPhase.cpp" />
</span><span class="cx"> <ClCompile Include="..\dfg\DFGNaiveDominators.cpp" />
</span><span class="lines">@@ -1012,6 +1014,7 @@
</span><span class="cx"> <ClInclude Include="..\bytecode\StructureStubClearingWatchpoint.h" />
</span><span class="cx"> <ClInclude Include="..\bytecode\StructureStubInfo.h" />
</span><span class="cx"> <ClInclude Include="..\bytecode\ToThisStatus.h" />
</span><ins>+ <ClInclude Include="..\bytecode\TrackedReferences.h" />
</ins><span class="cx"> <ClInclude Include="..\bytecode\TypeLocation.h" />
</span><span class="cx"> <ClInclude Include="..\bytecode\UnlinkedCodeBlock.h" />
</span><span class="cx"> <ClInclude Include="..\bytecode\UnlinkedInstructionStream.h" />
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -106,6 +106,7 @@
</span><span class="cx"> 0F13912C16771C3D009CCB07 /* ProfilerProfiledBytecodes.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F13912716771C30009CCB07 /* ProfilerProfiledBytecodes.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F13E04E16164A1F00DC8DE7 /* IndexingType.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F13E04C16164A1B00DC8DE7 /* IndexingType.cpp */; };
</span><span class="cx"> 0F15F15F14B7A73E005DE37D /* CommonSlowPaths.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F15F15D14B7A73A005DE37D /* CommonSlowPaths.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 0F1725FF1B48719A00AC3A55 /* DFGMinifiedGraph.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F1725FE1B48719A00AC3A55 /* DFGMinifiedGraph.cpp */; };
</ins><span class="cx"> 0F190CAC189D82F6000AE5F0 /* ProfilerJettisonReason.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F190CAA189D82F6000AE5F0 /* ProfilerJettisonReason.cpp */; };
</span><span class="cx"> 0F190CAD189D82F6000AE5F0 /* ProfilerJettisonReason.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F190CAB189D82F6000AE5F0 /* ProfilerJettisonReason.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F1DD84A18A945BE0026F3FA /* JSCInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F1DD84918A945BE0026F3FA /* JSCInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -451,6 +452,8 @@
</span><span class="cx"> 0F9332A514CA7DDD0085F3C6 /* StructureSet.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F93329B14CA7DC10085F3C6 /* StructureSet.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F93B4A918B92C4D00178A3F /* PutByIdVariant.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F93B4A718B92C4D00178A3F /* PutByIdVariant.cpp */; };
</span><span class="cx"> 0F93B4AA18B92C4D00178A3F /* PutByIdVariant.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F93B4A818B92C4D00178A3F /* PutByIdVariant.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+ 0F952ABC1B487A7700C367C5 /* TrackedReferences.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F952ABA1B487A7700C367C5 /* TrackedReferences.cpp */; };
+ 0F952ABD1B487A7700C367C5 /* TrackedReferences.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F952ABB1B487A7700C367C5 /* TrackedReferences.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx"> 0F963B3813FC6FE90002D9B2 /* ValueProfile.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F963B3613FC6FDE0002D9B2 /* ValueProfile.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F96EBB316676EF6008BADE3 /* CodeBlockWithJITType.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F96EBB116676EF4008BADE3 /* CodeBlockWithJITType.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx"> 0F9749711687ADE400A4FF6A /* JSCellInlines.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F97496F1687ADE200A4FF6A /* JSCellInlines.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -1848,6 +1851,7 @@
</span><span class="cx"> 0F13912716771C30009CCB07 /* ProfilerProfiledBytecodes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ProfilerProfiledBytecodes.h; path = profiler/ProfilerProfiledBytecodes.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F13E04C16164A1B00DC8DE7 /* IndexingType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = IndexingType.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F15F15D14B7A73A005DE37D /* CommonSlowPaths.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CommonSlowPaths.h; sourceTree = "<group>"; };
</span><ins>+ 0F1725FE1B48719A00AC3A55 /* DFGMinifiedGraph.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGMinifiedGraph.cpp; path = dfg/DFGMinifiedGraph.cpp; sourceTree = "<group>"; };
</ins><span class="cx"> 0F190CAA189D82F6000AE5F0 /* ProfilerJettisonReason.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = ProfilerJettisonReason.cpp; path = profiler/ProfilerJettisonReason.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F190CAB189D82F6000AE5F0 /* ProfilerJettisonReason.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = ProfilerJettisonReason.h; path = profiler/ProfilerJettisonReason.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F1DD84918A945BE0026F3FA /* JSCInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCInlines.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -2191,6 +2195,8 @@
</span><span class="cx"> 0F93329B14CA7DC10085F3C6 /* StructureSet.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StructureSet.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F93B4A718B92C4D00178A3F /* PutByIdVariant.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = PutByIdVariant.cpp; sourceTree = "<group>"; };
</span><span class="cx"> 0F93B4A818B92C4D00178A3F /* PutByIdVariant.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = PutByIdVariant.h; sourceTree = "<group>"; };
</span><ins>+ 0F952ABA1B487A7700C367C5 /* TrackedReferences.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = TrackedReferences.cpp; sourceTree = "<group>"; };
+ 0F952ABB1B487A7700C367C5 /* TrackedReferences.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TrackedReferences.h; sourceTree = "<group>"; };
</ins><span class="cx"> 0F963B3613FC6FDE0002D9B2 /* ValueProfile.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ValueProfile.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F96EBB116676EF4008BADE3 /* CodeBlockWithJITType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CodeBlockWithJITType.h; sourceTree = "<group>"; };
</span><span class="cx"> 0F97496F1687ADE200A4FF6A /* JSCellInlines.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JSCellInlines.h; sourceTree = "<group>"; };
</span><span class="lines">@@ -5002,6 +5008,7 @@
</span><span class="cx"> 0F5874EB194FEB1200AAB2C1 /* DFGMayExit.cpp */,
</span><span class="cx"> 0F5874EC194FEB1200AAB2C1 /* DFGMayExit.h */,
</span><span class="cx"> A704D90217A0BAA8006BA554 /* DFGMergeMode.h */,
</span><ins>+ 0F1725FE1B48719A00AC3A55 /* DFGMinifiedGraph.cpp */,
</ins><span class="cx"> 0F2BDC3D1522801700CD8910 /* DFGMinifiedGraph.h */,
</span><span class="cx"> 0FB4B51016B3A964003F696B /* DFGMinifiedID.h */,
</span><span class="cx"> 0F2BDC4C1522818300CD8910 /* DFGMinifiedNode.cpp */,
</span><span class="lines">@@ -5284,6 +5291,8 @@
</span><span class="cx"> 0F426A4A1460CD6B00131F8F /* DataFormat.h */,
</span><span class="cx"> 0FC712DC17CD8778008CC93C /* DeferredCompilationCallback.cpp */,
</span><span class="cx"> 0FC712DD17CD8778008CC93C /* DeferredCompilationCallback.h */,
</span><ins>+ FE5068661AE25E280009DAB7 /* DeferredSourceDump.cpp */,
+ FE5068641AE246390009DAB7 /* DeferredSourceDump.h */,
</ins><span class="cx"> 0FBC0AE41496C7C100D4FBDD /* DFGExitProfile.cpp */,
</span><span class="cx"> 0FBC0AE51496C7C100D4FBDD /* DFGExitProfile.h */,
</span><span class="cx"> 969A07920ED1D3AE00F1F681 /* EvalCodeCache.h */,
</span><span class="lines">@@ -5331,8 +5340,6 @@
</span><span class="cx"> 0FF60AC016740F8100029779 /* ReduceWhitespace.h */,
</span><span class="cx"> 1429D8830ED21C3D00B89619 /* SamplingTool.cpp */,
</span><span class="cx"> 1429D8840ED21C3D00B89619 /* SamplingTool.h */,
</span><del>- FE5068661AE25E280009DAB7 /* DeferredSourceDump.cpp */,
- FE5068641AE246390009DAB7 /* DeferredSourceDump.h */,
</del><span class="cx"> 0F5541AF1613C1FB00CE3E25 /* SpecialPointer.cpp */,
</span><span class="cx"> 0F5541B01613C1FB00CE3E25 /* SpecialPointer.h */,
</span><span class="cx"> 0FD82E84141F3FDA00179C94 /* SpeculatedType.cpp */,
</span><span class="lines">@@ -5345,6 +5352,8 @@
</span><span class="cx"> BCCF0D070EF0AAB900413C8F /* StructureStubInfo.h */,
</span><span class="cx"> 0F2D4DE519832DAC007D4B19 /* ToThisStatus.cpp */,
</span><span class="cx"> 0F2D4DE619832DAC007D4B19 /* ToThisStatus.h */,
</span><ins>+ 0F952ABA1B487A7700C367C5 /* TrackedReferences.cpp */,
+ 0F952ABB1B487A7700C367C5 /* TrackedReferences.h */,
</ins><span class="cx"> 0F2D4DE719832DAC007D4B19 /* TypeLocation.h */,
</span><span class="cx"> A79E781E15EECBA80047C855 /* UnlinkedCodeBlock.cpp */,
</span><span class="cx"> A79E781F15EECBA80047C855 /* UnlinkedCodeBlock.h */,
</span><span class="lines">@@ -6060,6 +6069,7 @@
</span><span class="cx"> A5840E29187CA5E600843B10 /* inline-and-minify-stylesheets-and-scripts.py in Headers */,
</span><span class="cx"> 0F24E55617F0B71C00ABB217 /* InlineCallFrameSet.h in Headers */,
</span><span class="cx"> 99E45A2718A1B2590026D88F /* InputCursor.h in Headers */,
</span><ins>+ 0F952ABD1B487A7700C367C5 /* TrackedReferences.h in Headers */,
</ins><span class="cx"> A593CF7F1840362C00BFCE27 /* InspectorAgentBase.h in Headers */,
</span><span class="cx"> 0F3E01AB19D353A500F61B7F /* DFGPrePostNumbering.h in Headers */,
</span><span class="cx"> A593CF87184038CA00BFCE27 /* InspectorAgentRegistry.h in Headers */,
</span><span class="lines">@@ -7480,6 +7490,7 @@
</span><span class="cx"> 655EB29B10CE2581001A990E /* NodesCodegen.cpp in Sources */,
</span><span class="cx"> 6546F5211A32B313006F07D5 /* NullGetterFunction.cpp in Sources */,
</span><span class="cx"> 65525FC51A6DD801007B5495 /* NullSetterFunction.cpp in Sources */,
</span><ins>+ 0F1725FF1B48719A00AC3A55 /* DFGMinifiedGraph.cpp in Sources */,
</ins><span class="cx"> 14469DE2107EC7E700650446 /* NumberConstructor.cpp in Sources */,
</span><span class="cx"> 14469DE3107EC7E700650446 /* NumberObject.cpp in Sources */,
</span><span class="cx"> 14469DE4107EC7E700650446 /* NumberPrototype.cpp in Sources */,
</span><span class="lines">@@ -7555,6 +7566,7 @@
</span><span class="cx"> A54CF2F5184EAB2400237F19 /* ScriptValue.cpp in Sources */,
</span><span class="cx"> A7299DA517D12858005F5FF9 /* SetConstructor.cpp in Sources */,
</span><span class="cx"> 0FD1202F1A8AED12000F5280 /* FTLJSCallBase.cpp in Sources */,
</span><ins>+ 0F952ABC1B487A7700C367C5 /* TrackedReferences.cpp in Sources */,
</ins><span class="cx"> A790DD6D182F499700588807 /* SetIteratorPrototype.cpp in Sources */,
</span><span class="cx"> A7299DA117D12848005F5FF9 /* SetPrototype.cpp in Sources */,
</span><span class="cx"> 0F2B670417B6B5AB00A7AE3F /* SimpleTypedArrayController.cpp in Sources */,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -2801,6 +2801,13 @@
</span><span class="cx">
</span><span class="cx"> #if ENABLE(DFG_JIT)
</span><span class="cx"> if (JITCode::isOptimizingJIT(jitType())) {
</span><ins>+ // FIXME: This is an antipattern for two reasons. References introduced by the DFG
+ // that aren't in the original CodeBlock being compiled should be weakly referenced.
+ // Inline call frames aren't in the original CodeBlock, so they qualify as weak. Also,
+ // those weak references should already be tracked in the DFG as weak FrozenValues. So,
+ // there is probably no need for this. We already have assertions that this should be
+ // unnecessary.
+ // https://bugs.webkit.org/show_bug.cgi?id=146613
</ins><span class="cx"> DFG::CommonData* dfgCommon = m_jitCode->dfgCommon();
</span><span class="cx"> if (dfgCommon->inlineCallFrames.get())
</span><span class="cx"> dfgCommon->inlineCallFrames->visitAggregate(visitor);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeOrigincpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeOrigin.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeOrigin.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/bytecode/CodeOrigin.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -150,6 +150,15 @@
</span><span class="cx">
</span><span class="cx"> void InlineCallFrame::visitAggregate(SlotVisitor& visitor)
</span><span class="cx"> {
</span><ins>+ // FIXME: This is an antipattern for two reasons. References introduced by the DFG
+ // that aren't in the original CodeBlock being compiled should be weakly referenced.
+ // Inline call frames aren't in the original CodeBlock, so they qualify as weak. Also,
+ // those weak references should already be tracked in the DFG as weak FrozenValues. So,
+ // there is probably no need for this. We already have assertions that this should be
+ // unnecessary. Finally, just marking the executable and not anything else in the inline
+ // call frame is almost certainly insufficient for what this method thought it was going
+ // to accomplish.
+ // https://bugs.webkit.org/show_bug.cgi?id=146613
</ins><span class="cx"> visitor.append(&executable);
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeOperandsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/Operands.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/Operands.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/bytecode/Operands.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2012, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2012, 2013, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -149,6 +149,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> const T& operand(int operand) const { return const_cast<const T&>(const_cast<Operands*>(this)->operand(operand)); }
</span><ins>+ const T& operand(VirtualRegister operand) const { return const_cast<const T&>(const_cast<Operands*>(this)->operand(operand)); }
</ins><span class="cx">
</span><span class="cx"> bool hasOperand(int operand) const
</span><span class="cx"> {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeStructureSetcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/StructureSet.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/StructureSet.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/bytecode/StructureSet.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -27,6 +27,7 @@
</span><span class="cx"> #include "StructureSet.h"
</span><span class="cx">
</span><span class="cx"> #include "DFGAbstractValue.h"
</span><ins>+#include "TrackedReferences.h"
</ins><span class="cx"> #include <wtf/CommaPrinter.h>
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="lines">@@ -96,5 +97,13 @@
</span><span class="cx"> dumpInContext(out, nullptr);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void StructureSet::validateReferences(const TrackedReferences& trackedReferences) const
+{
+ forEach(
+ [&] (Structure* structure) {
+ trackedReferences.check(structure);
+ });
+}
+
</ins><span class="cx"> } // namespace JSC
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeStructureSeth"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/StructureSet.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/StructureSet.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/bytecode/StructureSet.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -27,13 +27,15 @@
</span><span class="cx"> #define StructureSet_h
</span><span class="cx">
</span><span class="cx"> #include "ArrayProfile.h"
</span><ins>+#include "DumpContext.h"
</ins><span class="cx"> #include "SpeculatedType.h"
</span><span class="cx"> #include "Structure.h"
</span><del>-#include "DumpContext.h"
</del><span class="cx"> #include <wtf/TinyPtrSet.h>
</span><span class="cx">
</span><span class="cx"> namespace JSC {
</span><span class="cx">
</span><ins>+class TrackedReferences;
+
</ins><span class="cx"> namespace DFG {
</span><span class="cx"> class StructureAbstractValue;
</span><span class="cx"> struct AbstractValue;
</span><span class="lines">@@ -77,6 +79,8 @@
</span><span class="cx">
</span><span class="cx"> void dumpInContext(PrintStream&, DumpContext*) const;
</span><span class="cx"> void dump(PrintStream&) const;
</span><ins>+
+ void validateReferences(const TrackedReferences&) const;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } // namespace JSC
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeTrackedReferencescpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/bytecode/TrackedReferences.cpp (0 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/TrackedReferences.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/bytecode/TrackedReferences.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -0,0 +1,81 @@
</span><ins>+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "TrackedReferences.h"
+
+#include "JSCInlines.h"
+#include <wtf/CommaPrinter.h>
+
+namespace JSC {
+
+TrackedReferences::TrackedReferences()
+{
+}
+
+TrackedReferences::~TrackedReferences()
+{
+}
+
+void TrackedReferences::add(JSCell* cell)
+{
+ if (cell)
+ m_references.add(cell);
+}
+
+void TrackedReferences::add(JSValue value)
+{
+ if (value.isCell())
+ add(value.asCell());
+}
+
+void TrackedReferences::check(JSCell* cell) const
+{
+ if (!cell)
+ return;
+
+ if (m_references.contains(cell))
+ return;
+
+ dataLog("Found untracked reference: ", RawPointer(cell), "\n");
+ dataLog("All tracked references: ", *this, "\n");
+ RELEASE_ASSERT_NOT_REACHED();
+}
+
+void TrackedReferences::check(JSValue value) const
+{
+ if (value.isCell())
+ check(value.asCell());
+}
+
+void TrackedReferences::dump(PrintStream& out) const
+{
+ CommaPrinter comma;
+ for (JSCell* cell : m_references)
+ out.print(comma, RawPointer(cell));
+}
+
+} // namespace JSC
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeTrackedReferencesh"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/bytecode/TrackedReferences.h (0 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/TrackedReferences.h (rev 0)
+++ trunk/Source/JavaScriptCore/bytecode/TrackedReferences.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -0,0 +1,56 @@
</span><ins>+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef TrackedReferences_h
+#define TrackedReferences_h
+
+#include "JSCJSValue.h"
+#include "JSCell.h"
+#include <wtf/HashSet.h>
+#include <wtf/PrintStream.h>
+
+namespace JSC {
+
+class TrackedReferences {
+public:
+ TrackedReferences();
+ ~TrackedReferences();
+
+ void add(JSCell*);
+ void add(JSValue);
+
+ void check(JSCell*) const;
+ void check(JSValue) const;
+
+ void dump(PrintStream&) const;
+
+private:
+ HashSet<JSCell*> m_references;
+};
+
+} // namespace JSC
+
+#endif // TrackedReferences_h
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx">
</span><span class="cx"> #include "DFGGraph.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><ins>+#include "TrackedReferences.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx">
</span><span class="lines">@@ -47,24 +48,6 @@
</span><span class="cx"> checkConsistency();
</span><span class="cx"> }
</span><span class="cx">
</span><del>-void AbstractValue::setOSREntryValue(Graph& graph, const FrozenValue& value)
-{
- if (!!value && value.value().isCell()) {
- Structure* structure = value.structure();
- m_structure = structure;
- m_arrayModes = asArrayModes(structure->indexingType());
- } else {
- m_structure.clear();
- m_arrayModes = 0;
- }
-
- m_type = speculationFromValue(value.value());
- m_value = value.value();
-
- checkConsistency();
- assertIsRegistered(graph);
-}
-
</del><span class="cx"> void AbstractValue::set(Graph& graph, const FrozenValue& value, StructureClobberState clobberState)
</span><span class="cx"> {
</span><span class="cx"> if (!!value && value.value().isCell()) {
</span><span class="lines">@@ -172,6 +155,40 @@
</span><span class="cx"> fixTypeForRepresentation(graph, node->result(), node);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool AbstractValue::mergeOSREntryValue(Graph& graph, JSValue value)
+{
+ AbstractValue oldMe = *this;
+
+ if (isClear()) {
+ FrozenValue* frozenValue = graph.freeze(value);
+ if (frozenValue->pointsToHeap()) {
+ m_structure = frozenValue->structure();
+ m_arrayModes = asArrayModes(frozenValue->structure()->indexingType());
+ } else {
+ m_structure.clear();
+ m_arrayModes = 0;
+ }
+
+ m_type = speculationFromValue(value);
+ m_value = value;
+ } else {
+ mergeSpeculation(m_type, speculationFromValue(value));
+ if (!!value && value.isCell()) {
+ Structure* structure = value.asCell()->structure();
+ graph.registerStructure(structure);
+ mergeArrayModes(m_arrayModes, asArrayModes(structure->indexingType()));
+ m_structure.merge(StructureSet(structure));
+ }
+ if (m_value != value)
+ m_value = JSValue();
+ }
+
+ checkConsistency();
+ assertIsRegistered(graph);
+
+ return oldMe != *this;
+}
+
</ins><span class="cx"> FiltrationResult AbstractValue::filter(Graph& graph, const StructureSet& other)
</span><span class="cx"> {
</span><span class="cx"> if (isClear())
</span><span class="lines">@@ -424,6 +441,12 @@
</span><span class="cx"> out.print(")");
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void AbstractValue::validateReferences(const TrackedReferences& trackedReferences)
+{
+ trackedReferences.check(m_value);
+ m_structure.validateReferences(trackedReferences);
+}
+
</ins><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGAbstractValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -39,8 +39,12 @@
</span><span class="cx"> #include "DumpContext.h"
</span><span class="cx"> #include "StructureSet.h"
</span><span class="cx">
</span><del>-namespace JSC { namespace DFG {
</del><ins>+namespace JSC {
</ins><span class="cx">
</span><ins>+class TrackedReferences;
+
+namespace DFG {
+
</ins><span class="cx"> class Graph;
</span><span class="cx"> struct Node;
</span><span class="cx">
</span><span class="lines">@@ -193,8 +197,6 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void setOSREntryValue(Graph&, const FrozenValue&);
-
</del><span class="cx"> void set(Graph&, const FrozenValue&, StructureClobberState);
</span><span class="cx"> void set(Graph&, Structure*);
</span><span class="cx"> void set(Graph&, const StructureSet&);
</span><span class="lines">@@ -254,6 +256,8 @@
</span><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ bool mergeOSREntryValue(Graph&, JSValue);
+
</ins><span class="cx"> void merge(SpeculatedType type)
</span><span class="cx"> {
</span><span class="cx"> mergeSpeculation(m_type, type);
</span><span class="lines">@@ -330,6 +334,8 @@
</span><span class="cx"> void dumpInContext(PrintStream&, DumpContext*) const;
</span><span class="cx"> void dump(PrintStream&) const;
</span><span class="cx">
</span><ins>+ void validateReferences(const TrackedReferences&);
+
</ins><span class="cx"> // This is a proven constraint on the structures that this value can have right
</span><span class="cx"> // now. The structure of the current value must belong to this set. The set may
</span><span class="cx"> // be TOP, indicating that it is the set of all possible structures, in which
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGByteCodeParsercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -4022,6 +4022,7 @@
</span><span class="cx"> ASSERT(callsiteBlockHead);
</span><span class="cx">
</span><span class="cx"> m_inlineCallFrame = byteCodeParser->m_graph.m_plan.inlineCallFrames->add();
</span><ins>+ byteCodeParser->m_graph.freeze(codeBlock->ownerExecutable());
</ins><span class="cx"> initializeLazyWriteBarrierForInlineCallFrameExecutable(
</span><span class="cx"> byteCodeParser->m_graph.m_plan.writeBarriers,
</span><span class="cx"> m_inlineCallFrame->executable,
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCFAPhasecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2013, 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -80,12 +80,52 @@
</span><span class="cx"> } while (m_changed);
</span><span class="cx">
</span><span class="cx"> if (m_graph.m_form != SSA) {
</span><ins>+ ASSERT(!m_changed);
+
+ // Widen the abstract values at the block that serves as the must-handle OSR entry.
+ for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
+ BasicBlock* block = m_graph.block(blockIndex);
+ if (!block)
+ continue;
+
+ if (!block->isOSRTarget)
+ continue;
+ if (block->bytecodeBegin != m_graph.m_plan.osrEntryBytecodeIndex)
+ continue;
+
+ bool changed = false;
+ for (size_t i = m_graph.m_plan.mustHandleValues.size(); i--;) {
+ int operand = m_graph.m_plan.mustHandleValues.operandForIndex(i);
+ JSValue value = m_graph.m_plan.mustHandleValues[i];
+ Node* node = block->variablesAtHead.operand(operand);
+ if (!node)
+ continue;
+
+ AbstractValue& target = block->valuesAtHead.operand(operand);
+ changed |= target.mergeOSREntryValue(m_graph, value);
+ target.fixTypeForRepresentation(
+ m_graph, resultFor(node->variableAccessData()->flushFormat()));
+ }
+
+ if (changed) {
+ m_changed = true;
+ block->cfaShouldRevisit = true;
+ }
+ }
+
+ // Propagate any of the changes we just introduced.
+ while (m_changed) {
+ m_changed = false;
+ performForwardCFA();
+ }
+
</ins><span class="cx"> // Make sure we record the intersection of all proofs that we ever allowed the
</span><span class="cx"> // compiler to rely upon.
</span><span class="cx"> for (BlockIndex blockIndex = m_graph.numBlocks(); blockIndex--;) {
</span><span class="cx"> BasicBlock* block = m_graph.block(blockIndex);
</span><span class="cx"> if (!block)
</span><span class="cx"> continue;
</span><ins>+
</ins><span class="cx"> block->intersectionOfCFAHasVisited &= block->cfaHasVisited;
</span><span class="cx"> for (unsigned i = block->intersectionOfPastValuesAtHead.size(); i--;)
</span><span class="cx"> block->intersectionOfPastValuesAtHead[i].filter(block->valuesAtHead[i]);
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCommonDatacpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCommonData.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCommonData.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGCommonData.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -32,6 +32,7 @@
</span><span class="cx"> #include "DFGNode.h"
</span><span class="cx"> #include "DFGPlan.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><ins>+#include "TrackedReferences.h"
</ins><span class="cx"> #include "VM.h"
</span><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="lines">@@ -72,6 +73,24 @@
</span><span class="cx"> return true;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void CommonData::validateReferences(const TrackedReferences& trackedReferences)
+{
+ if (InlineCallFrameSet* set = inlineCallFrames.get()) {
+ for (InlineCallFrame* inlineCallFrame : *set) {
+ for (ValueRecovery& recovery : inlineCallFrame->arguments) {
+ if (recovery.isConstant())
+ trackedReferences.check(recovery.constant());
+ }
+
+ if (ScriptExecutable* executable = inlineCallFrame->executable.get())
+ trackedReferences.check(executable);
+
+ if (inlineCallFrame->calleeRecovery.isConstant())
+ trackedReferences.check(inlineCallFrame->calleeRecovery.constant());
+ }
+ }
+}
+
</ins><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGCommonDatah"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGCommonData.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGCommonData.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGCommonData.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -41,6 +41,7 @@
</span><span class="cx">
</span><span class="cx"> class CodeBlock;
</span><span class="cx"> class Identifier;
</span><ins>+class TrackedReferences;
</ins><span class="cx">
</span><span class="cx"> namespace DFG {
</span><span class="cx">
</span><span class="lines">@@ -86,6 +87,8 @@
</span><span class="cx"> {
</span><span class="cx"> return std::max(frameRegisterCount, requiredRegisterCountForExit);
</span><span class="cx"> }
</span><ins>+
+ void validateReferences(const TrackedReferences&);
</ins><span class="cx">
</span><span class="cx"> RefPtr<InlineCallFrameSet> inlineCallFrames;
</span><span class="cx"> Vector<CodeOrigin, 0, UnsafeVectorOverflow> codeOrigins;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGFrozenValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGFrozenValue.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -41,14 +41,14 @@
</span><span class="cx"> public:
</span><span class="cx"> FrozenValue()
</span><span class="cx"> : m_structure(nullptr)
</span><del>- , m_strength(FragileValue)
</del><ins>+ , m_strength(WeakValue)
</ins><span class="cx"> {
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> FrozenValue(JSValue value)
</span><span class="cx"> : m_value(value)
</span><span class="cx"> , m_structure(nullptr)
</span><del>- , m_strength(FragileValue)
</del><ins>+ , m_strength(WeakValue)
</ins><span class="cx"> {
</span><span class="cx"> RELEASE_ASSERT(!value || !value.isCell());
</span><span class="cx"> }
</span><span class="lines">@@ -60,7 +60,7 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT((!!value && value.isCell()) == !!structure);
</span><span class="cx"> ASSERT(!value || !value.isCell() || value.asCell()->classInfo() == structure->classInfo());
</span><del>- ASSERT(!!structure || (strength == FragileValue));
</del><ins>+ ASSERT(!!structure || (strength == WeakValue));
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> static FrozenValue* emptySingleton();
</span><span class="lines">@@ -89,12 +89,9 @@
</span><span class="cx"> m_strength = merge(m_strength, strength);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- // The strength of the value itself. The structure should be viewed as fragile
- // except if it is watched, in which case it's weak. Note that currently we
- // watch all watchable structures indiscriminantly, and so we also mark them
- // weakly. We could improve on this: any optimization that makes use of a
- // structure could signal that it has done so, and we could avoid watching
- // watchable structures that we had never marked in such a way.
</del><ins>+ bool pointsToHeap() const { return !!value() && value().isCell(); }
+
+ // The strength of the value itself. The structure is almost always weak.
</ins><span class="cx"> ValueStrength strength() const { return m_strength; }
</span><span class="cx">
</span><span class="cx"> void dumpInContext(PrintStream& out, DumpContext* context) const;
</span><span class="lines">@@ -116,7 +113,7 @@
</span><span class="cx"> return FrozenValue(
</span><span class="cx"> value,
</span><span class="cx"> (!!value && value.isCell()) ? value.asCell()->structure() : nullptr,
</span><del>- FragileValue);
</del><ins>+ WeakValue);
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> JSValue m_value;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -62,7 +62,6 @@
</span><span class="cx"> , m_codeBlock(m_plan.codeBlock.get())
</span><span class="cx"> , m_profiledBlock(m_codeBlock->alternative())
</span><span class="cx"> , m_allocator(longLivedState.m_allocator)
</span><del>- , m_mustHandleValues(OperandsLike, plan.mustHandleValues)
</del><span class="cx"> , m_nextMachineLocal(0)
</span><span class="cx"> , m_fixpointState(BeforeFixpoint)
</span><span class="cx"> , m_structureRegistrationState(HaveNotStartedRegistering)
</span><span class="lines">@@ -72,9 +71,6 @@
</span><span class="cx"> {
</span><span class="cx"> ASSERT(m_profiledBlock);
</span><span class="cx">
</span><del>- for (unsigned i = m_mustHandleValues.size(); i--;)
- m_mustHandleValues[i] = freezeFragile(plan.mustHandleValues[i]);
-
</del><span class="cx"> m_hasDebuggerEnabled = m_profiledBlock->globalObject()->hasDebugger()
</span><span class="cx"> || Options::forceDebuggerBytecodeGeneration();
</span><span class="cx"> }
</span><span class="lines">@@ -529,6 +525,12 @@
</span><span class="cx"> out.print("\n");
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+ out.print("GC Values:\n");
+ for (FrozenValue* value : m_frozenValues) {
+ if (value->pointsToHeap())
+ out.print(" ", inContext(*value, &myContext), "\n");
+ }
+
</ins><span class="cx"> if (!myContext.isEmpty()) {
</span><span class="cx"> myContext.dump(out);
</span><span class="cx"> out.print("\n");
</span><span class="lines">@@ -1106,13 +1108,13 @@
</span><span class="cx"> m_codeBlock->constants().resize(0);
</span><span class="cx"> m_codeBlock->constantsSourceCodeRepresentation().resize(0);
</span><span class="cx"> for (FrozenValue* value : m_frozenValues) {
</span><del>- if (value->structure())
- ASSERT(m_plan.weakReferences.contains(value->structure()));
</del><ins>+ if (!value->pointsToHeap())
+ continue;
</ins><span class="cx">
</span><ins>+ ASSERT(value->structure());
+ ASSERT(m_plan.weakReferences.contains(value->structure()));
+
</ins><span class="cx"> switch (value->strength()) {
</span><del>- case FragileValue: {
- break;
- }
</del><span class="cx"> case WeakValue: {
</span><span class="cx"> m_plan.weakReferences.addLazily(value->value().asCell());
</span><span class="cx"> break;
</span><span class="lines">@@ -1202,7 +1204,7 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><del>-FrozenValue* Graph::freezeFragile(JSValue value)
</del><ins>+FrozenValue* Graph::freeze(JSValue value)
</ins><span class="cx"> {
</span><span class="cx"> if (UNLIKELY(!value))
</span><span class="cx"> return FrozenValue::emptySingleton();
</span><span class="lines">@@ -1221,16 +1223,9 @@
</span><span class="cx"> return result.iterator->value = m_frozenValues.add(frozenValue);
</span><span class="cx"> }
</span><span class="cx">
</span><del>-FrozenValue* Graph::freeze(JSValue value)
-{
- FrozenValue* result = freezeFragile(value);
- result->strengthenTo(WeakValue);
- return result;
-}
-
</del><span class="cx"> FrozenValue* Graph::freezeStrong(JSValue value)
</span><span class="cx"> {
</span><del>- FrozenValue* result = freezeFragile(value);
</del><ins>+ FrozenValue* result = freeze(value);
</ins><span class="cx"> result->strengthenTo(StrongValue);
</span><span class="cx"> return result;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGGraphh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGGraph.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGGraph.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -186,9 +186,8 @@
</span><span class="cx">
</span><span class="cx"> void dethread();
</span><span class="cx">
</span><del>- FrozenValue* freezeFragile(JSValue value);
- FrozenValue* freeze(JSValue value); // We use weak freezing by default. Shorthand for freezeFragile(value)->strengthenTo(WeakValue);
- FrozenValue* freezeStrong(JSValue value); // Shorthand for freezeFragile(value)->strengthenTo(StrongValue).
</del><ins>+ FrozenValue* freeze(JSValue); // We use weak freezing by default.
+ FrozenValue* freezeStrong(JSValue); // Shorthand for freeze(value)->strengthenTo(StrongValue).
</ins><span class="cx">
</span><span class="cx"> void convertToConstant(Node* node, FrozenValue* value);
</span><span class="cx"> void convertToConstant(Node* node, JSValue value);
</span><span class="lines">@@ -800,8 +799,6 @@
</span><span class="cx">
</span><span class="cx"> NodeAllocator& m_allocator;
</span><span class="cx">
</span><del>- Operands<FrozenValue*> m_mustHandleValues;
-
</del><span class="cx"> Vector< RefPtr<BasicBlock> , 8> m_blocks;
</span><span class="cx"> Vector<Edge, 16> m_varArgChildren;
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGInPlaceAbstractStatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -150,26 +150,6 @@
</span><span class="cx"> block->valuesAtHead.local(i).clear();
</span><span class="cx"> block->valuesAtTail.local(i).clear();
</span><span class="cx"> }
</span><del>- if (m_graph.m_form == SSA)
- continue;
- if (!block->isOSRTarget)
- continue;
- if (block->bytecodeBegin != m_graph.m_plan.osrEntryBytecodeIndex)
- continue;
- for (size_t i = 0; i < m_graph.m_mustHandleValues.size(); ++i) {
- int operand = m_graph.m_mustHandleValues.operandForIndex(i);
- Node* node = block->variablesAtHead.operand(operand);
- if (!node)
- continue;
- AbstractValue source;
- source.setOSREntryValue(m_graph, *m_graph.m_mustHandleValues[i]);
- AbstractValue& target = block->valuesAtHead.operand(operand);
- VariableAccessData* variable = node->variableAccessData();
- FlushFormat format = variable->flushFormat();
- target.merge(source);
- target.fixTypeForRepresentation(m_graph, resultFor(format));
- }
- block->cfaShouldRevisit = true;
</del><span class="cx"> }
</span><span class="cx"> if (m_graph.m_form == SSA) {
</span><span class="cx"> for (BlockIndex blockIndex = 0; blockIndex < m_graph.numBlocks(); ++blockIndex) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCodecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCode.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCode.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCode.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx">
</span><span class="cx"> #include "CodeBlock.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><ins>+#include "TrackedReferences.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx">
</span><span class="lines">@@ -170,6 +171,18 @@
</span><span class="cx"> }
</span><span class="cx"> #endif // ENABLE(FTL_JIT)
</span><span class="cx">
</span><ins>+void JITCode::validateReferences(const TrackedReferences& trackedReferences)
+{
+ common.validateReferences(trackedReferences);
+
+ for (OSREntryData& entry : osrEntry) {
+ for (unsigned i = entry.m_expectedValues.size(); i--;)
+ entry.m_expectedValues[i].validateReferences(trackedReferences);
+ }
+
+ minifiedDFG.validateReferences(trackedReferences);
+}
+
</ins><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCode.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCode.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCode.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -38,8 +38,12 @@
</span><span class="cx"> #include "JITCode.h"
</span><span class="cx"> #include <wtf/SegmentedVector.h>
</span><span class="cx">
</span><del>-namespace JSC { namespace DFG {
</del><ins>+namespace JSC {
</ins><span class="cx">
</span><ins>+class TrackedReferences;
+
+namespace DFG {
+
</ins><span class="cx"> class JITCompiler;
</span><span class="cx">
</span><span class="cx"> class JITCode : public DirectJITCode {
</span><span class="lines">@@ -107,6 +111,8 @@
</span><span class="cx"> void setOptimizationThresholdBasedOnCompilationResult(CodeBlock*, CompilationResult);
</span><span class="cx"> #endif // ENABLE(FTL_JIT)
</span><span class="cx">
</span><ins>+ void validateReferences(const TrackedReferences&) override;
+
</ins><span class="cx"> void shrinkToFit();
</span><span class="cx">
</span><span class="cx"> private:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilercpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -475,6 +475,54 @@
</span><span class="cx"> }
</span><span class="cx"> #endif
</span><span class="cx">
</span><ins>+void JITCompiler::noticeOSREntry(BasicBlock& basicBlock, JITCompiler::Label blockHead, LinkBuffer& linkBuffer)
+{
+ // OSR entry is not allowed into blocks deemed unreachable by control flow analysis.
+ if (!basicBlock.intersectionOfCFAHasVisited)
+ return;
+
+ OSREntryData* entry = m_jitCode->appendOSREntryData(basicBlock.bytecodeBegin, linkBuffer.offsetOf(blockHead));
+
+ entry->m_expectedValues = basicBlock.intersectionOfPastValuesAtHead;
+
+ // Fix the expected values: in our protocol, a dead variable will have an expected
+ // value of (None, []). But the old JIT may stash some values there. So we really
+ // need (Top, TOP).
+ for (size_t argument = 0; argument < basicBlock.variablesAtHead.numberOfArguments(); ++argument) {
+ Node* node = basicBlock.variablesAtHead.argument(argument);
+ if (!node || !node->shouldGenerate())
+ entry->m_expectedValues.argument(argument).makeHeapTop();
+ }
+ for (size_t local = 0; local < basicBlock.variablesAtHead.numberOfLocals(); ++local) {
+ Node* node = basicBlock.variablesAtHead.local(local);
+ if (!node || !node->shouldGenerate())
+ entry->m_expectedValues.local(local).makeHeapTop();
+ else {
+ VariableAccessData* variable = node->variableAccessData();
+ entry->m_machineStackUsed.set(variable->machineLocal().toLocal());
+
+ switch (variable->flushFormat()) {
+ case FlushedDouble:
+ entry->m_localsForcedDouble.set(local);
+ break;
+ case FlushedInt52:
+ entry->m_localsForcedMachineInt.set(local);
+ break;
+ default:
+ break;
+ }
+
+ if (variable->local() != variable->machineLocal()) {
+ entry->m_reshufflings.append(
+ OSREntryReshuffling(
+ variable->local().offset(), variable->machineLocal().offset()));
+ }
+ }
+ }
+
+ entry->m_reshufflings.shrinkToFit();
+}
+
</ins><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGJITCompilerh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGJITCompiler.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2013, 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2013-2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -265,53 +265,7 @@
</span><span class="cx"> #endif
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void noticeOSREntry(BasicBlock& basicBlock, JITCompiler::Label blockHead, LinkBuffer& linkBuffer)
- {
- // OSR entry is not allowed into blocks deemed unreachable by control flow analysis.
- if (!basicBlock.intersectionOfCFAHasVisited)
- return;
-
- OSREntryData* entry = m_jitCode->appendOSREntryData(basicBlock.bytecodeBegin, linkBuffer.offsetOf(blockHead));
-
- entry->m_expectedValues = basicBlock.intersectionOfPastValuesAtHead;
-
- // Fix the expected values: in our protocol, a dead variable will have an expected
- // value of (None, []). But the old JIT may stash some values there. So we really
- // need (Top, TOP).
- for (size_t argument = 0; argument < basicBlock.variablesAtHead.numberOfArguments(); ++argument) {
- Node* node = basicBlock.variablesAtHead.argument(argument);
- if (!node || !node->shouldGenerate())
- entry->m_expectedValues.argument(argument).makeHeapTop();
- }
- for (size_t local = 0; local < basicBlock.variablesAtHead.numberOfLocals(); ++local) {
- Node* node = basicBlock.variablesAtHead.local(local);
- if (!node || !node->shouldGenerate())
- entry->m_expectedValues.local(local).makeHeapTop();
- else {
- VariableAccessData* variable = node->variableAccessData();
- entry->m_machineStackUsed.set(variable->machineLocal().toLocal());
-
- switch (variable->flushFormat()) {
- case FlushedDouble:
- entry->m_localsForcedDouble.set(local);
- break;
- case FlushedInt52:
- entry->m_localsForcedMachineInt.set(local);
- break;
- default:
- break;
- }
-
- if (variable->local() != variable->machineLocal()) {
- entry->m_reshufflings.append(
- OSREntryReshuffling(
- variable->local().offset(), variable->machineLocal().offset()));
- }
- }
- }
-
- entry->m_reshufflings.shrinkToFit();
- }
</del><ins>+ void noticeOSREntry(BasicBlock&, JITCompiler::Label blockHead, LinkBuffer&);
</ins><span class="cx">
</span><span class="cx"> RefPtr<JITCode> jitCode() { return m_jitCode; }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGMinifiedGraphcpp"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/dfg/DFGMinifiedGraph.cpp (0 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGMinifiedGraph.cpp (rev 0)
+++ trunk/Source/JavaScriptCore/dfg/DFGMinifiedGraph.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -0,0 +1,53 @@
</span><ins>+/*
+ * Copyright (C) 2015 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "config.h"
+#include "DFGMinifiedGraph.h"
+
+#if ENABLE(DFG_JIT)
+
+#include "JSCInlines.h"
+#include "TrackedReferences.h"
+
+namespace JSC { namespace DFG {
+
+void MinifiedGraph::prepareAndShrink()
+{
+ std::sort(m_list.begin(), m_list.end(), MinifiedNode::compareByNodeIndex);
+ m_list.shrinkToFit();
+}
+
+void MinifiedGraph::validateReferences(const TrackedReferences& trackedReferences)
+{
+ for (MinifiedNode& node : m_list) {
+ if (node.hasConstant())
+ trackedReferences.check(node.constant());
+ }
+}
+
+} } // namespace JSC::DFG
+
+#endif // ENABLE(DFG_JIT)
+
</ins></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGMinifiedGraphh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGMinifiedGraph.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGMinifiedGraph.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGMinifiedGraph.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2012 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2012, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -33,8 +33,12 @@
</span><span class="cx"> #include <wtf/StdLibExtras.h>
</span><span class="cx"> #include <wtf/Vector.h>
</span><span class="cx">
</span><del>-namespace JSC { namespace DFG {
</del><ins>+namespace JSC {
</ins><span class="cx">
</span><ins>+class TrackedReferences;
+
+namespace DFG {
+
</ins><span class="cx"> class MinifiedGraph {
</span><span class="cx"> public:
</span><span class="cx"> MinifiedGraph() { }
</span><span class="lines">@@ -50,12 +54,10 @@
</span><span class="cx"> m_list.append(node);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void prepareAndShrink()
- {
- std::sort(m_list.begin(), m_list.end(), MinifiedNode::compareByNodeIndex);
- m_list.shrinkToFit();
- }
</del><ins>+ void prepareAndShrink();
</ins><span class="cx">
</span><ins>+ void validateReferences(const TrackedReferences&);
+
</ins><span class="cx"> private:
</span><span class="cx"> Vector<MinifiedNode> m_list;
</span><span class="cx"> };
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSREntrycpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSREntry.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2013, 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2013, 2014, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -35,9 +35,61 @@
</span><span class="cx"> #include "JIT.h"
</span><span class="cx"> #include "JSStackInlines.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><ins>+#include <wtf/CommaPrinter.h>
</ins><span class="cx">
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx">
</span><ins>+void OSREntryData::dumpInContext(PrintStream& out, DumpContext* context) const
+{
+ out.print("bc#", m_bytecodeIndex, ", machine code offset = ", m_machineCodeOffset);
+ out.print(", stack rules = [");
+
+ auto printOperand = [&] (VirtualRegister reg) {
+ out.print(inContext(m_expectedValues.operand(reg), context), " (");
+ VirtualRegister toReg;
+ bool overwritten = false;
+ for (OSREntryReshuffling reshuffling : m_reshufflings) {
+ if (reg == VirtualRegister(reshuffling.fromOffset)) {
+ toReg = VirtualRegister(reshuffling.toOffset);
+ break;
+ }
+ if (reg == VirtualRegister(reshuffling.toOffset))
+ overwritten = true;
+ }
+ if (!overwritten && !toReg.isValid())
+ toReg = reg;
+ if (toReg.isValid()) {
+ if (toReg.isLocal() && !m_machineStackUsed.get(toReg.toLocal()))
+ out.print("ignored");
+ else
+ out.print("maps to ", toReg);
+ } else
+ out.print("overwritten");
+ if (reg.isLocal() && m_localsForcedDouble.get(reg.toLocal()))
+ out.print(", forced double");
+ if (reg.isLocal() && m_localsForcedMachineInt.get(reg.toLocal()))
+ out.print(", forced machine int");
+ out.print(")");
+ };
+
+ CommaPrinter comma;
+ for (size_t argumentIndex = m_expectedValues.numberOfArguments(); argumentIndex--;) {
+ out.print(comma, "arg", argumentIndex, ":");
+ printOperand(virtualRegisterForArgument(argumentIndex));
+ }
+ for (size_t localIndex = 0; localIndex < m_expectedValues.numberOfLocals(); ++localIndex) {
+ out.print(comma, "loc", localIndex, ":");
+ printOperand(virtualRegisterForLocal(localIndex));
+ }
+
+ out.print("], machine stack used = ", m_machineStackUsed);
+}
+
+void OSREntryData::dump(PrintStream& out) const
+{
+ dumpInContext(out, nullptr);
+}
+
</ins><span class="cx"> void* prepareOSREntry(ExecState* exec, CodeBlock* codeBlock, unsigned bytecodeIndex)
</span><span class="cx"> {
</span><span class="cx"> ASSERT(JITCode::isOptimizingJIT(codeBlock->jitType()));
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGOSREntryh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGOSREntry.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGOSREntry.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGOSREntry.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2011, 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2011, 2013, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -60,6 +60,9 @@
</span><span class="cx"> BitVector m_localsForcedMachineInt;
</span><span class="cx"> Vector<OSREntryReshuffling> m_reshufflings;
</span><span class="cx"> BitVector m_machineStackUsed;
</span><ins>+
+ void dumpInContext(PrintStream&, DumpContext*) const;
+ void dump(PrintStream&) const;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> inline unsigned getOSREntryDataBytecodeIndex(OSREntryData* osrEntryData)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGPlancpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -76,6 +76,7 @@
</span><span class="cx"> #include "JSCInlines.h"
</span><span class="cx"> #include "OperandsInlines.h"
</span><span class="cx"> #include "ProfilerDatabase.h"
</span><ins>+#include "TrackedReferences.h"
</ins><span class="cx"> #include <wtf/CurrentTime.h>
</span><span class="cx">
</span><span class="cx"> #if ENABLE(FTL_JIT)
</span><span class="lines">@@ -536,6 +537,21 @@
</span><span class="cx">
</span><span class="cx"> reallyAdd(codeBlock->jitCode()->dfgCommon());
</span><span class="cx">
</span><ins>+ if (validationEnabled()) {
+ TrackedReferences trackedReferences;
+
+ for (WriteBarrier<JSCell>& reference : codeBlock->jitCode()->dfgCommon()->weakReferences)
+ trackedReferences.add(reference.get());
+ for (WriteBarrier<Structure>& reference : codeBlock->jitCode()->dfgCommon()->weakStructureReferences)
+ trackedReferences.add(reference.get());
+ for (WriteBarrier<Unknown>& constant : codeBlock->constants())
+ trackedReferences.add(constant.get());
+
+ // Check that any other references that we have anywhere in the JITCode are also
+ // tracked either strongly or weakly.
+ codeBlock->jitCode()->validateReferences(trackedReferences);
+ }
+
</ins><span class="cx"> return CompilationSuccessful;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJITcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1631,6 +1631,15 @@
</span><span class="cx"> m_jit.noticeOSREntry(*block, m_osrEntryHeads[osrEntryIndex++], linkBuffer);
</span><span class="cx"> }
</span><span class="cx"> ASSERT(osrEntryIndex == m_osrEntryHeads.size());
</span><ins>+
+ if (verboseCompilationEnabled()) {
+ DumpContext dumpContext;
+ dataLog("OSR Entries:\n");
+ for (OSREntryData& entryData : m_jit.jitCode()->osrEntry)
+ dataLog(" ", inContext(entryData, &dumpContext), "\n");
+ if (!dumpContext.isEmpty())
+ dumpContext.dump(WTF::dataFile());
+ }
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> void SpeculativeJIT::compileDoublePutByVal(Node* node, SpeculateCellOperand& base, SpeculateStrictInt32Operand& property)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGStructureAbstractValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -386,6 +386,13 @@
</span><span class="cx"> dumpInContext(out, 0);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void StructureAbstractValue::validateReferences(const TrackedReferences& trackedReferences) const
+{
+ if (isTop())
+ return;
+ m_set.validateReferences(trackedReferences);
+}
+
</ins><span class="cx"> } } // namespace JSC::DFG
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(DFG_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGStructureAbstractValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGStructureAbstractValue.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -34,8 +34,12 @@
</span><span class="cx"> #include "DumpContext.h"
</span><span class="cx"> #include "StructureSet.h"
</span><span class="cx">
</span><del>-namespace JSC { namespace DFG {
</del><ins>+namespace JSC {
</ins><span class="cx">
</span><ins>+class TrackedReferences;
+
+namespace DFG {
+
</ins><span class="cx"> class StructureAbstractValue {
</span><span class="cx"> public:
</span><span class="cx"> StructureAbstractValue() { }
</span><span class="lines">@@ -214,6 +218,8 @@
</span><span class="cx"> bool overlaps(const StructureSet& other) const;
</span><span class="cx"> bool overlaps(const StructureAbstractValue& other) const;
</span><span class="cx">
</span><ins>+ void validateReferences(const TrackedReferences&) const;
+
</ins><span class="cx"> private:
</span><span class="cx"> static const uintptr_t clobberedFlag = StructureSet::reservedFlag;
</span><span class="cx"> static const uintptr_t topValue = StructureSet::reservedValue;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGValidatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -252,6 +252,10 @@
</span><span class="cx"> VALIDATE((node), !variant.oldStructureForTransition()->dfgShouldWatch());
</span><span class="cx"> }
</span><span class="cx"> break;
</span><ins>+ case DoubleConstant:
+ case Int52Constant:
+ VALIDATE((node), node->isNumberConstant());
+ break;
</ins><span class="cx"> default:
</span><span class="cx"> break;
</span><span class="cx"> }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGValueStrengthcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGValueStrength.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGValueStrength.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGValueStrength.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -35,9 +35,6 @@
</span><span class="cx"> void printInternal(PrintStream& out, ValueStrength strength)
</span><span class="cx"> {
</span><span class="cx"> switch (strength) {
</span><del>- case FragileValue:
- out.print("Fragile");
- return;
</del><span class="cx"> case WeakValue:
</span><span class="cx"> out.print("Weak");
</span><span class="cx"> return;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGValueStrengthh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGValueStrength.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGValueStrength.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/dfg/DFGValueStrength.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2014 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2014, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -33,12 +33,6 @@
</span><span class="cx"> namespace JSC { namespace DFG {
</span><span class="cx">
</span><span class="cx"> enum ValueStrength {
</span><del>- // The value is known to the DFG but no optimizations have been performed that require the
- // value to be kept alive. All OSR entry values are fragile until we do some optimization that
- // uses them, like actually constant folding a variable to that value. By convention we say
- // that all non-cells are fragile.
- FragileValue,
-
</del><span class="cx"> // The value has been used for optimization and it arose through inference. We don't want the
</span><span class="cx"> // fact that we optimized the code to result in the GC keeping this value alive unnecessarily,
</span><span class="cx"> // so we'd rather kill the code and recompile than keep the object alive longer.
</span><span class="lines">@@ -52,18 +46,14 @@
</span><span class="cx"> inline ValueStrength merge(ValueStrength a, ValueStrength b)
</span><span class="cx"> {
</span><span class="cx"> switch (a) {
</span><del>- case FragileValue:
- return b;
</del><span class="cx"> case WeakValue:
</span><del>- if (b == StrongValue)
- return StrongValue;
- return WeakValue;
</del><ins>+ return b;
</ins><span class="cx"> case StrongValue:
</span><span class="cx"> return StrongValue;
</span><span class="cx"> }
</span><span class="cx"> RELEASE_ASSERT_NOT_REACHED();
</span><span class="cx">
</span><del>- return FragileValue;
</del><ins>+ return WeakValue;
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> } } // namespace JSC::DFG
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitPropertyValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -40,6 +40,11 @@
</span><span class="cx"> out.print(m_location, " => ", m_value);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void ExitPropertyValue::validateReferences(const TrackedReferences& trackedReferences) const
+{
+ m_value.validateReferences(trackedReferences);
+}
+
</ins><span class="cx"> } } // namespace JSC::FTL
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(FTL_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitPropertyValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitPropertyValue.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -31,8 +31,12 @@
</span><span class="cx"> #include "DFGPromotedHeapLocation.h"
</span><span class="cx"> #include "FTLExitValue.h"
</span><span class="cx">
</span><del>-namespace JSC { namespace FTL {
</del><ins>+namespace JSC {
</ins><span class="cx">
</span><ins>+class TrackedReferences;
+
+namespace FTL {
+
</ins><span class="cx"> class ExitPropertyValue {
</span><span class="cx"> public:
</span><span class="cx"> ExitPropertyValue()
</span><span class="lines">@@ -54,6 +58,8 @@
</span><span class="cx"> ExitPropertyValue withLocalsOffset(int offset) const;
</span><span class="cx">
</span><span class="cx"> void dump(PrintStream& out) const;
</span><ins>+
+ void validateReferences(const TrackedReferences&) const;
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> DFG::PromotedLocationDescriptor m_location;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitTimeObjectMaterializationcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -70,6 +70,12 @@
</span><span class="cx"> out.print(RawPointer(this), ":", Graph::opName(m_type), "(", listDump(m_properties), ")");
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void ExitTimeObjectMaterialization::validateReferences(const TrackedReferences& trackedReferences) const
+{
+ for (ExitPropertyValue value : m_properties)
+ value.validateReferences(trackedReferences);
+}
+
</ins><span class="cx"> } } // namespace JSC::FTL
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(FTL_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitTimeObjectMaterializationh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitTimeObjectMaterialization.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -33,8 +33,12 @@
</span><span class="cx"> #include "FTLExitValue.h"
</span><span class="cx"> #include <wtf/Noncopyable.h>
</span><span class="cx">
</span><del>-namespace JSC { namespace FTL {
</del><ins>+namespace JSC {
</ins><span class="cx">
</span><ins>+class TrackedReferences;
+
+namespace FTL {
+
</ins><span class="cx"> class ExitTimeObjectMaterialization {
</span><span class="cx"> WTF_MAKE_NONCOPYABLE(ExitTimeObjectMaterialization)
</span><span class="cx"> public:
</span><span class="lines">@@ -53,6 +57,8 @@
</span><span class="cx">
</span><span class="cx"> void dump(PrintStream& out) const;
</span><span class="cx">
</span><ins>+ void validateReferences(const TrackedReferences&) const;
+
</ins><span class="cx"> private:
</span><span class="cx"> DFG::NodeType m_type;
</span><span class="cx"> CodeOrigin m_origin;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitValue.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -30,6 +30,7 @@
</span><span class="cx">
</span><span class="cx"> #include "FTLExitTimeObjectMaterialization.h"
</span><span class="cx"> #include "JSCInlines.h"
</span><ins>+#include "TrackedReferences.h"
</ins><span class="cx">
</span><span class="cx"> namespace JSC { namespace FTL {
</span><span class="cx">
</span><span class="lines">@@ -126,6 +127,12 @@
</span><span class="cx"> dumpInContext(out, 0);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void ExitValue::validateReferences(const TrackedReferences& trackedReferences) const
+{
+ if (isConstant())
+ trackedReferences.check(constant());
+}
+
</ins><span class="cx"> } } // namespace JSC::FTL
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(FTL_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLExitValueh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLExitValue.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLExitValue.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLExitValue.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -34,8 +34,12 @@
</span><span class="cx"> #include "VirtualRegister.h"
</span><span class="cx"> #include <wtf/PrintStream.h>
</span><span class="cx">
</span><del>-namespace JSC { namespace FTL {
</del><ins>+namespace JSC {
</ins><span class="cx">
</span><ins>+class TrackedReferences;
+
+namespace FTL {
+
</ins><span class="cx"> // This is like ValueRecovery, but respects the way that the FTL does OSR
</span><span class="cx"> // exit: the live non-constant non-flushed values are passed as arguments
</span><span class="cx"> // to a noreturn tail call. ExitValue is hence mostly responsible for
</span><span class="lines">@@ -222,6 +226,8 @@
</span><span class="cx"> void dump(PrintStream&) const;
</span><span class="cx"> void dumpInContext(PrintStream&, DumpContext*) const;
</span><span class="cx">
</span><ins>+ void validateReferences(const TrackedReferences&) const;
+
</ins><span class="cx"> private:
</span><span class="cx"> ExitValueKind m_kind;
</span><span class="cx"> union {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLJITCodecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLJITCode.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLJITCode.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLJITCode.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -125,6 +125,14 @@
</span><span class="cx"> return &common;
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void JITCode::validateReferences(const TrackedReferences& trackedReferences)
+{
+ common.validateReferences(trackedReferences);
+
+ for (OSRExit& exit : osrExit)
+ exit.validateReferences(trackedReferences);
+}
+
</ins><span class="cx"> } } // namespace JSC::FTL
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(FTL_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLJITCodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLJITCode.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLJITCode.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLJITCode.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2015 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -47,8 +47,12 @@
</span><span class="cx">
</span><span class="cx"> #define SECTION_NAME(NAME) (SECTION_NAME_PREFIX NAME)
</span><span class="cx">
</span><del>-namespace JSC { namespace FTL {
</del><ins>+namespace JSC {
</ins><span class="cx">
</span><ins>+class TrackedReferences;
+
+namespace FTL {
+
</ins><span class="cx"> class JITCode : public JSC::JITCode {
</span><span class="cx"> public:
</span><span class="cx"> JITCode();
</span><span class="lines">@@ -67,6 +71,8 @@
</span><span class="cx"> void initializeArityCheckEntrypoint(CodeRef);
</span><span class="cx"> void initializeAddressForCall(CodePtr);
</span><span class="cx">
</span><ins>+ void validateReferences(const TrackedReferences&) override;
+
</ins><span class="cx"> const Vector<RefPtr<ExecutableMemoryHandle>>& handles() const { return m_handles; }
</span><span class="cx"> const Vector<RefPtr<DataSection>>& dataSections() const { return m_dataSections; }
</span><span class="cx">
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOSRExitcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOSRExit.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOSRExit.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLOSRExit.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -61,6 +61,15 @@
</span><span class="cx"> m_patchableCodeOffset);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void OSRExit::validateReferences(const TrackedReferences& trackedReferences)
+{
+ for (unsigned i = m_values.size(); i--;)
+ m_values[i].validateReferences(trackedReferences);
+
+ for (ExitTimeObjectMaterialization* materialization : m_materializations)
+ materialization->validateReferences(trackedReferences);
+}
+
</ins><span class="cx"> } } // namespace JSC::FTL
</span><span class="cx">
</span><span class="cx"> #endif // ENABLE(FTL_JIT)
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLOSRExith"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLOSRExit.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLOSRExit.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/ftl/FTLOSRExit.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -41,8 +41,12 @@
</span><span class="cx"> #include "ValueProfile.h"
</span><span class="cx"> #include "VirtualRegister.h"
</span><span class="cx">
</span><del>-namespace JSC { namespace FTL {
</del><ins>+namespace JSC {
</ins><span class="cx">
</span><ins>+class TrackedReferences;
+
+namespace FTL {
+
</ins><span class="cx"> // Tracks one OSR exit site within the FTL JIT. OSR exit in FTL works by deconstructing
</span><span class="cx"> // the crazy that is OSR down to simple SSA CFG primitives that any compiler backend
</span><span class="cx"> // (including of course LLVM) can grok and do meaningful things to. An exit is just a
</span><span class="lines">@@ -159,6 +163,8 @@
</span><span class="cx"> {
</span><span class="cx"> OSRExitBase::considerAddingAsFrequentExitSite(profiledCodeBlock, ExitFromFTL);
</span><span class="cx"> }
</span><ins>+
+ void validateReferences(const TrackedReferences&);
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } } // namespace JSC::FTL
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITCodecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITCode.cpp (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITCode.cpp 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/jit/JITCode.cpp 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -64,6 +64,10 @@
</span><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+void JITCode::validateReferences(const TrackedReferences&)
+{
+}
+
</ins><span class="cx"> JSValue JITCode::execute(VM* vm, ProtoCallFrame* protoCallFrame)
</span><span class="cx"> {
</span><span class="cx"> void* entryAddress;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorejitJITCodeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/jit/JITCode.h (186690 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/jit/JITCode.h 2015-07-10 21:17:47 UTC (rev 186690)
+++ trunk/Source/JavaScriptCore/jit/JITCode.h 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -46,6 +46,7 @@
</span><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> struct ProtoCallFrame;
</span><ins>+class TrackedReferences;
</ins><span class="cx"> class VM;
</span><span class="cx">
</span><span class="cx"> class JITCode : public ThreadSafeRefCounted<JITCode> {
</span><span class="lines">@@ -183,6 +184,8 @@
</span><span class="cx"> virtual FTL::JITCode* ftl();
</span><span class="cx"> virtual FTL::ForOSREntryJITCode* ftlForOSREntry();
</span><span class="cx">
</span><ins>+ virtual void validateReferences(const TrackedReferences&);
+
</ins><span class="cx"> JSValue execute(VM*, ProtoCallFrame*);
</span><span class="cx">
</span><span class="cx"> void* start() { return dataAddressAtOffset(0); }
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoretestsstressdeadosrentryvaluejs"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/dead-osr-entry-value.js (0 => 186691)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/dead-osr-entry-value.js (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/dead-osr-entry-value.js 2015-07-10 21:19:51 UTC (rev 186691)
</span><span class="lines">@@ -0,0 +1,16 @@
</span><ins>+function foo() {
+ var o = {f:42};
+ var result = 0;
+ OSRExit();
+ for (var i = 0; i < 10000; ++i) {
+ if (!DFGTrue())
+ result += o.f;
+ }
+ return result;
+}
+
+for (var i = 0; i < 1000; ++i) {
+ foo();
+ fullGC();
+}
+
</ins></span></pre>
</div>
</div>
</body>
</html>