<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[200906] trunk/Source/JavaScriptCore</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/200906">200906</a></dd>
<dt>Author</dt> <dd>sbarati@apple.com</dd>
<dt>Date</dt> <dd>2016-05-13 19:03:10 -0700 (Fri, 13 May 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>DFG/FTL have a few bugs in their reasoning about the scope
https://bugs.webkit.org/show_bug.cgi?id=157696
Reviewed by Benjamin Poulain.
1. When the debugger is enabled, it is easier for the DFG to reason
about the scope register by simply claiming all nodes read the scope
register. This prevents us from ever entering the runtime where we
may take a stack trace but there isn't a scope on the stack.
2. This patch fixes a bug where the FTL compilation wasn't properly
setting the CodeBlock register. It was only doing this when there
was inline data, but when the debugger is enabled, we never inline.
So this code just needed to be removed from that loop. It was never
right for it to be inside the loop.
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* ftl/FTLCompile.cpp:
(JSC::FTL::compile):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGClobberizeh">trunk/Source/JavaScriptCore/dfg/DFGClobberize.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreftlFTLCompilecpp">trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (200905 => 200906)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-05-14 00:20:24 UTC (rev 200905)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-05-14 02:03:10 UTC (rev 200906)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2016-05-13 Saam barati <sbarati@apple.com>
+
+ DFG/FTL have a few bugs in their reasoning about the scope
+ https://bugs.webkit.org/show_bug.cgi?id=157696
+
+ Reviewed by Benjamin Poulain.
+
+ 1. When the debugger is enabled, it is easier for the DFG to reason
+ about the scope register by simply claiming all nodes read the scope
+ register. This prevents us from ever entering the runtime where we
+ may take a stack trace but there isn't a scope on the stack.
+
+ 2. This patch fixes a bug where the FTL compilation wasn't properly
+ setting the CodeBlock register. It was only doing this when there
+ was inline data, but when the debugger is enabled, we never inline.
+ So this code just needed to be removed from that loop. It was never
+ right for it to be inside the loop.
+
+ * dfg/DFGClobberize.h:
+ (JSC::DFG::clobberize):
+ * ftl/FTLCompile.cpp:
+ (JSC::FTL::compile):
+
</ins><span class="cx"> 2016-05-13 Benjamin Poulain <bpoulain@apple.com>
</span><span class="cx">
</span><span class="cx"> [JSC] SetLocal without exit do not need phantoms
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoredfgDFGClobberizeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGClobberize.h (200905 => 200906)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-05-14 00:20:24 UTC (rev 200905)
+++ trunk/Source/JavaScriptCore/dfg/DFGClobberize.h 2016-05-14 02:03:10 UTC (rev 200906)
</span><span class="lines">@@ -117,6 +117,17 @@
</span><span class="cx"> if (inlineCallFrame->isVarargs())
</span><span class="cx"> read(AbstractHeap(Stack, inlineCallFrame->stackOffset + JSStack::ArgumentCount));
</span><span class="cx"> }
</span><ins>+
+ // We don't want to specifically account which nodes can read from the scope
+ // when the debugger is enabled. It's helpful to just claim all nodes do.
+ // Specifically, if a node allocates, this may call into the debugger's machinery.
+ // The debugger's machinery is free to take a stack trace and try to read from
+ // a scope which is expected to be flushed to the stack.
+ if (graph.hasDebuggerEnabled()) {
+ ASSERT(!node->origin.semantic.inlineCallFrame);
+ read(AbstractHeap(Stack, graph.m_codeBlock->scopeRegister()));
+ }
+
</ins><span class="cx">
</span><span class="cx"> switch (node->op()) {
</span><span class="cx"> case JSConstant:
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreftlFTLCompilecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp (200905 => 200906)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp 2016-05-14 00:20:24 UTC (rev 200905)
+++ trunk/Source/JavaScriptCore/ftl/FTLCompile.cpp 2016-05-14 02:03:10 UTC (rev 200906)
</span><span class="lines">@@ -103,9 +103,11 @@
</span><span class="cx"> inlineCallFrame->calleeRecovery.withLocalsOffset(localsOffset);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- if (graph.hasDebuggerEnabled())
- codeBlock->setScopeRegister(codeBlock->scopeRegister() + localsOffset);
</del><span class="cx"> }
</span><ins>+
+ if (graph.hasDebuggerEnabled())
+ codeBlock->setScopeRegister(codeBlock->scopeRegister() + localsOffset);
+
</ins><span class="cx"> for (OSRExitDescriptor& descriptor : state.jitCode->osrExitDescriptors) {
</span><span class="cx"> for (unsigned i = descriptor.m_values.size(); i--;)
</span><span class="cx"> descriptor.m_values[i] = descriptor.m_values[i].withLocalsOffset(localsOffset);
</span></span></pre>
</div>
</div>
</body>
</html>