<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[202689] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/202689">202689</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2016-06-30 11:13:26 -0700 (Thu, 30 Jun 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>Generators violate bytecode liveness validation
https://bugs.webkit.org/show_bug.cgi?id=159279
Reviewed by Yusuke Suzuki.
PerformanceTests:
Add Basic to our test harness.
Also made some cosmetic changes to the benchmark harness.
* ES6SampleBench/Basic/basic-tests.yaml: Added.
* ES6SampleBench/Basic/stress-test.js: Added.
(preciseTime):
* ES6SampleBench/driver.js:
(Driver):
(Driver.prototype.start):
(Driver.prototype.reportError):
* ES6SampleBench/glue.js:
* ES6SampleBench/index.html:
Source/JavaScriptCore:
Fix a liveness bug found by Basic. The problem is that resume's intended liveness rule is:
"live-in is just the token argument", but the liveness analysis thought that the rule was
"live-in is live-out minus defs plus live-at-catch". Clearly these two rules are quite
different. The way this sort of worked before is that we would define the defs of resume
as being equal to our prediction of what the live-outs would be. We did this in the hope
that we would subtract all live-outs. But, this misses the live-at-catch part. So, this
change adds another hack to neutralize live-at-catch.
This would make a lot more sense if we wrote a new liveness analysis that was just for
generator conversion. It could reuse BytecodeUseDef but otherwise it would be a new thing.
It would be easy to write crazy rules for save/resume in such an analysis, especially if
that analysis rewrote the bytecode. We could then just have an op_yield that is a no-op.
We would just record the live-outs of op_yield and use that for rewriting the code in terms
of a switch statement.
* bytecode/BytecodeLivenessAnalysis.cpp:
(JSC::stepOverInstruction):
(JSC::BytecodeLivenessAnalysis::dumpResults):
* bytecode/CodeBlock.cpp:
(JSC::CodeBlock::dumpBytecode):
Tools:
Add Basic to our test harness.
* Scripts/run-javascriptcore-tests:
(runJSCStressTests):</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkPerformanceTestsChangeLog">trunk/PerformanceTests/ChangeLog</a></li>
<li><a href="#trunkPerformanceTestsES6SampleBenchdriverjs">trunk/PerformanceTests/ES6SampleBench/driver.js</a></li>
<li><a href="#trunkPerformanceTestsES6SampleBenchgluejs">trunk/PerformanceTests/ES6SampleBench/glue.js</a></li>
<li><a href="#trunkPerformanceTestsES6SampleBenchindexhtml">trunk/PerformanceTests/ES6SampleBench/index.html</a></li>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeLivenessAnalysiscpp">trunk/Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysis.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeBytecodeUseDefh">trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h</a></li>
<li><a href="#trunkSourceJavaScriptCorebytecodeCodeBlockcpp">trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp</a></li>
<li><a href="#trunkToolsChangeLog">trunk/Tools/ChangeLog</a></li>
<li><a href="#trunkToolsScriptsrunjavascriptcoretests">trunk/Tools/Scripts/run-javascriptcore-tests</a></li>
</ul>
<h3>Added Paths</h3>
<ul>
<li><a href="#trunkPerformanceTestsES6SampleBenchBasicbasictestsyaml">trunk/PerformanceTests/ES6SampleBench/Basic/basic-tests.yaml</a></li>
<li><a href="#trunkPerformanceTestsES6SampleBenchBasicstresstestjs">trunk/PerformanceTests/ES6SampleBench/Basic/stress-test.js</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkPerformanceTestsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/PerformanceTests/ChangeLog (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/PerformanceTests/ChangeLog 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/PerformanceTests/ChangeLog 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2016-06-29 Filip Pizlo <fpizlo@apple.com>
+
+ Generators violate bytecode liveness validation
+ https://bugs.webkit.org/show_bug.cgi?id=159279
+
+ Reviewed by Yusuke Suzuki.
+
+ Add Basic to our test harness.
+
+ Also made some cosmetic changes to the benchmark harness.
+
+ * ES6SampleBench/Basic/basic-tests.yaml: Added.
+ * ES6SampleBench/Basic/stress-test.js: Added.
+ (preciseTime):
+ * ES6SampleBench/driver.js:
+ (Driver):
+ (Driver.prototype.start):
+ (Driver.prototype.reportError):
+ * ES6SampleBench/glue.js:
+ * ES6SampleBench/index.html:
+
</ins><span class="cx"> 2016-06-28 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> ES6SampleBench should have a harness
</span></span></pre></div>
<a id="trunkPerformanceTestsES6SampleBenchBasicbasictestsyaml"></a>
<div class="addfile"><h4>Added: trunk/PerformanceTests/ES6SampleBench/Basic/basic-tests.yaml (0 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/PerformanceTests/ES6SampleBench/Basic/basic-tests.yaml (rev 0)
+++ trunk/PerformanceTests/ES6SampleBench/Basic/basic-tests.yaml 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -0,0 +1,28 @@
</span><ins>+# Copyright (C) 2016 Apple Inc. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY APPLE AND ITS CONTRIBUTORS "AS IS" AND ANY
+# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+# DISCLAIMED. IN NO EVENT SHALL APPLE OR ITS CONTRIBUTORS BE LIABLE FOR ANY
+# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+- path: .
+ tests:
+ - stress-test.js
+ cmd: defaultRunNoisyTest unless parseRunCommands
+
</ins></span></pre></div>
<a id="trunkPerformanceTestsES6SampleBenchBasicstresstestjs"></a>
<div class="addfile"><h4>Added: trunk/PerformanceTests/ES6SampleBench/Basic/stress-test.js (0 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/PerformanceTests/ES6SampleBench/Basic/stress-test.js (rev 0)
+++ trunk/PerformanceTests/ES6SampleBench/Basic/stress-test.js 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -0,0 +1,54 @@
</span><ins>+/*
+ * Copyright (C) 2016 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+"use strict";
+
+load("ast.js");
+load("basic.js");
+load("caseless_map.js");
+load("lexer.js");
+load("number.js");
+load("parser.js");
+load("random.js");
+load("state.js");
+load("util.js");
+load("benchmark.js");
+
+let benchmark = new Benchmark();
+let before = preciseTime();
+
+// Run for at least 10 iterations.
+for (let i = 0; i < 10; ++i) {
+ print("Running mandatory iteration #" + (i + 1) + ":");
+ benchmark.runIteration();
+}
+
+// Run until we have been running for two seconds.
+while (preciseTime() < before + 2) {
+ print("Running bonus iteration:");
+ benchmark.runIteration();
+}
+
+print("Success!");
+
</ins></span></pre></div>
<a id="trunkPerformanceTestsES6SampleBenchdriverjs"></a>
<div class="modfile"><h4>Modified: trunk/PerformanceTests/ES6SampleBench/driver.js (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/PerformanceTests/ES6SampleBench/driver.js 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/PerformanceTests/ES6SampleBench/driver.js 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -25,18 +25,15 @@
</span><span class="cx"> "use strict";
</span><span class="cx">
</span><span class="cx"> class Driver {
</span><del>- constructor(triggerCell, magicCell, summaryCell, key)
</del><ins>+ constructor(triggerCell, triggerLink, magicCell, summaryCell, key)
</ins><span class="cx"> {
</span><del>- if (!magicCell)
- throw new Error("Need magic cell");
- if (!summaryCell)
- throw new Error("Need summary cell");
-
</del><span class="cx"> this._benchmarks = new Map();
</span><span class="cx"> this._triggerCell = triggerCell;
</span><ins>+ this._triggerLink = triggerLink;
</ins><span class="cx"> this._magicCell = magicCell;
</span><span class="cx"> this._summary = new Stats(summaryCell);
</span><span class="cx"> this._key = key;
</span><ins>+ this._hadErrors = false;
</ins><span class="cx"> window[key] = this;
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -47,7 +44,6 @@
</span><span class="cx">
</span><span class="cx"> start(numIterations)
</span><span class="cx"> {
</span><del>- this._triggerCellSaved = this._triggerCell.innerHTML;
</del><span class="cx"> this._updateIterations();
</span><span class="cx">
</span><span class="cx"> this._summary.reset();
</span><span class="lines">@@ -70,6 +66,7 @@
</span><span class="cx"> {
</span><span class="cx"> this._benchmarks.get(this._benchmark).reportError(...args);
</span><span class="cx"> this._recomputeSummary();
</span><ins>+ this._hadErrors = true;
</ins><span class="cx"> this._iterate();
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -120,7 +117,9 @@
</span><span class="cx"> this._benchmark = this._iterator ? this._iterator.next().value : null;
</span><span class="cx"> if (!this._benchmark) {
</span><span class="cx"> if (!this._numIterations) {
</span><del>- this._triggerCell.innerHTML = this._triggerCellSaved;
</del><ins>+ this._triggerCell.innerHTML =
+ (this._hadErrors ? "Failures encountered!" : "Success!") +
+ ` <a href="${this._triggerLink}">Restart Benchmark</a>`;
</ins><span class="cx"> return;
</span><span class="cx"> }
</span><span class="cx"> this._numIterations--;
</span></span></pre></div>
<a id="trunkPerformanceTestsES6SampleBenchgluejs"></a>
<div class="modfile"><h4>Modified: trunk/PerformanceTests/ES6SampleBench/glue.js (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/PerformanceTests/ES6SampleBench/glue.js 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/PerformanceTests/ES6SampleBench/glue.js 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -26,6 +26,7 @@
</span><span class="cx">
</span><span class="cx"> const driver = new Driver(
</span><span class="cx"> document.getElementById("trigger"),
</span><ins>+ "driver.start(10)",
</ins><span class="cx"> document.getElementById("magic"),
</span><span class="cx"> document.getElementById("Geomean"),
</span><span class="cx"> "sampleBench");
</span></span></pre></div>
<a id="trunkPerformanceTestsES6SampleBenchindexhtml"></a>
<div class="modfile"><h4>Modified: trunk/PerformanceTests/ES6SampleBench/index.html (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/PerformanceTests/ES6SampleBench/index.html 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/PerformanceTests/ES6SampleBench/index.html 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -3,6 +3,12 @@
</span><span class="cx"> <title>ES6 Sample Bench</title>
</span><span class="cx"> <link rel="stylesheet" type="text/css" href="style.css">
</span><span class="cx"> </head>
</span><ins>+<script>
+window.onerror = function(message, url, lineNumber)
+{
+ document.getElementById("trigger").innerHTML = "ERROR: " + url + ":" + lineNumber + ": " + message;
+}
+</script>
</ins><span class="cx"> <script src="driver.js"></script>
</span><span class="cx"> <script src="results.js"></script>
</span><span class="cx"> <script src="stats.js"></script>
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/Source/JavaScriptCore/ChangeLog 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -1,3 +1,31 @@
</span><ins>+2016-06-29 Filip Pizlo <fpizlo@apple.com>
+
+ Generators violate bytecode liveness validation
+ https://bugs.webkit.org/show_bug.cgi?id=159279
+
+ Reviewed by Yusuke Suzuki.
+
+ Fix a liveness bug found by Basic. The problem is that resume's intended liveness rule is:
+ "live-in is just the token argument", but the liveness analysis thought that the rule was
+ "live-in is live-out minus defs plus live-at-catch". Clearly these two rules are quite
+ different. The way this sort of worked before is that we would define the defs of resume
+ as being equal to our prediction of what the live-outs would be. We did this in the hope
+ that we would subtract all live-outs. But, this misses the live-at-catch part. So, this
+ change adds another hack to neutralize live-at-catch.
+
+ This would make a lot more sense if we wrote a new liveness analysis that was just for
+ generator conversion. It could reuse BytecodeUseDef but otherwise it would be a new thing.
+ It would be easy to write crazy rules for save/resume in such an analysis, especially if
+ that analysis rewrote the bytecode. We could then just have an op_yield that is a no-op.
+ We would just record the live-outs of op_yield and use that for rewriting the code in terms
+ of a switch statement.
+
+ * bytecode/BytecodeLivenessAnalysis.cpp:
+ (JSC::stepOverInstruction):
+ (JSC::BytecodeLivenessAnalysis::dumpResults):
+ * bytecode/CodeBlock.cpp:
+ (JSC::CodeBlock::dumpBytecode):
+
</ins><span class="cx"> 2016-06-30 Commit Queue <commit-queue@webkit.org>
</span><span class="cx">
</span><span class="cx"> Unreviewed, rolling out r202659.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeLivenessAnalysiscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysis.cpp (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysis.cpp 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeLivenessAnalysis.cpp 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -132,9 +132,17 @@
</span><span class="cx"> // If we have an exception handler, we want the live-in variables of the
</span><span class="cx"> // exception handler block to be included in the live-in of this particular bytecode.
</span><span class="cx"> if (HandlerInfo* handler = codeBlock->handlerForBytecodeOffset(bytecodeOffset)) {
</span><del>- BytecodeBasicBlock* handlerBlock = findBasicBlockWithLeaderOffset(basicBlocks, handler->target);
- ASSERT(handlerBlock);
- handlerBlock->in().forEachSetBit(use);
</del><ins>+ // FIXME: This resume check should not be needed.
+ // https://bugs.webkit.org/show_bug.cgi?id=159281
+ Interpreter* interpreter = codeBlock->vm()->interpreter;
+ Instruction* instructionsBegin = codeBlock->instructions().begin();
+ Instruction* instruction = &instructionsBegin[bytecodeOffset];
+ OpcodeID opcodeID = interpreter->getOpcodeID(instruction->u.opcode);
+ if (opcodeID != op_resume) {
+ BytecodeBasicBlock* handlerBlock = findBasicBlockWithLeaderOffset(basicBlocks, handler->target);
+ ASSERT(handlerBlock);
+ handlerBlock->in().forEachSetBit(use);
+ }
</ins><span class="cx"> }
</span><span class="cx"> }
</span><span class="cx">
</span><span class="lines">@@ -289,6 +297,7 @@
</span><span class="cx">
</span><span class="cx"> void BytecodeLivenessAnalysis::dumpResults()
</span><span class="cx"> {
</span><ins>+ dataLog("\nDumping bytecode liveness for ", *m_codeBlock, ":\n");
</ins><span class="cx"> Interpreter* interpreter = m_codeBlock->vm()->interpreter;
</span><span class="cx"> Instruction* instructionsBegin = m_codeBlock->instructions().begin();
</span><span class="cx"> for (unsigned i = 0; i < m_basicBlocks.size(); i++) {
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeBytecodeUseDefh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/Source/JavaScriptCore/bytecode/BytecodeUseDef.h 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -478,6 +478,8 @@
</span><span class="cx"> }
</span><span class="cx"> case op_resume: {
</span><span class="cx"> RELEASE_ASSERT(block->successors().size() == 1);
</span><ins>+ // FIXME: This is really dirty.
+ // https://bugs.webkit.org/show_bug.cgi?id=159281
</ins><span class="cx"> block->successors()[0]->in().forEachSetBit([&](unsigned local) {
</span><span class="cx"> functor(codeBlock, instruction, opcodeID, virtualRegisterForLocal(local).offset());
</span><span class="cx"> });
</span></span></pre></div>
<a id="trunkSourceJavaScriptCorebytecodeCodeBlockcpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -1666,7 +1666,9 @@
</span><span class="cx"> int generator = (++it)->u.operand;
</span><span class="cx"> unsigned liveCalleeLocalsIndex = (++it)->u.unsignedValue;
</span><span class="cx"> int offset = (++it)->u.operand;
</span><del>- const FastBitVector& liveness = m_rareData->m_liveCalleeLocalsAtYield[liveCalleeLocalsIndex];
</del><ins>+ FastBitVector liveness;
+ if (liveCalleeLocalsIndex < m_rareData->m_liveCalleeLocalsAtYield.size())
+ liveness = m_rareData->m_liveCalleeLocalsAtYield[liveCalleeLocalsIndex];
</ins><span class="cx"> printLocationAndOp(out, exec, location, it, "save");
</span><span class="cx"> out.printf("%s, ", registerName(generator).data());
</span><span class="cx"> liveness.dump(out);
</span><span class="lines">@@ -1676,7 +1678,9 @@
</span><span class="cx"> case op_resume: {
</span><span class="cx"> int generator = (++it)->u.operand;
</span><span class="cx"> unsigned liveCalleeLocalsIndex = (++it)->u.unsignedValue;
</span><del>- const FastBitVector& liveness = m_rareData->m_liveCalleeLocalsAtYield[liveCalleeLocalsIndex];
</del><ins>+ FastBitVector liveness;
+ if (liveCalleeLocalsIndex < m_rareData->m_liveCalleeLocalsAtYield.size())
+ liveness = m_rareData->m_liveCalleeLocalsAtYield[liveCalleeLocalsIndex];
</ins><span class="cx"> printLocationAndOp(out, exec, location, it, "resume");
</span><span class="cx"> out.printf("%s, ", registerName(generator).data());
</span><span class="cx"> liveness.dump(out);
</span></span></pre></div>
<a id="trunkToolsChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Tools/ChangeLog (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/ChangeLog 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/Tools/ChangeLog 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2016-06-29 Filip Pizlo <fpizlo@apple.com>
+
+ Generators violate bytecode liveness validation
+ https://bugs.webkit.org/show_bug.cgi?id=159279
+
+ Reviewed by Yusuke Suzuki.
+
+ Add Basic to our test harness.
+
+ * Scripts/run-javascriptcore-tests:
+ (runJSCStressTests):
+
</ins><span class="cx"> 2016-06-30 Per Arne Vollan <pvollan@apple.com>
</span><span class="cx">
</span><span class="cx"> [Win][Debug] Assertion fails in TestWTF.
</span></span></pre></div>
<a id="trunkToolsScriptsrunjavascriptcoretests"></a>
<div class="modfile"><h4>Modified: trunk/Tools/Scripts/run-javascriptcore-tests (202688 => 202689)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Tools/Scripts/run-javascriptcore-tests 2016-06-30 18:06:12 UTC (rev 202688)
+++ trunk/Tools/Scripts/run-javascriptcore-tests 2016-06-30 18:13:26 UTC (rev 202689)
</span><span class="lines">@@ -269,6 +269,7 @@
</span><span class="cx"> "PerformanceTests/SunSpider/tests/sunspider-1.0",
</span><span class="cx"> "PerformanceTests/JetStream/cdjs/cdjs-tests.yaml",
</span><span class="cx"> "PerformanceTests/ES6SampleBench/Air/airjs-tests.yaml",
</span><ins>+ "PerformanceTests/ES6SampleBench/Basic/basic-tests.yaml",
</ins><span class="cx"> "Source/JavaScriptCore/tests/executableAllocationFuzz.yaml",
</span><span class="cx"> "Source/JavaScriptCore/tests/exceptionFuzz.yaml",
</span><span class="cx"> "PerformanceTests/SunSpider/no-architecture-specific-optimizations.yaml",
</span></span></pre>
</div>
</div>
</body>
</html>