[Webkit-unassigned] [Bug 161492] New: ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
bugzilla-daemon at webkit.org
Thu Sep 1 10:39:37 PDT 2016
https://bugs.webkit.org/show_bug.cgi?id=161492
Bug ID: 161492
Summary: ObjectAllocationSinkingPhase::insertOSRHintsForUpdate() fails to emit updated hints in some cases
Classification: Unclassified
Product: WebKit
Version: WebKit Nightly Build
Hardware: All
OS: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: fpizlo at apple.com
This seems to cause trouble:
a: CreateActivation()
MovHint(@a, loc1)
b: NewFunction(@a)
MovHint(@b, loc2)
c: NewFunction(@b)
MovHint(@c, loc3)
Escape(@b)
I'm seeing code like this:
a: PhantomCreateActivation()
MovHint(@a, loc1)
b: PhantomNewFunction(@a)
PutHint(@b, @a, scope)
MovHint(@b, loc2)
c: PhantomNewFunction(@b)
PutHint(@c, @a, scope)
MovHint(@c, loc3)
d: MaterializeCreateActivation()
e: NewFunction(@d)
MovHint(@d, loc1)
MovHint(@e, loc2)
Escape(@e)
But this is wrong, because if we exit, then we will recreate @c pointing at a newly materialized activation, rather than at @d. In other words, the phase should have produced this code instead:
a: PhantomCreateActivation()
MovHint(@a, loc1)
b: PhantomNewFunction(@a)
PutHint(@b, @a, scope)
MovHint(@b, loc2)
c: PhantomNewFunction(@b)
PutHint(@c, @a, scope)
MovHint(@c, loc3)
d: MaterializeCreateActivation()
e: NewFunction(@d)
PutHint(@c, @e, scope) <---- THIS
MovHint(@d, loc1)
MovHint(@e, loc2)
Escape(@e)
The phase seems to have code to do this. I'm still investigating what goes wrong.
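
The failure described in this report, replayed on a toy model as an added example; it is not part of the original message and not JavaScriptCore code. It assumes simplified semantics: an exit taken after the last node rebuilds each local from the latest MovHint, allocates every Phantom node it reaches, and fills fields from the latest PutHint. `osr_exit` and its data layout are hypothetical names.

```python
import re

# The two listings from the report, copied as given (without the "<---- THIS" marker).
BUGGY = """\
a: PhantomCreateActivation()
MovHint(@a, loc1)
b: PhantomNewFunction(@a)
PutHint(@b, @a, scope)
MovHint(@b, loc2)
c: PhantomNewFunction(@b)
PutHint(@c, @a, scope)
MovHint(@c, loc3)
d: MaterializeCreateActivation()
e: NewFunction(@d)
MovHint(@d, loc1)
MovHint(@e, loc2)
Escape(@e)
"""
FIXED = BUGGY.replace("MovHint(@d, loc1)",
                      "PutHint(@c, @e, scope)\nMovHint(@d, loc1)")

def osr_exit(ir):
    """Return (locals, fresh): locals as rebuilt at exit, objects allocated by the exit."""
    phantom, locs, fields = set(), {}, {}
    for line in ir.splitlines():
        if m := re.match(r"(\w+): (Phantom)?\w+\(", line):
            if m.group(2):
                phantom.add(m.group(1))            # never allocated by compiled code
        elif m := re.match(r"MovHint\(@(\w+), (\w+)\)", line):
            locs[m.group(2)] = m.group(1)          # latest hint per local wins
        elif m := re.match(r"PutHint\(@(\w+), @(\w+), (\w+)\)", line):
            fields.setdefault(m.group(1), {})[m.group(3)] = m.group(2)
    fresh = {}
    def value(node):
        if node not in phantom:
            return "@" + node                      # real object, already in the heap
        if node not in fresh:                      # phantom: the exit must allocate it
            fresh[node] = obj = {"recreated": "@" + node}
            for name, target in fields.get(node, {}).items():
                obj[name] = value(target)
        return fresh[node]
    return {loc: value(node) for loc, node in locs.items()}, fresh
```

On the first listing the exit allocates a second activation for `@c` while `loc1` holds `@d`; on the second listing it allocates only `@c`, whose scope is the already materialized `@e`.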