commit 07e9078a2734f7dfc946eb0a2c69847e85a19d80
author fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed May 13 17:39:02 2015 +0000
committer fpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc> Wed May 13 17:39:02 2015 +0000
tree c7cd3cf1b0a99a50b68bbefd9d9c737210f8d1db
parent 965344ff5db92e2128e4d0909ce719295445ea17

REGRESSION(r184260): arguments elimination has stopped working because of Check(UntypedUse:) from SSAConversionPhase
https://bugs.webkit.org/show_bug.cgi?id=144951

Reviewed by Michael Saboff.
        
There were two issues here:
        
- In r184260 we expected a small number of possible use kinds in Check nodes, and
  UntypedUse was not one of them. That seemed like a sensible assumption because we don't
  create Check nodes unless it's to have a check. But, SSAConversionPhase was creating a
  Check that could have UntypedUse. I fixed this. It's cleaner for SSAConversionPhase to
  follow the same idiom as everyone else and not create tautological checks.
        
- It's clearly not very robust to assume that Checks will not be used tautologically. So,
  this changes how we validate Checks in the escape analyses. We now use willHaveCheck,
  which catches cases that AI would have already marked as unnecessary. It then also uses
  a new helper called alreadyChecked(), which allows us to just ask if the check is
  unnecessary for objects. That's a good fall-back in case AI hadn't run yet.

* dfg/DFGArgumentsEliminationPhase.cpp:
* dfg/DFGMayExit.cpp:
* dfg/DFGObjectAllocationSinkingPhase.cpp:
(JSC::DFG::ObjectAllocationSinkingPhase::handleNode):
* dfg/DFGSSAConversionPhase.cpp:
(JSC::DFG::SSAConversionPhase::run):
* dfg/DFGUseKind.h:
(JSC::DFG::alreadyChecked):
* dfg/DFGVarargsForwardingPhase.cpp:



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@184288 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp

diff --git a/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp b/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
index 45c96dc..f7d2383 100644
--- a/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
@@ -841,28 +841,13 @@
             m_graph.doToChildren(
                 node,
                 [&] (Edge edge) {
-                    bool ok = true;
-
-                    switch (edge.useKind()) {
-                    case KnownCellUse:
-                    case CellUse:
-                    case ObjectUse:
-                        // All of our allocations will pass this.
-                        break;
-                        
-                    case FunctionUse:
-                        // Function allocations will pass this.
-                        if (edge->op() != NewFunction)
-                            ok = false;
-                        break;
-                        
-                    default:
-                        ok = false;
-                        break;
-                    }
+                    if (edge.willNotHaveCheck())
+                        return;
                     
-                    if (!ok)
-                        escape(edge.node());
+                    if (alreadyChecked(edge.useKind(), SpecObject))
+                        return;
+                    
+                    escape(edge.node());
                 });
             break;