Source/JavaScriptCore: DFG may get stuck in an infinite fix point if it constant folds a mispredicted node
https://bugs.webkit.org/show_bug.cgi?id=90829
<rdar://problem/11823843>

Reviewed by Oliver Hunt.
        
If a node is shown to have been mispredicted during CFA, then don't allow constant
folding to make the graph even more degenerate. Instead, pull back on constant folding
and allow the normal OSR machinery to fix our profiling so that a future recompilation
doesn't see the same mistake.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::execute):
* dfg/DFGAbstractState.h:
(JSC::DFG::AbstractState::trySetConstant):
(AbstractState):
* dfg/DFGPhase.h:
(JSC::DFG::Phase::name):
(Phase):
(JSC::DFG::runAndLog):
(DFG):
(JSC::DFG::runPhase):

LayoutTests: DFG may get stuck in an infinite fix point if it constant folds a mispredicted node
https://bugs.webkit.org/show_bug.cgi?id=90829

Reviewed by Oliver Hunt.

* fast/js/dfg-constant-fold-misprediction-expected.txt: Added.
* fast/js/dfg-constant-fold-misprediction.html: Added.
* fast/js/script-tests/dfg-constant-fold-misprediction.js: Added.
(foo):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@122167 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/JavaScriptCore/ChangeLog b/Source/JavaScriptCore/ChangeLog
index 61814ec..c2429c4 100644
--- a/Source/JavaScriptCore/ChangeLog
+++ b/Source/JavaScriptCore/ChangeLog
@@ -1,5 +1,30 @@
 2012-07-09  Filip Pizlo  <fpizlo@apple.com>
 
+        DFG may get stuck in an infinite fix point if it constant folds a mispredicted node
+        https://bugs.webkit.org/show_bug.cgi?id=90829
+        <rdar://problem/11823843>
+
+        Reviewed by Oliver Hunt.
+        
+        If a node is shown to have been mispredicted during CFA, then don't allow constant
+        folding to make the graph even more degenerate. Instead, pull back on constant folding
+        and allow the normal OSR machinery to fix our profiling so that a future recompilation
+        doesn't see the same mistake.
+
+        * dfg/DFGAbstractState.cpp:
+        (JSC::DFG::AbstractState::execute):
+        * dfg/DFGAbstractState.h:
+        (JSC::DFG::AbstractState::trySetConstant):
+        (AbstractState):
+        * dfg/DFGPhase.h:
+        (JSC::DFG::Phase::name):
+        (Phase):
+        (JSC::DFG::runAndLog):
+        (DFG):
+        (JSC::DFG::runPhase):
+
+2012-07-09  Filip Pizlo  <fpizlo@apple.com>
+
         It should be possible to jettison JIT stub routines even if they are currently running
         https://bugs.webkit.org/show_bug.cgi?id=90731
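Review bot: The per-file entries in the added ChangeLog block (dfg/DFGAbstractState.cpp, dfg/DFGAbstractState.h, dfg/DFGPhase.h) list function names with no note on what changed in each, and the bare "(AbstractState):", "(Phase):" and "(DFG):" lines read as generated placeholders rather than functions. The summary paragraph covers pulling back on constant folding for mispredicted nodes, but it does not say why dfg/DFGPhase.h (Phase::name, runAndLog, runPhase) is part of this fix or what the new trySetConstant is for. A short phrase after each entry would make that clear to someone reading the log later, and the placeholder lines can be dropped. The added line directly after "Reviewed by Oliver Hunt." also consists only of trailing whitespace.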