Google Git
Sign in
webkit / WebKit / edcb7a9ee9d7d237b9d139b5d57b00d696f9c68a^! / . / Source / JavaScriptCore / dfg / DFGBasicBlock.h
commitedcb7a9ee9d7d237b9d139b5d57b00d696f9c68a[log] [tgz]
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Fri Jul 13 05:31:05 2012 +0000
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>Fri Jul 13 05:31:05 2012 +0000
tree84fc19534c3b18ec6ffde74b61cb3f32303b7713
parent5c639742543b9393a0e371cf1c189c8f97a80c8a [diff] [blame]
DFG CFA may get overzealous in loops that have code that must exit
https://bugs.webkit.org/show_bug.cgi?id=91188

Source/JavaScriptCore: 

Reviewed by Gavin Barraclough.

Ensure that if the CFA assumes that an operation must exit, then it will always exit
no matter what happens after. That's necessary to preserve soundness.
        
Remove a broken fixup done by the DFG simplifier, where it was trying to say that the
variable-at-head was the first access in the second block in the merge, if the first
block did not read the variable. That's totally wrong, if the first block was in fact
doing a phantom read. I removed that fixup and instead hardened the rest of the
compiler.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::endBasicBlock):
* dfg/DFGBasicBlock.h:
(JSC::DFG::BasicBlock::BasicBlock):
(BasicBlock):
* dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::performBlockCFA):
* dfg/DFGCFGSimplificationPhase.cpp:
(JSC::DFG::CFGSimplificationPhase::mergeBlocks):
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
(JSC::DFG::ConstantFoldingPhase::run):
(ConstantFoldingPhase):
(JSC::DFG::ConstantFoldingPhase::foldConstants):
(JSC::DFG::ConstantFoldingPhase::paintUnreachableCode):
* dfg/DFGVariableEventStream.cpp:
(JSC::DFG::VariableEventStream::reconstruct):

LayoutTests: 

Reviewed by Gavin Baraclough.

* fast/js/dfg-force-exit-then-sparse-conditional-constant-prop-in-loop-expected.txt: Added.
* fast/js/dfg-force-exit-then-sparse-conditional-constant-prop-in-loop.html: Added.
* fast/js/script-tests/dfg-force-exit-then-sparse-conditional-constant-prop-in-loop.js: Added.
(foo):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@122541 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/JavaScriptCore/dfg/DFGBasicBlock.h b/Source/JavaScriptCore/dfg/DFGBasicBlock.h
index 9128f08..441e2e7 100644
--- a/Source/JavaScriptCore/dfg/DFGBasicBlock.h
+++ b/Source/JavaScriptCore/dfg/DFGBasicBlock.h

@@ -45,6 +45,7 @@
         , cfaHasVisited(false)
         , cfaShouldRevisit(false)
         , cfaFoundConstants(false)
+        , cfaDidFinish(true)
 #if !ASSERT_DISABLED
         , isLinked(false)
 #endif
@@ -103,6 +104,7 @@
     bool cfaHasVisited;
     bool cfaShouldRevisit;
     bool cfaFoundConstants;
+    bool cfaDidFinish;
 #if !ASSERT_DISABLED
     bool isLinked;
 #endif