Title: [97240] trunk/Source/JavaScriptCore
Revision: 97240
Author: [email protected]
Date: 2011-10-12 01:01:11 -0700 (Wed, 12 Oct 2011)

Log Message

Layout tests crashing in DFG JIT code
https://bugs.webkit.org/show_bug.cgi?id=69897

Reviewed by Gavin Barraclough.

Abstract value filtration didn't take into account cases where a structure
set filter, combined with predicted type knowledge, could lead to a stronger
filter for the structure abstract value.

This bug would have been benign in release builds; it would have just meant
that the analysis was less precise and some optimization opportunities would
be missed. I have an ASSERT that is meant to catch such cases, and it was
triggering sporadically in one of the LayoutTests.

* dfg/DFGAbstractValue.h:
(JSC::DFG::AbstractValue::filter):

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (97239 => 97240)


--- trunk/Source/_javascript_Core/ChangeLog	2011-10-12 07:33:04 UTC (rev 97239)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-10-12 08:01:11 UTC (rev 97240)
@@ -1,3 +1,22 @@
+2011-10-12  Filip Pizlo  <[email protected]>
+
+        Layout tests crashing in DFG JIT code
+        https://bugs.webkit.org/show_bug.cgi?id=69897
+
+        Reviewed by Gavin Barraclough.
+        
+        Abstract value filtration didn't take into account cases where a structure
+        set filter, combined with predicted type knowledge, could lead to a stronger
+        filter for the structure abstract value.
+        
+        This bug would have been benign in release builds; it would have just meant
+        that the analysis was less precise and some optimization opportunities would
+        be missed. I have an ASSERT that is meant to catch such cases, and it was
+        triggering sporadically in one of the LayoutTests.
+
+        * dfg/DFGAbstractValue.h:
+        (JSC::DFG::AbstractValue::filter):
+
 2011-10-11  Gavin Barraclough  <[email protected]>
 
         Unreviewed, temporarily reverted r97216 due to bug #69897.
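Review bot: The new ChangeLog entry says the ASSERT was "triggering sporadically in one of the LayoutTests" but does not name the test, and the patch touches only ChangeLog and dfg/DFGAbstractValue.h, so nothing in it pins the failure down as a regression test. Naming the test in the entry would help anyone bisecting later. The entry directly below records that r97216 was temporarily reverted due to bug #69897; it would be worth stating here whether this fix unblocks re-landing it.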

Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h (97239 => 97240)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h	2011-10-12 07:33:04 UTC (rev 97239)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractValue.h	2011-10-12 08:01:11 UTC (rev 97240)
@@ -402,6 +402,13 @@
     {
         m_type &= other.predictionFromStructures();
         m_structure.filter(other);
+        
+        // It's possible that prior to the above two statements we had (Foo, TOP), where
+        // Foo is a PredictedType that is disjoint with the passed StructureSet. In that
+        // case, we will now have (None, [someStructure]). In general, we need to make
+        // sure that new information gleaned from the PredictedType needs to be fed back
+        // into the information gleaned from the StructureSet.
+        m_structure.filter(m_type);
     }
     
     void filter(PredictedType type)
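Review bot: The last sentence of the comment added above `m_structure.filter(m_type);` is tangled ("we need to make sure that new information gleaned from the PredictedType needs to be fed back") and the comment stops at the inconsistent state (None, [someStructure]) without saying what the new call leaves behind. Suggest rewording to something like "new information gleaned from the PredictedType must be fed back into the StructureSet information" and stating the expected pair after the call. Since the log message says an ASSERT is what caught this, the comment could also name the assertion that depends on the two members agreeing. The body of `void filter(PredictedType type)` is not visible in this hunk, so whether it needs the converse feedback cannot be judged from here; worth checking before landing.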