Changeset 124555 in webkit

Timestamp:

Aug 2, 2012 8:27:08 PM (12 years ago)

Author:

fpizlo@apple.com

Message:

ASSERTION FAILED: at(m_compileIndex).canExit()

m_isCheckingArgumentTypes

​https://bugs.webkit.org/show_bug.cgi?id=91074

Reviewed by Mark Hahnenberg.

Source/JavaScriptCore:

Fixes a bug where the speculative JIT was performing an unnecessary speculation that the
CFA had proven shouldn't be performed, leading to asserts that a node should not have
exit sites. This is a debug-only assert with no release symptom - we were just emitting
a check that was not reachable.

Also found, and fixed, a bug where structure check hoisting was slightly confusing the
CFA by inserting GetLocal's into the graph. CSE would clean the GetLocal's up, which
would make the backend happy - but the CFA would produce subtly wrong results.

• bytecode/SpeculatedType.h:

(JSC::isOtherOrEmptySpeculation):
(JSC):

• dfg/DFGDriver.cpp:

(JSC::DFG::compile):

• dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):

LayoutTests:

Added a test for this specific case (dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object)
as well as three other tests to cover similar, though not necessarily currently broken, cases, since it was previously the
case that we apparently had no explicit coverage for these code paths.

• fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt: Added.
• fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html: Added.
• fast/js/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt: Added.
• fast/js/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object.html: Added.
• fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt: Added.
• fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html: Added.
• fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt: Added.
• fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object.html: Added.
• fast/js/script-tests/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.js: Added.

(foo):

• fast/js/script-tests/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object.js: Added.

(foo):

• fast/js/script-tests/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.js: Added.

(foo):

• fast/js/script-tests/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object.js: Added.

(foo):

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt (added)
• LayoutTests/fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html (added)
• LayoutTests/fast/js/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt (added)
• LayoutTests/fast/js/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object.html (added)
• LayoutTests/fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt (added)
• LayoutTests/fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html (added)
• LayoutTests/fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt (added)
• LayoutTests/fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object.html (added)
• LayoutTests/fast/js/script-tests/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.js (added)
• LayoutTests/fast/js/script-tests/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object.js (added)
• LayoutTests/fast/js/script-tests/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.js (added)
• LayoutTests/fast/js/script-tests/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object.js (added)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/bytecode/SpeculatedType.h (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGDriver.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGGraph.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-08-02  Filip Pizlo  <fpizlo@apple.com>
+
+        ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes
+        https://bugs.webkit.org/show_bug.cgi?id=91074
+
+        Reviewed by Mark Hahnenberg.
+
+        Added a test for this specific case (dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object)
+        as well as three other tests to cover similar, though not necessarily currently broken, cases, since it was previously the
+        case that we apparently had no explicit coverage for these code paths.
+
+        * fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt: Added.
+        * fast/js/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html: Added.
+        * fast/js/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt: Added.
+        * fast/js/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object.html: Added.
+        * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object-expected.txt: Added.
+        * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.html: Added.
+        * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object-expected.txt: Added.
+        * fast/js/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object.html: Added.
+        * fast/js/script-tests/dfg-compare-final-object-to-final-object-or-other-when-both-proven-final-object.js: Added.
+        (foo):
+        * fast/js/script-tests/dfg-compare-final-object-to-final-object-or-other-when-proven-final-object.js: Added.
+        (foo):
+        * fast/js/script-tests/dfg-peephole-compare-final-object-to-final-object-or-other-when-both-proven-final-object.js: Added.
+        (foo):
+        * fast/js/script-tests/dfg-peephole-compare-final-object-to-final-object-or-other-when-proven-final-object.js: Added.
+        (foo):
+
 2012-08-02  Yoshifumi Inoue  <yosin@chromium.org>
 

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2012-08-02  Filip Pizlo  <fpizlo@apple.com>
+
+        ASSERTION FAILED: at(m_compileIndex).canExit() || m_isCheckingArgumentTypes
+        https://bugs.webkit.org/show_bug.cgi?id=91074
+
+        Reviewed by Mark Hahnenberg.
+
+        Fixes a bug where the speculative JIT was performing an unnecessary speculation that the
+        CFA had proven shouldn't be performed, leading to asserts that a node should not have
+        exit sites. This is a debug-only assert with no release symptom - we were just emitting
+        a check that was not reachable.
+        
+        Also found, and fixed, a bug where structure check hoisting was slightly confusing the
+        CFA by inserting GetLocal's into the graph. CSE would clean the GetLocal's up, which
+        would make the backend happy - but the CFA would produce subtly wrong results.
+
+        * bytecode/SpeculatedType.h:
+        (JSC::isOtherOrEmptySpeculation):
+        (JSC):
+        * dfg/DFGDriver.cpp:
+        (JSC::DFG::compile):
+        * dfg/DFGGraph.cpp:
+        (JSC::DFG::Graph::dump):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
+        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
+
 2012-08-02  Filip Pizlo  <fpizlo@apple.com>
 

trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h

@@ -244 +244 @@
 }
 
+inline bool isOtherOrEmptySpeculation(SpeculatedType value)
+{
+    return !value || value == SpecOther;
+}
+
 inline bool isEmptySpeculation(SpeculatedType value)
 {

trunk/Source/JavaScriptCore/dfg/DFGDriver.cpp

@@ -103 +103 @@
         performFixup(dfg);
     }
-    if (performStructureCheckHoisting(dfg))
-        performCFA(dfg); // Need to recompute CFA since nodes were added or changed.
+    bool shouldRedoCFA = performStructureCheckHoisting(dfg);
     performCSE(dfg, FixpointConverged);
+    if (shouldRedoCFA)
+        performCFA(dfg);
 #if DFG_ENABLE(DEBUG_VERBOSE)
     dataLog("DFG optimization fixpoint converged in %u iterations.\n", cnt);

trunk/Source/JavaScriptCore/dfg/DFGGraph.cpp

@@ -208 +208 @@
     }
 
-    if (node.flags()) {
+    if (strlen(nodeFlagsAsString(node.flags()))) {
         dataLog("%s%s", hasPrinted ? ", " : "", nodeFlagsAsString(node.flags()));
         hasPrinted = true;

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -1579 +1579 @@
     // We know that within this branch, rightChild must not be a cell. Check if that is enough to
     // prove that it is either null or undefined.
-    if (!isOtherSpeculation(m_state.forNode(rightChild).m_type & ~SpecCell)) {
+    if (!isOtherOrEmptySpeculation(m_state.forNode(rightChild).m_type & ~SpecCell)) {
         m_jit.move(op2GPR, resultGPR);
         m_jit.andPtr(MacroAssembler::TrustedImm32(~TagBitUndefined), resultGPR);
@@ -1650 +1650 @@
     // We know that within this branch, rightChild must not be a cell. Check if that is enough to
     // prove that it is either null or undefined.
-    if (isOtherSpeculation(m_state.forNode(rightChild).m_type & ~SpecCell))
+    if (isOtherOrEmptySpeculation(m_state.forNode(rightChild).m_type & ~SpecCell))
         rightNotCell.link(&m_jit);
     else {