Context Navigation

← Previous Changeset
Next Changeset →

Changeset 247183 in webkit

Timestamp:

Jul 5, 2019 4:05:56 PM (5 years ago)

Author:

mark.lam@apple.com

Message:

ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
https://bugs.webkit.org/show_bug.cgi?id=199533
<rdar://problem/52669111>

Reviewed by Filip Pizlo.

JSTests:

stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.

Source/JavaScriptCore:

dfg/DFGArgumentsEliminationPhase.cpp:

Location:

trunk

Files:

: 1 added
: 3 edited

JSTests/ChangeLog (modified) (1 diff)
JSTests/stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js (added)
Source/JavaScriptCore/ChangeLog (modified) (1 diff)
Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed

trunk/JSTests/ChangeLog

-                      r247173
+                      r247183
+-07-05  Mark Lam  <mark.lam@apple.com>
+        ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
+        https://bugs.webkit.org/show_bug.cgi?id=199533
+        <rdar://problem/52669111>
+        Reviewed by Filip Pizlo.
+        * stress/ArgumentsEliminationPhase-eliminateCandidatesThatEscape-should-not-decrement-nodeIndex-pass-zero.js: Added.
 -07-05  Alexey Shvayka  <shvaikalesh@gmail.com>

trunk/Source/JavaScriptCore/ChangeLog

-                      r247175
+                      r247183
+-07-05  Mark Lam  <mark.lam@apple.com>
+        ArgumentsEliminationPhase::eliminateCandidatesThatInterfere() should not decrement nodeIndex pass zero.
+        https://bugs.webkit.org/show_bug.cgi?id=199533
+        <rdar://problem/52669111>
+        Reviewed by Filip Pizlo.
+        * dfg/DFGArgumentsEliminationPhase.cpp:
 -07-05  Yusuke Suzuki  <ysuzuki@apple.com>

trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp

-                      r246075
+                      r247183
                         // This loop considers all nodes up to the nodeIndex, excluding the nodeIndex.
+                        while (nodeIndex--) {
+                        //
+                        // Note: nodeIndex here has a double meaning. Before entering this
+                        // while loop, it refers to the remaining number of nodes that have
+                        // yet to be processed. Inside the look, it refers to the index
+                        // of the current node to process (after we decrement it).
+                        //
+                        // If the remaining number of nodes is 0, we should not decrement nodeIndex.
+                        // Hence, we must only decrement nodeIndex inside the while loop instead of
+                        // in its condition statement. Note that this while loop is embedded in an
+                        // outer for loop. If we decrement nodeIndex in the condition statement, a
+                        // nodeIndex of 0 will become UINT_MAX, and the outer loop will wrongly
+                        // treat this as there being UINT_MAX remaining nodes to process.
+                        while (nodeIndex) {
+                            --nodeIndex;
                             Node* node = block->at(nodeIndex);
                             if (node == candidate)

Note: See TracChangeset for help on using the changeset viewer.