Changeset 254996 in webkit


Timestamp:
Jan 23, 2020 12:11:33 PM (4 years ago)
Author:
sbarati@apple.com
Message:

OptimizeAssociativeExpressionTrees should reset value owners before running
https://bugs.webkit.org/show_bug.cgi?id=206670
<rdar://problem/58535628>

Reviewed by Robin Morisset.

We have a crash inside OptimizeAssociativeExpressionTrees and we don't know
how to reproduce it. Also, based on Mark's auditing of the crash site's
assembly, Mark thinks we're crashing on a "corrupt" basic block.

After I audited the code, I saw that we rely on value owners in this phase.
However, we don't actually reset them before running the phase. This patch
adds that as a speculative fix for the crash we're seeing.

  • b3/B3OptimizeAssociativeExpressionTrees.cpp:

(JSC::B3::OptimizeAssociativeExpressionTrees::run):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r254975 r254996  
     12020-01-23  Saam Barati  <sbarati@apple.com>
     2
     3        OptimizeAssociativeExpressionTrees should reset value owners before running
     4        https://bugs.webkit.org/show_bug.cgi?id=206670
     5        <rdar://problem/58535628>
     6
     7        Reviewed by Robin Morisset.
     8
     9        We have a crash inside OptimizeAssociativeExpressionTrees and we don't know
     10        how to reproduce it. Also, based on Mark's auditing of the crash site's
     11        assembly, Mark thinks we're crashing on a "currupt" basic block.
     12       
     13        After I audited the code, I saw that we rely on value owners in this phase.
     14        However, we don't actually reset them before running the phase. This patch
     15        adds that as a speculative fix for the crash we're seeing.
     16
     17        * b3/B3OptimizeAssociativeExpressionTrees.cpp:
     18        (JSC::B3::OptimizeAssociativeExpressionTrees::run):
     19
    1202020-01-23  Yusuke Suzuki  <ysuzuki@apple.com>
    221
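
Review bot: The new ChangeLog entry (lines 9-15) calls this a speculative fix for a crash with no known reproduction, and the changeset touches only the ChangeLog and the phase itself, so nothing here would show whether stale value owners were the cause. Consider saying in the entry why no test accompanies the change, and whether a debug assertion on owner consistency at the start of the phase was considered, so that a recurrence of the crash can be told apart from a different root cause.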
  • trunk/Source/JavaScriptCore/b3/B3OptimizeAssociativeExpressionTrees.cpp

    r244088 r254996  
    250250    // We need the use counts to avoid duplicating code.
    251251
     252    m_proc.resetValueOwners();
     253
    252254    Vector<unsigned> useCounts(m_proc.values().size(), 0); // Mapping from Value::m_index to use counts.
    253255    HashSet<Value*> expressionTreeRoots;
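
Review bot: The added `m_proc.resetValueOwners();` at new line 252 sits between the comment "// We need the use counts to avoid duplicating code." and the `useCounts` declaration that comment describes, so the comment now reads as if it explained the reset. Move the call above that comment and give it its own one-line comment stating that this phase relies on value owners and that they are not otherwise reset before it runs, which is the reasoning the commit message gives but the code does not.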