Changeset 97240 in webkit


Ignore:
Timestamp:
Oct 12, 2011 1:01:11 AM (13 years ago)
Author:
fpizlo@apple.com
Message:

Layout tests crashing in DFG JIT code
https://bugs.webkit.org/show_bug.cgi?id=69897

Reviewed by Gavin Barraclough.

Abstract value filtration didn't take into account cases where a structure
set filter, combined with predicted type knowledge, could lead to a stronger
filter for the structure abstract value.

This bug would have been benign in release builds; it would have just meant
that the analysis was less precise and some optimization opportunities would
be missed. I have an ASSERT that is meant to catch such cases, and it was
triggering sporadically in one of the LayoutTests.

  • dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::filter):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r97235 r97240  
     12011-10-12  Filip Pizlo  <fpizlo@apple.com>
     2
     3        Layout tests crashing in DFG JIT code
     4        https://bugs.webkit.org/show_bug.cgi?id=69897
     5
     6        Reviewed by Gavin Barraclough.
     7       
     8        Abstract value filtration didn't take into account cases where a structure
     9        set filter, combined with predicted type knowledge, could lead to a stronger
     10        filter for the structure abstract value.
     11       
     12        This bug would have been benign in release builds; it would have just meant
     13        that the analysis was less precise and some optimization opportunities would
     14        be missed. I have an ASSERT that is meant to catch such cases, and it was
     15        triggering sporadically in one of the LayoutTests.
     16
     17        * dfg/DFGAbstractValue.h:
     18        (JSC::DFG::AbstractValue::filter):
     19
    1202011-10-11  Gavin Barraclough  <baraclough@apple.com>
    221

  • trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h

    r97218 r97240  
    403403        m_type &= other.predictionFromStructures();
    404404        m_structure.filter(other);
     405       
     406        // It's possible that prior to the above two statements we had (Foo, TOP), where
     407        // Foo is a PredictedType that is disjoint with the passed StructureSet. In that
     408        // case, we will now have (None, [someStructure]). In general, we need to make
     409        // sure that new information gleaned from the PredictedType needs to be fed back
     410        // into the information gleaned from the StructureSet.
     411        m_structure.filter(m_type);
    405412    }
    406413   
Note: See TracChangeset for help on using the changeset viewer.