Bug 137315

Summary: Object allocation sinking should have a sound story for picking materialization points
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED
Severity: Normal
CC: barraclough, commit-queue, ggaren, mark.lam, mhahnenb, mmirman, msaboff, nrotem, oliver, sam
Priority: P2
Version: 528+ (Nightly build)
Hardware: All
OS: All
Bug Depends on: 137310
Bug Blocks: 137126, 137168
Attachments (Description: Flags):
work in progress: none
the patch: oliver: review+

Description Filip Pizlo 2014-10-01 14:46:47 PDT
The current code has roughly the right intuition for picking materialization sites: you need to forward flow the "I was materialized" property.  It's true that this is an important input.  Where the logic goes wrong is that it then tries to do materializations at the *escaping sites* where an object goes from "not materialized" to "materialized".  In the case of loops (and probably some crazy irreducible control flow) you may have a point where an object becomes materialized that is not an escaping site.  The code should handle that case.
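The loop case in the description above, worked through on a toy control-flow graph. This is an added example, not code from the patch or from WebKit: the `Block` and `Placement` types, the function names, and the block-granularity model (an escape anywhere in a block marks the whole block) are assumptions made for illustration.

```cpp
#include <cstddef>
#include <set>
#include <utility>
#include <vector>

// Toy CFG for a single sunk allocation (constructed; not WebKit's data structures).
struct Block {
    std::vector<int> successors;
    bool escapes; // block contains a site where the object escapes
};

struct Placement {
    std::set<int> atEscapeSites;            // blocks that materialize at their escaping site
    std::set<std::pair<int, int>> onEdges;  // (pred, succ) edges that must materialize
};

Placement pickMaterializationPoints(const std::vector<Block>& cfg) {
    std::vector<bool> atHead(cfg.size(), false), atTail(cfg.size(), false);
    // Forward-flow "I was materialized" to a fixpoint.
    for (bool changed = true; changed;) {
        changed = false;
        for (size_t b = 0; b < cfg.size(); ++b) {
            bool tail = atHead[b] || cfg[b].escapes;
            if (tail != atTail[b]) { atTail[b] = tail; changed = true; }
            if (!atTail[b]) continue;
            for (int s : cfg[b].successors)
                if (!atHead[s]) { atHead[s] = true; changed = true; }
        }
    }
    Placement p;
    for (size_t b = 0; b < cfg.size(); ++b) {
        // Transition inside the block: the escaping site itself.
        if (cfg[b].escapes && !atHead[b]) p.atEscapeSites.insert((int)b);
        // Transition across an edge: no escaping site is involved.
        for (int s : cfg[b].successors)
            if (!atTail[b] && atHead[s]) p.onEdges.emplace((int)b, s);
    }
    return p;
}

// 0: allocation -> 1: loop header -> 2: loop body (escape) -> 1; 1 -> 3: exit
std::vector<Block> loopCfg() {
    return { {{1}, false}, {{2, 3}, false}, {{1}, true}, {{}, false} };
}

// 0: allocation -> 1: escape -> 2: exit
std::vector<Block> straightLineCfg() {
    return { {{1}, false}, {{2}, true}, {{}, false} };
}
```

For `loopCfg()` the back edge makes the object materialized at the head of the loop, so the only "not materialized" to "materialized" transition is the edge 0 -> 1, which contains no escaping site; for `straightLineCfg()` the transition is the escaping site in block 1.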
Comment 1 Filip Pizlo 2014-10-02 12:05:27 PDT
Created attachment 239126
work in progress
Comment 2 Filip Pizlo 2014-10-02 12:14:01 PDT
Created attachment 239127
the patch
Comment 3 WebKit Commit Bot 2014-10-02 12:15:56 PDT
Attachment 239127 did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGGraph.h:854:  The parameter name "block" adds no information, so it should be removed.  [readability/parameter_name] [5]
Total errors found: 1 in 11 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 4 Filip Pizlo 2014-10-02 12:16:30 PDT
(In reply to comment #3)
> Attachment 239127 did not pass style-queue:
> 
> 
> ERROR: Source/JavaScriptCore/dfg/DFGGraph.h:854:  The parameter name "block" adds no information, so it should be removed.  [readability/parameter_name] [5]
> Total errors found: 1 in 11 files
> 
> 
> If any of these errors are false positives, please file a bug against check-webkit-style.

Fixed.
Comment 5 Oliver Hunt 2014-10-02 12:18:39 PDT
Comment on attachment 239127
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=239127&action=review

> Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:761
> +        Node* result;

For my sanity initialize result = nullptr;
Comment 6 Filip Pizlo 2014-10-02 12:23:59 PDT
(In reply to comment #5)
> (From update of attachment 239127)
> View in context: https://bugs.webkit.org/attachment.cgi?id=239127&action=review
> 
> > Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:761
> > +        Node* result;
> 
> For my sanity initialize result = nullptr;

OK!
Comment 7 Filip Pizlo 2014-10-02 12:38:25 PDT
Landed in http://trac.webkit.org/changeset/174224