Bug 144176

Summary: Function allocation sinking works for wrong reasons
Product: WebKit Reporter: Basile Clement <basile_clement>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, fpizlo, ggaren, mark.lam, msaboff
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Should do the right thing
none
Seems to be doing the right thing
none
Seems to be doing the right thing
fpizlo: review-
MaterializeNewObject is also sinkable...
fpizlo: review+, fpizlo: commit-queue+
Remove spurious MustGenerate none

Basile Clement
Reported 2015-04-24 17:42:52 PDT
It is by design that we don't support sinking of function allocation through any related operations. Object allocation, however, does sink through field assignment (PutByOffset etc.), so we have a check that is supposed to prevent function allocations from sinking through these. However that check is misguided and (a) do not prevent function allocation sinking through field assignment and (b) ensures that if a function allocation ever sinks through a PutByOffset, very bad things happen instead. Fortunately, PutByOffset (and their relatives) require first allocating a custom structure for the JSFunction object, thus the PutByOffset will always be preceded by an AllocatePropertyStorage through which no allocation can sink, and materialization would always be triggered before the PutByOffset - so this works by chance. Anyway, this should be done the proper way, and I will submit a patch soon to prevent properly have checks preventing function allocation sinking through PutByOffset et al.
Attachments
Should do the right thing (3.23 KB, patch)
2015-04-24 18:01 PDT, Basile Clement 		no flags
DetailsFormatted DiffDiff
Seems to be doing the right thing (4.65 KB, patch)
2015-04-27 11:57 PDT, Basile Clement 		no flags
DetailsFormatted DiffDiff
Seems to be doing the right thing (4.62 KB, patch)
2015-04-27 12:06 PDT, Basile Clement 		fpizlo: review-
DetailsFormatted DiffDiff
MaterializeNewObject is also sinkable... (5.25 KB, patch)
2015-04-27 12:29 PDT, Basile Clement 		fpizlo: review+
fpizlo: commit-queue+
DetailsFormatted DiffDiff
Remove spurious MustGenerate (5.22 KB, patch)
2015-04-27 12:47 PDT, Basile Clement 		no flags
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Basile Clement
Comment 1 2015-04-24 18:01:54 PDT
Created attachment 251602 [details] Should do the right thing Compiles, but untested - will check my understanding of the nodes is correct and does not prevent valid object allocation sinking and add a ChangeLog entry on Monday.
Basile Clement
Comment 2 2015-04-27 11:57:32 PDT
Created attachment 251763 [details] Seems to be doing the right thing
Basile Clement
Comment 3 2015-04-27 12:06:42 PDT
Created attachment 251764 [details] Seems to be doing the right thing
Basile Clement
Comment 4 2015-04-27 12:08:50 PDT
Comment on attachment 251764 [details] Seems to be doing the right thing View in context: https://bugs.webkit.org/attachment.cgi?id=251764&action=review > Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:812 > + if (target->op() != NewObject) Unsure if I should add a helper function in DFG::Node for that...
Filip Pizlo
Comment 5 2015-04-27 12:10:00 PDT
You should rebase :-)
Filip Pizlo
Comment 6 2015-04-27 12:11:57 PDT
Comment on attachment 251764 [details] Seems to be doing the right thing View in context: https://bugs.webkit.org/attachment.cgi?id=251764&action=review >> Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:812 >> + if (target->op() != NewObject) > > Unsure if I should add a helper function in DFG::Node for that... Seems wrong - MaterializeNewObject is also a sink candidate.
Basile Clement
Comment 7 2015-04-27 12:17:05 PDT
(In reply to comment #6) > Comment on attachment 251764 [details] > Seems to be doing the right thing > > View in context: > https://bugs.webkit.org/attachment.cgi?id=251764&action=review > > >> Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:812 > >> + if (target->op() != NewObject) > > > > Unsure if I should add a helper function in DFG::Node for that... > > Seems wrong - MaterializeNewObject is also a sink candidate. Oh, duh, indeed. Fixing that, w/ a helper function then.
Basile Clement
Comment 8 2015-04-27 12:29:31 PDT
Created attachment 251768 [details] MaterializeNewObject is also sinkable...
Basile Clement
Comment 9 2015-04-27 12:40:07 PDT
Sorry, should have tried a clean build.
Basile Clement
Comment 10 2015-04-27 12:47:34 PDT
Created attachment 251771 [details] Remove spurious MustGenerate
WebKit Commit Bot
Comment 11 2015-04-27 13:43:41 PDT
Comment on attachment 251771 [details] Remove spurious MustGenerate Clearing flags on attachment: 251771 Committed r183419: <http://trac.webkit.org/changeset/183419>
WebKit Commit Bot
Comment 12 2015-04-27 13:43:45 PDT
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.