The current code has roughly the right intuition for picking materialization sites: you need to forward-flow the "I was materialized" property. It's true that this is an important input. Where the logic goes wrong is that it then tries to do materializations at the *escaping sites* where an object goes from "not materialized" to "materialized". In the case of loops (and probably some crazy irreducible control flow) you may have a point where an object becomes materialized that is not an escaping site. The code should handle that case.
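To make the loop case concrete, here is an added example (not WebKit's code and not the patch under review) that runs the forward "materialized" analysis to a fixpoint over a constructed, simplified control-flow graph and then picks materialization sites two ways: at escapes where the property flips, and on edges into a merge whose other predecessors are already materialized. The `Block`, `MaterializationPlan` and `planMaterializations` names are assumptions of this example. On the loop graph the only site is the edge entering the loop header, which contains no escape at all; an escape-site-only search finds nothing there.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <utility>
#include <vector>

// Constructed, simplified CFG model (not WebKit's DFG types).
struct Block {
    std::vector<size_t> successors;
    bool escapes = false; // block contains a site where the sunk object escapes
};

struct MaterializationPlan {
    std::vector<bool> atHead, atTail;                   // forward "materialized" property
    std::vector<size_t> escapeSites;                    // blocks whose escape needs a materialization
    std::vector<std::pair<size_t, size_t>> edgeSites;   // (pred, succ) edges needing one; no escape there
};

MaterializationPlan planMaterializations(const std::vector<Block>& blocks)
{
    size_t n = blocks.size();
    std::vector<std::vector<size_t>> preds(n);
    for (size_t b = 0; b < n; ++b)
        for (size_t s : blocks[b].successors)
            preds[s].push_back(b);

    MaterializationPlan plan;
    plan.atHead.assign(n, false);
    plan.atTail.assign(n, false);

    // Forward may-analysis to fixpoint: materialized at head if materialized at the
    // tail of any predecessor; materialized at tail if at head or escaped inside.
    bool changed = true;
    while (changed) {
        changed = false;
        for (size_t b = 0; b < n; ++b) {
            bool head = false;
            for (size_t p : preds[b])
                head = head || plan.atTail[p];
            bool tail = head || blocks[b].escapes;
            if (head != plan.atHead[b] || tail != plan.atTail[b]) {
                plan.atHead[b] = head;
                plan.atTail[b] = tail;
                changed = true;
            }
        }
    }

    // Site selection, case 1: the property flips at an escape inside the block.
    for (size_t b = 0; b < n; ++b)
        if (blocks[b].escapes && !plan.atHead[b])
            plan.escapeSites.push_back(b);
    // Case 2: the property flips on an edge into a merge (e.g. a loop header) that
    // is materialized because of some other predecessor; nothing escapes here.
    for (size_t b = 0; b < n; ++b)
        for (size_t s : blocks[b].successors)
            if (!plan.atTail[b] && plan.atHead[s])
                plan.edgeSites.emplace_back(b, s);
    return plan;
}

// Constructed loop: 0 (allocation) -> 1 (loop header) -> 2 (body, escapes) -> 1, and 1 -> 3 (exit).
std::vector<Block> loopExample()
{
    std::vector<Block> blocks(4);
    blocks[0].successors = {1};
    blocks[1].successors = {2, 3};
    blocks[2].successors = {1};
    blocks[2].escapes = true;
    return blocks;
}

// Constructed straight line: 0 (allocation) -> 1 (escapes) -> 2.
std::vector<Block> straightLineExample()
{
    std::vector<Block> blocks(3);
    blocks[0].successors = {1};
    blocks[1].successors = {2};
    blocks[1].escapes = true;
    return blocks;
}

int main()
{
    MaterializationPlan loop = planMaterializations(loopExample());
    std::printf("loop: %zu escape sites, %zu edge sites\n", loop.escapeSites.size(), loop.edgeSites.size());
    for (auto& e : loop.edgeSites)
        std::printf("  materialize on edge %zu -> %zu (not an escaping site)\n", e.first, e.second);
    MaterializationPlan line = planMaterializations(straightLineExample());
    std::printf("straight line: %zu escape sites, %zu edge sites\n", line.escapeSites.size(), line.edgeSites.size());
    return 0;
}
```

In the loop graph the back edge from block 2 makes the header materialized at its head, so block 2 sees the object as already materialized and is not an escape site; the flip is on edge 0 -> 1, which is where the materialization has to go. In the straight-line graph the two cases coincide and only the escape site is reported.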
Created attachment 239126 [details] work in progress
Created attachment 239127 [details] the patch
Attachment 239127 [details] did not pass style-queue:

ERROR: Source/JavaScriptCore/dfg/DFGGraph.h:854: The parameter name "block" adds no information, so it should be removed. [readability/parameter_name] [5]
Total errors found: 1 in 11 files

If any of these errors are false positives, please file a bug against check-webkit-style.
(In reply to comment #3)
> Attachment 239127 [details] did not pass style-queue:
>
> ERROR: Source/JavaScriptCore/dfg/DFGGraph.h:854: The parameter name "block" adds no information, so it should be removed. [readability/parameter_name] [5]
> Total errors found: 1 in 11 files
>
> If any of these errors are false positives, please file a bug against check-webkit-style.

Fixed.
Comment on attachment 239127 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=239127&action=review

> Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:761
> +    Node* result;

For my sanity initialize result = nullptr;
(In reply to comment #5)
> (From update of attachment 239127 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=239127&action=review
>
> > Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:761
> > +    Node* result;
>
> For my sanity initialize result = nullptr;

OK!
Landed in http://trac.webkit.org/changeset/174224