168140 – Object allocation sinking phase doesn't properly handle control flow when emitting a PutHint of a materialized object into a PromotedHeapLocation of a still sunken object

RESOLVED FIXED168140

Object allocation sinking phase doesn't properly handle control flow when emitting a PutHint of a materialized object into a PromotedHeapLocation of a still sunken object

https://bugs.webkit.org/show_bug.cgi?id=168140

Summary Object allocation sinking phase doesn't properly handle control flow when emi...

Saam Barati

Reported 2017-02-10 11:58:38 PST

For example, if you have a control flow diamond, where we materialize along both sides of the diamond, we will emit PutHints along both sides. But we won't emit a PutHint if the Phi of the two materializations at the join point.

Attachments
patch (17.12 KB, patch) 2017-02-10 18:44 PST, Saam Barati	fpizlo: review+	Details Formatted Diff Diff
patch for landing (17.29 KB, patch) 2017-02-10 18:55 PST, Saam Barati	no flags	Details Formatted Diff Diff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Saam Barati

Comment 1 2017-02-10 15:33:38 PST

An example program: What ToT produces ``` bb#0: b: PhantomActivation() a: PhantomNewFunction() c: PutHint(@a, @b, ActivationLoc) Branch(#1, #2) bb#1: d: MaterializeActivation() e: PutHint(@a, @d, ActivationLoc) f: Upsilon(@d, ^p) Jump(#3) bb#2: g: MaterializeActivation() h: PutHint(@a, @g, ActivationLoc) i: Upsilon(@d, ^p) Jump(#3) bb#3: p: Phi() // What is PromotedHeapLocation(@a, ActivationLoc) here? // What would we do if we exited? // We need to do is PutHint the Phi. ``` What we should produce as IR is: ``` bb#0: b: PhantomActivation() a: PhantomNewFunction() c: PutHint(@a, @b, ActivationLoc) Branch(#1, #2) bb#1: d: MaterializeActivation() e: PutHint(@a, @d, ActivationLoc) f: Upsilon(@d, ^p) Jump(#3) bb#2: g: MaterializeActivation() h: PutHint(@a, @g, ActivationLoc) i: Upsilon(@d, ^p) Jump(#3) bb#3: p: Phi() j: PutHint(@a, @p, ActivationLoc) ```

Saam Barati

Comment 2 2017-02-10 17:46:08 PST

<rdar://problem/30205880>

Saam Barati

Comment 3 2017-02-10 18:44:36 PST

Created attachment 301233 [details] patch

Saam Barati

Comment 4 2017-02-10 18:55:10 PST

Created attachment 301235 [details] patch for landing

WebKit Commit Bot

Comment 5 2017-02-10 20:06:41 PST

Comment on attachment 301235 [details] patch for landing Clearing flags on attachment: 301235 Committed r212177: <http://trac.webkit.org/changeset/212177>

WebKit Commit Bot

Comment 6 2017-02-10 20:06:46 PST

All reviewed patches have been landed. Closing bug.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component JavaScriptCore

Assignee

Saam Barati

Reported

2017-02-10 11:58 PST

Modified

2017-02-10 20:06 PST History

CC List

13 users Show

URL

Keywords InRadar

Depends on

Blocks