WebKit Bugzilla
RESOLVED FIXED
71071
If the bytecode generator emits code after the return in the first basic block, DFG's inliner crashes
https://bugs.webkit.org/show_bug.cgi?id=71071
Filip Pizlo, Reported 2011-10-27 15:49:27 PDT
The bytecode generator will emit some code after a return in the first basic block in some cases. One silly case is:

    function foo(a) { { return a; } }

The bytecode will be something like:

    op_enter
    op_ret arg1
    op_ret undefined

The DFG bytecode parser will then crash when inlining this function because it thinks that an early return (i.e. a return prior to the end position in the bytecode stream) implies that multiple basic blocks have been created prior to reaching that return. This is clearly not the case here.

The DFG bytecode parser should be smart enough to realize that an early return in the first basic block means that subsequent basic blocks are dead and should not be parsed.
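The invariant described in the report, as a simplified model added here for illustration. This is not JavaScriptCore code: the `Op` enum, `ParseResult` and `parseForInlining` are hypothetical names, and the unfixed parser's crash is represented by a flag.

```cpp
// Toy model of the early-return handling described in the report (not WebKit code).
#include <cstddef>
#include <cstdio>
#include <vector>

enum class Op { Enter, Ret, Jump, Add };  // Jump ends a block; Ret returns

struct ParseResult {
    std::size_t blocksCreated = 0;    // basic blocks the parser materialised
    std::size_t opsParsed = 0;        // instructions actually visited
    bool assumptionViolated = false;  // point where the unfixed parser would crash
};

// Parse a callee's bytecode for inlining. `fixed` selects the behaviour the
// report asks for: an early return in the first block ends parsing cleanly.
ParseResult parseForInlining(const std::vector<Op>& code, bool fixed) {
    ParseResult r;
    r.blocksCreated = 1;  // the entry block
    for (std::size_t i = 0; i < code.size(); ++i) {
        ++r.opsParsed;
        bool lastOp = (i + 1 == code.size());
        if (code[i] == Op::Jump && !lastOp) {
            ++r.blocksCreated;  // code after a jump starts a new block
            continue;
        }
        if (code[i] != Op::Ret || lastOp)
            continue;
        // Early return: a return before the end of the bytecode stream.
        if (r.blocksCreated == 1) {
            // Unfixed: assumes more than one block exists here, which is false.
            // Fixed: everything after the return is dead and is not parsed.
            r.assumptionViolated = !fixed;
            return r;
        }
        ++r.blocksCreated;  // later code may be a jump target, so keep parsing
    }
    return r;
}

// Bytecode the report gives for: function foo(a) { { return a; } }
std::vector<Op> fooBytecode() { return {Op::Enter, Op::Ret, Op::Ret}; }

int main() {
    for (bool fixed : {false, true}) {
        ParseResult r = parseForInlining(fooBytecode(), fixed);
        std::printf("fixed=%d blocks=%zu ops=%zu violated=%d\n", (int)fixed,
                    r.blocksCreated, r.opsParsed, (int)r.assumptionViolated);
    }
    return 0;
}
```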
Attachments
the patch (8.74 KB, patch), 2011-10-27 16:24 PDT, Filip Pizlo; barraclough: review+
Filip Pizlo, Comment 1, 2011-10-27 16:24:08 PDT

Created attachment 112777
the patch

Looks like it's neutral, as it should be, since it just fixes a bug and doesn't change functionality. SunSpider seems to be minutely slower (which is likely a fluke) and V8 seems to be minutely faster (which is also likely a fluke).

Benchmark report for SunSpider, V8, and Kraken.

VMs tested:
"TipOfTree" at /Volumes/Data/pizlo/tertiary/OpenSource/WebKitBuild/Release/jsc
"FixInline" at /Volumes/Data/pizlo/secondary/OpenSource/WebKitBuild/Release/jsc

Collected 30 samples per benchmark/VM, with 10 VM invocations per benchmark. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in milliseconds.

                                       TipOfTree                FixInline
SunSpider:
   3d-cube                             7.9344+-0.0320           7.8820+-0.0225
   3d-morph                            8.5841+-0.0860           8.4711+-0.0500        might be 1.0133x faster
   3d-raytrace                         8.2999+-0.0640           8.2174+-0.0586        might be 1.0100x faster
   access-binary-trees                 1.6960+-0.0093           1.6945+-0.0072
   access-fannkuch                     7.7455+-0.0103     ?     7.7500+-0.0076     ?
   access-nbody                        4.5338+-0.0142           4.5296+-0.0044
   access-nsieve                       3.1827+-0.0098     ?     3.1951+-0.0147     ?
   bitops-3bit-bits-in-byte            1.3242+-0.0113           1.3106+-0.0043        might be 1.0104x faster
   bitops-bits-in-byte                 5.2605+-0.0161     ?     5.2806+-0.0234     ?
   bitops-bitwise-and                  3.4436+-0.0341     ?     3.4595+-0.0364     ?
   bitops-nsieve-bits                  5.6491+-0.0274     ?     5.6611+-0.0202     ?
   controlflow-recursive               2.3468+-0.0148           2.3281+-0.0039
   crypto-aes                          7.6320+-0.0476           7.6013+-0.0347
   crypto-md5                          2.8600+-0.0106           2.8524+-0.0106
   crypto-sha1                         2.6321+-0.0060           2.6287+-0.0093
   date-format-tofte                  10.7093+-0.1242     ?    10.7880+-0.0720     ?
   date-format-xparb                  10.0605+-0.0794     ?    10.1817+-0.0950     ?  might be 1.0120x slower
   math-cordic                         7.6231+-0.1588     ?     7.8671+-0.1592     ?  might be 1.0320x slower
   math-partial-sums                  10.5893+-0.0261     ?    10.5935+-0.0235     ?
   math-spectral-norm                  2.8851+-0.0047           2.8787+-0.0037
   regexp-dna                         13.3672+-0.0932     ?    13.3794+-0.1069     ?
   string-base64                       4.4312+-0.0183     ?     4.4355+-0.0156     ?
   string-fasta                        7.1090+-0.0185     ?     7.1505+-0.0273     ?
   string-tagcloud                    13.3075+-0.0916          13.2323+-0.0913
   string-unpack-code                 22.8460+-0.1244     !    23.5282+-0.1190     !  definitely 1.0299x slower
   string-validate-input               5.5839+-0.0196     !     5.6866+-0.0335     !  definitely 1.0184x slower

   <arithmetic> *                      6.9860+-0.0156     !     7.0224+-0.0147     !  definitely 1.0052x slower
   <geometric>                         5.6452+-0.0098     ?     5.6575+-0.0094     ?
   <harmonic>                          4.4661+-0.0088           4.4638+-0.0071

                                       TipOfTree                FixInline
V8:
   crypto                             81.2127+-0.1841     ?    81.2527+-0.1860     ?
   deltablue                         199.1947+-0.6705     ^   196.8202+-0.4793     ^  definitely 1.0121x faster
   earley-boyer                      112.0324+-0.4968     ?   112.5080+-0.4266     ?
   raytrace                           69.9737+-0.3062          69.9153+-0.3008
   regexp                            123.7585+-0.3561     ?   124.3841+-0.3320     ?
   richards                          145.9443+-0.5814     ?   147.5387+-1.0848     ?  might be 1.0109x slower
   splay                             125.0304+-0.3685     ^   120.4484+-0.3863     ^  definitely 1.0380x faster

   <arithmetic>                      122.4495+-0.1382     ^   121.8382+-0.2280     ^  definitely 1.0050x faster
   <geometric> *                     116.2151+-0.1299     ^   115.7251+-0.1967     ^  definitely 1.0042x faster
   <harmonic>                        110.2609+-0.1421     ^   109.8818+-0.1792     ^  definitely 1.0035x faster

                                       TipOfTree                FixInline
Kraken:
   ai-astar                          819.5233+-7.1237     ?   827.2304+-5.6091     ?
   audio-beat-detection              212.2996+-0.5437     ?   213.4709+-1.0935     ?
   audio-dft                         262.5330+-1.3032         260.5046+-2.6966
   audio-fft                         133.2512+-0.4026     ?   133.2666+-0.5060     ?
   audio-oscillator                  291.3085+-0.6306         291.2467+-0.6328
   imaging-darkroom                  459.5202+-10.8254        450.0512+-1.7868        might be 1.0210x faster
   imaging-desaturate                245.4631+-0.2857         245.2796+-0.0991
   imaging-gaussian-blur             621.0583+-0.2760     ?   621.1637+-0.2007     ?
   json-parse-financial               69.8446+-0.1768     !    72.5795+-0.0612     !  definitely 1.0392x slower
   json-stringify-tinderbox           80.0725+-0.2529     ^    79.4883+-0.2136     ^  definitely 1.0074x faster
   stanford-crypto-aes               153.4442+-1.0282         151.6245+-0.9526        might be 1.0120x faster
   stanford-crypto-ccm               116.9021+-1.1085         115.6602+-0.6819        might be 1.0107x faster
   stanford-crypto-pbkdf2            237.2313+-1.4347         235.1331+-0.8966
   stanford-crypto-sha256-iterative   85.2637+-0.1620     ^    84.8783+-0.1208     ^  definitely 1.0045x faster

   <arithmetic> *                    270.5511+-0.7269         270.1127+-0.5107
   <geometric>                       206.2089+-0.3840         205.9494+-0.2818
   <harmonic>                        162.0812+-0.2498     ?   162.3720+-0.1838     ?

                                       TipOfTree                FixInline
All benchmarks:
   <arithmetic>                      102.6915+-0.2210         102.4900+-0.1484
   <geometric>                        25.8690+-0.0327     ?    25.8742+-0.0310     ?
   <harmonic>                          7.8707+-0.0152           7.8667+-0.0122

                                       TipOfTree                FixInline
Geomean of preferred means:
   <scaled-result>                    60.3360+-0.0807          60.3230+-0.0684
Filip Pizlo, Comment 2, 2011-10-27 16:36:40 PDT

Landed in http://trac.webkit.org/changeset/98658.