Structure check hoisting fails to consider the possibility of conflicting...
Structure check hoisting fails to consider the possibility of conflicting checks on the source of the first assignment to the hoisted variable
https://bugs.webkit.org/show_bug.cgi?id=96872

Reviewed by Oliver Hunt.

This does a few related things:

- It turns off the use of ForceOSRExit for sure-to-fail CheckStructures, because I noticed that this would sometimes happen for a ForwardCheckStructure. The problem is that ForceOSRExit exits backwards, not forwards. Since the code that led to those ForceOSRExit's being inserted was written out of paranoia rather than need, I removed it. Specifically, I removed the m_isValid = false code for CheckStructure/StructureTransitionWatchpoint in AbstractState.

- If a structure check causes a structure set to go empty, we don't want a PutStructure to revive the set. It should instead be smart enough to realize that an empty set implies that the code can't execute. This was the only "bug" that the use of m_isValid = false was preventing.

- Finally, the main change: structure check hoisting looks at the source of the SetLocals on structure-check-hoistable variables and ensures that the source is not checked with a conflicting structure. This is O(n^2) but it does not show up at all in performance tests.

The first two parts of this change were auxiliary bugs that were revealed by the structure check hoister doing bad things.

* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::initialize):
(JSC::DFG::AbstractState::execute):
* dfg/DFGStructureCheckHoistingPhase.cpp:
(JSC::DFG::StructureCheckHoistingPhase::run):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@128699 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Showing with 83 additions and 24 deletions