Skip to content

Commit

Permalink
[1.9>master] [1.8>1.9] [MERGE #4627 @meg-gupta] Fix missed copyprop o…
Browse files Browse the repository at this point in the history 
…pportunity due to unhandled InitFld case

Merge pull request #4627 from meg-gupta:fixopt

```var num = 50;
function inlineCall(tnum) {
  return {x : tnum};  // InitFld
}
function foo (obj) {
  var tnum = num;
  var sum = 0;
  while (tnum >= 0) {
    var retObj = inlineCall(tnum);
    if (tnum > 10) {
      sum += retObj.x;  // missed copy prop opportunity
    }
    tnum--;
  }
  return sum;
}

var obj = {};
foo(obj);
foo(obj);
foo(obj)
```
We were not setting a property initialized from InitFld instruction on the liveFields bit vector,
this led to returning null valueInfo when we queried through GlobOptBlockData::FindPropertyValue,
because that function checks if the property is live first and then queries its valauenumber from the symToValue map.

This pattern comes up in forof on array iterators, the constructor returns an object literal and we miss copy proping "done" and "value" fields of the iterator object.
  • Loading branch information
meg-gupta committed Feb 1, 2018
2 parents 6802d82 + 965f779 commit 265b278
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 2 deletions.
3 changes: 2 additions & 1 deletion lib/Backend/GlobOpt.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3662,7 +3662,6 @@ GlobOpt::CopyProp(IR::Opnd *opnd, IR::Instr *instr, Value *val, IR::IndirOpnd *p

ValueInfo *valueInfo = val->GetValueInfo();


if (this->func->HasFinally())
{
// s0 = undefined was added on functions with early exit in try-finally functions, that can get copy-proped and case incorrect results
Expand Down Expand Up @@ -4847,6 +4846,8 @@ GlobOpt::ValueNumberDst(IR::Instr **pInstr, Value *src1Val, Value *src2Val)
case Js::OpCode::StRootFld:
case Js::OpCode::StFldStrict:
case Js::OpCode::StRootFldStrict:
case Js::OpCode::InitFld:
case Js::OpCode::InitComputedProperty:
if (DoFieldCopyProp())
{
if (src1Val == nullptr)
Expand Down
6 changes: 5 additions & 1 deletion lib/Backend/GlobOptFields.cpp
View file
Original file line number Diff line number Diff line change
Expand Up @@ -473,6 +473,10 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
KillLiveElems(dstOpnd->AsIndirOpnd(), bv, inGlobOpt, instr->m_func);
break;

case Js::OpCode::InitComputedProperty:
KillLiveElems(dstOpnd->AsIndirOpnd(), bv, inGlobOpt, instr->m_func);
break;

case Js::OpCode::DeleteElemI_A:
case Js::OpCode::DeleteElemIStrict_A:
Assert(dstOpnd != nullptr);
Expand Down Expand Up @@ -504,7 +508,7 @@ GlobOpt::ProcessFieldKills(IR::Instr *instr, BVSparse<JitArenaAllocator> *bv, bo
this->KillAllObjectTypes(bv);
}
break;

case Js::OpCode::InitFld:
case Js::OpCode::StFld:
case Js::OpCode::StRootFld:
case Js::OpCode::StFldStrict:
Expand Down

0 comments on commit 265b278

Please sign in to comment.