[turbofan] BitcastWordToTagged must not be pure.

[turbofan] BitcastWordToTagged must not be pure.

The BitcastWordToTagged operator is used for bump pointer allocation to
construct the actual HeapObject pointer. The input to this operator is
a naked pointer (derived from the allocation top). If this input value
is live across an allocation, then the resulting tagged pointer is
invalid because the GC might have scavenged new space in the meantime.

That means we must not allow Node splitting (in the Scheduler) for these
instructions, as that could extend the live range of the naked pointer
input across arbitrary code. As such, this operator must not be marked
as pure.

R=jarin@chromium.org
BUG=v8:6059
Review-Url: https://codereview.chromium.org/2739093002
Cr-Commit-Position: refs/heads/master@{#43683}
Committed: https://chromium.googlesource.com/v8/v8/+/64fbb3041fe835784a7c7640d75712b39f62de18

[Benedikt Meurer, 2017-03-09 05:27:15]

The CQ bit was checked by bmeurer@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-03-09 05:27:16]

Dry run: CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[Jarin, 2017-03-09 05:31:15]

lgtm

[Benedikt Meurer, 2017-03-09 05:31:30]

The CQ bit was unchecked by bmeurer@chromium.org

[Benedikt Meurer, 2017-03-09 05:31:34]

The CQ bit was checked by bmeurer@chromium.org

[commit-bot: I haz the power, 2017-03-09 05:31:39]

CQ is trying da patch. Follow status at
 
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-03-09 05:51:47]

CQ is committing da patch.

Bot data: {"patchset_id": 1, "attempt_start_ts": 1489037494472330, "parent_rev":
"cce8a1971b0162dbadb640e5f489292672d671e5", "commit_rev":
"64fbb3041fe835784a7c7640d75712b39f62de18"}

[commit-bot: I haz the power, 2017-03-09 05:51:53]

Description was changed from

==========
[turbofan] BitcastWordToTagged must not be pure.

The BitcastWordToTagged operator is used for bump pointer allocation to
construct the actual HeapObject pointer. The input to this operator is
a naked pointer (derived from the allocation top). If this input value
is live across an allocation, then the resulting tagged pointer is
invalid because the GC might have scavenged new space in the meantime.

That means we must not allow Node splitting (in the Scheduler) for these
instructions, as that could extend the live range of the naked pointer
input across arbitrary code. As such, this operator must not be marked
as pure.

R=jarin@chromium.org
BUG=v8:6059
==========

to

==========
[turbofan] BitcastWordToTagged must not be pure.

The BitcastWordToTagged operator is used for bump pointer allocation to
construct the actual HeapObject pointer. The input to this operator is
a naked pointer (derived from the allocation top). If this input value
is live across an allocation, then the resulting tagged pointer is
invalid because the GC might have scavenged new space in the meantime.

That means we must not allow Node splitting (in the Scheduler) for these
instructions, as that could extend the live range of the naked pointer
input across arbitrary code. As such, this operator must not be marked
as pure.

R=jarin@chromium.org
BUG=v8:6059

Review-Url: https://codereview.chromium.org/2739093002
Cr-Commit-Position: refs/heads/master@{#43683}
Committed:
https://chromium.googlesource.com/v8/v8/+/64fbb3041fe835784a7c7640d75712b39f6...
==========

[commit-bot: I haz the power, 2017-03-09 05:51:53]

Committed patchset #1 (id:1) as
https://chromium.googlesource.com/v8/v8/+/64fbb3041fe835784a7c7640d75712b39f6...

[Michael Achenbach, 2017-03-09 12:33:25]

Any chance for a regression test?

[Benedikt Meurer, 2017-03-09 12:34:11]

We tried for like 6 hours, but didn't succeed. We have to live with the
regression test via WebGL conformance suite for now. :-(