[webkit-changes] [WebKit/WebKit] 2f7262: DFG should update backwards propogation after fixup.

Justin Michaud noreply at github.com
Thu Jul 6 20:50:16 PDT 2023 

  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 2f7262436c990b072f944bc6ed08cf55746fb017
      https://github.com/WebKit/WebKit/commit/2f7262436c990b072f944bc6ed08cf55746fb017
  Author: Justin Michaud <justin_michaud at apple.com>
  Date:   2023-07-06 (Thu, 06 Jul 2023)

  Changed paths:
    A JSTests/stress/propogate-PureInt-double-use.js
    M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.h
    M Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.cpp
    M Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
    M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp

  Log Message:
  -----------
  DFG should update backwards propogation after fixup.
https://bugs.webkit.org/show_bug.cgi?id=257949
rdar://110661900

Reviewed by Keith Miller.

PureInt means that we cannot observe a difference between this value when
represented as a double or when represented as a UInt32.

Today, PureInt is not a proven property, but rather a speculation guide.
The DFG fixup phase is responsible for inserting speculations and fixing
up edges to ensure that we can prove the properties that we want.

UInt32ToNumber speculates that a value fits in an Int32. DoubleRep takes
an Int32 and stuffs the bits appropriately to turn it into a double.

ValueAdd is expecting a DoubleRep because it has a double argument.

In FixupPhase, we remove UInt32ToNumber because we see that it is PureInt.
If it is actually PureInt, then this is fine. But DoubleRep can observe it
as non-PureInt, and DoubleRep not inserted until well after BackwardsPropogationPhase has run.

We add a separate phase that runs after fixup, and pessimizes these speculation properties.
Then, we are free to use them as proven properties.

Finally, we move any checks in fixup that use these properties to strength reduction.

* JSTests/stress/propogate-PureInt-double-use.js: Added.
(opt):
(noInline.opt.o):
(noInline.o.main):
* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.cpp:
(JSC::DFG::BackwardsPropagationPhase::BackwardsPropagationPhase):
(JSC::DFG::BackwardsPropagationPhase::propagate):
(JSC::DFG::performBackwardsPropagation):
(JSC::DFG::performBackwardsPropagationAfterFixup):
* Source/JavaScriptCore/dfg/DFGBackwardsPropagationPhase.h:
* Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileUInt32ToNumber):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):

fix

.

Canonical link: https://commits.webkit.org/265833@main

More information about the webkit-changes mailing list