[webkit-changes] [WebKit/WebKit] 3af657: [JSC] CFA should clear abstract values first befor...

Commit Queue noreply at github.com
Fri May 19 18:25:30 PDT 2023


  Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: 3af657fdb0401840e45d495b73ecf570f4c93401
      https://github.com/WebKit/WebKit/commit/3af657fdb0401840e45d495b73ecf570f4c93401
  Author: Yijia Huang <yijia_huang at apple.com>
  Date:   2023-05-19 (Fri, 19 May 2023)

  Changed paths:
    A JSTests/stress/regress-109263765.js
    M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
    M Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
    M Source/JavaScriptCore/dfg/DFGCFAPhase.cpp
    M Source/JavaScriptCore/dfg/DFGFlowMap.h
    M Source/JavaScriptCore/dfg/DFGGraph.cpp
    M Source/JavaScriptCore/dfg/DFGGraph.h
    M Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h
    M Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.cpp
    M Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.h
    M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
    M Source/JavaScriptCore/dfg/DFGPlan.cpp
    M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

  Log Message:
  -----------
  [JSC] CFA should clear abstract values first before reconstruction
https://bugs.webkit.org/show_bug.cgi?id=257044
rdar://109576467

Reviewed by Yusuke Suzuki.

Graph::packNodeIndices updates DFG nodes' indexes after packing,
which is usually performed in the LivenessAnalysis phase. Since a node's
index is used to associate it with its abstract value, we usually need
to perform CFA subsequently to reconstruct the abstract values for the DFG graph.

However, the current implementation of CFA reconstructs abstract
values by resetting their content according to the new speculation without
clearing them first. This causes a problem for some DFG nodes,
e.g., EnumeratorNextUpdateIndexAndMode, which shouldn't have a speculation
type but might be updated with new node indexes after Graph::packNodeIndices.
With those updated node indexes, those DFG nodes might be associated with typed
abstract values, which is wrong. In this case, even if CFA is performed subsequently,
those abstract values are still typed.

This patch fixes this issue by:
1. Clearing abstract values after packing the graph in debug builds.
2. Performing CFA in AI validation.
3. Clearing the abstract value for EnumeratorNextUpdateIndexAndMode in AI.

* JSTests/stress/regress-109263765.js: Added.
(foo):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp:
(JSC::DFG::AtTailAbstractState::createOrClearValueForNode):
(JSC::DFG::AtTailAbstractState::createValueForNode): Deleted.
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h:
* Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
* Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::createOrClearValueForNode):
(JSC::DFG::InPlaceAbstractState::createValueForNode): Deleted.
* Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.cpp:
(JSC::DFG::performGraphPackingAndLivenessAnalysis):
(JSC::DFG::performLivenessAnalysis): Deleted.
* Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.h:
* Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::compileNode):

Canonical link: https://commits.webkit.org/264281@main
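The failure mode the log message describes (an abstract value looked up by node index, a packing step that renumbers nodes without touching the value table, and a reconstruction pass that merges into whatever the slot already holds) modelled as an added C++ example. This is not JavaScriptCore code: the Graph, Node and AbstractValue types, the Typed/Untyped node kinds, runAnalysis and packNodeIndices are assumed stand-ins for the DFG structures and phases, and the three-node graph is constructed input. It shows why a node that must never carry a speculation type ends up typed unless the values are cleared before reconstruction.

```cpp
#include <cassert>
#include <cstdio>
#include <vector>

// Toy node kinds (assumption, not DFG's node types): Typed nodes receive a
// speculated type from the analysis; Untyped stands in for nodes such as
// EnumeratorNextUpdateIndexAndMode that must never carry a speculation type.
enum class Kind { Typed, Untyped };

struct Node {
    Kind kind;
    bool live;
    unsigned index;   // key into Graph::valuesByIndex
};

struct AbstractValue {
    unsigned type = 0;                      // 0 = no speculation, nonzero = type bits
    void clear() { type = 0; }
    void merge(unsigned bits) { type |= bits; }
};

struct Graph {
    std::vector<Node> nodes;
    std::vector<AbstractValue> valuesByIndex;   // one abstract value per node index
};

// Constructed input: two typed nodes and one untyped node, all live. Node 1
// will later be found dead, so after packing the untyped node takes index 1.
Graph buildExample() {
    Graph g;
    g.nodes = { {Kind::Typed, true, 0}, {Kind::Typed, true, 1}, {Kind::Untyped, true, 2} };
    g.valuesByIndex.resize(g.nodes.size());
    return g;
}

// Analysis pass standing in for CFA: merges a speculated type into each typed
// node's abstract value. With clearFirst == false the slot keeps whatever it
// held before the pass, which is the pre-patch behaviour the log describes.
void runAnalysis(Graph& g, bool clearFirst) {
    for (const Node& n : g.nodes) {
        if (!n.live) continue;
        AbstractValue& v = g.valuesByIndex[n.index];
        if (clearFirst) v.clear();
        if (n.kind == Kind::Typed) v.merge(0x1);
    }
}

// Packing: drop dead nodes and renumber the survivors densely. The value table
// is deliberately left alone, so a renumbered node now aliases a stale slot.
void packNodeIndices(Graph& g) {
    std::vector<Node> packed;
    for (const Node& n : g.nodes) if (n.live) packed.push_back(n);
    for (unsigned i = 0; i < packed.size(); ++i) packed[i].index = i;
    g.nodes = packed;
}

// Type bits the untyped node ends up with after reconstruction; must be 0.
unsigned untypedNodeType(const Graph& g) {
    for (const Node& n : g.nodes)
        if (n.kind == Kind::Untyped) return g.valuesByIndex[n.index].type;
    return 0;
}

// Full pipeline: analyse, kill node 1, pack, then reconstruct the abstract
// values either with or without clearing them first.
unsigned runPipeline(bool clearBeforeReconstruction) {
    Graph g = buildExample();
    runAnalysis(g, true);                        // indices 0 and 1 become typed
    g.nodes[1].live = false;                     // liveness analysis: node 1 is dead
    packNodeIndices(g);                          // untyped node moves from index 2 to 1
    runAnalysis(g, clearBeforeReconstruction);   // reconstruct abstract values
    return untypedNodeType(g);
}

int main() {
    std::printf("without clearing: untyped node type bits = 0x%x\n", runPipeline(false));
    std::printf("with clearing:    untyped node type bits = 0x%x\n", runPipeline(true));
    return 0;
}
```

Without clearing, the untyped node inherits the dead typed node's slot and keeps its type bits even though the reconstruction pass never merges anything into it; clearing each value before reconstruction (or clearing the table right after packing, as the patch does in debug builds) removes the stale state.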
