<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[195422] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/195422">195422</a></dd>
<dt>Author</dt> <dd>benjamin@webkit.org</dd>
<dt>Date</dt> <dd>2016-01-21 14:56:21 -0800 (Thu, 21 Jan 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>[JSC] foldPathConstants() makes invalid assumptions with Switch
https://bugs.webkit.org/show_bug.cgi?id=153324

Reviewed by Filip Pizlo.

If a Switch() has two cases pointing to the same basic block, foldPathConstants()
was adding two overrides for that block with two different constants.
If the block with the Switch dominates the target, both overrides were equally valid
and we were assuming any of the constants as the value in the target block.

See testSwitchTargettingSameBlockFoldPathConstant() for an example that breaks.

This patch adds checks to ignore any block that is reached more than
once by the control value.

* b3/B3FoldPathConstants.cpp:
* b3/B3Generate.cpp:
(JSC::B3::generateToAir):
* b3/testb3.cpp:
(JSC::B3::testSwitchTargettingSameBlock):
(JSC::B3::testSwitchTargettingSameBlockFoldPathConstant):
(JSC::B3::run):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3FoldPathConstantscpp">trunk/Source/JavaScriptCore/b3/B3FoldPathConstants.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3Generatecpp">trunk/Source/JavaScriptCore/b3/B3Generate.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3testb3cpp">trunk/Source/JavaScriptCore/b3/testb3.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (195421 => 195422)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-01-21 21:51:39 UTC (rev 195421)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-01-21 22:56:21 UTC (rev 195422)
</span><span class="lines">@@ -1,3 +1,28 @@
</span><ins>+2016-01-21  Benjamin Poulain  &lt;benjamin@webkit.org&gt;
+
+        [JSC] foldPathConstants() makes invalid assumptions with Switch
+        https://bugs.webkit.org/show_bug.cgi?id=153324
+
+        Reviewed by Filip Pizlo.
+
+        If a Switch() has two cases pointing to the same basic block, foldPathConstants()
+        was adding two override for that block with two different constants.
+        If the block with the Switch dominates the target, both override were equally valid
+        and we were assuming any of the constants as the value in the target block.
+
+        See testSwitchTargettingSameBlockFoldPathConstant() for an example that breaks.
+
+        This patch adds checks to ignore any block that is reached more than
+        once by the control value.
+
+        * b3/B3FoldPathConstants.cpp:
+        * b3/B3Generate.cpp:
+        (JSC::B3::generateToAir):
+        * b3/testb3.cpp:
+        (JSC::B3::testSwitchTargettingSameBlock):
+        (JSC::B3::testSwitchTargettingSameBlockFoldPathConstant):
+        (JSC::B3::run):
+
</ins><span class="cx"> 2016-01-21  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Unreviewed, undo DFGCommon.h change that accidentally enabled the B3 JIT.
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreb3B3FoldPathConstantscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3FoldPathConstants.cpp (195421 => 195422)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3FoldPathConstants.cpp        2016-01-21 21:51:39 UTC (rev 195421)
+++ trunk/Source/JavaScriptCore/b3/B3FoldPathConstants.cpp        2016-01-21 22:56:21 UTC (rev 195422)
</span><span class="lines">@@ -90,6 +90,8 @@
</span><span class="cx">             ControlValue* branch = block-&gt;last()-&gt;as&lt;ControlValue&gt;();
</span><span class="cx">             switch (branch-&gt;opcode()) {
</span><span class="cx">             case Branch:
</span><ins>+                if (branch-&gt;successorBlock(0) == branch-&gt;successorBlock(1))
+                    continue;
</ins><span class="cx">                 addOverride(
</span><span class="cx">                     block, branch-&gt;child(0),
</span><span class="cx">                     Override::nonZero(branch-&gt;successorBlock(0)));
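Review bot: in the Branch case the new early exit uses continue inside the switch, which ends the
enclosing loop iteration rather than the switch, while every other arm ends in break. Use break for
consistency (or confirm nothing after the switch still has to run for this block), and add a one-line
comment that a Branch whose two successors are the same block proves nothing about child(0) there.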
</span><span class="lines">@@ -97,13 +99,21 @@
</span><span class="cx">                     block, branch-&gt;child(0),
</span><span class="cx">                     Override::constant(branch-&gt;successorBlock(1), 0));
</span><span class="cx">                 break;
</span><del>-            case Switch:
</del><ins>+            case Switch: {
+                HashMap&lt;BasicBlock*, unsigned&gt; targetUses;
+                for (const SwitchCase&amp; switchCase : *branch-&gt;as&lt;SwitchValue&gt;())
+                    targetUses.add(switchCase.targetBlock(), 0).iterator-&gt;value++;
+
</ins><span class="cx">                 for (const SwitchCase&amp; switchCase : *branch-&gt;as&lt;SwitchValue&gt;()) {
</span><ins>+                    if (targetUses.find(switchCase.targetBlock())-&gt;value != 1)
+                        continue;
+
</ins><span class="cx">                     addOverride(
</span><span class="cx">                         block, branch-&gt;child(0),
</span><span class="cx">                         Override::constant(switchCase.targetBlock(), switchCase.caseValue()));
</span><span class="cx">                 }
</span><span class="cx">                 break;
</span><ins>+            }
</ins><span class="cx">             default:
</span><span class="cx">                 break;
</span><span class="cx">             }
</span></span></pre></div>
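Review bot: targetUses in the Switch case is filled only from the SwitchCase entries of the iteration, so the fall-through target (the FrequentedBlock passed when the SwitchValue is constructed in testb3.cpp) is not counted unless that iteration includes it. A block that is both the fall-through target and the target of exactly one case would then still have a count of 1 and receive Override::constant(...) with that case value, although other values also reach it. Count the fall-through block in targetUses as well, or state in a comment why that cannot happen.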
<a id="trunkSourceJavaScriptCoreb3B3Generatecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3Generate.cpp (195421 => 195422)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3Generate.cpp        2016-01-21 21:51:39 UTC (rev 195421)
+++ trunk/Source/JavaScriptCore/b3/B3Generate.cpp        2016-01-21 22:56:21 UTC (rev 195422)
</span><span class="lines">@@ -91,7 +91,7 @@
</span><span class="cx"> 
</span><span class="cx">     if (optLevel &gt;= 1) {
</span><span class="cx">         reduceStrength(procedure);
</span><del>-        
</del><ins>+
</ins><span class="cx">         // FIXME: Add more optimizations here.
</span><span class="cx">         // https://bugs.webkit.org/show_bug.cgi?id=150507
</span><span class="cx">     }
</span></span></pre></div>
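Review bot: the only change to B3Generate.cpp in this hunk is the removal of trailing whitespace on the blank line after reduceStrength(procedure), which is unrelated to the foldPathConstants() fix and is why the ChangeLog lists generateToAir as modified. Drop it from this patch or land it as a separate cleanup.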
<a id="trunkSourceJavaScriptCoreb3testb3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/testb3.cpp (195421 => 195422)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/testb3.cpp        2016-01-21 21:51:39 UTC (rev 195421)
+++ trunk/Source/JavaScriptCore/b3/testb3.cpp        2016-01-21 22:56:21 UTC (rev 195422)
</span><span class="lines">@@ -8429,6 +8429,66 @@
</span><span class="cx">     CHECK(!invoke&lt;int32_t&gt;(*code, degree * gap + 1, 42, 11));
</span><span class="cx"> }
</span><span class="cx"> 
</span><ins>+void testSwitchTargettingSameBlock()
+{
+    Procedure proc;
+    BasicBlock* root = proc.addBlock();
+
+    BasicBlock* terminate = proc.addBlock();
+    terminate-&gt;appendNew&lt;ControlValue&gt;(
+        proc, Return, Origin(),
+        terminate-&gt;appendNew&lt;Const32Value&gt;(proc, Origin(), 5));
+
+    SwitchValue* switchValue = root-&gt;appendNew&lt;SwitchValue&gt;(
+        proc, Origin(),
+        root-&gt;appendNew&lt;ArgumentRegValue&gt;(proc, Origin(), GPRInfo::argumentGPR0),
+        FrequentedBlock(terminate));
+
+    BasicBlock* otherTarget = proc.addBlock();
+    otherTarget-&gt;appendNew&lt;ControlValue&gt;(
+        proc, Return, Origin(),
+        otherTarget-&gt;appendNew&lt;Const32Value&gt;(proc, Origin(), 42));
+    switchValue-&gt;appendCase(SwitchCase(3, FrequentedBlock(otherTarget)));
+    switchValue-&gt;appendCase(SwitchCase(13, FrequentedBlock(otherTarget)));
+
+    auto code = compile(proc);
+
+    for (unsigned i = 0; i &lt; 20; ++i) {
+        int32_t expected = (i == 3 || i == 13) ? 42 : 5;
+        CHECK(invoke&lt;int32_t&gt;(*code, i) == expected);
+    }
+}
+
+void testSwitchTargettingSameBlockFoldPathConstant()
+{
+    Procedure proc;
+    BasicBlock* root = proc.addBlock();
+
+    BasicBlock* terminate = proc.addBlock();
+    terminate-&gt;appendNew&lt;ControlValue&gt;(
+        proc, Return, Origin(),
+        terminate-&gt;appendNew&lt;Const32Value&gt;(proc, Origin(), 42));
+
+    Value* argument = root-&gt;appendNew&lt;ArgumentRegValue&gt;(proc, Origin(), GPRInfo::argumentGPR0);
+    SwitchValue* switchValue = root-&gt;appendNew&lt;SwitchValue&gt;(
+        proc, Origin(),
+        argument,
+        FrequentedBlock(terminate));
+
+    BasicBlock* otherTarget = proc.addBlock();
+    otherTarget-&gt;appendNew&lt;ControlValue&gt;(
+        proc, Return, Origin(), argument);
+    switchValue-&gt;appendCase(SwitchCase(3, FrequentedBlock(otherTarget)));
+    switchValue-&gt;appendCase(SwitchCase(13, FrequentedBlock(otherTarget)));
+
+    auto code = compile(proc);
+
+    for (unsigned i = 0; i &lt; 20; ++i) {
+        int32_t expected = (i == 3 || i == 13) ? i : 42;
+        CHECK(invoke&lt;int32_t&gt;(*code, i) == expected);
+    }
+}
+
</ins><span class="cx"> void testTruncFold(int64_t value)
</span><span class="cx"> {
</span><span class="cx">     Procedure proc;
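Review bot: both new tests only cover two Switch cases sharing a target; nothing exercises the Branch
check added in B3FoldPathConstants.cpp (both successors being the same block) or a case that shares
its target with the fall-through block. Add a test for each, with the shared block returning the
argument as testSwitchTargettingSameBlockFoldPathConstant() does, so a wrongly folded constant is
observable. Also, "Targetting" in both test names should be spelled "Targeting".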
</span><span class="lines">@@ -10385,6 +10445,9 @@
</span><span class="cx">     RUN(testSwitchChillDiv(100, 1));
</span><span class="cx">     RUN(testSwitchChillDiv(100, 100));
</span><span class="cx"> 
</span><ins>+    RUN(testSwitchTargettingSameBlock());
+    RUN(testSwitchTargettingSameBlockFoldPathConstant());
+
</ins><span class="cx">     RUN(testTrunc(0));
</span><span class="cx">     RUN(testTrunc(1));
</span><span class="cx">     RUN(testTrunc(-1));
</span></span></pre>
</div>
</div>

</body>
</html>