[Webkit-unassigned] [Bug 84553] DFG should have control flow graph simplification

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Apr 22 19:48:55 PDT 2012 

https://bugs.webkit.org/show_bug.cgi?id=84553





--- Comment #4 from Filip Pizlo <fpizlo at apple.com>  2012-04-22 19:48:55 PST ---
Found some fun issues:

- Merging the taken successor when the branch condition is known is wrong if that successor has multiple predecessors. We should convert the branch to a jump in that case, and insert phantoms for those things that were live in the not-taken successor.

- The handling of constant folding on GetLocal is wrong. First, it fails to deref the child of the GetLocal, which means that the original SetLocal is still executed even if it need not be. This leads to the graph being in an inconsistent state where the SetLocal will have a ref count than is greater than the number of nodes using it. Second, it's not clear that it will correctly inform OSR exit of the value of the local, if the original SetLocal is killed. Likely the best way to fix this would be that for any block in which the valueAtHead is a constant, we insert a JSConstant/dead-SetLocal pair at the top of the block, and link variablesAtHead to that SetLocal. Link variablesAtTail to that SetLocal also, if variablesAtTail was equal to variablesAtHead. Constant folding a GetLocal ought to assert that the local has been relinked in this fashion in this basic block.

But this appears to be dangerous, since a subsequent run of the CFA might get massively confused. Consider that we might have a block that does not use a variable but knows that the variable is a constant. Then it will have a dead SetLocal at the top. But since it's dead, the CFA will assume that the block kills the variable. So the constant value that flowed through this block will not be propagated correctly. Ouch!  I need to think about this more.

All of this does bring up an interesting question: could we perform constant propagation as a block-local analysis separate from CFA, and then propagate results between blocks by observing when a block uses a GetLocal that is linked to SetLocal of a JSConstant. The problem with that approach is that it won't work cleanly with value speculation or sparse conditional constant propagation, since it will depend too much on interleaving with CFG simplification.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list