[Webkit-unassigned] [Bug 130576] New: Constants folded by DFG::ByteCodeParser should not be dead.
bugzilla-daemon at webkit.org
Fri Mar 21 03:44:16 PDT 2014
https://bugs.webkit.org/show_bug.cgi?id=130576
Summary: Constants folded by DFG::ByteCodeParser should not be dead.
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: eun-ji.jeong at samsung.com
CC: ggaren at apple.com, hojong.han at samsung.com, fpizlo at apple.com, sg5.lee at samsung.com
The testcase below should print "specFailArg", but it prints "0" instead.
function test_true_open()
{
    function passThrough(arg) {
        var a = true;
        var b = arg * 0.1;
        if (a)
            return arg;
        else
            return 0;
    }
    for (var i = 0; i < 1000; i++) {
        passThrough(i);
    }
    var specFailArg = "specFailArg";
    print(passThrough(specFailArg));
}
Generated bytecode for function passThrough():
[ 0] enter
[ 1] mov loc0, True(@k0)
[ 4] mul loc1, arg1, Double: 4591870180066957722, 0.100000(@k1)
[ 9] jfalse loc0, 7(->16)
[ 12] ret arg1
[ 14] jmp 4(->18)
[ 16] ret Int32: 0(@k2)
[ 18] ret Undefined(@k3)
An OSR exit occurs when passThrough() is called with the argument "specFailArg", in the DFG code generated for bc#4.
However, the OSR exit thunk writes Undefined to loc0,
so when the baseline JIT code generated for bc#9 executes, it reads the Undefined value and returns 0.
Generated DFG graph for function passThrough():
Block #0 (bc#0): (OSR target)
Predecessors:
Dominated by: #0
Dominates: #0
vars before: arg1:(Top, TOP, TOP, TOP) arg0:(Top, TOP, TOP, TOP)
var links: arg1:@1
0: <!0:-> Phantom(MustGen|CanExit, bc#0)
1: < 2:-> SetArgument(IsFlushed, arg1(B~<Int32>/FlushedJSValue), machine:arg1, W:SideState, bc#0) predicting Int32
2: <!0:-> Phantom(MustGen|CanExit, Other, bc#0)
3: skipped < 0:-> ZombieHint(loc0, W:SideState, bc#0)
4: <!0:-> Phantom(MustGen|CanExit, bc#0)
5: skipped < 0:-> ZombieHint(loc1, W:SideState, bc#0)
6: <!0:-> Phantom(MustGen|CanExit, bc#0)
7: <!0:-> Phantom(MustGen|CanExit, Bool, bc#1)
8: skipped < 0:-> ZombieHint(loc0, W:SideState, bc#1)
9: <!0:-> Phantom(MustGen|CanExit, bc#4)
10: < 3:-1> GetLocal(@1, JS|UseAsOther, Int32, arg1(B~<Int32>/FlushedJSValue), machine:arg1, R:Variables(7), bc#4) predicting Int32
11: <!0:-> Phantom(MustGen|CanExit, Nonintasdouble, bc#4)
26: <!0:-> Phantom(Check:Number:@10<Int32>, MustGen|CanExit, Int52asdouble, bc#4)
12: <!0:-> Phantom(MustGen|CanExit, Int52asdoubleNonintasdouble, bc#4)
27: <!0:-> Phantom(@10<Int32>, MustGen, bc#4)
13: skipped < 0:-> ZombieHint(loc1, W:SideState, bc#4)
14: <!0:-> Phantom(MustGen|CanExit, bc#9)
16: <!0:-> Flush(@1, MustGen|IsFlushed, arg1(B~<Int32>/FlushedJSValue), machine:arg1, W:SideState, bc#12) predicting Int32
17: <!0:-> Phantom(MustGen|CanExit, Int32, bc#12)
18: <!0:-> Return(@10<Int32>, MustGen, W:SideState, bc#12)
vars after:
var links: arg1:@10<Int32>
The nodes generated by bc#1 become dead
as a result of constant folding in DFG::ByteCodeParser().
I think DFG::ByteCodeParser should tell the backend optimization phase that the folded constant should not be dead.
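The failure described in the report can be reproduced in a toy two-tier model. This is an added example, not code from the report or from WebKit: the bytecode table mirrors the listing above, while runBaseline, runOptimized and the keepFoldedConstantAlive switch are hypothetical names, and Number.isInteger stands in for the Int32 speculation check.

```javascript
// Toy model (constructed for illustration, not JavaScriptCore code) of the
// bytecode listed in the report for passThrough().
const BYTECODE = {
  0:  { op: "enter", next: 1 },
  1:  { op: "mov", dst: "loc0", value: true, next: 4 },
  4:  { op: "mul", dst: "loc1", src: "arg1", value: 0.1, next: 9 },
  9:  { op: "jfalse", src: "loc0", target: 16, next: 12 },
  12: { op: "ret", src: "arg1" },
  16: { op: "retConst", value: 0 },
  18: { op: "retConst", value: undefined },
};

// Baseline tier: interprets from any bytecode offset, trusting the frame as given.
function runBaseline(pc, frame) {
  for (;;) {
    const insn = BYTECODE[pc];
    switch (insn.op) {
      case "enter": pc = insn.next; break;
      case "mov": frame[insn.dst] = insn.value; pc = insn.next; break;
      case "mul": frame[insn.dst] = frame[insn.src] * insn.value; pc = insn.next; break;
      case "jfalse": pc = frame[insn.src] ? insn.next : insn.target; break;
      case "ret": return frame[insn.src];
      case "retConst": return insn.value;
    }
  }
}

// Optimizing tier: loc0 was folded to true, so the branch is gone and arg1 is
// speculated to be an integer. A failed check exits to baseline at bc#4.
function runOptimized(arg, keepFoldedConstantAlive) {
  if (Number.isInteger(arg)) return arg; // fast path: ret arg1
  const frame = {
    arg1: arg,
    // Dead at the exit: Undefined is stored. Kept alive: the constant is restored.
    loc0: keepFoldedConstantAlive ? true : undefined,
    loc1: undefined,
  };
  return runBaseline(4, frame); // OSR exit target
}

console.log(runOptimized("specFailArg", false)); // 0, the reported behaviour
console.log(runOptimized("specFailArg", true));  // "specFailArg", the expected result
```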