[Webkit-unassigned] [Bug 148649] New: DFG AI assertions about not having to do type checks at the point of a Known use kind are unsound

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 31 15:10:33 PDT 2015


https://bugs.webkit.org/show_bug.cgi?id=148649

            Bug ID: 148649
           Summary: DFG AI assertions about not having to do type checks
                    at the point of a Known use kind are unsound
    Classification: Unclassified
           Product: WebKit
           Version: Other
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fpizlo at apple.com

We often generate IR like:

Check(Int32:@x)
...
Foo(KnownInt32:@x)

It would be valid for any optimization that somehow proves the type of @x to remove the Check node entirely.  But then, AI might fail on an assertion at Foo() because of the KnownInt32 use kind, if AI isn't smart enough to construct the same proof that the former optimization used for removing the Check.

The correct solution is probably to remove the compile-time assertions about Known use kinds having already been checked.  It's OK for those to be debug-only JIT assertions.

-- 
You are receiving this mail because:
You are the assignee for the bug.
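
An added toy model of the situation described in the report, written in C++ for illustration; it is not JavaScriptCore code and not from the reporter. The names `Type`, `Op`, `Node`, `MaskLow8`, `removeProvenChecks`, `runAI` and `strictKnown` are hypothetical, and the sample block is constructed. It shows an optimization with a stronger proof deleting the Check, the compile-time Known-use assertion then firing on valid IR, and the relaxed rule accepting it.

```cpp
// Toy model only: hypothetical types and passes, not JavaScriptCore code.
#include <map>
#include <vector>

enum Type { Int32 = 1, Double = 2, Other = 4, Top = 7 };  // abstract type sets
enum Op { LoadAny, MaskLow8, Check, Foo };  // Check(Int32:@x), Foo(KnownInt32:@x)
struct Node { Op op; int dst; int src; };   // dst = value defined, src = value used

// The optimization with the stronger proof: it knows MaskLow8 always yields
// an Int32, so a Check(Int32:) on such a value is redundant and is deleted.
std::vector<Node> removeProvenChecks(const std::vector<Node>& in) {
    std::map<int, bool> provenInt32;
    std::vector<Node> out;
    for (const Node& n : in) {
        if (n.op == MaskLow8) provenInt32[n.dst] = true;
        if (n.op == Check && provenInt32[n.src]) continue;  // drop the check
        out.push_back(n);
    }
    return out;
}

// A weaker abstract interpreter: it has no precise rule for MaskLow8 (result
// is Top). Returns false where a compile-time Known-use assertion would fire.
bool runAI(const std::vector<Node>& block, bool strictKnown) {
    std::map<int, unsigned> state;
    for (const Node& n : block) {
        switch (n.op) {
        case LoadAny:
        case MaskLow8: state[n.dst] = Top; break;
        case Check:    state[n.src] &= Int32; break;  // filter on checked type
        case Foo:
            if (strictKnown && (state[n.src] & ~Int32)) return false;
            state[n.src] &= Int32;                    // trust the Known use kind
            break;
        }
    }
    return true;
}

// Constructed sample: @1 = LoadAny; @2 = MaskLow8(@1); Check(Int32:@2); Foo(KnownInt32:@2)
std::vector<Node> sampleBlock() {
    return { {LoadAny, 1, 0}, {MaskLow8, 2, 1}, {Check, 0, 2}, {Foo, 0, 2} };
}

int main() {
    std::vector<Node> opt = removeProvenChecks(sampleBlock());
    return (!runAI(opt, true) && runAI(opt, false)) ? 0 : 1;
}
```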