[Webkit-unassigned] [Bug 144527] New: DFG::LICMPhase shouldn't hoist type checks unless it knows that the check will succeed at the loop pre-header

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat May 2 11:35:59 PDT 2015 

https://bugs.webkit.org/show_bug.cgi?id=144527

            Bug ID: 144527
           Summary: DFG::LICMPhase shouldn't hoist type checks unless it
                    knows that the check will succeed at the loop
                    pre-header
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: All
                OS: All
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: fpizlo at apple.com

If a node has a type check - even something like a CheckStructure - then we should
only hoist the node if we know that it will execute on every loop iteration or if we know
that the type check will always succeed at the loop pre-header through some other means
(like looking at prediction propagation results). Otherwise, we might make a mistake like
this:

var o = ...; // sometimes null and sometimes an object with structure S1.
for (...) {
    if (o)
        ... = o.f; // CheckStructure and GetByOffset, which we will currently hoist.
}

When we encounter such code, we'll hoist the CheckStructure and GetByOffset and then we
will have a recompile. We'll then end up thinking that the get_by_id needs to be
polymorphic, which is false.

We can counter this by either having a control flow equivalence check, or by consulting
prediction propagation to see if the check would always succeed. Prediction propagation
would not be enough for things like:

var p = ...; // some boolean predicate
var o = {};
if (p)
    o.f = 42;
for (...) {
    if (p)
        ... = o.f;
}

Prediction propagation can't tell us anything about the structure, and the CheckStructure
will appear to be hoistable because the loop doesn't clobber structures. The cell check
in the CheckStructure will be hoistable though, since prediction propagation can tell us
that o is always SpecFinalObject. In cases like this, control flow equivalence is the
only effective guard.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20150502/ea54062b/attachment.html>

More information about the webkit-unassigned mailing list