[Webkit-unassigned] [Bug 164600] New: Graph::methodOfGettingAValueProfileFor() should be returning the profile for operand node.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Thu Nov 10 10:30:29 PST 2016


            Bug ID: 164600
           Summary: Graph::methodOfGettingAValueProfileFor() should be
                    returning the profile for operand node.
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: mark.lam at apple.com

Currently, Graph::methodOfGettingAValueProfileFor() assumes that the operand DFG node that it is provided with always has a different origin than the node that is using that operand.  For example, in a DFG graph that looks like this:
    a: ...
    b: ArithAdd(@a, ...)

... when emitting speculation checks on @a for the ArithAdd node at @b, Graph::methodOfGettingAValueProfileFor() is passed @a, and expects @a's to originate from a different bytecode than @b.

However, op_negate can be compiled into the following series of nodes:

    a: BooleanToNumber(...)
    b: DoubleRep(@a)
    c: ArithNegate(@b)

All 3 nodes maps to the same op_negate bytecode i.e. they have the same origin.  When the speculativeJIT does a speculationCheck in DoubleRep, it calls Graph::methodOfGettingAValueProfileFor() to get the ArithProfile for the BooleanToNumber node.  But because all 3 nodes have the same origin, Graph::methodOfGettingAValueProfileFor() erroneously returns the ArithProfile for the op_negate.  Subsequently, the OSR exit ramp will modify the ArithProfile of the op_negate and corrupt its profile.  Instead, what the OSR exit ramp should be doing is update the ArithProfile of op_negate's operand i.e. BooleanToNumber's operand in this case.

The fix is to always pass the current node we're generating code for (in addition to the operand node) to Graph::methodOfGettingAValueProfileFor().  This way, we can determine if the profile is valid if and only if the current node and its operand node does not have the same origin.

You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20161110/88789fa4/attachment.html>

More information about the webkit-unassigned mailing list