[Webkit-unassigned] [Bug 193438] New: [JSC] CSE breaks the previous proven AI's AbstractValue

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Jan 15 00:08:08 PST 2019


https://bugs.webkit.org/show_bug.cgi?id=193438

            Bug ID: 193438
           Summary: [JSC] CSE breaks the previous proven AI's
                    AbstractValue
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: yusukesuzuki at slowstart.org

Let's consider the following code.

32:<!0:-> GetLocal(Check:Untyped:@1, JS|MustGen|UseAsOther, StringIdent|Other, arg1(B~/FlushedJSValue), R:Stack(6), bc#15, ExitValid)  predicting StringIdent|Other
33:<!0:-> PutByOffset(KnownCell:@29, KnownCell:@29, Check:Untyped:@32, MustGen, id0{y}, 0, inferredType = Bottom, W:NamedProperties(0), ClobbersExit, bc#15, ExitValid)
47:< 1:-> GetByOffset(KnownCell:@29, KnownCell:@29, JS|UseAsOther, StringIdent, id0{y}, 0, inferredType = String, R:NamedProperties(0), Exits, bc#39, ExitValid)  predicting StringIdent
...
49:< 1:-> SetLocal(Cell:@47, IsFlushed, loc11(Q<StringIdent>/FlushedCell), W:Stack(-12), bc#39, exit: bc#44, ExitValid)  predicting StringIdent
...
87:<!0:->   GetLocal(Check:Untyped:@154, JS|MustGen|UseAsOther, StringIdent, loc11(Q<StringIdent>/FlushedCell), R:Stack(-12), bc#16, ExitValid)  predicting StringIdent
...
173:<!0:->   Check(String:@87, MustGen, bc#16, ExitValid)
...
89:<!0:->   GetByVal(KnownCell:@87, Int32:@88, Check:Untyped:@174, JS|MustGen|VarArgs|PureInt, StringIdent, String+NonArray+InBounds+AsIs+Read, Exits, bc#16, ExitValid)  predicting StringIdent

In the first AI phase, PutByOffset and GetByOffset prove that the given @32 value is always String by using the inferred type.
So, @47 becomes String. And @173 will be removed since @87 is now proven as String (through SetLocal and GetLocal).

But, after that, we perform LocalCSE. At that time,

@47 GetByOffset is converted to @32 by using heap location information.
@87 GetLocal is converted to @32 by using stack location information.

And then, after the conversion, we will get the following code.

32:<!0:-> GetLocal(Check:Untyped:@1, JS|MustGen|UseAsOther, StringIdent|Other, arg1(B~/FlushedJSValue), R:Stack(6), bc#15, ExitValid)  predicting StringIdent|Other
...
89:<!0:->   GetByVal(KnownCell:@32, Int32:@79, Check:Untyped:@174, JS|MustGen|VarArgs|PureInt, StringIdent, String+NonArray+InBounds+AsIs+Read, Exits, bc#16, ExitValid)  predicting StringIdent

Then the problem is that GetLocal's AbstractValue is no longer proven as String. Our CSE weakens the AbstractValue, so that it is now Cell.
Then the DFGSpeculativeJIT.cpp assertion hits in the GetByVal compiling code.

    ArrayMode(Array::String, Array::Read).alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.child(node, 0)))

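A toy Python model of the AI/CSE interaction described above, added here as an illustration (it is not JavaScriptCore code). The node numbers and abstract values are the ones the report states; `keep_proof` is an assumed conservative variant in which CSE refuses a replacement whose AbstractValue is wider than the proven one, shown only to make the loss of the proof visible, not as the actual fix.

```python
# Toy lattice for AbstractValue: a higher rank is a more precise proof.
RANK = {"JSValue": 0, "Cell": 1, "String": 2}

class Node:
    def __init__(self, idx, op, child=None, value="JSValue"):
        self.idx, self.op, self.child, self.value = idx, op, child, value

def build_graph():
    """Nodes from the report's dump, with the AbstractValues the report states."""
    g = {}
    g[32] = Node(32, "GetLocal", value="Cell")        # arg1: only Cell is proven
    g[33] = Node(33, "PutByOffset", child=32)         # stores @32 into id0{y}
    g[47] = Node(47, "GetByOffset", value="String")   # proven via inferredType = String
    g[49] = Node(49, "SetLocal", child=47)            # loc11 = @47
    g[87] = Node(87, "GetLocal", value="String")      # loc11 read, proven String
    g[173] = Node(173, "Check", child=87)             # Check(String:@87)
    g[89] = Node(89, "GetByVal", child=87)            # String array mode on @87
    return g

def run_ai(g):
    """First AI phase: drop a Check whose child is already proven String."""
    for n in list(g.values()):
        if n.op == "Check" and RANK[g[n.child].value] >= RANK["String"]:
            del g[n.idx]
    return g

def local_cse(g, keep_proof=False):
    """LocalCSE: @47 (heap location y written by @33) and @87 (stack loc11
    written by @49) are both replaced by @32, so every use is redirected.
    keep_proof (assumed variant) skips a replacement that would widen the
    AbstractValue seen by the use."""
    replacement = {47: 32, 87: 32}
    for n in g.values():
        if n.child in replacement:
            new = replacement[n.child]
            if keep_proof and RANK[g[new].value] < RANK[g[n.child].value]:
                continue
            n.child = new
    return g

def already_checked(g, idx=89):
    """Mirror of the DFGSpeculativeJIT assertion: GetByVal in String mode
    requires its first child's AbstractValue to be proven String."""
    return RANK[g[g[idx].child].value] >= RANK["String"]
```

Running `already_checked(local_cse(run_ai(build_graph())))` reproduces the report: the Check @173 was removed while @87 was String, then CSE redirected @89 to @32, whose value is only Cell.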