[Webkit-unassigned] [Bug 193438] New: [JSC] CSE breaks the previous proven AI's AbstractValue
bugzilla-daemon at webkit.org
Tue Jan 15 00:08:08 PST 2019
https://bugs.webkit.org/show_bug.cgi?id=193438
Bug ID: 193438
Summary: [JSC] CSE breaks the previous proven AI's AbstractValue
Product: WebKit
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: yusukesuzuki at slowstart.org
Let's consider the following code.
32:<!0:-> GetLocal(Check:Untyped:@1, JS|MustGen|UseAsOther, StringIdent|Other, arg1(B~/FlushedJSValue), R:Stack(6), bc#15, ExitValid) predicting StringIdent|Other
33:<!0:-> PutByOffset(KnownCell:@29, KnownCell:@29, Check:Untyped:@32, MustGen, id0{y}, 0, inferredType = Bottom, W:NamedProperties(0), ClobbersExit, bc#15, ExitValid)
47:< 1:-> GetByOffset(KnownCell:@29, KnownCell:@29, JS|UseAsOther, StringIdent, id0{y}, 0, inferredType = String, R:NamedProperties(0), Exits, bc#39, ExitValid) predicting StringIdent
...
49:< 1:-> SetLocal(Cell:@47, IsFlushed, loc11(Q<StringIdent>/FlushedCell), W:Stack(-12), bc#39, exit: bc#44, ExitValid) predicting StringIdent
...
87:<!0:-> GetLocal(Check:Untyped:@154, JS|MustGen|UseAsOther, StringIdent, loc11(Q<StringIdent>/FlushedCell), R:Stack(-12), bc#16, ExitValid) predicting StringIdent
...
173:<!0:-> Check(String:@87, MustGen, bc#16, ExitValid)
...
89:<!0:-> GetByVal(KnownCell:@87, Int32:@88, Check:Untyped:@174, JS|MustGen|VarArgs|PureInt, StringIdent, String+NonArray+InBounds+AsIs+Read, Exits, bc#16, ExitValid) predicting StringIdent
In the first AI phase, PutByOffset and GetByOffset prove that the given @32 value is always a String by using the inferred type.
So, @47 becomes String. And @173 will be removed since @87 is now proven as String (SetLocal and GetLocal).
But, after that, we perform LocalCSE. At that time,
@47 GetByOffset is converted to @32 by using heap location information.
@87 GetLocal is converted to @32 by using stack location information.
And then, after the conversion, we will get the following code.
32:<!0:-> GetLocal(Check:Untyped:@1, JS|MustGen|UseAsOther, StringIdent|Other, arg1(B~/FlushedJSValue), R:Stack(6), bc#15, ExitValid) predicting StringIdent|Other
...
89:<!0:-> GetByVal(KnownCell:@32, Int32:@79, Check:Untyped:@174, JS|MustGen|VarArgs|PureInt, StringIdent, String+NonArray+InBounds+AsIs+Read, Exits, bc#16, ExitValid) predicting StringIdent
Then, the problem is that GetLocal's AbstractValue is no longer proven as String. Our CSE weakens the AbstractValue, so that this is now Cell.
Then, a DFGSpeculativeJIT.cpp assertion is hit in the GetByVal compiling code.
ArrayMode(Array::String, Array::Read).alreadyChecked(m_jit.graph(), node, m_state.forNode(m_graph.child(node, 0)))
--
You are receiving this mail because:
You are the assignee for the bug.
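
The phase ordering described in this report, reduced to a toy model as an added example (not JavaScriptCore code and not part of the original report). The type lattice, the Node struct and all function names are assumptions made for illustration; only the node numbers and the order of AI, check removal and LocalCSE come from the report.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>
// Toy model, not JSC code: a two-bit type lattice and four node kinds.
enum : uint8_t { SpecString = 1, SpecObject = 2, SpecCell = SpecString | SpecObject };
enum Op { GetLocal, GetByOffset, CheckString, GetByVal };
struct Node { int id; Op op; int child; uint8_t type; bool live; };
using Graph = std::vector<Node>;
using State = std::map<int, uint8_t>; // node id -> proven abstract value

// Abstract interpreter; with foldChecks it also removes already-proven checks.
State runAI(Graph& g, bool foldChecks) {
    State s;
    for (Node& n : g) {
        if (!n.live) continue;
        if (n.op == GetByOffset) s[n.id] = n.type; // inferredType of the property
        else if (n.op == GetLocal) s[n.id] = n.child < 0 ? n.type : s[n.child];
        else if (n.op == CheckString && foldChecks && !(s[n.child] & ~SpecString)) n.live = false;
        else if (n.op == CheckString) s[n.child] &= SpecString; // a live check narrows its child
    }
    return s;
}
// LocalCSE step: redirect every use of `from` to `to` and kill `from`.
void replaceWith(Graph& g, int from, int to) {
    for (Node& n : g) {
        if (n.id == from) n.live = false;
        if (n.child == from) n.child = to;
    }
}
// Is the base operand of GetByVal still proven String when AI runs again?
bool getByValBaseIsString(Graph& g) {
    State s = runAI(g, false);
    for (const Node& n : g)
        if (n.live && n.op == GetByVal) return !(s[n.child] & ~SpecString);
    return false;
}
// Builds the report's graph, optionally folds @173, then applies both CSE rewrites.
bool baseProvenAfterCSE(bool foldChecksFirst) {
    Graph g = {{32, GetLocal, -1, SpecCell, true},      // argument: only known Cell
               {47, GetByOffset, -1, SpecString, true}, // inferredType = String
               {87, GetLocal, 47, SpecCell, true},      // loc11, set from @47
               {173, CheckString, 87, 0, true},
               {89, GetByVal, 87, 0, true}};
    if (foldChecksFirst) runAI(g, true);
    replaceWith(g, 47, 32);
    replaceWith(g, 87, 32);
    return getByValBaseIsString(g);
}
int main() { std::printf("%d %d\n", baseProvenAfterCSE(true), baseProvenAfterCSE(false)); }
```

With the check folded first, the String proof lived only on @47 and @87, so after both are rewritten to @32 the base of @89 is just Cell; with @173 still in the graph, the same rewrites leave a check that narrows @32 back to String.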