[Webkit-unassigned] [Bug 256872] New: DFG::PutStackSinkingPhase inserts PutStack with wrong value that from ssaCalculator.reachingDefAtHead
bugzilla-daemon at webkit.org
Tue May 16 20:08:37 PDT 2023
https://bugs.webkit.org/show_bug.cgi?id=256872
Bug ID: 256872
Summary: DFG::PutStackSinkingPhase inserts PutStack with wrong value that from ssaCalculator.reachingDefAtHead
Product: WebKit
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: q602706150 at gmail.com
Created attachment 466374
--> https://bugs.webkit.org/attachment.cgi?id=466374&action=review
poc with wrong result
run with:
./WebKitBuild/Debug/bin/jsc --useConcurrentJIT=0 --jitPolicyScale=0.001 test.js
`opt` function's IR after PutStack sinking:
```
#0
D at 22 : JSConstant(3333)
#6
D at 68 : Phi(...)
D at 190: MovHint(D at 68,arg1)
D at 162: PutStack(D at 22, arg1) <-- inserted by PutStackSinkingPhase, which is wrong
D at 126: ArithAdd(CheckOverflow) <-- osr exit here
D at 131: Return(D at 68)
```
expected output:
1111
actual output:
3333
I think it's because `ssaCalculator.reachingDefAtHead` found the value `3333` from the dominator #0, but not the missing phi (probably around D at 68), leading to a misjudgment of the variable reference. When analyzing the `then branch` of the first if statement, `a` is marked as `DeadFlush`, and the `functor` argument of `ssaCalculator.computePhis` (in DFGPutStackSinkingPhase.cpp) returns nullptr. The nullptr prevents subsequent SSA calculation, so the `phi` on the last block is not created.
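The mechanism the report describes, as an added toy model (not WebKit or JavaScriptCore code): reaching definitions are looked up by walking the dominator tree, so when phi placement is suppressed at the merge block, the lookup falls through to the definition in the dominator. The diamond CFG, the block numbers, and the `a = 1111` definition in the then-branch are constructed assumptions chosen to mirror the report (1111 is the expected output it gives); `place_phis`, `reaching_def_at_head` and the `functor` callback are simplified stand-ins for the SSACalculator API, not its real signatures.

```python
# Added example, not WebKit code: a toy model of SSA reaching definitions over a
# dominator tree, showing how a suppressed phi makes the "reaching def at head"
# lookup return a dominating definition instead of the merged value.
from dataclasses import dataclass, field


@dataclass
class Block:
    idx: int
    preds: list                                  # predecessor block indices
    defs: dict = field(default_factory=dict)     # var -> value assigned in the body
    phis: dict = field(default_factory=dict)     # var -> list of incoming values


class Cfg:
    def __init__(self, blocks, idom):
        self.blocks = {b.idx: b for b in blocks}
        self.idom = idom   # idx -> immediate dominator idx (None for the entry block)

    def reaching_def_at_head(self, idx, var):
        # Stand-in for reachingDefAtHead: a phi at this block's head wins;
        # otherwise the def reaching the tail of the immediate dominator.
        blk = self.blocks[idx]
        if var in blk.phis:
            return ("phi", idx)
        d = self.idom[idx]
        return self.reaching_def_at_tail(d, var) if d is not None else None

    def reaching_def_at_tail(self, idx, var):
        blk = self.blocks[idx]
        if var in blk.defs:
            return blk.defs[var]
        return self.reaching_def_at_head(idx, var)

    def place_phis(self, var, functor):
        # functor(block) reports the def the analysis sees in that block, or None
        # for "no definition here" (the DeadFlush case in the report returns nullptr).
        reported = {idx: functor(b) for idx, b in self.blocks.items()}
        for idx, blk in self.blocks.items():
            if len(blk.preds) < 2:
                continue   # phis are only needed at merge points
            incoming = [reported[p] if reported[p] is not None
                        else self.reaching_def_at_head(p, var) for p in blk.preds]
            if len(set(incoming)) > 1:
                blk.phis[var] = incoming


def build_cfg():
    # Constructed diamond: #0 defines a = 3333, the then-branch (#1) sets a = 1111
    # (assumed), #2 leaves it alone, and both merge into #6, which should carry Phi(a).
    blocks = [Block(0, [], defs={"a": 3333}),
              Block(1, [0], defs={"a": 1111}),
              Block(2, [0]),
              Block(6, [1, 2])]
    return Cfg(blocks, {0: None, 1: 0, 2: 0, 6: 0})


def analyze(dead_flush_blocks=frozenset()):
    """What the analysis believes reaches the head of the merge block #6."""
    cfg = build_cfg()

    def functor(b):
        if b.idx in dead_flush_blocks:
            return None   # variable treated as DeadFlush: the def is not reported
        return b.defs.get("a")

    cfg.place_phis("a", functor)
    return cfg.reaching_def_at_head(6, "a")


def runtime_value_via(path):
    """The value `a` actually holds after executing the blocks along `path`."""
    cfg = build_cfg()
    val = None
    for idx in path:
        val = cfg.blocks[idx].defs.get("a", val)
    return val


if __name__ == "__main__":
    print("with phi:", analyze())                       # ('phi', 6)
    print("then-branch DeadFlush:", analyze({1}))       # 3333, from dominator #0
    print("runtime along then-branch:", runtime_value_via([0, 1, 6]))   # 1111
```

With the then-branch reported as DeadFlush, the merge block sees a single incoming value, no phi is placed, and the head lookup at #6 resolves to the constant from #0 even though the then-branch path leaves `a` at 1111; a PutStack materialised from that lookup would store the wrong value, which is the mismatch the report's expected/actual output shows.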