[Webkit-unassigned] [Bug 263882] New: ValueMod is eliminated incorrectly which changes the semantics of the JavaScript program

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Oct 30 05:23:33 PDT 2023


https://bugs.webkit.org/show_bug.cgi?id=263882

            Bug ID: 263882
           Summary: ValueMod is eliminated incorrectly which changes the
                    semantics of the JavaScript program
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: entryhii at gmail.com

=======================test.js============
```javascript
function main() {
  for (let v36 = 0; v36 < 1000; v36++) {
    try {
      1n % 0n // BigInt modulo by zero throws a RangeError on every iteration
    } catch (ee) {
      print("hello")
    }
  }
}

main()
```
==========================================

Run args: ./jsc -f test.js --useConcurrentJIT=0  --jitPolicyScale=0

JSC should print "hello" 1000 times, but it actually only prints it twice.

This bug is related to DCE and DFGMovHintRemovalPhase, which is similar to bug263881.

However, these two bugs execute different conditions in DFGMovHintRemovalPhase.cpp:

```cpp
if (node->op() == MovHint) {
    Epoch localEpoch = m_state.operand(node->unlinkedOperand());
    if (DFGMovHintRemovalPhaseInternal::verbose)
        dataLog("    At ", node, " (", node->unlinkedOperand(), "): current = ", currentEpoch, ", local = ", localEpoch, "\n");
    if (!localEpoch || localEpoch == currentEpoch) {
        // Now, MovHint will put bottom value to dead locals. This means that if you insert a new DFG node which introduce
        // a new OSR exit, then it gets confused with the already-determined-dead locals. So this phase runs at very end of
        // DFG pipeline, and we do not insert a node having a new OSR exit (if it is existing OSR exit, or if it does not exit,
        // then it is totally fine).
        node->setOpAndDefaultFlags(ZombieHint);
        UseKind useKind = node->child1().useKind();
        Node* constant = m_constants.ensure(static_cast<std::underlying_type_t<UseKind>>(useKind), [&]() -> Node* {
            return m_insertionSet.insertBottomConstantForUse(0, m_graph.block(0)->at(0)->origin, useKind).node();
        }).iterator->value;
        node->child1() = Edge(constant, useKind);
        m_changed = true;
    }
    m_state.operand(node->unlinkedOperand()) = Epoch();
}
```

In this bug, the `localEpoch` of the `MovHint` for `ValueMod` is empty (the `!localEpoch` case). In bug263881, the `localEpoch` of the `MovHint` for `BitURShift` equals `currentEpoch`.
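As an added, self-checking variant of the reproducer above (not part of the bug report), the harness below counts the exceptions instead of printing them, so the expected and observed counts can be compared automatically; it also extends the check to other BigInt operations whose only observable effect is the exception. The case names and the `countThrows`/`checkAll` helpers are my own.

```javascript
// Added example: each case evaluates an expression whose result is discarded,
// as in the report's `1n % 0n`, so the only observable effect is the exception.
// A correct engine must observe `iterations` exceptions; an engine that drops
// the "dead" throwing node (the reported bug) observes fewer.
const CASES = [
  { name: "bigint mod by zero", body: () => { 1n % 0n; }, error: RangeError },
  { name: "bigint div by zero", body: () => { 1n / 0n; }, error: RangeError },
  { name: "bigint negative exponent", body: () => { 2n ** -1n; }, error: RangeError },
  { name: "bigint/number mixing", body: () => { 1n + 1; }, error: TypeError },
];

// Runs `body` `iterations` times (1000 matches the report's loop count) and
// counts the exceptions of the expected type that reach the catch block.
function countThrows(body, error, iterations) {
  let thrown = 0;
  for (let i = 0; i < iterations; i++) {
    try {
      body();
    } catch (e) {
      if (e instanceof error) thrown++;
    }
  }
  return thrown;
}

// Returns the names of the cases whose exception count differs from
// `iterations`; an empty array means the exception semantics were preserved.
function checkAll(iterations = 1000) {
  return CASES
    .filter(c => countThrows(c.body, c.error, iterations) !== iterations)
    .map(c => c.name);
}

// Stand-alone run: report any case where exceptions were lost.
const lost = checkAll();
console.log(lost.length === 0 ? "all exceptions observed" : "lost: " + lost.join(", "));
```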
