Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: dc60e5a7e380d2ae15227b874109eb04962e6195
https://github.com/WebKit/WebKit/commit/dc60e5a7e380d2ae15227b874109eb04962e6195
Author: Yusuke Suzuki <[email protected]>
Date: 2026-01-22 (Thu, 22 Jan 2026)
Changed paths:
A JSTests/stress/dfg-strength-reduction-keep-checks-arith-mul.js
M Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp
Log Message:
-----------
[JSC] ArithMul strength reduction should insert original checks even for
constants
https://bugs.webkit.org/show_bug.cgi?id=305721
rdar://168397840
Reviewed by Dan Hecht.
DFG strength reduction converts `ArithMul(@a, 2)` to `ArithAdd(@a, @a)`.
This is an important performance optimization, but it is checking constant
`2` regardless of checks etc. So if we have a weird graph code like
`ArithMul(Int32:@a, Check:Int32:double-constant-2)`, then it gets
converted to `ArithAdd(Int32:@a, Int32:@a)`. This is fine, but since AI
already proved that Check:Int32:double-constant-2 fails because they are
not Int32, then we encounter the Unreachable DFG node emitted by DFG
constant folding phase. This is a deterministic explicit crash.
As a fix, we preserve the original checks when converting them. So these
OSR exit semantics are kept.
* JSTests/stress/dfg-strength-reduction-keep-checks-arith-mul.js: Added.
(v2.f4):
* Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
Canonical link: https://commits.webkit.org/306060@main