Title: [189219] trunk/Source/JavaScriptCore
- Revision: 189219
- Author: fpi...@apple.com
- Date: 2015-09-01 11:27:13 -0700 (Tue, 01 Sep 2015)
Log Message
DFG AI assertions about not having to do type checks at the point of a Known use kind are unsound
https://bugs.webkit.org/show_bug.cgi?id=148649
Reviewed by Saam Barati.
We often generate IR like:
Check(Int32:@x)
...
Foo(KnownInt32:@x)
It would be valid for any optimization that somehow proves the type of @x to remove the
Check node entirely. But then, AI might fail on an assertion at Foo() because of the
KnownInt32 use kind, if AI isn't smart enough to construct the same proof that the former
optimization used for removing the Check.
The correct solution is to remove the compile-time assertions about Known use kinds
having already been checked.
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
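A toy model of the situation the log message describes, added here as an illustration. It is not JavaScriptCore code: the lattice bits, UseKind, Op, Node, runAI, removeChecksOnBitOr, aiAccepts and the three accepts* helpers are this example's own simplifications, and only typeFilterFor() and shouldNotHaveTypeCheck() are named after the DFG helpers they stand in for. The graph is the one from the message, Check(Int32:@x) ... Foo(KnownInt32:@x), with @x produced by a BitOr; a separate optimization that knows BitOr yields an Int32 deletes the Check, and an abstract interpreter that does not know that then runs verifyEdge both as it was before this change and with the early return the patch adds. It goes one step past the message: a last case feeds a KnownInt32 edge a value that was never checked at all, to show what the early return gives up.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Toy type lattice in the spirit of the DFG's SpeculatedType bits (names invented here).
enum : uint32_t {
    SpecInt32 = 1u << 0,
    SpecDouble = 1u << 1,
    SpecCell = 1u << 2,
    SpecAny = SpecInt32 | SpecDouble | SpecCell
};

// Untyped: no check, no promise. Int32: a runtime check is emitted. KnownInt32: no check,
// the graph promises the value already is an Int32.
enum class UseKind { Untyped, Int32, KnownInt32 };

// Stand-ins for the DFG helpers of the same name, reduced to this toy lattice.
uint32_t typeFilterFor(UseKind k) { return k == UseKind::Untyped ? SpecAny : SpecInt32; }
bool shouldNotHaveTypeCheck(UseKind k) { return k == UseKind::KnownInt32; }

enum class Op { Argument, BitOr, Check, Foo };

struct Node {
    Op op;
    UseKind use;   // use kind of the node's single child edge
    int child;     // index of the child node, -1 for none
    bool removed;  // set by an optimization that deleted the node
};

struct EdgeVerificationError : std::runtime_error {
    using std::runtime_error::runtime_error;
};

// Same shape as verifyEdge(): before the patch (skipKnown == false) every edge must already be
// proven by the abstract state; after it (skipKnown == true) Known edges are exempt.
void verifyEdge(const std::vector<uint32_t>& state, const Node& n, bool skipKnown)
{
    if (skipKnown && shouldNotHaveTypeCheck(n.use))
        return;
    if (!(state[n.child] & ~typeFilterFor(n.use)))
        return;
    throw EdgeVerificationError("edge promises a type the abstract state cannot prove");
}

// Straight-line forward abstract interpretation. Returns true if every edge verifies.
bool runAI(const std::vector<Node>& graph, bool skipKnown)
{
    std::vector<uint32_t> state(graph.size(), SpecAny);
    for (size_t i = 0; i < graph.size(); ++i) {
        const Node& n = graph[i];
        if (n.removed)
            continue;
        if (n.child >= 0) {
            // A checked use kind emits a runtime check, so the state may be narrowed without
            // a prior proof. A Known use kind emits nothing, so nothing is narrowed here.
            if (!shouldNotHaveTypeCheck(n.use))
                state[n.child] &= typeFilterFor(n.use);
            verifyEdge(state, n, skipKnown);
            state[n.child] &= typeFilterFor(n.use); // past the edge, the AI trusts the use kind
        }
        switch (n.op) {
        case Op::Argument: state[i] = SpecAny; break;
        case Op::BitOr:    state[i] = SpecAny; break; // deliberately "not smart enough" about BitOr
        case Op::Check:    break;                     // no result of its own
        case Op::Foo:      state[i] = SpecAny; break;
        }
    }
    return true;
}

// A separate optimization that does know BitOr yields an Int32 and drops the redundant Check.
void removeChecksOnBitOr(std::vector<Node>& graph)
{
    for (Node& n : graph) {
        if (n.op == Op::Check && n.use == UseKind::Int32 && graph[n.child].op == Op::BitOr)
            n.removed = true;
    }
}

// Constructed graph: @0 = Argument, @1 = BitOr(@0), @2 = Check(Int32:@1), @3 = Foo(KnownInt32:@1)
std::vector<Node> logMessageGraph()
{
    return { {Op::Argument, UseKind::Untyped, -1, false}, {Op::BitOr, UseKind::Untyped, 0, false},
             {Op::Check, UseKind::Int32, 1, false}, {Op::Foo, UseKind::KnownInt32, 1, false} };
}

// Constructed graph that is genuinely wrong: KnownInt32 on an argument nothing ever checked.
std::vector<Node> uncheckedKnownUseGraph()
{
    return { {Op::Argument, UseKind::Untyped, -1, false}, {Op::Foo, UseKind::KnownInt32, 0, false} };
}

bool aiAccepts(std::vector<Node> graph, bool skipKnown)
{
    try { return runAI(graph, skipKnown); }
    catch (const EdgeVerificationError&) { return false; }
}

bool acceptsWithCheck(bool skipKnown) { return aiAccepts(logMessageGraph(), skipKnown); }
bool acceptsAfterCheckRemoval(bool skipKnown)
{
    std::vector<Node> g = logMessageGraph();
    removeChecksOnBitOr(g);
    return aiAccepts(g, skipKnown);
}
bool acceptsUncheckedKnownUse(bool skipKnown) { return aiAccepts(uncheckedKnownUseGraph(), skipKnown); }

int main()
{
    std::printf("Check present:          before=%d after=%d\n", acceptsWithCheck(false), acceptsWithCheck(true));
    std::printf("Check removed by BitOr: before=%d after=%d\n", acceptsAfterCheckRemoval(false), acceptsAfterCheckRemoval(true));
    std::printf("Never checked:          before=%d after=%d\n", acceptsUncheckedKnownUse(false), acceptsUncheckedKnownUse(true));
    return 0;
}
```

The second line of output is the bug in the log message: the Check was legitimately removed, yet the pre-patch assertion fires because this AI cannot reconstruct the BitOr proof. The third line is the caveat a reviewer should weigh: a Known use kind emits no runtime check, so a Known edge that is genuinely wrong used to be caught in the same place and is now accepted, which leaves the soundness of that edge resting entirely on whichever pass removed the Check.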
Modified Paths
- trunk/Source/JavaScriptCore/ChangeLog
- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Diff
Modified: trunk/Source/JavaScriptCore/ChangeLog (189218 => 189219)
--- trunk/Source/_javascript_Core/ChangeLog 2015-09-01 17:52:15 UTC (rev 189218)
+++ trunk/Source/_javascript_Core/ChangeLog 2015-09-01 18:27:13 UTC (rev 189219)
@@ -1,3 +1,27 @@
+2015-09-01 Filip Pizlo <fpi...@apple.com>
+
+ DFG AI assertions about not having to do type checks at the point of a Known use kind are unsound
+ https://bugs.webkit.org/show_bug.cgi?id=148649
+
+ Reviewed by Saam Barati.
+
+ We often generate IR like:
+
+ Check(Int32:@x)
+ ...
+ Foo(KnownInt32:@x)
+
+ It would be valid for any optimization that somehow proves the type of @x to remove the
+ Check node entirely. But then, AI might fail on an assertion at Foo() because of the
+ KnownInt32 use kind, if AI isn't smart enough to construct the same proof that the former
+ optimization used for removing the Check.
+
+ The correct solution is to remove the compile-time assertions about Known use kinds
+ having already been checked.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
+
2015-09-01 Brian Burg <bb...@apple.com>
Web Inspector: tighten up lifetimes for InspectorController-owned objects; add brace initializers to agents
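Review bot: the entry's last paragraph says the fix is to "remove the compile-time assertions about Known use kinds having already been checked", but the change to verifyEdge keeps the assertion and instead adds an early return for use kinds where shouldNotHaveTypeCheck() is true; rewording that paragraph to something like "skip edge verification for use kinds that must not have a type check" would match what the patch actually does. The entry also does not say whether a regression test accompanies the change; WebKit ChangeLog entries normally state that either way, even when the answer is that none is added.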
Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (189218 => 189219)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2015-09-01 17:52:15 UTC (rev 189218)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2015-09-01 18:27:13 UTC (rev 189219)
@@ -108,6 +108,12 @@
template<typename AbstractStateType>
void AbstractInterpreter<AbstractStateType>::verifyEdge(Node* node, Edge edge)
{
+ // Some use kinds are required to not have checks, because we know somehow that the incoming
+ // value will already have the type we want. In those cases, AI may not be smart enough to
+ // prove that this is indeed the case.
+ if (shouldNotHaveTypeCheck(edge.useKind()))
+ return;
+
if (!(forNode(edge).m_type & ~typeFilterFor(edge.useKind())))
return;
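Review bot: the new early return in front of the type-filter test switches off the only place where a Known use kind on a value the abstract state cannot prove is diagnosed, and a Known use kind emits no runtime check, so a KnownInt32 edge that is genuinely wrong (its Check dropped by a pass that was itself mistaken) now passes AI silently and surfaces as a type confusion in generated code rather than as a compile-time failure. Rather than returning with nothing, consider keeping the mismatch observable without crashing, for instance by logging it under a debug option or re-checking Known edges in graph validation, and extend the comment so it says the skip is a deliberate loss of a soundness check and not only that "AI may not be smart enough". The hunk as shown also ends right after the second early return, before the path that fires when neither return is taken, so what is being suppressed is not visible in this mail.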
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes