Bug 109389

Summary:

DFG DCE might eliminate checks unsoundly

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

barraclough, ggaren, gyuyoung.kim, mark.lam, mhahnenberg, msaboff, oliver, rakuco, sam, webkit.review.bot

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Bug Depends on:

109371, 110840, 110948, 111102, 111119, 111205, 111209

Bug Blocks:

111506, 111520

Attachments:

Description	Flags
work in progress	none
more	none
more	none
it compiles	none
it's starting to do things	none
it's starting to run bigger things	none
runs the main benchmarks	none
getting close	none
the patch	none
the patch	oliver: review+

Description Filip Pizlo 2013-02-10 14:07:58 PST

We sort of guard against this in common cases by preventing DCE entirely for some nodes (like ArithAdd and friends) but the bottom line is that DCE is just broken.

Comment 1 Filip Pizlo 2013-02-10 14:54:32 PST

Note that https://bugs.webkit.org/show_bug.cgi?id=109371 is a great step towards fixing this.  After that bug is fixed, we will be able to easily DCE while preserving checks by turning the relevant node into a Phantom that still has the same Edges.

Comment 2 Filip Pizlo 2013-02-28 12:43:51 PST

*** Bug 109388 has been marked as a duplicate of this bug. ***

Comment 3 Filip Pizlo 2013-02-28 14:58:18 PST

Created attachment 190815 [details]
work in progress

Comment 4 Filip Pizlo 2013-02-28 17:08:17 PST

Created attachment 190848 [details]
more

Comment 5 Filip Pizlo 2013-03-01 12:28:48 PST

Created attachment 191009 [details]
more

Comment 6 Filip Pizlo 2013-03-01 13:09:38 PST

Created attachment 191020 [details]
it compiles

on 64-bit Mac at least

Comment 7 Filip Pizlo 2013-03-01 13:42:57 PST

Created attachment 191029 [details]
it's starting to do things

Comment 8 Filip Pizlo 2013-03-01 16:09:36 PST

Created attachment 191061 [details]
it's starting to run bigger things

Comment 9 Filip Pizlo 2013-03-01 16:49:56 PST

Created attachment 191071 [details]
runs the main benchmarks

But it still needs some performance love.

Comment 10 Filip Pizlo 2013-03-01 18:22:22 PST

Created attachment 191085 [details]
getting close

Comment 11 Filip Pizlo 2013-03-04 23:59:18 PST

Created attachment 191416 [details]
the patch

Comment 12 WebKit Review Bot 2013-03-05 00:42:29 PST

Attachment 191416 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/CMakeLists.txt', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/GNUmakefile.list.am', u'Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj', u'Source/JavaScriptCore/Target.pri', u'Source/JavaScriptCore/dfg/DFGAbstractState.cpp', u'Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGBasicBlock.h', u'Source/JavaScriptCore/dfg/DFGBasicBlockInlines.h', u'Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp', u'Source/JavaScriptCore/dfg/DFGCFAPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCSEPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCommon.cpp', u'Source/JavaScriptCore/dfg/DFGCommon.h', u'Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGDCEPhase.cpp', u'Source/JavaScriptCore/dfg/DFGDCEPhase.h', u'Source/JavaScriptCore/dfg/DFGDriver.cpp', u'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp', u'Source/JavaScriptCore/dfg/DFGGraph.cpp', u'Source/JavaScriptCore/dfg/DFGGraph.h', u'Source/JavaScriptCore/dfg/DFGInsertionSet.h', u'Source/JavaScriptCore/dfg/DFGNode.h', u'Source/JavaScriptCore/dfg/DFGNodeType.h', u'Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGValidate.cpp']" exit_code: 1
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2034:  When wrapping a line, only indent 4 spaces.  [whitespace/indent] [3]
Source/JavaScriptCore/dfg/DFGBasicBlock.h:105:  The parameter name "valueParams" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1981:  When wrapping a line, only indent 4 spaces.  [whitespace/indent] [3]
Total errors found: 3 in 33 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 13 Filip Pizlo 2013-03-05 13:34:14 PST

Created attachment 191551 [details]
the patch

Rabased and fixed two style goofs.

Comment 14 WebKit Review Bot 2013-03-05 13:36:25 PST

Attachment 191551 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/CMakeLists.txt', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/GNUmakefile.list.am', u'Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj', u'Source/JavaScriptCore/Target.pri', u'Source/JavaScriptCore/dfg/DFGAbstractState.cpp', u'Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGBasicBlock.h', u'Source/JavaScriptCore/dfg/DFGBasicBlockInlines.h', u'Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp', u'Source/JavaScriptCore/dfg/DFGCFAPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCSEPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCommon.cpp', u'Source/JavaScriptCore/dfg/DFGCommon.h', u'Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGDCEPhase.cpp', u'Source/JavaScriptCore/dfg/DFGDCEPhase.h', u'Source/JavaScriptCore/dfg/DFGDriver.cpp', u'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp', u'Source/JavaScriptCore/dfg/DFGGraph.cpp', u'Source/JavaScriptCore/dfg/DFGGraph.h', u'Source/JavaScriptCore/dfg/DFGInsertionSet.h', u'Source/JavaScriptCore/dfg/DFGNode.h', u'Source/JavaScriptCore/dfg/DFGNodeType.h', u'Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGValidate.cpp']" exit_code: 1
Source/JavaScriptCore/dfg/DFGBasicBlock.h:105:  The parameter name "valueParams" adds no information, so it should be removed.  [readability/parameter_name] [5]
Total errors found: 1 in 33 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 15 Filip Pizlo 2013-03-05 18:29:37 PST

Landed in http://trac.webkit.org/changeset/144862