Bug 141107

Summary: Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, ggaren, mark.lam, mhahnenb, mmirman, msaboff, nrotem, oliver, saam, sam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 140660    
Attachments:
Description Flags
the patch msaboff: review+

Description Filip Pizlo 2015-01-30 19:03:50 PST 
Consider that you have code like:

a: ...
b: MovHint(@a)
c: ValueRep(@a)
d: SetLocal(@c)
...
e: Flush(@d)

If the code between @d and @e doesn't observe the flushed value, we current convert this to:

a: ...
b: MovHint(@a)
c: ValueRep(@a)
d: SetLocal(@c)
...
e: Phantom(@c)

That's wrong, because @c is not MovHinted to anything. This causes @a to die and if we exit, we won't have a value for this local.

Our IR supports the notion that two logically equivalent but not identical values may be used for the MovHint and SetLocal.  Phantoms should use the values that MovHints used.  So, when strength-reducing a Flush or PhantomLocal to a Phantom we need to put the Phantom on the value that would have gotten MovHinted into that local.
Comment 1 Filip Pizlo 2015-01-30 19:04:24 PST 
This issue was revealed by the new inlining opportunities introduced by https://bugs.webkit.org/show_bug.cgi?id=140660.
Comment 2 Filip Pizlo 2015-01-30 19:08:06 PST 
Created attachment 245765 [details]
the patch
Comment 3 Michael Saboff 2015-02-02 09:41:25 PST 
Comment on attachment 245765 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245765&action=review

r=me

> Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp:267
> +                // be keeping the last MovHinted value of that local alive.

Would it be better to say "keep" instead of "be keeping"?
Comment 4 Filip Pizlo 2015-02-02 09:56:40 PST 
Comment on attachment 245765 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=245765&action=review

>> Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp:267
>> +                // be keeping the last MovHinted value of that local alive.
> 
> Would it be better to say "keep" instead of "be keeping"?

Good point, will make that change!
Comment 5 Filip Pizlo 2015-02-02 10:16:06 PST 
Landed in http://trac.webkit.org/changeset/179477