Bug 157502

Summary: [JSC] FTL can produce GetByVal nodes without proper bounds checking
Product: WebKit
Reporter: Benjamin Poulain <benjamin>
Component: New Bugs
Assignee: Benjamin Poulain <benjamin>
Status: RESOLVED FIXED
Severity: Normal
CC: commit-queue, fpizlo, keith_miller, mark.lam, msaboff, saam
Priority: P2
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Attachments:
- Patch (flags: none)
- Patch for landing (flags: none)

Benjamin Poulain
Reported 2016-05-09 20:19:19 PDT
[JSC] FTL can produce GetByVal nodes without proper bounds checking
Attachments
- Patch (4.07 KB, patch), 2016-05-09 20:35 PDT, Benjamin Poulain, no flags
- Patch for landing (4.49 KB, patch), 2016-05-10 14:07 PDT, Benjamin Poulain, no flags
Benjamin Poulain
Comment 1 2016-05-09 20:35:25 PDT
Filip Pizlo
Comment 2 2016-05-09 21:55:12 PDT
Comment on attachment 278473 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=278473&action=review

> Source/JavaScriptCore/dfg/DFGPlan.cpp:422
> +
> +        performLivenessAnalysis(dfg);
> +        performIntegerRangeOptimization(dfg);

Can you file a bug about this very strange behavior of the IR? Ideally, the IR would be able to tell LICM if it's safe to hoist GetByVal. I think having a bug about this, and referencing it in a FIXME here, would be a good way of not forgetting about this very surprising behavior.
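Review bot: the two pass calls added at DFGPlan.cpp:422 carry no comment explaining why they must run at this point in the pipeline, and nothing in the hunk ties them to the GetByVal hoisting hazard the review describes. A FIXME directly above `performLivenessAnalysis(dfg);` that names the tracking bug would record that the ordering is deliberate, so that a later reordering of passes does not silently reintroduce the missing bounds check.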
Filip Pizlo
Comment 3 2016-05-10 09:57:38 PDT
(In reply to comment #2)
> Comment on attachment 278473 [details]
> Patch
>
> View in context: https://bugs.webkit.org/attachment.cgi?id=278473&action=review
>
> > Source/JavaScriptCore/dfg/DFGPlan.cpp:422
> > +
> > +        performLivenessAnalysis(dfg);
> > +        performIntegerRangeOptimization(dfg);
>
> Can you file a bug about this very strange behavior of the IR? Ideally, the IR would be able to tell LICM if it's safe to hoist GetByVal. I think having a bug about this, and referencing it in a FIXME here, would be a good way of not forgetting about this very surprising behavior.

It's sort of crazy that LICM for GetByVal is only correct if it *also* hoists the CheckInBounds. That's nuts! Please definitely put a FIXME linking a bug somewhere. We don't want to forget how insane this is.
Benjamin Poulain
Comment 4 2016-05-10 14:07:46 PDT
Created attachment 278528 [details]
Patch for landing
WebKit Commit Bot
Comment 5 2016-05-10 14:34:44 PDT
Comment on attachment 278528 [details]
Patch for landing

Clearing flags on attachment: 278528

Committed r200645: <http://trac.webkit.org/changeset/200645>
WebKit Commit Bot
Comment 6 2016-05-10 14:34:48 PDT
All reviewed patches have been landed. Closing bug.