| Summary: | B3::DoubleToFloatReduction will accidentally convince itself it converted a Phi from Double to Float and then convert uses of that Phi into a use of FloatToDouble(@Phi) | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | WebKit | Reporter: | Saam Barati <saam> | ||||||||
| Component: | JavaScriptCore | Assignee: | Saam Barati <saam> | ||||||||
| Status: | RESOLVED FIXED | ||||||||||
| Severity: | Normal | CC: | benjamin, commit-queue, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, oliver, ticaiolima, ysuzuki | ||||||||
| Priority: | P2 | ||||||||||
| Version: | WebKit Nightly Build | ||||||||||
| Hardware: | Unspecified | ||||||||||
| OS: | Unspecified | ||||||||||
| Attachments: |
|
||||||||||
My hypothesis is that this:
```
void convertPhi(Value* phi)
{
ASSERT(phi->opcode() == Phi);
phi->setType(Float);
m_convertedPhis.add(phi);
}
```
should become:
```
void convertPhi(Value* phi)
{
ASSERT(phi->opcode() == Phi);
if (phi->type() == Double) {
phi->setType(Float);
m_convertedPhis.add(phi);
}
}
```
Otherwise we'll cast all users of a Phi to use FloatToDouble, even though they want float!
Created attachment 297359 [details]
patch
Attachment 297359 [details] did not pass style-queue:
ERROR: Source/JavaScriptCore/b3/testb3.cpp:4579: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/b3/testb3.cpp:4581: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/b3/testb3.cpp:4584: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3]
Total errors found: 3 in 3 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 297359 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=297359&action=review r=me. > Source/JavaScriptCore/ChangeLog:14 > + Double uses by changing them to be uses of ConvertFloatToDouble on the Phi I would say ConvertFloatToDouble on the Phi, instead of the Phi itself. I had to reread that a couple of times. Created attachment 297361 [details]
patch for landing
Attachment 297361 [details] did not pass style-queue:
ERROR: Source/JavaScriptCore/b3/testb3.cpp:4579: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/b3/testb3.cpp:4581: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/b3/testb3.cpp:4584: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3]
Total errors found: 3 in 3 files
If any of these errors are false positives, please file a bug against check-webkit-style.
Comment on attachment 297361 [details] patch for landing Attachment 297361 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2739762 New failing tests: http/tests/navigation/keyboard-events-during-provisional-navigation.html Created attachment 297368 [details]
Archive of layout-test-results from ews112 for mac-yosemite
The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112 Port: mac-yosemite Platform: Mac OS X 10.10.5
This crash looks unrelated to my change. It looks like a GC crash. Comment on attachment 297361 [details] patch for landing Clearing flags on attachment: 297361 Committed r209953: <http://trac.webkit.org/changeset/209953> All reviewed patches have been landed. Closing bug. |
It's causing a bug somewhere in a Wasm program by making causing something like transformation to happen: (Note this is IR just after generating) ``` Float @2342 = Phi(ReadsLocalState) ... Float @1772 = BitwiseCast(@2228) Float @1773 = Identity(@2342) Float @1774 = Mul(@1772, @2342) ``` => ``` Float @2342 = Phi(ReadsLocalState) Float @1772 = BitwiseCast(@2228) Double @3202 = FloatToDouble(@2342) Float @1774 = Mul(@1772, @3202) ```