Bug 165946

Summary: B3::DoubleToFloatReduction will accidentally convince itself it converted a Phi from Double to Float and then convert uses of that Phi into a use of FloatToDouble(@Phi)
Product: WebKit Reporter: Saam Barati <saam>
Component: JavaScriptCoreAssignee: Saam Barati <saam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, commit-queue, fpizlo, ggaren, gskachkov, jfbastien, keith_miller, mark.lam, msaboff, oliver, ticaiolima, ysuzuki
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
patch
keith_miller: review+
patch for landing
none
Archive of layout-test-results from ews112 for mac-yosemite none

Saam Barati
Reported 2016-12-16 01:35:16 PST
It's causing a bug somewhere in a Wasm program by making causing something like transformation to happen: (Note this is IR just after generating) ``` Float @2342 = Phi(ReadsLocalState) ... Float @1772 = BitwiseCast(@2228) Float @1773 = Identity(@2342) Float @1774 = Mul(@1772, @2342) ``` => ``` Float @2342 = Phi(ReadsLocalState) Float @1772 = BitwiseCast(@2228) Double @3202 = FloatToDouble(@2342) Float @1774 = Mul(@1772, @3202) ```
Attachments
patch (5.91 KB, patch)
2016-12-16 14:48 PST, Saam Barati 		keith_miller: review+
DetailsFormatted DiffDiff
patch for landing (5.90 KB, patch)
2016-12-16 15:00 PST, Saam Barati 		no flags
DetailsFormatted DiffDiff
Archive of layout-test-results from ews112 for mac-yosemite (1.59 MB, application/zip)
2016-12-16 16:06 PST, Build Bot 		no flags
Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2016-12-16 01:47:39 PST
My hypothesis is that this: ``` void convertPhi(Value* phi) { ASSERT(phi->opcode() == Phi); phi->setType(Float); m_convertedPhis.add(phi); } ``` should become: ``` void convertPhi(Value* phi) { ASSERT(phi->opcode() == Phi); if (phi->type() == Double) { phi->setType(Float); m_convertedPhis.add(phi); } } ``` Otherwise we'll cast all users of a Phi to use FloatToDouble, even though they want float!
Saam Barati
Comment 2 2016-12-16 14:48:49 PST
Created attachment 297359 [details] patch
WebKit Commit Bot
Comment 3 2016-12-16 14:50:12 PST
Attachment 297359 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/b3/testb3.cpp:4579: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3] ERROR: Source/JavaScriptCore/b3/testb3.cpp:4581: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3] ERROR: Source/JavaScriptCore/b3/testb3.cpp:4584: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3] Total errors found: 3 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.
Keith Miller
Comment 4 2016-12-16 14:51:46 PST
Comment on attachment 297359 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=297359&action=review r=me. > Source/JavaScriptCore/ChangeLog:14 > + Double uses by changing them to be uses of ConvertFloatToDouble on the Phi I would say ConvertFloatToDouble on the Phi, instead of the Phi itself. I had to reread that a couple of times.
Saam Barati
Comment 5 2016-12-16 15:00:38 PST
Created attachment 297361 [details] patch for landing
WebKit Commit Bot
Comment 6 2016-12-16 15:01:51 PST
Attachment 297361 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/b3/testb3.cpp:4579: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3] ERROR: Source/JavaScriptCore/b3/testb3.cpp:4581: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3] ERROR: Source/JavaScriptCore/b3/testb3.cpp:4584: When wrapping a line, only indent 4 spaces. [whitespace/indent] [3] Total errors found: 3 in 3 files If any of these errors are false positives, please file a bug against check-webkit-style.
Build Bot
Comment 7 2016-12-16 16:06:50 PST
Comment on attachment 297361 [details] patch for landing Attachment 297361 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/2739762 New failing tests: http/tests/navigation/keyboard-events-during-provisional-navigation.html
Build Bot
Comment 8 2016-12-16 16:06:53 PST
Created attachment 297368 [details] Archive of layout-test-results from ews112 for mac-yosemite The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews112 Port: mac-yosemite Platform: Mac OS X 10.10.5
Saam Barati
Comment 9 2016-12-16 16:41:44 PST
This crash looks unrelated to my change. It looks like a GC crash.
WebKit Commit Bot
Comment 10 2016-12-16 17:08:16 PST
Comment on attachment 297361 [details] patch for landing Clearing flags on attachment: 297361 Committed r209953: <http://trac.webkit.org/changeset/209953>
WebKit Commit Bot
Comment 11 2016-12-16 17:08:20 PST
All reviewed patches have been landed. Closing bug.
Note You need to log in before you can comment on or make changes to this bug.