101871 – DFG ArithMul overflow check elimination is too aggressive

Bug 101871 - DFG ArithMul overflow check elimination is too aggressive

Summary: DFG ArithMul overflow check elimination is too aggressive

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	528+ (Nightly build)
Hardware:	All All

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:

Depends on:
Blocks:

Reported:	2012-11-11 15:58 PST by Filip Pizlo
Modified:	2012-11-12 14:55 PST (History)
CC List:	9 users (show)

See Also:

Attachments
the patch (6.38 KB, patch) 2012-11-11 16:10 PST, Filip Pizlo	fpizlo: review-	Details \| Formatted Diff \| Diff
the patch (6.16 KB, patch) 2012-11-11 16:17 PST, Filip Pizlo	webkit.review.bot: commit-queue-	Details \| Formatted Diff \| Diff
the patch (67.42 KB, patch) 2012-11-11 21:32 PST, Filip Pizlo	oliver: review+	Details \| Formatted Diff \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2012-11-11 15:58:15 PST

It appears to ignore the fact that (a * b) | 0 is not always the same as ((a | 0) * (b | 0)) | 0.  For all of the places where this matters, it's easy to keep the optimization, just by making the compiler a bit smarter about when and how to use it.

Comment 1 Filip Pizlo 2012-11-11 16:10:50 PST

Created attachment 173523 [details]
the patch

Can I also get a rubber stamp for the set of tests I'm hacking up for this?

Comment 2 Filip Pizlo 2012-11-11 16:12:18 PST

Comment on attachment 173523 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=173523&action=review

> Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:147
> +        case JSConstant: {
> +            JSValue immediateValue = node.valueOfJSConstant(codeBlock());
> +            if (!immediateValue.isInt32())
> +                return false;
> +            int32_t intImmediate = immediateValue.asInt32();
> +            return intImmediate > -(1 << power) && intImmediate < (1 << power);
> +        }

I meant to have this case call isWithinPowerOfTwoForConstant().

Comment 3 Filip Pizlo 2012-11-11 16:17:23 PST

Created attachment 173524 [details]
the patch

Again, asking for a rubber stamp for tests.  I still haven't layouttest-ified them.

Comment 4 WebKit Review Bot 2012-11-11 20:24:03 PST

Comment on attachment 173524 [details]
the patch

Attachment 173524 [details] did not pass chromium-ews (chromium-xvfb):
Output: http://queues.webkit.org/results/14803518

New failing tests:
inspector-protocol/debugger-terminate-dedicated-worker-while-paused.html

Comment 5 Filip Pizlo 2012-11-11 21:32:17 PST

Created attachment 173550 [details]
the patch

Now, including tests!

Comment 6 Filip Pizlo 2012-11-12 14:55:27 PST

Landed in http://trac.webkit.org/changeset/134314