Bug 109389 - DFG DCE might eliminate checks unsoundly
Summary: DFG DCE might eliminate checks unsoundly
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords:
: 109388 (view as bug list)
Depends on: 109371 110840 110948 111102 111119 111205 111209
Blocks: 111506 111520
  Show dependency treegraph
 
Reported: 2013-02-10 14:07 PST by Filip Pizlo
Modified: 2013-03-05 21:38 PST (History)
10 users (show)

See Also:

Attachments
work in progress (19.88 KB, patch)
2013-02-28 14:58 PST, Filip Pizlo 		no flags Details | Formatted Diff | Diff
more (46.42 KB, patch)
2013-02-28 17:08 PST, Filip Pizlo 		no flags Details | Formatted Diff | Diff
more (62.95 KB, patch)
2013-03-01 12:28 PST, Filip Pizlo 		no flags Details | Formatted Diff | Diff
it compiles (69.98 KB, patch)
2013-03-01 13:09 PST, Filip Pizlo 		no flags Details | Formatted Diff | Diff
it's starting to do things (71.52 KB, patch)
2013-03-01 13:42 PST, Filip Pizlo 		no flags Details | Formatted Diff | Diff
it's starting to run bigger things (84.88 KB, patch)
2013-03-01 16:09 PST, Filip Pizlo 		no flags Details | Formatted Diff | Diff
runs the main benchmarks (86.01 KB, patch)
2013-03-01 16:49 PST, Filip Pizlo 		no flags Details | Formatted Diff | Diff
getting close (88.63 KB, patch)
2013-03-01 18:22 PST, Filip Pizlo 		no flags Details | Formatted Diff | Diff
the patch (99.96 KB, patch)
2013-03-04 23:59 PST, Filip Pizlo 		no flags Details | Formatted Diff | Diff
the patch (99.92 KB, patch)
2013-03-05 13:34 PST, Filip Pizlo 		oliver: review+
Details | Formatted Diff | Diff
Show Obsolete (9) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2013-02-10 14:07:58 PST 
We sort of guard against this in common cases by preventing DCE entirely for some nodes (like ArithAdd and friends) but the bottom line is that DCE is just broken.
Comment 1 Filip Pizlo 2013-02-10 14:54:32 PST 
Note that https://bugs.webkit.org/show_bug.cgi?id=109371 is a great step towards fixing this.  After that bug is fixed, we will be able to easily DCE while preserving checks by turning the relevant node into a Phantom that still has the same Edges.
Comment 2 Filip Pizlo 2013-02-28 12:43:51 PST 
*** Bug 109388 has been marked as a duplicate of this bug. ***
Comment 3 Filip Pizlo 2013-02-28 14:58:18 PST 
Created attachment 190815 [details]
work in progress
Comment 4 Filip Pizlo 2013-02-28 17:08:17 PST 
Created attachment 190848 [details]
more
Comment 5 Filip Pizlo 2013-03-01 12:28:48 PST 
Created attachment 191009 [details]
more
Comment 6 Filip Pizlo 2013-03-01 13:09:38 PST 
Created attachment 191020 [details]
it compiles

on 64-bit Mac at least
Comment 7 Filip Pizlo 2013-03-01 13:42:57 PST 
Created attachment 191029 [details]
it's starting to do things
Comment 8 Filip Pizlo 2013-03-01 16:09:36 PST 
Created attachment 191061 [details]
it's starting to run bigger things
Comment 9 Filip Pizlo 2013-03-01 16:49:56 PST 
Created attachment 191071 [details]
runs the main benchmarks

But it still needs some performance love.
Comment 10 Filip Pizlo 2013-03-01 18:22:22 PST 
Created attachment 191085 [details]
getting close
Comment 11 Filip Pizlo 2013-03-04 23:59:18 PST 
Created attachment 191416 [details]
the patch
Comment 12 WebKit Review Bot 2013-03-05 00:42:29 PST 
Attachment 191416 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/CMakeLists.txt', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/GNUmakefile.list.am', u'Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj', u'Source/JavaScriptCore/Target.pri', u'Source/JavaScriptCore/dfg/DFGAbstractState.cpp', u'Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGBasicBlock.h', u'Source/JavaScriptCore/dfg/DFGBasicBlockInlines.h', u'Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp', u'Source/JavaScriptCore/dfg/DFGCFAPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCSEPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCommon.cpp', u'Source/JavaScriptCore/dfg/DFGCommon.h', u'Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGDCEPhase.cpp', u'Source/JavaScriptCore/dfg/DFGDCEPhase.h', u'Source/JavaScriptCore/dfg/DFGDriver.cpp', u'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp', u'Source/JavaScriptCore/dfg/DFGGraph.cpp', u'Source/JavaScriptCore/dfg/DFGGraph.h', u'Source/JavaScriptCore/dfg/DFGInsertionSet.h', u'Source/JavaScriptCore/dfg/DFGNode.h', u'Source/JavaScriptCore/dfg/DFGNodeType.h', u'Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGValidate.cpp']" exit_code: 1
Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:2034:  When wrapping a line, only indent 4 spaces.  [whitespace/indent] [3]
Source/JavaScriptCore/dfg/DFGBasicBlock.h:105:  The parameter name "valueParams" adds no information, so it should be removed.  [readability/parameter_name] [5]
Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1981:  When wrapping a line, only indent 4 spaces.  [whitespace/indent] [3]
Total errors found: 3 in 33 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 13 Filip Pizlo 2013-03-05 13:34:14 PST 
Created attachment 191551 [details]
the patch

Rabased and fixed two style goofs.
Comment 14 WebKit Review Bot 2013-03-05 13:36:25 PST 
Attachment 191551 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/CMakeLists.txt', u'Source/JavaScriptCore/ChangeLog', u'Source/JavaScriptCore/GNUmakefile.list.am', u'Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj', u'Source/JavaScriptCore/Target.pri', u'Source/JavaScriptCore/dfg/DFGAbstractState.cpp', u'Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGBasicBlock.h', u'Source/JavaScriptCore/dfg/DFGBasicBlockInlines.h', u'Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp', u'Source/JavaScriptCore/dfg/DFGCFAPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCFGSimplificationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCSEPhase.cpp', u'Source/JavaScriptCore/dfg/DFGCommon.cpp', u'Source/JavaScriptCore/dfg/DFGCommon.h', u'Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGDCEPhase.cpp', u'Source/JavaScriptCore/dfg/DFGDCEPhase.h', u'Source/JavaScriptCore/dfg/DFGDriver.cpp', u'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp', u'Source/JavaScriptCore/dfg/DFGGraph.cpp', u'Source/JavaScriptCore/dfg/DFGGraph.h', u'Source/JavaScriptCore/dfg/DFGInsertionSet.h', u'Source/JavaScriptCore/dfg/DFGNode.h', u'Source/JavaScriptCore/dfg/DFGNodeType.h', u'Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp', u'Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp', u'Source/JavaScriptCore/dfg/DFGStructureCheckHoistingPhase.cpp', u'Source/JavaScriptCore/dfg/DFGValidate.cpp']" exit_code: 1
Source/JavaScriptCore/dfg/DFGBasicBlock.h:105:  The parameter name "valueParams" adds no information, so it should be removed.  [readability/parameter_name] [5]
Total errors found: 1 in 33 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 15 Filip Pizlo 2013-03-05 18:29:37 PST 
Landed in http://trac.webkit.org/changeset/144862