141107 – Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child

RESOLVED FIXED 141107

Converting Flushes and PhantomLocals to Phantoms requires an OSR availability analysis rather than just using the SetLocal's child

https://bugs.webkit.org/show_bug.cgi?id=141107

Summary Converting Flushes and PhantomLocals to Phantoms requires an OSR availability...

Filip Pizlo

Reported 2015-01-30 19:03:50 PST

Consider that you have code like: a: ... b: MovHint(@a) c: ValueRep(@a) d: SetLocal(@c) ... e: Flush(@d) If the code between @d and @e doesn't observe the flushed value, we current convert this to: a: ... b: MovHint(@a) c: ValueRep(@a) d: SetLocal(@c) ... e: Phantom(@c) That's wrong, because @c is not MovHinted to anything. This causes @a to die and if we exit, we won't have a value for this local. Our IR supports the notion that two logically equivalent but not identical values may be used for the MovHint and SetLocal. Phantoms should use the values that MovHints used. So, when strength-reducing a Flush or PhantomLocal to a Phantom we need to put the Phantom on the value that would have gotten MovHinted into that local.

Attachments
the patch (9.03 KB, patch) 2015-01-30 19:08 PST, Filip Pizlo	msaboff: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2015-01-30 19:04:24 PST

This issue was revealed by the new inlining opportunities introduced by https://bugs.webkit.org/show_bug.cgi?id=140660.

Filip Pizlo

Comment 2 2015-01-30 19:08:06 PST

Created attachment 245765 [details] the patch

Michael Saboff

Comment 3 2015-02-02 09:41:25 PST

Comment on attachment 245765 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=245765&action=review r=me > Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp:267 > + // be keeping the last MovHinted value of that local alive. Would it be better to say "keep" instead of "be keeping"?

Filip Pizlo

Comment 4 2015-02-02 09:56:40 PST

Comment on attachment 245765 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=245765&action=review >> Source/JavaScriptCore/dfg/DFGCPSRethreadingPhase.cpp:267 >> + // be keeping the last MovHinted value of that local alive. > > Would it be better to say "keep" instead of "be keeping"? Good point, will make that change!

Filip Pizlo

Comment 5 2015-02-02 10:16:06 PST

Landed in http://trac.webkit.org/changeset/179477

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version 528+ (Nightly build)

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Filip Pizlo

Reported

2015-01-30 19:03 PST

Modified

2015-02-02 10:16 PST History

CC List

10 users Show

URL

Keywords

Depends on

Blocks

140660

Dependencies

tree graph