RESOLVED FIXED 144186
Rationalize DFG DCE handling of nodes that perform checks that propagate through AI 
https://bugs.webkit.org/show_bug.cgi?id=144186
Summary Rationalize DFG DCE handling of nodes that perform checks that propagate thro...
Filip Pizlo
Reported 2015-04-24 23:07:02 PDT
If I do ArithAdd(Int32Use, Int32Use, CheckOverflow) then AI will prove that this returns Int32. We may later perform code simplifications based on the proof that this is Int32, and we may kill all DFG users of this ArithAdd. Then we may prove that there is no exit site at which the ArithAdd is live. This is sufficient to then kill the ArithAdd - except that we still need the overflow check! Currently we mishandle this: - In places where we want the overflow check we need to use MustGenerate(@ArithAdd) as a hack to keep it alive. That's dirty and it's just indicative of a deeper issue. - Our MovHint removal doesn't do Phantom canonicalization which essentially makes it powerless. This was sort of hiding the bug. - Nodes that have checks that AI leverages should always be NodeMustGenerate. You can't kill something that you are relying on for subsequent simplifications.
Attachments
the patch (24.57 KB, patch)
2015-04-24 23:12 PDT, Filip Pizlo 		ggaren: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2015-04-24 23:12:59 PDT
Created attachment 251613 [details] the patch
Filip Pizlo
Comment 2 2015-04-24 23:13:56 PDT
*** Bug 144148 has been marked as a duplicate of this bug. ***
Geoffrey Garen
Comment 3 2015-04-27 10:58:33 PDT
Comment on attachment 251613 [details] the patch r=me
Filip Pizlo
Comment 4 2015-04-27 11:49:42 PDT
Landed in http://trac.webkit.org/changeset/183401
Note You need to log in before you can comment on or make changes to this bug.