Bug 148649 - DFG AI assertions about not having to do type checks at the point of a Known use kind are unsound
Summary: DFG AI assertions about not having to do type checks at the point of a Known ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: Other
Hardware: All All
: P2 Normal
Assignee: Filip Pizlo
URL:
Keywords:
Depends on:
Blocks: 148610
  Show dependency treegraph
 
Reported: 2015-08-31 15:10 PDT by Filip Pizlo
Modified: 2015-09-01 11:27 PDT (History)
0 users

See Also:

Attachments
the patch (2.15 KB, patch)
2015-09-01 10:42 PDT, Filip Pizlo 		saam: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2015-08-31 15:10:33 PDT 
We often generate IR like:

Check(Int32:@x)
...
Foo(KnownInt32:@x)

It would be valid for any optimization that somehow proves the type of @x to remove the Check node entirely.  But then, AI might fail on an assertion at Foo() because of the KnownInt32 use kind, if AI isn't smart enough to construct the same proof that the former optimization used for removing the Check.

The correct solution is probably to remove the compile-time assertions about Known use kinds having already been checked.  It's OK for those to be debug-only JIT assertions.
Comment 1 Filip Pizlo 2015-08-31 15:11:41 PDT 
I might end up fixing this before I do property type inference. It looks like that code might reveal this bug.
Comment 2 Filip Pizlo 2015-09-01 10:42:52 PDT 
Created attachment 260369 [details]
the patch
Comment 3 Saam Barati 2015-09-01 10:44:19 PDT 
Comment on attachment 260369 [details]
the patch

r=me
Comment 4 Filip Pizlo 2015-09-01 11:27:51 PDT 
Landed in http://trac.webkit.org/changeset/189219