148649 – DFG AI assertions about not having to do type checks at the point of a Known use kind are unsound

RESOLVED FIXED 148649

DFG AI assertions about not having to do type checks at the point of a Known use kind are unsound

https://bugs.webkit.org/show_bug.cgi?id=148649

Summary DFG AI assertions about not having to do type checks at the point of a Known ...

Filip Pizlo

Reported 2015-08-31 15:10:33 PDT

We often generate IR like: Check(Int32:@x) ... Foo(KnownInt32:@x) It would be valid for any optimization that somehow proves the type of @x to remove the Check node entirely. But then, AI might fail on an assertion at Foo() because of the KnownInt32 use kind, if AI isn't smart enough to construct the same proof that the former optimization used for removing the Check. The correct solution is probably to remove the compile-time assertions about Known use kinds having already been checked. It's OK for those to be debug-only JIT assertions.

Attachments
the patch (2.15 KB, patch) 2015-09-01 10:42 PDT, Filip Pizlo	saam: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2015-08-31 15:11:41 PDT

I might end up fixing this before I do property type inference. It looks like that code might reveal this bug.

Filip Pizlo

Comment 2 2015-09-01 10:42:52 PDT

Created attachment 260369 [details] the patch

Saam Barati

Comment 3 2015-09-01 10:44:19 PDT

Comment on attachment 260369 [details] the patch r=me

Filip Pizlo

Comment 4 2015-09-01 11:27:51 PDT

Landed in http://trac.webkit.org/changeset/189219

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution FIXED

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware All

OS All

Product WebKit

Component JavaScriptCore

Assignee

Filip Pizlo

Reported

2015-08-31 15:10 PDT

Modified

2015-09-01 11:27 PDT History

CC List

0 users

URL

Keywords

Depends on

Blocks

148610

Dependencies

tree graph