RESOLVED FIXED 164600
Graph::methodOfGettingAValueProfileFor() should be returning the profile for the operand node. 
https://bugs.webkit.org/show_bug.cgi?id=164600
Summary Graph::methodOfGettingAValueProfileFor() should be returning the profile for ...
Mark Lam
Reported 2016-11-10 10:30:29 PST
Currently, Graph::methodOfGettingAValueProfileFor() assumes that the operand DFG node that it is provided with always has a different origin than the node that is using that operand. For example, in a DFG graph that looks like this: a: ... b: ArithAdd(@a, ...) ... when emitting speculation checks on @a for the ArithAdd node at @b, Graph::methodOfGettingAValueProfileFor() is passed @a, and expects @a's to originate from a different bytecode than @b. However, op_negate can be compiled into the following series of nodes: a: BooleanToNumber(...) b: DoubleRep(@a) c: ArithNegate(@b) All 3 nodes maps to the same op_negate bytecode i.e. they have the same origin. When the speculativeJIT does a speculationCheck in DoubleRep, it calls Graph::methodOfGettingAValueProfileFor() to get the ArithProfile for the BooleanToNumber node. But because all 3 nodes have the same origin, Graph::methodOfGettingAValueProfileFor() erroneously returns the ArithProfile for the op_negate. Subsequently, the OSR exit ramp will modify the ArithProfile of the op_negate and corrupt its profile. Instead, what the OSR exit ramp should be doing is update the ArithProfile of op_negate's operand i.e. BooleanToNumber's operand in this case. The fix is to always pass the current node we're generating code for (in addition to the operand node) to Graph::methodOfGettingAValueProfileFor(). This way, we can determine if the profile is valid if and only if the current node and its operand node does not have the same origin.
Attachments
proposed patch. (14.22 KB, patch)
2016-11-10 10:54 PST, Mark Lam 		fpizlo: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2016-11-10 10:30:54 PST
<rdar://problem/28828676>
Mark Lam
Comment 2 2016-11-10 10:54:49 PST
Created attachment 294385 [details] proposed patch.
Filip Pizlo
Comment 3 2016-11-10 11:09:39 PST
Comment on attachment 294385 [details] proposed patch. Thank you for cleaning this up!
Geoffrey Garen
Comment 4 2016-11-10 11:20:25 PST
Seems correct to me. We probably need Phil to review this. > Source/JavaScriptCore/dfg/DFGGraph.cpp:1619 > + Node* node = operandNode; > while (node) { I think this would be clearer as: for (Node* node = operandNode; node; )
Mark Lam
Comment 5 2016-11-10 11:30:04 PST
(In reply to comment #4) > Seems correct to me. We probably need Phil to review this. > > > Source/JavaScriptCore/dfg/DFGGraph.cpp:1619 > > + Node* node = operandNode; > > while (node) { > > I think this would be clearer as: for (Node* node = operandNode; node; ) Thanks. I'll apply this before landing.
Mark Lam
Comment 6 2016-11-10 13:23:58 PST
Thanks for the reviews. Landed in r208560: <http://trac.webkit.org/r208560>.
Note You need to log in before you can comment on or make changes to this bug.