184440 – DFG AI and clobberize should agree with each other

Bug 184440 - DFG AI and clobberize should agree with each other

Summary: DFG AI and clobberize should agree with each other

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	All All

Importance:	P2 Normal
Assignee:	Filip Pizlo

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2018-04-09 22:24 PDT by Filip Pizlo
Modified:	2018-04-10 14:16 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
work in progress (34.02 KB, patch) 2018-04-09 22:24 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
the patch (38.74 KB, patch) 2018-04-09 22:50 PDT, Filip Pizlo	saam: review+	Details \| Formatted Diff \| Diff
patch for landing (45.85 KB, patch) 2018-04-10 10:59 PDT, Filip Pizlo	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (2) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Filip Pizlo 2018-04-09 22:24:15 PDT

Patch forthcoming.

Comment 1 Filip Pizlo 2018-04-09 22:24:43 PDT

Created attachment 337589 [details]
work in progress

Comment 2 Filip Pizlo 2018-04-09 22:50:00 PDT

Created attachment 337592 [details]
the patch

Comment 3 EWS Watchlist 2018-04-09 22:52:15 PDT

Attachment 337592 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:3077:  Multi line control clauses should use braces.  [whitespace/braces] [4]
Total errors found: 1 in 14 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 4 Radar WebKit Bug Importer 2018-04-09 23:12:20 PDT

<rdar://problem/39306180>

Comment 5 Saam Barati 2018-04-09 23:24:30 PDT

Comment on attachment 337592 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=337592&action=review

r=me

> Source/JavaScriptCore/dfg/DFGClobberize.h:979
> +            read(Butterfly_publicLength);
> +            read(Butterfly_vectorLength);
> +            read(ArrayStorageProperties);
> +            write(ArrayStorageProperties);

For setters, are they always !mayStoreToHole?

> Source/JavaScriptCore/dfg/DFGClobberize.h:1331
> +        case UntypedUse:
> +            read(World);
> +            write(Heap);
> +            return;

Seems like this would be a good test to add since we don't have one.

> Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h:96
> +    // Would have the last executed node clobbered the world had we not found a way to fold it?

clobbering the world seems like the wrong comment to have here, since doing a transition doesn't necessarily entail clobbering the world, but would return true here. Maybe make the comment say something that allows for both clobbering the world and transitions?

Comment 6 Filip Pizlo 2018-04-09 23:27:30 PDT

(In reply to Saam Barati from comment #5)
> Comment on attachment 337592 [details]
> the patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=337592&action=review
> 
> r=me
> 
> > Source/JavaScriptCore/dfg/DFGClobberize.h:979
> > +            read(Butterfly_publicLength);
> > +            read(Butterfly_vectorLength);
> > +            read(ArrayStorageProperties);
> > +            write(ArrayStorageProperties);
> 
> For setters, are they always !mayStoreToHole?

SlowPutArrayStorage means you may have accessors. So, storing to a hole means possibly calling an accessor.

> 
> > Source/JavaScriptCore/dfg/DFGClobberize.h:1331
> > +        case UntypedUse:
> > +            read(World);
> > +            write(Heap);
> > +            return;
> 
> Seems like this would be a good test to add since we don't have one.

This is already covered by a test thanks to the new assertion!

> 
> > Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h:96
> > +    // Would have the last executed node clobbered the world had we not found a way to fold it?
> 
> clobbering the world seems like the wrong comment to have here, since doing
> a transition doesn't necessarily entail clobbering the world, but would
> return true here. Maybe make the comment say something that allows for both
> clobbering the world and transitions?

I made it say "clobbered things".  This returns true if the node clobbers anything that the AI knows about how to clobber, which currently just means structures.

Comment 7 Filip Pizlo 2018-04-10 08:26:39 PDT

I think that it would be best if I wrote a test case for all of the cases that I found even though the new assertion gives us such cases for free.  I'll do that and then land.

Comment 8 Filip Pizlo 2018-04-10 10:59:52 PDT

Created attachment 337621 [details]
patch for landing

Comment 9 EWS Watchlist 2018-04-10 11:06:35 PDT

Attachment 337621 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:3075:  Multi line control clauses should use braces.  [whitespace/braces] [4]
Total errors found: 1 in 22 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 10 Filip Pizlo 2018-04-10 12:46:34 PDT

Landed in https://trac.webkit.org/changeset/230488/webkit

Comment 11 Ryan Haddad 2018-04-10 14:11:19 PDT

This change broke the CLoop build: https://build.webkit.org/builders/Apple%20High%20Sierra%20LLINT%20CLoop%20%28BuildAndTest%29/builds/5032

./dfg/DFGAbstractInterpreterClobberState.cpp:33:38: error: use of undeclared identifier 'JSC'

Comment 12 Filip Pizlo 2018-04-10 14:15:08 PDT

(In reply to Ryan Haddad from comment #11)
> This change broke the CLoop build:
> https://build.webkit.org/builders/
> Apple%20High%20Sierra%20LLINT%20CLoop%20%28BuildAndTest%29/builds/5032
> 
> ./dfg/DFGAbstractInterpreterClobberState.cpp:33:38: error: use of undeclared
> identifier 'JSC'

Fixing...

Comment 13 Filip Pizlo 2018-04-10 14:16:30 PDT

Fixed in r230494.