RESOLVED FIXED 184440
DFG AI and clobberize should agree with each other 
https://bugs.webkit.org/show_bug.cgi?id=184440
Summary DFG AI and clobberize should agree with each other
Filip Pizlo
Reported 2018-04-09 22:24:15 PDT
Patch forthcoming.
Attachments
work in progress (34.02 KB, patch)
2018-04-09 22:24 PDT, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (38.74 KB, patch)
2018-04-09 22:50 PDT, Filip Pizlo 		saam: review+
DetailsFormatted DiffDiff
patch for landing (45.85 KB, patch)
2018-04-10 10:59 PDT, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2018-04-09 22:24:43 PDT
Created attachment 337589 [details] work in progress
Filip Pizlo
Comment 2 2018-04-09 22:50:00 PDT
Created attachment 337592 [details] the patch
EWS Watchlist
Comment 3 2018-04-09 22:52:15 PDT
Attachment 337592 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:3077: Multi line control clauses should use braces. [whitespace/braces] [4] Total errors found: 1 in 14 files If any of these errors are false positives, please file a bug against check-webkit-style.
Radar WebKit Bug Importer
Comment 4 2018-04-09 23:12:20 PDT
<rdar://problem/39306180>
Saam Barati
Comment 5 2018-04-09 23:24:30 PDT
Comment on attachment 337592 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=337592&action=review r=me > Source/JavaScriptCore/dfg/DFGClobberize.h:979 > + read(Butterfly_publicLength); > + read(Butterfly_vectorLength); > + read(ArrayStorageProperties); > + write(ArrayStorageProperties); For setters, are they always !mayStoreToHole? > Source/JavaScriptCore/dfg/DFGClobberize.h:1331 > + case UntypedUse: > + read(World); > + write(Heap); > + return; Seems like this would be a good test to add since we don't have one. > Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h:96 > + // Would have the last executed node clobbered the world had we not found a way to fold it? clobbering the world seems like the wrong comment to have here, since doing a transition doesn't necessarily entail clobbering the world, but would return true here. Maybe make the comment say something that allows for both clobbering the world and transitions?
Filip Pizlo
Comment 6 2018-04-09 23:27:30 PDT
(In reply to Saam Barati from comment #5) > Comment on attachment 337592 [details] > the patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=337592&action=review > > r=me > > > Source/JavaScriptCore/dfg/DFGClobberize.h:979 > > + read(Butterfly_publicLength); > > + read(Butterfly_vectorLength); > > + read(ArrayStorageProperties); > > + write(ArrayStorageProperties); > > For setters, are they always !mayStoreToHole? SlowPutArrayStorage means you may have accessors. So, storing to a hole means possibly calling an accessor. > > > Source/JavaScriptCore/dfg/DFGClobberize.h:1331 > > + case UntypedUse: > > + read(World); > > + write(Heap); > > + return; > > Seems like this would be a good test to add since we don't have one. This is already covered by a test thanks to the new assertion! > > > Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h:96 > > + // Would have the last executed node clobbered the world had we not found a way to fold it? > > clobbering the world seems like the wrong comment to have here, since doing > a transition doesn't necessarily entail clobbering the world, but would > return true here. Maybe make the comment say something that allows for both > clobbering the world and transitions? I made it say "clobbered things". This returns true if the node clobbers anything that the AI knows about how to clobber, which currently just means structures.
Filip Pizlo
Comment 7 2018-04-10 08:26:39 PDT
I think that it would be best if I wrote a test case for all of the cases that I found even though the new assertion gives us such cases for free. I'll do that and then land.
Filip Pizlo
Comment 8 2018-04-10 10:59:52 PDT
Created attachment 337621 [details] patch for landing
EWS Watchlist
Comment 9 2018-04-10 11:06:35 PDT
Attachment 337621 [details] did not pass style-queue: ERROR: Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:3075: Multi line control clauses should use braces. [whitespace/braces] [4] Total errors found: 1 in 22 files If any of these errors are false positives, please file a bug against check-webkit-style.
Filip Pizlo
Comment 10 2018-04-10 12:46:34 PDT
Landed in https://trac.webkit.org/changeset/230488/webkit
Ryan Haddad
Comment 11 2018-04-10 14:11:19 PDT
This change broke the CLoop build: https://build.webkit.org/builders/Apple%20High%20Sierra%20LLINT%20CLoop%20%28BuildAndTest%29/builds/5032 ./dfg/DFGAbstractInterpreterClobberState.cpp:33:38: error: use of undeclared identifier 'JSC'
Filip Pizlo
Comment 12 2018-04-10 14:15:08 PDT
(In reply to Ryan Haddad from comment #11) > This change broke the CLoop build: > https://build.webkit.org/builders/ > Apple%20High%20Sierra%20LLINT%20CLoop%20%28BuildAndTest%29/builds/5032 > > ./dfg/DFGAbstractInterpreterClobberState.cpp:33:38: error: use of undeclared > identifier 'JSC' Fixing...
Filip Pizlo
Comment 13 2018-04-10 14:16:30 PDT
Fixed in r230494.
Note You need to log in before you can comment on or make changes to this bug.