RESOLVED FIXED 193094
DFG IntegerRangeOptimization phase exceeding loop limit shouldn't ASSERT 
https://bugs.webkit.org/show_bug.cgi?id=193094
Summary DFG IntegerRangeOptimization phase exceeding loop limit shouldn't ASSERT
Michael Saboff
Reported 2019-01-02 17:10:33 PST
The current value of 50 for giveUpThreshold in DFGIntegerRangeOptimizationPhase.cpp is somewhat arbitrary. It works for all our current tests, including benchmarks with real world code. One can construct test cases that will exceed the threshold. For example the code: const theNumber100 = 100; function foo() { for (var i = 0; i < 1000; ++i) { switch (i + 1000) { case 0: case 2: case 23: case 26: case 29: case 32: case 35: case 38: case 41: case 44: case 46: case 49: case 52: case 55: case 58: case 61: case theNumber100: break; } } } Due to the sequence of compare & branch byte code generated due to the const, this code takes 53 loop iterations to converge. Add a few more case statements and the loop count grows higher. B3 has optimizations to handle this kind of compare and branch code even without running the IntegerRangeOptimization phase.
Attachments
Patch (2.27 KB, patch)
2019-01-02 17:30 PST, Michael Saboff 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Michael Saboff
Comment 1 2019-01-02 17:11:09 PST
<rdar://problem/45838655>
Michael Saboff
Comment 2 2019-01-02 17:30:41 PST
Created attachment 358230 [details] Patch
Saam Barati
Comment 3 2019-01-02 19:17:29 PST
Comment on attachment 358230 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=358230&action=review > Source/JavaScriptCore/dfg/DFGIntegerRangeOptimizationPhase.cpp:1098 > // If you hit this assertion for a legitimate case, update the giveUpThreshold > // to the smallest values that converges. There is no more assertion.
Michael Saboff
Comment 4 2019-01-03 09:55:12 PST
Comment on attachment 358230 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=358230&action=review >> Source/JavaScriptCore/dfg/DFGIntegerRangeOptimizationPhase.cpp:1098 >> // to the smallest values that converges. > > There is no more assertion. Fixed.
Michael Saboff
Comment 5 2019-01-03 09:58:34 PST
Committed r239595: <https://trac.webkit.org/changeset/239595>
Note You need to log in before you can comment on or make changes to this bug.