Bug 193094 - DFG IntegerRangeOptimization phase exceeding loop limit shouldn't ASSERT
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Michael Saboff
Keywords: InRadar
Reported: 2019-01-02 17:10 PST by Michael Saboff
Modified: 2022-02-27 23:29 PST

Attachments
Patch (2.27 KB, patch)
2019-01-02 17:30 PST, Michael Saboff
saam: review+

Description Michael Saboff 2019-01-02 17:10:33 PST
The current value of 50 for giveUpThreshold in DFGIntegerRangeOptimizationPhase.cpp is somewhat arbitrary.  It works for all our current tests, including benchmarks with real world code.  One can construct test cases that will exceed the threshold.  For example the code:

    const theNumber100 = 100;
    function foo() {
        for (var i = 0; i < 1000; ++i) {
            switch (i + 1000) {
            case 0:
            case 2:
            case 23:
            case 26:
            case 29:
            case 32:
            case 35:
            case 38:
            case 41:
            case 44:
            case 46:
            case 49:
            case 52:
            case 55:
            case 58:
            case 61:
            case theNumber100:
                break;
            }
        }
    }

Due to the sequence of compare & branch byte code generated due to the const, this code takes 53 loop iterations to converge.  Add a few more case statements and the loop count grows higher.  B3 has optimizations to handle this kind of compare and branch code even without running the IntegerRangeOptimization phase.
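
A toy model of the situation described above, added here as an illustration and not taken from the WebKit patch or from DFGIntegerRangeOptimizationPhase.cpp: a fixed-point loop that returns "did not converge" when it reaches its pass limit instead of asserting. `PhaseResult`, `runRangePhase` and the one-block-per-pass chain are assumptions made for the example; only the name `giveUpThreshold` and the value 50 come from the report.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Toy model (not JavaScriptCore code): block k of a compare-and-branch chain
// learns its bound only from block k-1, and blocks are visited last-to-first,
// so each pass of the fixed-point loop moves the fact forward by one block.
struct PhaseResult {
    bool converged;   // fixed point reached within the threshold
    unsigned passes;  // passes actually executed
};

PhaseResult runRangePhase(std::size_t chainLength, unsigned giveUpThreshold)
{
    const int unknown = -1;
    std::vector<int> bound(chainLength, unknown);
    if (chainLength)
        bound[0] = 0; // the first compare establishes the initial fact

    unsigned passes = 0;
    bool changed = true;
    while (changed) {
        // Limit reached: report "no result" so the caller keeps the graph
        // unoptimized. Asserting here would abort on valid input.
        if (passes == giveUpThreshold)
            return { false, passes };
        ++passes;
        changed = false;
        for (std::size_t k = chainLength; k-- > 1;) {
            if (bound[k] == unknown && bound[k - 1] != unknown) {
                bound[k] = bound[k - 1] + 1;
                changed = true;
            }
        }
    }
    return { true, passes };
}

int main()
{
    // Constructed input: a 53-block chain against thresholds of 50 and 100.
    for (unsigned threshold : { 50u, 100u }) {
        PhaseResult r = runRangePhase(53, threshold);
        std::printf("threshold=%u converged=%d passes=%u\n",
                    threshold, r.converged, r.passes);
    }
    return 0;
}
```
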
Comment 1 Michael Saboff 2019-01-02 17:11:09 PST
<rdar://problem/45838655>
Comment 2 Michael Saboff 2019-01-02 17:30:41 PST
Created attachment 358230
Patch
Comment 3 Saam Barati 2019-01-02 19:17:29 PST
Comment on attachment 358230
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=358230&action=review

> Source/JavaScriptCore/dfg/DFGIntegerRangeOptimizationPhase.cpp:1098
>                  // If you hit this assertion for a legitimate case, update the giveUpThreshold
>                  // to the smallest values that converges.

There is no more assertion.
Comment 4 Michael Saboff 2019-01-03 09:55:12 PST
Comment on attachment 358230
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=358230&action=review

>> Source/JavaScriptCore/dfg/DFGIntegerRangeOptimizationPhase.cpp:1098
>>                  // to the smallest values that converges.
> 
> There is no more assertion.

Fixed.
Comment 5 Michael Saboff 2019-01-03 09:58:34 PST
Committed r239595: <https://trac.webkit.org/changeset/239595>