224403 – [JSC] B3 reduce-double-to-float should reduce only when constant double is canonical one to reduced float value

Bug 224403 - [JSC] B3 reduce-double-to-float should reduce only when constant double is canonical one to reduced float value

Summary: [JSC] B3 reduce-double-to-float should reduce only when constant double is ca...

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Yusuke Suzuki

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-04-10 00:17 PDT by Yusuke Suzuki
Modified:	2021-04-13 14:33 PDT (History)
CC List:	8 users (show)

See Also:

Attachments
Patch (11.03 KB, patch) 2021-04-10 00:19 PDT, Yusuke Suzuki	mark.lam: review+ ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yusuke Suzuki 2021-04-10 00:17:34 PDT

[JSC] B3 reduce-double-to-float should reduce only when constant double is canonical one to reduced float value

Comment 1 Yusuke Suzuki 2021-04-10 00:19:59 PDT

Created attachment 425678 [details]
Patch

Comment 2 Yusuke Suzuki 2021-04-10 00:20:02 PDT

<rdar://problem/76259599>

Comment 3 Mark Lam 2021-04-10 07:37:08 PDT

Comment on attachment 425678 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425678&action=review

r=me with suggestion.

> Source/JavaScriptCore/b3/B3ReduceStrength.cpp:1690
> +            // We cannot convert FloatToDouble(DoubleToFloat(value)) to value, because double-to-float will trancate some range of double values into one float.

/cannot convert/cannot convert some/

> Source/JavaScriptCore/b3/B3ReduceStrength.cpp:1696
>              if (Value* constant = m_value->child(0)->floatToDoubleConstant(m_proc)) {

Currently, both floatToDoubleConstant() and doubleToFloatConstant() do unconditional conversions.  Since their results are always expected to be null checked before use, I recommend either:
1. Make them only return a non-null result if the conversion is lossless, or
2. Add ASSERTs in them that the conversion is lossless.

Comment 4 Yusuke Suzuki 2021-04-10 11:53:49 PDT

Comment on attachment 425678 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=425678&action=review

>> Source/JavaScriptCore/b3/B3ReduceStrength.cpp:1690
>> +            // We cannot convert FloatToDouble(DoubleToFloat(value)) to value, because double-to-float will trancate some range of double values into one float.
> 
> /cannot convert/cannot convert some/

Changed.

>> Source/JavaScriptCore/b3/B3ReduceStrength.cpp:1696
>>              if (Value* constant = m_value->child(0)->floatToDoubleConstant(m_proc)) {
> 
> Currently, both floatToDoubleConstant() and doubleToFloatConstant() do unconditional conversions.  Since their results are always expected to be null checked before use, I recommend either:
> 1. Make them only return a non-null result if the conversion is lossless, or
> 2. Add ASSERTs in them that the conversion is lossless.

This place is OK to lose bits since `FloatToDouble(constant)` is explicitly offered as an instruction. So, if it loses the bits, that's the intent of the program.
The above conversion's problem was shat replacement removed the original semantics.

static_cast<double>(static_cast<float>(1.1)) != 1.1


But this conversion is not losing the semantics since the original program's intent.

Comment 5 Yusuke Suzuki 2021-04-10 12:00:15 PDT

Committed r275800 (236371@main): <https://commits.webkit.org/236371@main>

Comment 6 Mark Lam 2021-04-10 12:08:21 PDT

(In reply to Yusuke Suzuki from comment #4)
> >> Source/JavaScriptCore/b3/B3ReduceStrength.cpp:1696
> >>              if (Value* constant = m_value->child(0)->floatToDoubleConstant(m_proc)) {
> > 
> > Currently, both floatToDoubleConstant() and doubleToFloatConstant() do unconditional conversions.  Since their results are always expected to be null checked before use, I recommend either:
> > 1. Make them only return a non-null result if the conversion is lossless, or
> > 2. Add ASSERTs in them that the conversion is lossless.
> 
> This place is OK to lose bits since `FloatToDouble(constant)` is explicitly
> offered as an instruction. So, if it loses the bits, that's the intent of
> the program.
> The above conversion's problem was shat replacement removed the original
> semantics.
> 
> static_cast<double>(static_cast<float>(1.1)) != 1.1
> 
> 
> But this conversion is not losing the semantics since the original program's
> intent.

Good point.

Comment 7 Michael Catanzaro 2021-04-12 14:52:04 PDT

%llu assumes uint64_t is a long long unsigned int, but on Linux x86_64 it's long unsigned int. Solution is to use the PRIu64 format modifier:

[624/4867] Building CXX object Source/JavaScriptCore/CMak...vedSources/unified-sources/UnifiedSource-23a5fd0e-3.cpp.o
In file included from JavaScriptCore/DerivedSources/unified-sources/UnifiedSource-23a5fd0e-3.cpp:1:
../../Source/JavaScriptCore/b3/B3ConstDoubleValue.cpp: In member function ‘virtual void JSC::B3::ConstDoubleValue::dumpMeta(WTF::CommaPrinter&, WTF::PrintStream&) const’:
../../Source/JavaScriptCore/b3/B3ConstDoubleValue.cpp:197:24: warning: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 4 has type ‘long unsigned int’ [-Wformat=]
  197 |     out.printf("%le(%llu)", m_value, bitwise_cast<uint64_t>(m_value));
      |                     ~~~^             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      |                        |                                   |
      |                        long long unsigned int              long unsigned int
      |                     %lu

Comment 8 Yusuke Suzuki 2021-04-13 14:33:19 PDT

Fixed the warning in https://trac.webkit.org/changeset/275870/webkit