
[JSC] CFA should clear abstract values first before reconstruction #14093

Commits on May 20, 2023

  1. [JSC] CFA should clear abstract values first before reconstruction

    https://bugs.webkit.org/show_bug.cgi?id=257044
    rdar://109576467
    
    Reviewed by Yusuke Suzuki.
    
    Graph::packNodeIndices updates the DFG nodes' indexes after packing,
    which is usually performed in the LivenessAnalysis phase. Since the node
    index is used to associate a node with its abstract value, we usually need
    to perform CFA subsequently to reconstruct the abstract values for the DFG graph.
    
    However, the current implementation for CFA to reconstruct abstract
    values is to reset their content according to the new speculation without
    cleaning first. This brings us a problem: some DFG nodes,
    e.g., EnumeratorNextUpdateIndexAndMode, shouldn't have a speculation
    type but might be updated with new node indexes after Graph::packNodeIndices.
    With those updated node indexes, those DFG nodes might be associated with typed
    abstract values, which is wrong. In this case, even if CFA is performed subsequently,
    those abstract values are still typed.
    
    This patch fixes this issue by:
    1. Clear abstract values after packing the graph in debug builds.
    2. Do perform CFA in AI validation.
    3. Clear abstract value for EnumeratorNextUpdateIndexAndMode in AI.
    
    * JSTests/stress/regress-109263765.js: Added.
    (foo):
    * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
    (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
    * Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:
    * Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp:
    (JSC::DFG::AtTailAbstractState::createOrClearValueForNode):
    (JSC::DFG::AtTailAbstractState::createValueForNode): Deleted.
    * Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h:
    * Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:
    (JSC::DFG::CFAPhase::run):
    * Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h:
    (JSC::DFG::InPlaceAbstractState::createOrClearValueForNode):
    (JSC::DFG::InPlaceAbstractState::createValueForNode): Deleted.
    * Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.cpp:
    (JSC::DFG::performGraphPackingAndLivenessAnalysis):
    (JSC::DFG::performLivenessAnalysis): Deleted.
    * Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.h:
    * Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:
    * Source/JavaScriptCore/dfg/DFGPlan.cpp:
    (JSC::DFG::Plan::compileInThreadImpl):
    * Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
    (JSC::FTL::DFG::LowerDFGToB3::compileNode):
    
    Canonical link: https://commits.webkit.org/264281@main
    hyjorc1 committed May 20, 2023
    3af657f