Changeset 203034 in webkit


Ignore:
Timestamp:
Jul 9, 2016, 2:07:45 PM (9 years ago)
Author:
fpizlo@apple.com
Message:
REGRESSION(201900): validation failure for GetByOffset/PutByOffset in VALIDATE((node), node->child1().node() == node->child2().node()
node->child1()->result() == NodeResultStorage)

https://bugs.webkit.org/show_bug.cgi?id=159603

Reviewed by Keith Miller.

This removes an incorrect validation rule and replaces it with a FIXME about how to make this
aspect of IR easier to validate soundly.

It's not valid to assert that two children of a node are the same. It should always be valid
to take:

Foo(@x, @x)

and turn it into:

a: ValueRep(@x)
b: ValueRep(@x)
Foo(@a, @b)

or even something like:

y: Identity(@y)
Foo(@x, @y)

That's because it should be possible to rewire any data flow edge something that produces an
equivalent value.

The validation rule that this patch removes meant that such rewirings were invalid on
GetByOffset/PutByOffset. FixupPhase did such a rewiring sometimes.

  • dfg/DFGValidate.cpp:
  • tests/stress/get-by-offset-double.js: Added.
Location:
trunk/Source/JavaScriptCore
Files:
1 added
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r203033 r203034  
     12016-07-09  Filip Pizlo  <fpizlo@apple.com>
     2
     3        REGRESSION(201900): validation failure for GetByOffset/PutByOffset in VALIDATE((node), node->child1().node() == node->child2().node() || node->child1()->result() == NodeResultStorage)
     4        https://bugs.webkit.org/show_bug.cgi?id=159603
     5
     6        Reviewed by Keith Miller.
     7       
     8        This removes an incorrect validation rule and replaces it with a FIXME about how to make this
     9        aspect of IR easier to validate soundly.
     10       
     11        It's not valid to assert that two children of a node are the same. It should always be valid
     12        to take:
     13       
     14        Foo(@x, @x)
     15       
     16        and turn it into:
     17       
     18        a: ValueRep(@x)
     19        b: ValueRep(@x)
     20        Foo(@a, @b)
     21       
     22        or even something like:
     23       
     24        y: Identity(@y)
     25        Foo(@x, @y)
     26       
     27        That's because it should be possible to rewire any data flow edge something that produces an
     28        equivalent value.
     29       
     30        The validation rule that this patch removes meant that such rewirings were invalid on
     31        GetByOffset/PutByOffset. FixupPhase did such a rewiring sometimes.
     32
     33        * dfg/DFGValidate.cpp:
     34        * tests/stress/get-by-offset-double.js: Added.
     35
    1362016-07-09  Keith Miller  <keith_miller@apple.com>
    237

  • trunk/Source/JavaScriptCore/dfg/DFGValidate.cpp

    r201900 r203034  
    300300                case GetByOffset:
    301301                case PutByOffset:
    302                     VALIDATE((node), node->child1().node() == node->child2().node() || node->child1()->result() == NodeResultStorage);
     302                    // FIXME: We should be able to validate that GetByOffset and PutByOffset are
     303                    // using the same object for storage and base. I think this means finally
     304                    // splitting these nodes into two node types, one for inline and one for
     305                    // out-of-line. The out-of-line one will require that the first node is storage,
     306                    // while the inline one will not take a storage child at all.
     307                    // https://bugs.webkit.org/show_bug.cgi?id=159602
    303308                    break;
    304309                default:
Note: See TracChangeset for help on using the changeset viewer.