Changeset 267032 in webkit


Ignore:
Timestamp:
Sep 14, 2020 1:06:24 PM (4 years ago)
Author:
sbarati@apple.com
Message:

Remove bogus asserts in FTLLower that assume programs are compiled with sensible speculations
https://bugs.webkit.org/show_bug.cgi?id=216485
<rdar://problem/68562804>

Reviewed by Keith Miller.

JSTests:

  • stress/ftl-should-not-assume-speculations-are-sensible.js: Added.

(foo):

Source/JavaScriptCore:

We had an assert inside lowCell that if a value was not part of the JSValue
hashmap of values, then the type must not conform to being a cell. However,
consider a program like this:

`
x = ArithAdd(i32, i32) <-- x is an i32 here
if (b) {

Check(Cell:@x)
ArrayifyToStructure(@x, thingy)

}
<-- HERE
`

@x will live in FTLLower's i32 hashmap, but because of the AI rule for
ArrayifyToStructure, it will also have SpecCell in its type. This is totally
valid, and asserting that this isn't possible is wrong. (Obviously the above
speculation is stupid, as we will always exit at the Check, but it's valid IR.)

This patch removes this assertion from lowCell, and removes similar assertions
from other low* functions.

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::lowInt52):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
(JSC::FTL::DFG::LowerDFGToB3::lowDouble):

Location:
trunk
Files:
1 added
3 edited

Legend:

Unmodified
Added
Removed

  • trunk/JSTests/ChangeLog

    r267029 r267032  
     12020-09-14  Saam Barati  <sbarati@apple.com>
     2
     3        Remove bogus asserts in FTLLower that assume programs are compiled with sensible speculations
     4        https://bugs.webkit.org/show_bug.cgi?id=216485
     5        <rdar://problem/68562804>
     6
     7        Reviewed by Keith Miller.
     8
     9        * stress/ftl-should-not-assume-speculations-are-sensible.js: Added.
     10        (foo):
     11
    1122020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>
    213

  • trunk/Source/JavaScriptCore/ChangeLog

    r267029 r267032  
     12020-09-14  Saam Barati  <sbarati@apple.com>
     2
     3        Remove bogus asserts in FTLLower that assume programs are compiled with sensible speculations
     4        https://bugs.webkit.org/show_bug.cgi?id=216485
     5        <rdar://problem/68562804>
     6
     7        Reviewed by Keith Miller.
     8
     9        We had an assert inside lowCell that if a value was not part of the JSValue
     10        hashmap of values, then the type must not conform to being a cell. However,
     11        consider a program like this:
     12       
     13        ```
     14        x = ArithAdd(i32, i32) <-- x is an i32 here
     15        if (b) {
     16            Check(Cell:@x)
     17            ArrayifyToStructure(@x, thingy)
     18        }
     19        <-- HERE
     20        ```
     21       
     22        @x will live in FTLLower's i32 hashmap, but because of the AI rule for
     23        ArrayifyToStructure, it will also have SpecCell in its type. This is totally
     24        valid, and asserting that this isn't possible is wrong. (Obviously the above
     25        speculation is stupid, as we will always exit at the Check, but it's valid IR.)
     26       
     27        This patch removes this assertion from lowCell, and removes similar assertions
     28        from other low* functions.
     29
     30        * ftl/FTLLowerDFGToB3.cpp:
     31        (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
     32        (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
     33        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
     34        (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
     35        (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
     36
    1372020-09-14  Alexey Shvayka  <shvaikalesh@gmail.com>
    238

  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r266969 r267032  
    1701617016        }
    1701717017
    17018         DFG_ASSERT(m_graph, m_node, !(provenType(edge) & SpecInt32Only), provenType(edge));
    1701917018        if (mayHaveTypeCheck(edge.useKind()))
    1702017019            terminate(Uncountable);
     
    1705117050        }
    1705217051
    17053         DFG_ASSERT(m_graph, m_node, !provenType(edge), provenType(edge));
    1705417052        if (mayHaveTypeCheck(edge.useKind()))
    1705517053            terminate(Uncountable);
     
    1712317121        }
    1712417122       
    17125         DFG_ASSERT(m_graph, m_node, !(provenType(edge) & SpecCellCheck), provenType(edge));
    1712617123        if (mayHaveTypeCheck(edge.useKind()))
    1712717124            terminate(Uncountable);
     
    1728417281        }
    1728517282
    17286         DFG_ASSERT(m_graph, m_node, !(provenType(edge) & SpecBoolean), provenType(edge));
    1728717283        if (mayHaveTypeCheck(edge.useKind()))
    1728817284            terminate(Uncountable);
     
    1729717293        if (isValid(value))
    1729817294            return value.value();
    17299         DFG_ASSERT(m_graph, m_node, !provenType(edge), provenType(edge));
    1730017295        if (mayHaveTypeCheck(edge.useKind()))
    1730117296            terminate(Uncountable);
Note: See TracChangeset for help on using the changeset viewer.