Status: Assigned
Owner: little...@chromium.org
CC: ad...@chromium.org
Labels: Type-Bug Priority-Medium TurboFan
New issue 4388 by little...@chromium.org: TurboFan AST graph builder is
missing a phi in switch statements
https://code.google.com/p/v8/issues/detail?id=4388
TurboFan seems to be missing a phi node for the usage of x after case 1: in
the following code:
'use strict'; { switch (1) { case 0: let x; case 1: x = 2; case 2:
print(x) } }
This manifests because TF's hole check elimination gets tricked. The hole
check elimination checks if the value of the variable in the environment is
already known to be the hole, throwing an unconditional exception if not,
and compiling a check only if it's a phi. See line 3356 of
src/compiler/ast-graph-builder.cc :
} else if (mode == LET || mode == CONST) {
// Perform check for uninitialized let/const variables.
if (value->op() == the_hole->op()) {
value = BuildThrowReferenceError(variable, bailout_id);
} else if (value->opcode() == IrOpcode::kPhi) {
value = BuildHoleCheckThenThrow(value, variable, value,
bailout_id);
}
}
The code here looks correct to me--if the rest of V8 is correct, you can't
get the hole into a local by doing any complex operation, and the hole will
only be there literally, or through a phi (e.g., { let x; if (y) x = 4; x
}).
If I write "|| true" after kPhi in the above code, the hole check is
generated correctly. But I don't think it'd be sensible to add such a
change--clearly, the right phi needs to be generated. I'm not sure how
extensive a problem this is, whether it comes up in normal switch
statements or only in edge cases with TDZ issues.
A recent patch I wrote https://codereview.chromium.org/1309163003 desugars
switch into having a block around it, so now the curly brackets are not
necessary, but the bug was observable earlier as depicted above. Since the
bug was already observable (and the only difference is now, even if the
parent scope is the global scope, it still triggers), I don't think the
patch needs to be reverted.
--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings
--
--
v8-dev mailing list
v8-dev@googlegroups.com
http://groups.google.com/group/v8-dev
---
You received this message because you are subscribed to the Google Groups "v8-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to v8-dev+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
