Branch: refs/heads/main
Home: https://github.com/WebKit/WebKit
Commit: 3af657fdb0401840e45d495b73ecf570f4c93401
https://github.com/WebKit/WebKit/commit/3af657fdb0401840e45d495b73ecf570f4c93401
Author: Yijia Huang <yijia_hu...@apple.com>
Date: 2023-05-19 (Fri, 19 May 2023)
Changed paths:
  A JSTests/stress/regress-109263765.js
  M Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
  M Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
  M Source/JavaScriptCore/dfg/DFGCFAPhase.cpp
  M Source/JavaScriptCore/dfg/DFGFlowMap.h
  M Source/JavaScriptCore/dfg/DFGGraph.cpp
  M Source/JavaScriptCore/dfg/DFGGraph.h
  M Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h
  M Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.cpp
  M Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.h
  M Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
  M Source/JavaScriptCore/dfg/DFGPlan.cpp
  M Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

Log Message:
-----------
[JSC] CFA should clear abstract values first before reconstruction
https://bugs.webkit.org/show_bug.cgi?id=257044
rdar://109576467

Reviewed by Yusuke Suzuki.

Graph::packNodeIndices updates DFG nodes' indexes after packing, which is usually performed in the LivenessAnalysis phase. Since a node's index is used for associating its abstract value, we usually need to perform CFA subsequently to reconstruct abstract values for the DFG graph. However, the current implementation for CFA to reconstruct abstract values is to reset their content according to the new speculation without clearing first. This brings us a problem: some DFG nodes, e.g., EnumeratorNextUpdateIndexAndMode, which shouldn't have a speculation type, might be updated with new node indexes after Graph::packNodeIndices. With those updated node indexes, those DFG nodes might be associated with typed abstract values, which is wrong. In this case, even if CFA is performed subsequently, those abstract values are still typed.

This patch fixes this issue by:
1. Clearing abstract values after packing the graph in debug builds.
2. Performing CFA in AI validation.
3. Clearing the abstract value for EnumeratorNextUpdateIndexAndMode in AI.

* JSTests/stress/regress-109263765.js: Added.
(foo):
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp:
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.cpp:
(JSC::DFG::AtTailAbstractState::createOrClearValueForNode):
(JSC::DFG::AtTailAbstractState::createValueForNode): Deleted.
* Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h:
* Source/JavaScriptCore/dfg/DFGCFAPhase.cpp:
(JSC::DFG::CFAPhase::run):
* Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h:
(JSC::DFG::InPlaceAbstractState::createOrClearValueForNode):
(JSC::DFG::InPlaceAbstractState::createValueForNode): Deleted.
* Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.cpp:
(JSC::DFG::performGraphPackingAndLivenessAnalysis):
(JSC::DFG::performLivenessAnalysis): Deleted.
* Source/JavaScriptCore/dfg/DFGLivenessAnalysisPhase.h:
* Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp:
* Source/JavaScriptCore/dfg/DFGPlan.cpp:
(JSC::DFG::Plan::compileInThreadImpl):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::LowerDFGToB3):
(JSC::FTL::DFG::LowerDFGToB3::compileNode):

Canonical link: https://commits.webkit.org/264281@main

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes