Closed Bug 789420 Opened 13 years ago Closed 13 years ago

IonMonkey: Incorrectly optimizing bitwise ops

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla18

People

(Reporter: jandem, Assigned: jandem)

Details

(Whiteboard: [ion:p1:fx18])

Attachments

(1 file)

Patch
7.44 KB, patch
dvander
: review+
Details | Diff | Splinter Review
The 2 testcases below fail on revision d16c4404e8c4 with --ion-eager or --no-jm. (1) Folding 0 & x to 0 no longer calls the valueOf method (DCE eliminates the TruncateToInt32 instruction): function g(x, y) { return 0 & y; } var c = 0; function f() { for (var i=0; i<100; i++) { g(i, i); g(i, {valueOf: function() { c++; return 0.1; }}); } } f(); assertEq(c, 100); (2) Unused bitop + TruncateToInt32 is eliminated: function g(x, y) { 333 | y; } var c = 0; function f() { for (var i=0; i<100; i++) { g(i, i); g(i, {valueOf: function() { c++; return 0.1; }}); } } f(); assertEq(c, 100);
Attached patch PatchSplinter Review
Don't use int32 specialization if an operand may be an object.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #659193 - Flags: review?(dvander)
Attachment #659193 - Flags: review?(dvander) → review+
This bug is a little concerning because it feels like we're actually missing a guard or something. It's unusual that we'd have to check whether something is "maybe an object". Maybe the real problem is that TruncateToInt32 is implicitly guarding but it's not a guard. Or that it has no type policy so it never inserts an unbox or anything. (Maybe this is why CS doesn't do DCE.)
No longer blocks: IonFuzz
Whiteboard: [ion:p1:fx18]
(In reply to David Anderson [:dvander] from comment #2) > This bug is a little concerning because it feels like we're actually missing > a guard or something. It's unusual that we'd have to check whether something > is "maybe an object". "maybe an object" is just "definitely primitive", and imho that's not very different from the "definitely int32 or definitely double" etc checks we do elsewhere. > > Maybe the real problem is that TruncateToInt32 is implicitly guarding but > it's not a guard. Or that it has no type policy so it never inserts an unbox > or anything. Yeah I thought about this too. An advantage of my approach is that it doesn't require marking instructions as guard and it can handle objects without bailing out. I don't have a very strong opinion on this though, let me know what you prefer.
https://hg.mozilla.org/mozilla-central/rev/c1128d7e03ec
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: