IonMonkey: remove Phi nodes with only one operand




JavaScript Engine
5 years ago


(Reporter: h4writer, Unassigned)


Firefox Tracking Flags

(Not tracked)



(2 attachments)



5 years ago
When looking at pdfjs.js, I saw we can create a phi node with only 1 operand. I don't know yet when this happens, but this shouldn't happen! This disables some optimizations and can be replaced by that one operand...


5 years ago
Blocks: 872020

Comment 1

5 years ago
Created attachment 749594
Graph at UCEMidPoint for the DecodeStream_skip function

Comment 2

5 years ago
Created attachment 749595
Graph at UCE for the DecodeStream_skip function

Comment 3

5 years ago
When analyzing the ion.cfg spew file produced for pdfjs.js, it looks like the only pass producing this kind of instruction is Unreachable Code Elimination. They appear in the graphs produced for the scripts declared at lines 733, 2685, 2823, 14472, 16361, 16484, 17321, 26321, 26758, 27402, and 27687 of pdfjs.js.

The smallest case for pdfjs is the function DecodeStream_skip, at line 27402 (graphs for UCEMidPoint and UCE attached):
skip: function DecodeStream_skip(n) {
    if (!n)
        n = 1;
    this.pos += n;
}

Though phis with single operands are produced, they are eliminated right away, before UCE finishes. It looks like no other optimization is executed between their production and elimination, so they may not represent a problem. Have you seen any other situations where instructions like these can be produced? Another question: why do we have two spew passes for UCE?

Comment 4

5 years ago
Oh, the issue observed is during ionbuilder. So when we are building the graph from the bytecode.
I assume it is related to restartloop where a phi is introduced but after restarting it isn't needed anymore.

As for UCE, the first spew shows purely the reachable code eliminated. The second spew shows the final state when everything is rectified. I.e. dominator tree is rerun, phis are eliminated and alias analysis. So I wasn't referring to this issue that can occur during UCE midpoint. That's normal and rectified before UCE ends.

Comment 5

5 years ago
This is when we are going over the loop. The values are put in a phi, but the extra operands aren't added yet. (happens at the end of the loop)
Last Resolved: 5 years ago
Resolution: --- → INVALID
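
The situation described in Comment 5, as an added example that is not part of the original bug and not IonMonkey code: a toy SSA model in which a loop-header phi holds a single operand until the back edge is processed, and a check that only replaces a phi once it is complete. All class and function names are hypothetical, and the loop is constructed for illustration.

```javascript
// Toy SSA model. All names are hypothetical; this is not IonMonkey's API.
class Phi {
  constructor(name) { this.name = name; this.operands = []; this.sealed = false; }
}
const value = (op, ...args) => ({ op, args });

// Loop header: every live variable gets a phi that so far holds only the
// value flowing in from the loop entry. The back-edge value is unknown.
function openLoopHeader(entryEnv) {
  const phis = {};
  for (const [name, v] of Object.entries(entryEnv)) {
    phis[name] = new Phi(name);
    phis[name].operands.push(v);
  }
  return phis;
}

// End of the loop body: add the back-edge operand and mark the phi complete.
function closeLoop(phis, bodyEnv) {
  for (const [name, phi] of Object.entries(phis)) {
    phi.operands.push(bodyEnv[name]);
    phi.sealed = true;
  }
}

// A phi may be replaced only once it is complete and every operand is either
// one single value or the phi itself; an open phi must be left alone.
function resolve(phi) {
  if (!phi.sealed) return phi;
  const distinct = new Set(phi.operands.filter((op) => op !== phi));
  return distinct.size === 1 ? [...distinct][0] : phi;
}

// Constructed input: for (i = 0; i < n; i++) sum += x;
function demo() {
  const entry = { i: value("const", 0), sum: value("const", 0), x: value("param", "x") };
  const phis = openLoopHeader(entry);
  const midBuild = Object.values(phis).map((p) => p.operands.length);
  const openResolvesToSelf = resolve(phis.x) === phis.x;
  closeLoop(phis, {
    i: value("add", phis.i, value("const", 1)),
    sum: value("add", phis.sum, phis.x),
    x: phis.x, // loop-invariant: the back edge carries the phi itself
  });
  return { midBuild, openResolvesToSelf, entry, phis };
}
```
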