Closed Bug 910240 Opened 11 years ago Closed 11 years ago

IonMonkey: Assert popped values have the Folded flag if needed

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla26

People

(Reporter: jandem, Assigned: jandem)

Details

Attachments

(2 files, 1 obsolete file)

Part 1 - Add missing setFoldedUnchecked calls
2.83 KB, patch
jandem
: review+
Details | Diff | Splinter Review
Part 2 - Assert the flag is set if needed
2.91 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review 
We've had a number of bugs like bug 909505 because IonBuilder is not setting the Folded flag when it has to.

With some debug-only checks, we can catch these immediately in IonBuilder. Doing this caught a number of similar bugs.
With these fixes, the next patch passes jit-tests --ion.
Attachment #796671 - Flags: review?(bhackett1024)
Comment on attachment 796671 [details] [diff] [review]
Part 1 - Add missing setFoldedUnchecked calls

Review of attachment 796671 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with the below changes to not setFoldedUnchecked() for false positives.

::: js/src/jit/IonBuilder.cpp
@@ +1273,5 @@
>          return pushConstant(NullValue());
>  
> +      case JSOP_VOID: {
> +        MDefinition *def = current->pop();
> +        def->setFoldedUnchecked();

I think you should be marking this as a false positive in the subsequent patch.  When JSOP_VOID executes in the interpreter, the value at the top of the stack is overwritten irrespective of its contents.  We should only be setting the folded flag in cases where the MIR graph does not reflect a value dependency which is actually present in the interpreter, aka setting the folded flag has its own cost in terms of potentially hurting regalloc.

@@ +3591,5 @@
>  IonBuilder::jsop_pos()
>  {
>      if (IsNumberType(current->peek(-1)->type())) {
>          // Already int32 or double.
> +        current->peek(-1)->setFoldedUnchecked();

This shouldn't be necessary, the MIR after the operation reflects the dependency on the top of the stack, since the value at the top of the stack is unchanged.

@@ +8716,5 @@
>  IonBuilder::jsop_toid()
>  {
>      // No-op if the index is an integer.
> +    if (current->peek(-1)->type() == MIRType_Int32) {
> +        current->peek(-1)->setFoldedUnchecked();

Same issue here as JSOP_POS.
Attachment #796671 - Flags: review?(bhackett1024) → review+
Agreed about JSOP_VOID, but I think there's a problem with JSOP_POS if you have just this statement:

+foo;

If foo is known-int32, and we bailout, the baseline JIT could instead execute JSOP_POS with an |undefined| operand, no? Not that it matters for correctness in this case, but I think it's a bit weird/undesirable, also for type information (+undefined is NaN).
Flags: needinfo?(bhackett1024)
(In reply to Jan de Mooij [:jandem] from comment #3)
> Agreed about JSOP_VOID, but I think there's a problem with JSOP_POS if you
> have just this statement:
> 
> +foo;
> 
> If foo is known-int32, and we bailout, the baseline JIT could instead
> execute JSOP_POS with an |undefined| operand, no? Not that it matters for
> correctness in this case, but I think it's a bit weird/undesirable, also for
> type information (+undefined is NaN).

Sure, but for the purposes of dead code analysis (which this is essentially a variant of) the goal is only to preserve the observable behavior of a piece of code, not its exact semantics; otherwise you couldn't do DCE at all.  A plain '+foo' statement on a number is dead code, and Ion is free to do what it wants here so long as observable behavior is preserved when OSR'ing to baseline, i.e. no exception or anything is thrown.
Flags: needinfo?(bhackett1024)

        Attachment #796671 -
        Attachment is obsolete: true

        Attachment #796733 -
        Flags: review+

    
    

    
  


  

        Attachment #796736 -
        Flags: review?(bhackett1024)

        Attachment #796736 -
        Flags: review?(bhackett1024) → review+

    
    

    
  
Can we rename it, this flag to its original meaning, which is to capture definitions in resume point to work against jit::EliminateDeadResumePointOperands which eagerly remove stuff which is used during bailouts.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/39a5b258b5c1
https://hg.mozilla.org/mozilla-central/rev/67417f81cb92
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla26

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: