| Field | Value |
|---|---|
| Summary: | DFG::PutStackSinkingPhase inserts PutStack with wrong value from ssaCalculator.reachingDefAtHead |
| Product: | WebKit |
| Reporter: | YuHao Hu <q602706150> |
| Component: | JavaScriptCore |
| Assignee: | David Degazio <d_degazio> |
| Status: | RESOLVED FIXED |
| Severity: | Normal |
| CC: | webkit-bug-importer |
| Priority: | P2 |
| Keywords: | InRadar |
| Version: | WebKit Local Build |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Attachments: | poc with wrong result (attachment 466374) |
Pull request: https://github.com/WebKit/WebKit/pull/15613

Committed 265866@main (8495ff2f3399): <https://commits.webkit.org/265866@main>

Reviewed commits have been landed. Closing PR #15613 and removing active labels.

Created attachment 466374 [details]
poc with wrong result

run with:

```
./WebKitBuild/Debug/bin/jsc --useConcurrentJIT=0 --jitPolicyScale=0.001 test.js
```

`opt` function's IR after PutStack sinking:

```
#0 D@22 : JSConstant(3333)
#6 D@68 : Phi(...)
D@190: MovHint(D@68, arg1)
D@162: PutStack(D@22, arg1)     <-- inserted by PutStackSinkingPhase, which is wrong
D@126: ArithAdd(CheckOverflow)  <-- osr exit here
D@131: Return(D@68)
```

expected output: 1111
actual output: 3333

I think it's because `ssaCalculator.reachingDefAtHead` found the value `3333` from the dominator #0, but not the missing phi (probably around D@68), leading to a misjudgment of the variable reference. When analyzing the `then` branch of the first if statement, `a` is marked as `DeadFlush`, and the `functor` argument of `ssaCalculator.computePhis` (in DFGPutStackSinkingPhase.cpp) returns nullptr. The nullptr prevents subsequent SSA calculation, so the `phi` on the last block is not created.