Bug 113656

Summary: fourthTier: FTL JIT should supply TBAA meta-data to LLVM
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: andersca, barraclough, ggaren, mark.lam, mhahnenberg, msaboff, oliver, sam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 112840    
Attachments:
Description Flags
work in progress
none
the patch oliver: review+

Description Filip Pizlo 2013-03-31 01:02:27 PDT
We should get this right early, so that we don't have a bad time trying to put it in later.
Comment 1 Filip Pizlo 2013-03-31 01:03:35 PDT
Created attachment 195889 [details]
work in progress
Comment 2 Filip Pizlo 2013-03-31 11:37:39 PDT
Created attachment 195900 [details]
the patch
Comment 3 Oliver Hunt 2013-03-31 12:43:24 PDT
Comment on attachment 195900 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=195900&action=review

> Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:117
> +        

static const char* negSplit = "_neg_";

> Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:118
> +        size_t stringLength = m_heapNameLength + (negative ? 5 : 1) + numHexlets;

negative ? sizeof(negSplit) : 1

> Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:124
> +            memcpy(characters + m_heapNameLength, "_neg_", 5);

memcpy(characters + m_heapNameLength, negSplit, sizeof(negSplit))

feel free to choose a better name than negsplit though :D

> Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:130
> +            characters[stringLength - i - 1] = ("0123456789ABCDEF")[accumulator & 0xF];

Slightly concerned about this leaking address space layout info, but this would be trivial to fix if it were a problem, and i'm not sure if it is a problem without some bug already being present.
Comment 4 Filip Pizlo 2013-03-31 12:48:47 PDT
(In reply to comment #3)
> (From update of attachment 195900 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=195900&action=review
> 
> > Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:117
> > +        
> 
> static const char* negSplit = "_neg_";

Will do this and all of those other things.  Can't think of a better name than negSplit so I'll use that.

> 
> > Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:118
> > +        size_t stringLength = m_heapNameLength + (negative ? 5 : 1) + numHexlets;
> 
> negative ? sizeof(negSplit) : 1
> 
> > Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:124
> > +            memcpy(characters + m_heapNameLength, "_neg_", 5);
> 
> memcpy(characters + m_heapNameLength, negSplit, sizeof(negSplit))
> 
> feel free to choose a better name than negsplit though :D
> 
> > Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:130
> > +            characters[stringLength - i - 1] = ("0123456789ABCDEF")[accumulator & 0xF];
> 
> Slightly concerned about this leaking address space layout info, but this would be trivial to fix if it were a problem, and i'm not sure if it is a problem without some bug already being present.

Interesting point.  My thinking is that pointers to globals can already be accessed through other means.  I think of this nasty code as being, from an information flow standpoint, just like saying:

class MyAwesomeClass {
     MyAwesomeClass(void* foo) : m_foo(foo) { }
    void* m_foo;
}

new MyAwesomeClass(addressOfGlobal(blah))

We do analogous equivalents to MyAwesomeClass all over the place in the compiler already.  DFG::Node is an example of an awesome class that has a pointer to globals for GetGlobalVar and PutGlobalVar...
Comment 5 Filip Pizlo 2013-03-31 16:27:19 PDT
Landed in http://trac.webkit.org/changeset/147292
Comment 6 Sam Weinig 2013-03-31 19:53:08 PDT
Comment on attachment 195900 [details]
the patch

View in context: https://bugs.webkit.org/attachment.cgi?id=195900&action=review

> Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:113
> +        // The crazy way of testing of index >= 2 ** power
> +        // (where I use ** to denote pow()).
> +        if ((index >> 1) >> (power - 1))

This seems like it would prefer to be in a helper function.

>> Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:130
>> +            characters[stringLength - i - 1] = ("0123456789ABCDEF")[accumulator & 0xF];
> 
> Slightly concerned about this leaking address space layout info, but this would be trivial to fix if it were a problem, and i'm not sure if it is a problem without some bug already being present.

There is toASCIIHexValue that you could use here.

> Source/JavaScriptCore/ftl/FTLAbstractHeap.h:29
> +#include <wtf/Platform.h>

You shouldn't have to include this.

> Source/JavaScriptCore/ftl/FTLAbstractHeap.h:169
> +    struct MyHashTraits : WTF::GenericHashTraits<ptrdiff_t> {

This is not the best name in the world.

> Source/JavaScriptCore/ftl/FTLAbstractHeap.h:216
> +private:
> +    
> +    // The trick here is that the indexed heap is "indexed" by a pointer-width

Extra newline.

> Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:95
> +    unsigned m_tbaaKind;
> +    
> +};

Extra newline.
Comment 7 Filip Pizlo 2013-03-31 21:21:49 PDT
(In reply to comment #6)
> (From update of attachment 195900 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=195900&action=review
> 
> > Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:113
> > +        // The crazy way of testing of index >= 2 ** power
> > +        // (where I use ** to denote pow()).
> > +        if ((index >> 1) >> (power - 1))
> 
> This seems like it would prefer to be in a helper function.

Well, sort of; this relies on power never being 0.  I'll add WTF::isGreaterThanNonZeroPowerOfTwo().

> 
> >> Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:130
> >> +            characters[stringLength - i - 1] = ("0123456789ABCDEF")[accumulator & 0xF];
> > 
> > Slightly concerned about this leaking address space layout info, but this would be trivial to fix if it were a problem, and i'm not sure if it is a problem without some bug already being present.
> 
> There is toASCIIHexValue that you could use here.

Will do.

> 
> > Source/JavaScriptCore/ftl/FTLAbstractHeap.h:29
> > +#include <wtf/Platform.h>
> 
> You shouldn't have to include this.

OK.  Stay tuned for a big patch to remove those.  This is a pattern we used in the DFG.

> 
> > Source/JavaScriptCore/ftl/FTLAbstractHeap.h:169
> > +    struct MyHashTraits : WTF::GenericHashTraits<ptrdiff_t> {
> 
> This is not the best name in the world.

Will rename to WithoutZeroOrOneHashTraits.

> 
> > Source/JavaScriptCore/ftl/FTLAbstractHeap.h:216
> > +private:
> > +    
> > +    // The trick here is that the indexed heap is "indexed" by a pointer-width
> 
> Extra newline.

OK.

> 
> > Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:95
> > +    unsigned m_tbaaKind;
> > +    
> > +};
> 
> Extra newline.

OK.
Comment 8 Filip Pizlo 2013-03-31 21:32:31 PDT
(In reply to comment #7)
> (In reply to comment #6)
> > (From update of attachment 195900 [details] [details])
> > View in context: https://bugs.webkit.org/attachment.cgi?id=195900&action=review
> > 
> > > Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:113
> > > +        // The crazy way of testing of index >= 2 ** power
> > > +        // (where I use ** to denote pow()).
> > > +        if ((index >> 1) >> (power - 1))
> > 
> > This seems like it would prefer to be in a helper function.
> 
> Well, sort of; this relies on power never being 0.  I'll add WTF::isGreaterThanNonZeroPowerOfTwo().
> 
> > 
> > >> Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:130
> > >> +            characters[stringLength - i - 1] = ("0123456789ABCDEF")[accumulator & 0xF];
> > > 
> > > Slightly concerned about this leaking address space layout info, but this would be trivial to fix if it were a problem, and i'm not sure if it is a problem without some bug already being present.
> > 
> > There is toASCIIHexValue that you could use here.
> 
> Will do.
> 
> > 
> > > Source/JavaScriptCore/ftl/FTLAbstractHeap.h:29
> > > +#include <wtf/Platform.h>
> > 
> > You shouldn't have to include this.
> 
> OK.  Stay tuned for a big patch to remove those.  This is a pattern we used in the DFG.
> 
> > 
> > > Source/JavaScriptCore/ftl/FTLAbstractHeap.h:169
> > > +    struct MyHashTraits : WTF::GenericHashTraits<ptrdiff_t> {
> > 
> > This is not the best name in the world.
> 
> Will rename to WithoutZeroOrOneHashTraits.
> 
> > 
> > > Source/JavaScriptCore/ftl/FTLAbstractHeap.h:216
> > > +private:
> > > +    
> > > +    // The trick here is that the indexed heap is "indexed" by a pointer-width
> > 
> > Extra newline.
> 
> OK.
> 
> > 
> > > Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:95
> > > +    unsigned m_tbaaKind;
> > > +    
> > > +};
> > 
> > Extra newline.
> 
> OK.

Landed everything except the #include <wtf/Platform.h> thingy in http://trac.webkit.org/changeset/147299
Comment 9 Filip Pizlo 2013-03-31 21:33:45 PDT
(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > (From update of attachment 195900 [details] [details] [details])
> > > View in context: https://bugs.webkit.org/attachment.cgi?id=195900&action=review
> > > 
> > > > Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:113
> > > > +        // The crazy way of testing of index >= 2 ** power
> > > > +        // (where I use ** to denote pow()).
> > > > +        if ((index >> 1) >> (power - 1))
> > > 
> > > This seems like it would prefer to be in a helper function.
> > 
> > Well, sort of; this relies on power never being 0.  I'll add WTF::isGreaterThanNonZeroPowerOfTwo().
> > 
> > > 
> > > >> Source/JavaScriptCore/ftl/FTLAbstractHeap.cpp:130
> > > >> +            characters[stringLength - i - 1] = ("0123456789ABCDEF")[accumulator & 0xF];
> > > > 
> > > > Slightly concerned about this leaking address space layout info, but this would be trivial to fix if it were a problem, and i'm not sure if it is a problem without some bug already being present.
> > > 
> > > There is toASCIIHexValue that you could use here.
> > 
> > Will do.
> > 
> > > 
> > > > Source/JavaScriptCore/ftl/FTLAbstractHeap.h:29
> > > > +#include <wtf/Platform.h>
> > > 
> > > You shouldn't have to include this.
> > 
> > OK.  Stay tuned for a big patch to remove those.  This is a pattern we used in the DFG.
> > 
> > > 
> > > > Source/JavaScriptCore/ftl/FTLAbstractHeap.h:169
> > > > +    struct MyHashTraits : WTF::GenericHashTraits<ptrdiff_t> {
> > > 
> > > This is not the best name in the world.
> > 
> > Will rename to WithoutZeroOrOneHashTraits.
> > 
> > > 
> > > > Source/JavaScriptCore/ftl/FTLAbstractHeap.h:216
> > > > +private:
> > > > +    
> > > > +    // The trick here is that the indexed heap is "indexed" by a pointer-width
> > > 
> > > Extra newline.
> > 
> > OK.
> > 
> > > 
> > > > Source/JavaScriptCore/ftl/FTLAbstractHeapRepository.h:95
> > > > +    unsigned m_tbaaKind;
> > > > +    
> > > > +};
> > > 
> > > Extra newline.
> > 
> > OK.
> 
> Landed everything except the #include <wtf/Platform.h> thingy in http://trac.webkit.org/changeset/147299

And really landed in http://trac.webkit.org/changeset/147300