Bug 133660

Summary:

[ftlopt] Call and Construct DFG nodes aren't always safe to execute

Product:

WebKit

Reporter:

Matthew Mirman <mmirman>

Component:

JavaScriptCore

Assignee:

Matthew Mirman <mmirman>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

fpizlo, ggaren, mmirman, ossy

Priority:

Version:

528+ (Nightly build)

Hardware:

All

OS:

All

Attachments:

Description	Flags
Split Call and Construct DFG nodes into NativeCall and NativeConstruct	fpizlo: review+
Split Call and Construct DFG nodes into NativeCall and NativeConstruct	fpizlo: review-, fpizlo: commit-queue-
Split Call and Construct DFG nodes into NativeCall and NativeConstruct	fpizlo: review+

Matthew Mirman

Reported 2014-06-09 15:15:52 PDT

Also needs native calling without patchpoints when not inlining in the ftl.

Attachments
Split Call and Construct DFG nodes into NativeCall and NativeConstruct (19.58 KB, patch) 2014-06-09 15:22 PDT, Matthew Mirman	fpizlo: review+	Details Formatted Diff Diff
Split Call and Construct DFG nodes into NativeCall and NativeConstruct (19.71 KB, patch) 2014-06-11 11:49 PDT, Matthew Mirman	fpizlo: review- fpizlo: commit-queue-	Details Formatted Diff Diff
Split Call and Construct DFG nodes into NativeCall and NativeConstruct (19.90 KB, patch) 2014-06-11 15:45 PDT, Matthew Mirman	fpizlo: review+	Details Formatted Diff Diff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.

Matthew Mirman

Comment 1 2014-06-09 15:22:29 PDT

Created attachment 232738 [details] Split Call and Construct DFG nodes into NativeCall and NativeConstruct Ran webkit tests without new or relevant failures. Should also increase the speed a bit by removing patch-points for calls which are speculated to be native by the DFG.

Filip Pizlo

Comment 2 2014-06-09 21:27:35 PDT

Nice! I will land this shortly...

Filip Pizlo

Comment 3 2014-06-10 18:20:09 PDT

Sorry it's taking so long to land - I got some test failures, but I think they were spurious, so I'm rerunning...

Filip Pizlo

Comment 4 2014-06-10 18:52:42 PDT

Landed in http://trac.webkit.org/changeset/169786

Filip Pizlo

Comment 5 2014-06-10 21:30:21 PDT

Lol, this broke 32-bit. I'll roll it out.

Filip Pizlo

Comment 6 2014-06-10 21:32:04 PDT

Rolled out in http://trac.webkit.org/changeset/169793

Filip Pizlo

Comment 7 2014-06-10 21:32:32 PDT

Comment on attachment 232738 [details] Split Call and Construct DFG nodes into NativeCall and NativeConstruct This is obsolete - this patch was landed but then rolled out because it broke internal run-javascriptcore-tests --32-bit.

Csaba Osztrogonác

Comment 8 2014-06-10 23:57:59 PDT

and it made layout tests crash too on public Apple Mac bots: - http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/6543 - http://build.webkit.org/builders/Apple%20Mavericks%20Debug%20WK1%20%28Tests%29/builds/5806

Filip Pizlo

Comment 9 2014-06-11 00:01:35 PDT

(In reply to comment #8) > and it made layout tests crash too on public Apple Mac bots: > - http://build.webkit.org/builders/Apple%20Mavericks%20Release%20WK1%20%28Tests%29/builds/6543 > - http://build.webkit.org/builders/Apple%20Mavericks%20Debug%20WK1%20%28Tests%29/builds/5806 That would be amazing since this was landed on a branch.

Csaba Osztrogonác

Comment 10 2014-06-11 00:03:56 PDT

(In reply to comment #9) > That would be amazing since this was landed on a branch. Good point. :) Sorry, I commented wrong bug report.

Matthew Mirman

Comment 11 2014-06-11 11:49:54 PDT

Created attachment 232879 [details] Split Call and Construct DFG nodes into NativeCall and NativeConstruct Passed jsc tests on 32 bit and 64 bit. Should be applied after https://bug-133718-attachments.webkit.org/attachment.cgi?id=232878

Filip Pizlo

Comment 12 2014-06-11 13:00:43 PDT

Comment on attachment 232879 [details] Split Call and Construct DFG nodes into NativeCall and NativeConstruct View in context: https://bugs.webkit.org/attachment.cgi?id=232879&action=review > Source/JavaScriptCore/dfg/DFGSafeToExecute.h:261 > + return false; // TODO: add a check for already checked. Can you file a bugzilla bug for this and reference it here? > Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:644 > - if (node->op() != Call) > - ASSERT(node->op() == Construct); > + bool isCall = node->op() == Call || node->op() == NativeCall; > + if (!isCall) > + ASSERT(node->op() == Construct || node->op() == NativeConstruct); Why does this check for NativeCall/NativeConstruct? The DFG backend shouldn't see them. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:4131 > + case NativeCall: > + case NativeConstruct: Seems like these cases should be RELEASE_ASSERT_NOT_REACHED(). > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:631 > - if (node->op() != Call) > - RELEASE_ASSERT(node->op() == Construct); > + > + bool isCall = node->op() == Call || node->op() == NativeCall; > + if (!isCall) > + RELEASE_ASSERT(node->op() == Construct || node->op() == NativeConstruct); Why does this check for NativeCall/NativeConstruct? The DFG backend shouldn't see them. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:4163 > + case NativeCall: > + case NativeConstruct: Seems like these cases should be RELEASE_ASSERT_NOT_REACHED().

Matthew Mirman

Comment 13 2014-06-11 15:45:45 PDT

Created attachment 232917 [details] Split Call and Construct DFG nodes into NativeCall and NativeConstruct

Filip Pizlo

Comment 14 2014-06-11 16:42:04 PDT

Comment on attachment 232917 [details] Split Call and Construct DFG nodes into NativeCall and NativeConstruct Running tests on this now, will land shortly...

Filip Pizlo

Comment 15 2014-06-11 17:25:44 PDT

Landed in http://trac.webkit.org/changeset/169864

Note You need to log in before you can comment on or make changes to this bug.