Bug 153379

Summary: We should OSR exit with Int52Overflow when we fail to make an Int52 where we expect one.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: benjamin, fpizlo, ggaren, keith_miller, msaboff, saam
Priority: P2    
Version: WebKit Local Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 153019    
Attachments:
Description Flags
proposed patch.
fpizlo: review+
x86_64 benchmark result. none

Mark Lam
Reported 2016-01-22 15:16:28 PST
In DFG::Graph::addShouldSpeculateMachineInt(), we check !hasExitSite(add, Int52Overflow) when determining whether it's ok to speculate that an operand is of type Int52 or not. However, the Int52Rep code that converts a double to Int52 will OSR exit with exit kind BadType instead. This renders the hasExitSite() check in addShouldSpeculateMachineInt() useless. This patch fixes this by changing Int52Rep to OSR exit with exit kind Int52Overflow instead when it fails to convert a double to an Int52.
Attachments
proposed patch. (8.16 KB, patch)
2016-01-22 15:21 PST, Mark Lam 		fpizlo: review+
DetailsFormatted DiffDiff
x86_64 benchmark result. (65.31 KB, text/plain)
2016-01-22 15:23 PST, Mark Lam 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Mark Lam
Comment 1 2016-01-22 15:21:10 PST
Created attachment 269617 [details] proposed patch.
Mark Lam
Comment 2 2016-01-22 15:23:33 PST
Created attachment 269619 [details] x86_64 benchmark result. Perf is neutral so far with this patch. None of the "definitely"s are consistently repeatable on retries. Though perf is neutral in ToT, this will fix a bug that causes a perf regression in LongSpider crypto-aes when the patch for https://bugs.webkit.org/show_bug.cgi?id=153019 lands.
Filip Pizlo
Comment 3 2016-01-22 15:27:26 PST
Comment on attachment 269617 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=269617&action=review > Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:2217 > - DFG_TYPE_CHECK( > + DFG_TYPE_CHECK_WITH_EXIT_KIND(Int52Overflow, > JSValueRegs(), node->child1(), SpecInt52AsDouble, > m_jit.branch64( > JITCompiler::Equal, resultGPR, Yuck! But I get it.
Mark Lam
Comment 4 2016-01-22 15:30:56 PST
Thanks for the review. Landed in r195488: <http://trac.webkit.org/r195488>.
Note You need to log in before you can comment on or make changes to this bug.