Bug 154844

Summary: [DFG] Drop comparison based on speculative types and constants
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: JavaScriptCoreAssignee: Yusuke Suzuki <ysuzuki>
Status: NEW    
Severity: Normal    
Priority: P2    
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 153738    
Attachments:
Description Flags
Patch
none
Patch none

Yusuke Suzuki
Reported 2016-02-29 20:04:27 PST
For example, if (Int32Speculated < 0x1FFFFFFFFFFFFF) return Int32Speculated; return 0x1FFFFFFFFFFFFF; Since 0x1FFFFFFFFFFFFF is out of range of Int32, if the Int32Speculated is ensured that is Int32 (by edge filtering), this condition should be dropped. And it should be considered as follows in DFG. return Int32Speculated; This case actually happens in @toLength builtin function. We cap length values with 0x1FFFFFFFFFFFFF. Currently, since 0x1FFFFFFFFFFFFF is double represented value, the result of @toLength is speculated as double. It leads using double for iteration condition in Array.prototype.{forEach...}
Attachments
Patch (21.90 KB, patch)
2016-03-18 01:46 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (23.50 KB, patch)
2016-04-14 21:59 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2016-03-18 01:46:24 PDT
Created attachment 274395 [details] Patch WIP: super super initial conceptual one. This fixes speculation of the returned value of @toLength (this was polluted due to branch). The patch is not cleaned up / generalized yet. But octane TypeScript bench shows stable 1.2% ~ improvements. And array-prototype-xxx regress tests show slight improvements. But array-prototype-reduceRight shows 42% improvement.
Yusuke Suzuki
Comment 2 2016-03-18 01:53:00 PDT
Of course, this patch still lacks a lot of careful treatments for doubles. (NaN, Infinity etc.).
Yusuke Suzuki
Comment 3 2016-03-18 02:14:24 PDT
Ideally, we would like to perform this folding in constant folding phase. But it's too late because Double polluted results are already propagated at that time.
Yusuke Suzuki
Comment 4 2016-04-14 21:59:30 PDT
Created attachment 276459 [details] Patch WIP, it shows 5-7% (And 67% for array-prototype-reduceRight) perf win for array-prototype-xxx
Note You need to log in before you can comment on or make changes to this bug.