Bug 170961

Summary: r211670 broke double to int conversion.
Product: WebKit Reporter: Mark Lam <mark.lam>
Component: JavaScriptCoreAssignee: Mark Lam <mark.lam>
Status: RESOLVED FIXED    
Severity: Normal CC: buildbot, fpizlo, jfbastien, keith_miller, msaboff, saam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
proposed patch.
ysuzuki: review+, buildbot: commit-queue-
Archive of layout-test-results from ews112 for mac-elcapitan
none
patch for landing.
none
Patch mark.lam: review+

Mark Lam
Reported 2017-04-18 12:12:45 PDT
This is because operationToInt32SensibleSlow() assumes that left shifts of greater than 31 bits on an 31-bit value will produce a 0. However, the spec says that "if the value of the right operand is negative or is greater or equal to the number of bits in the promoted left operand, the behavior is undefined." See http://en.cppreference.com/w/cpp/language/operator_arithmetic#Bitwise_shift_operators. This patch fixes this by restoring the check to prevent a shift of greater than 31 bits. It also consolidates the optimization in operationToInt32SensibleSlow() back into toInt32() so that we don't have 2 copies of the same code with only a slight variation.
Attachments
proposed patch. (12.82 KB, patch)
2017-04-18 13:09 PDT, Mark Lam 		ysuzuki: review+
buildbot: commit-queue-
DetailsFormatted DiffDiff
Archive of layout-test-results from ews112 for mac-elcapitan (1.92 MB, application/zip)
2017-04-18 15:00 PDT, Build Bot 		no flags
Details
patch for landing. (14.23 KB, patch)
2017-04-18 15:06 PDT, Mark Lam 		no flags
DetailsFormatted DiffDiff
Patch (8.01 KB, patch)
2017-04-19 01:32 PDT, Yusuke Suzuki 		mark.lam: review+
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Radar WebKit Bug Importer
Comment 1 2017-04-18 12:13:41 PDT
<rdar://problem/31687696>
Yusuke Suzuki
Comment 2 2017-04-18 12:28:07 PDT
(In reply to Mark Lam from comment #0) > This is because operationToInt32SensibleSlow() assumes that left shifts of > greater than 31 bits on an 31-bit value will produce a 0. However, the spec > says that "if the value of the right operand is negative or is greater or > equal to the number of bits in the promoted left operand, the behavior is > undefined." See > http://en.cppreference.com/w/cpp/language/ > operator_arithmetic#Bitwise_shift_operators. Oops! Right. > > This patch fixes this by restoring the check to prevent a shift of greater > than 31 bits. Yup, I think adding the following check, if (exp > 83) return 0; will solve. > It also consolidates the optimization in operationToInt32SensibleSlow() back > into toInt32() so that we don't have 2 copies of the same code with only a > slight variation. Hm, my concern is that there is no way to emit cvttss2si_rr like thing in an architecture independent way (like, emitting this semantics operation in ARM64).
Mark Lam
Comment 3 2017-04-18 13:09:13 PDT
Created attachment 307406 [details] proposed patch.
Yusuke Suzuki
Comment 4 2017-04-18 13:39:21 PDT
Comment on attachment 307406 [details] proposed patch. View in context: https://bugs.webkit.org/attachment.cgi?id=307406&action=review r=me if it does not regress DoubleAsInt32. > Source/JavaScriptCore/runtime/MathCommon.h:93 > + if (static_cast<uint32_t>(exp) > 83u) Nice!
Build Bot
Comment 5 2017-04-18 15:00:22 PDT
Comment on attachment 307406 [details] proposed patch. Attachment 307406 [details] did not pass mac-debug-ews (mac): Output: http://webkit-queues.webkit.org/results/3559103 New failing tests: http/tests/inspector/network/resource-sizes-network.html
Build Bot
Comment 6 2017-04-18 15:00:23 PDT
Created attachment 307421 [details] Archive of layout-test-results from ews112 for mac-elcapitan The attached test failures were seen while running run-webkit-tests on the mac-debug-ews. Bot: ews112 Port: mac-elcapitan Platform: Mac OS X 10.11.6
Mark Lam
Comment 7 2017-04-18 15:06:06 PDT
Created attachment 307423 [details] patch for landing. I added a microbenchmark to test that the r211670 progression is not negated. It is not i.e. this patch does not appear to regress performance. Will land shortly.
Mark Lam
Comment 8 2017-04-18 15:34:43 PDT
Thanks for the review. Landed in r215482: <http://trac.webkit.org/r215482>.
Yusuke Suzuki
Comment 9 2017-04-19 00:31:08 PDT
(In reply to Mark Lam from comment #8) > Thanks for the review. Landed in r215482: <http://trac.webkit.org/r215482>. Hmmm, it seems that it causes 5% regression in pbkdf2. https://arewefastyet.com/#machine=29&view=single&suite=kraken&subtest=crypto-pbkdf2 I've just checked out r215482, and compared it with the r215482 + this patch's change version. Benchmark report for Kraken on sakura-trick. VMs tested: "baseline" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/int32sensible/Release/bin/jsc "patched" at /home/yusukesuzuki/dev/WebKit/WebKitBuild/int32sensible2/Release/bin/jsc Collected 30 samples per benchmark/VM, with 30 VM invocations per benchmark. Emitted a call to gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in milliseconds. baseline patched stanford-crypto-pbkdf2 147.383+-4.238 ! 161.362+-5.761 ! definitely 1.0948x slower <arithmetic> 147.383+-4.238 ! 161.362+-5.761 ! definitely 1.0948x slower So, I suggest sharing the implementation by using the template. I'll upload the patch.
Yusuke Suzuki
Comment 10 2017-04-19 01:32:17 PDT
Reopening to attach new patch.
Yusuke Suzuki
Comment 11 2017-04-19 01:32:18 PDT
Created attachment 307472 [details] Patch
Mark Lam
Comment 12 2017-04-19 07:44:31 PDT
Comment on attachment 307472 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=307472&action=review r=me with fixes. > Source/JavaScriptCore/ChangeLog:11 > + and fixes kraken pbkdf2 regression. Can you add "on linux" after "regression" to clarify where this can be observed? > Source/JavaScriptCore/runtime/MathCommon.h:36 > +int32_t JIT_OPERATION operationToInt32SensibleSlow(double) WTF_INTERNAL; You need to revert the DFG and FTL code back to using operationToInt32SensibleSlow() too. > Source/JavaScriptCore/runtime/MathCommon.h:156 > + return bits < 0 ? -static_cast<int32_t>(result) : static_cast<int32_t>(result); Let's make bits uint64_t and only cast it to int64_t here instead for the sign check. This will reduce the amount of casting in this function. It also makes it consistent that we do all our bit manipulation on unsigned bits, and only re-apply the sign at the end.
Yusuke Suzuki
Comment 13 2017-04-19 09:08:01 PDT
Comment on attachment 307472 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=307472&action=review Thanks! >> Source/JavaScriptCore/ChangeLog:11 >> + and fixes kraken pbkdf2 regression. > > Can you add "on linux" after "regression" to clarify where this can be observed? Fixed. >> Source/JavaScriptCore/runtime/MathCommon.h:36 >> +int32_t JIT_OPERATION operationToInt32SensibleSlow(double) WTF_INTERNAL; > > You need to revert the DFG and FTL code back to using operationToInt32SensibleSlow() too. Oops, right. I moved modified version of MathCommon.[h,cpp] from the old revision and forgot to bring the changes in FTL and DFG. >> Source/JavaScriptCore/runtime/MathCommon.h:156 >> + return bits < 0 ? -static_cast<int32_t>(result) : static_cast<int32_t>(result); > > Let's make bits uint64_t and only cast it to int64_t here instead for the sign check. This will reduce the amount of casting in this function. It also makes it consistent that we do all our bit manipulation on unsigned bits, and only re-apply the sign at the end. OK, fixed.
Yusuke Suzuki
Comment 14 2017-04-19 09:50:14 PDT
Committed r215516: <http://trac.webkit.org/changeset/215516>
Yusuke Suzuki
Comment 15 2017-04-19 15:01:55 PDT
OK, perf is recovered. https://arewefastyet.com/#machine=29&view=single&suite=kraken&subtest=crypto-pbkdf2
Note You need to log in before you can comment on or make changes to this bug.