Bug 178934

Summary: [DFG][FTL] Introduce StringSlice
Product: WebKit Reporter: Yusuke Suzuki <ysuzuki>
Component: New BugsAssignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED    
Severity: Normal CC: fpizlo, ggaren, jfbastien, keith_miller, mark.lam, msaboff, ryanhaddad, saam, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch saam: review+

Yusuke Suzuki
Reported 2017-10-27 05:15:37 PDT
[DFG][FTL] Introduce StringSlice
Attachments
Patch (37.52 KB, patch)
2017-10-27 05:24 PDT, Yusuke Suzuki 		saam: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2017-10-27 05:24:28 PDT
Created attachment 325150 [details] Patch
Saam Barati
Comment 2 2017-10-27 10:12:30 PDT
Comment on attachment 325150 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=325150&action=review > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2919 > + if (argumentCountIncludingThis != 2) Nit: even though they’re equivalent in this context, I think > 2 is more intuitive > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4309 > + // end would be nullptr. would => can > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4320 > + LValue startIndex = m_out.select(m_out.greaterThanOrEqual(start, m_out.int32Zero), These two boundary selections are equivalent if parameterized on start/end. Might be worth making a lambda
Saam Barati
Comment 3 2017-10-27 10:48:16 PDT
Comment on attachment 325150 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=325150&action=review > Source/JavaScriptCore/ChangeLog:13 > + 1. Empty string generation is accelerated. It is fully executed inlinely. inlinely =>inline
Yusuke Suzuki
Comment 4 2017-11-01 06:23:03 PDT
Comment on attachment 325150 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=325150&action=review Thanks! >> Source/JavaScriptCore/ChangeLog:13 >> + 1. Empty string generation is accelerated. It is fully executed inlinely. > > inlinely =>inline Fixed. >> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2919 >> + if (argumentCountIncludingThis != 2) > > Nit: even though they’re equivalent in this context, I think > 2 is more intuitive Changed. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4309 >> + // end would be nullptr. > > would => can Fixed. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:4320 >> + LValue startIndex = m_out.select(m_out.greaterThanOrEqual(start, m_out.int32Zero), > > These two boundary selections are equivalent if parameterized on start/end. Might be worth making a lambda Yeah, nice. Fixed.
Yusuke Suzuki
Comment 5 2017-11-01 06:25:39 PDT
Committed r224276: <https://trac.webkit.org/changeset/224276>
Ryan Haddad
Comment 6 2017-11-01 11:46:46 PDT
This change introduced an assertion failure with LayoutTest inspector/formatting/formatting-javascript.html: https://build.webkit.org/results/Apple%20El%20Capitan%20Debug%20WK1%20(Tests)/r224277%20(4602)/results.html ASSERTION FAILED: graph.m_plan.weakReferences.contains(cell) ./ftl/FTLOutput.h(112) : LValue JSC::FTL::Output::weakPointer(DFG::Graph &, JSC::JSCell *) 1 0x10f31c9f0 WTFCrash 2 0x10e9abd12 JSC::FTL::Output::weakPointer(JSC::DFG::Graph&, JSC::JSCell*) 3 0x10e9288e9 JSC::FTL::(anonymous namespace)::LowerDFGToB3::compileStringSlice() 4 0x10e8ece68 JSC::FTL::(anonymous namespace)::LowerDFGToB3::compileNode(unsigned int) 5 0x10e8e7bf0 JSC::FTL::(anonymous namespace)::LowerDFGToB3::compileBlock(JSC::DFG::BasicBlock*) 6 0x10e8e3a56 JSC::FTL::(anonymous namespace)::LowerDFGToB3::lower() 7 0x10e8e274e JSC::FTL::lowerDFGToB3(JSC::FTL::State&) 8 0x10e728b37 JSC::DFG::Plan::compileInThreadImpl() 9 0x10e72367d JSC::DFG::Plan::compileInThread(JSC::DFG::ThreadData*) 10 0x10e8b755e JSC::DFG::Worklist::ThreadBody::work() 11 0x10f32a3fe WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const 12 0x10f32a0dc WTF::Function<void ()>::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0>::call() 13 0x10f35a8fe WTF::Function<void ()>::operator()() const 14 0x10f3a96ea WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) 15 0x10f3af0d5 WTF::wtfThreadEntryPoint(void*) 16 0x7fff8536b99d _pthread_body 17 0x7fff8536b91a _pthread_body 18 0x7fff85369351 thread_start The same assertion is also seen with 121 tests on the Debug JSC bot: https://build.webkit.org/builders/Apple%20El%20Capitan%20Debug%20JSC%20%28Tests%29/builds/1479
Yusuke Suzuki
Comment 7 2017-11-01 11:55:14 PDT
Committed r224285: <https://trac.webkit.org/changeset/224285>
Saam Barati
Comment 8 2017-11-01 13:01:31 PDT
(In reply to Yusuke Suzuki from comment #7) > Committed r224285: <https://trac.webkit.org/changeset/224285> Maybe it’s worth making FTLOutput’s weakPointer private and just friend lower’s weakPointer? Or maybe we can use naming to help prevent this mistake in the future in a case where it actually matters.
Yusuke Suzuki
Comment 9 2017-11-08 06:11:37 PST
(In reply to Saam Barati from comment #8) > (In reply to Yusuke Suzuki from comment #7) > > Committed r224285: <https://trac.webkit.org/changeset/224285> > > Maybe it’s worth making FTLOutput’s weakPointer private and just friend > lower’s weakPointer? Or maybe we can use naming to help prevent this mistake > in the future in a case where it actually matters. It sound nice. I'll open a bug for that.
Radar WebKit Bug Importer
Comment 10 2017-11-15 12:36:31 PST
<rdar://problem/35567861>
Note You need to log in before you can comment on or make changes to this bug.