Bug 198229

Summary: JITOperations getByVal should mark negative array indices as out-of-bounds
Product: WebKit Reporter: Tadeu Zagallo <tzagallo>
Component: JavaScriptCoreAssignee: Tadeu Zagallo <tzagallo>
Status: RESOLVED FIXED    
Severity: Normal CC: commit-queue, ews-watchlist, fpizlo, keith_miller, mark.lam, msaboff, rmorisset, saam, webkit-bug-importer, ysuzuki
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch for landing none

Description Tadeu Zagallo 2019-05-24 13:39:37 PDT 
...
Comment 1 Tadeu Zagallo 2019-05-24 13:59:44 PDT 
Created attachment 370586 [details]
Patch
Comment 2 Saam Barati 2019-05-24 15:35:51 PDT 
Comment on attachment 370586 [details]
Patch

Nice. r=me
Comment 3 Saam Barati 2019-05-24 15:36:22 PDT 
Comment on attachment 370586 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=370586&action=review

> Source/JavaScriptCore/ChangeLog:10
> +        but baseline doesn't mark it as out-of-bounds, since it only considers positive indices. This
> +        leads to discarding DFG code, recompiling it and exiting at the same bytecode.

Can you quote where in JS2 you found this w/ the expected speedup?
Comment 4 Tadeu Zagallo 2019-05-25 00:55:56 PDT 
Created attachment 370630 [details]
Patch for landing
Comment 5 Tadeu Zagallo 2019-05-25 01:01:05 PDT 
I think I might have messed up the measurements, let me double-check it before landing.
Comment 6 WebKit Commit Bot 2019-05-25 02:25:31 PDT 
Comment on attachment 370630 [details]
Patch for landing

Clearing flags on attachment: 370630

Committed r245769: <https://trac.webkit.org/changeset/245769>
Comment 7 WebKit Commit Bot 2019-05-25 02:25:33 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 8 Radar WebKit Bug Importer 2019-05-25 02:26:18 PDT 
<rdar://problem/51134153>
Comment 9 Saam Barati 2019-05-25 07:50:47 PDT 
(In reply to Tadeu Zagallo from comment #5)
> I think I might have messed up the measurements, let me double-check it
> before landing.

I was interested in how much faster the individual test gets. IIRC, on IRC, you said something like 5%-10%. I wouldn’t expect 5% on an individual test to show up as a measurable overall progression. When I make changes like this, I like to quote the impact on both the individual JS2 test and on the microbenchmark
Comment 10 Tadeu Zagallo 2019-05-25 09:28:06 PDT 
(In reply to Saam Barati from comment #9)
> (In reply to Tadeu Zagallo from comment #5)
> > I think I might have messed up the measurements, let me double-check it
> > before landing.
> 
> I was interested in how much faster the individual test gets. IIRC, on IRC,
> you said something like 5%-10%. I wouldn’t expect 5% on an individual test
> to show up as a measurable overall progression. When I make changes like
> this, I like to quote the impact on both the individual JS2 test and on the
> microbenchmark

Oops, my bad, will keep that in mind going forward. FWIW, it looks like a ~10% progression in prepack-wtb (which I'm a bit skeptical of, since the function wasn't that hot) and the microbenchmark is ~4% faster, but is within the noise (maybe it wasn't a great microbenchmark after all...)
Comment 11 Yusuke Suzuki 2019-05-25 20:47:49 PDT 
Nice! Seems that on iOS devices it gets 1-3% improvement in JetStream2/uglify-js-wtb