Bug 20356

Summary: Dynamic function/type specialisation
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED WORKSFORME    
Severity: Normal CC: barraclough, ggaren, mjs, oliver, sam, zwarich
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Attachments:
Description Flags
initial specialisation patch
none
quality test case none

Oliver Hunt
Reported 2008-08-11 21:50:36 PDT
Dynamically specialising code for hot builtin functions should be a win.
Attachments
initial specialisation patch (101.71 KB, patch)
2008-08-11 21:56 PDT, Oliver Hunt 		no flags
DetailsFormatted DiffDiff
quality test case (2.18 KB, text/plain)
2008-08-12 01:34 PDT, Oliver Hunt 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Oliver Hunt
Comment 1 2008-08-11 21:56:16 PDT
Created attachment 22741 [details] initial specialisation patch Here's an initial version of this patch. Current problems: * I'm fairly sure it's not gc-safe (it stores the JSFunction* for functions it specialises in the opcode stream, which could be gc'd, then that address could be reallocated with a different object which could in certain circumstances result in badness) * It's not 64bit safe -- it stores the JSFunction* in a single operand in te intstruction stream. * Some of the code is heonously ugly, especially the bits where functions specialise themselves.
Oliver Hunt
Comment 2 2008-08-11 22:27:21 PDT
This code will trigger a failure in commandline jsc: g=Math.sqrt; function f(){return g(4);}; Math.sqrt=null; f(); f(); f(); gc(); for (var i = 0; i < 10000; i++) { g=new Function("", "return 3;"); if (f() == 2) { throw "Failed"; } }
Oliver Hunt
Comment 3 2008-08-12 01:34:44 PDT
Created attachment 22743 [details] quality test case
Gavin Barraclough
Comment 4 2012-03-07 00:06:41 PST
We do lots of function & type specialization now; this bug is archaic.
Note You need to log in before you can comment on or make changes to this bug.