Bug 226817

Summary: [JSC] Fix incorrect register reuse in 32bit after r278568
Product: WebKit Reporter: Xan Lopez <xan.lopez>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: angelos, ews-watchlist, keith_miller, mark.lam, msaboff, saam, ticaiolima, tzagallo, webkit-bug-importer, xan.lopez
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Fix incorrect register reuse none

Description Xan Lopez 2021-06-09 07:21:51 PDT 
The JSVALUE32_64 branch potentially needs both the tag and payload registers for both left/right nodes, so we cannot reuse any of them for the result since the first thing the code does is set it zero. Just remove the Reuse construction. This was causing extremely long test runs on 32bit.
Comment 1 Xan Lopez 2021-06-09 07:23:45 PDT 
Created attachment 430963 [details]
Fix incorrect register reuse

v1
Comment 2 Angelos Oikonomopoulos 2021-06-09 07:27:59 PDT 
*** Bug 226815 has been marked as a duplicate of this bug. ***
Comment 3 Caio Lima 2021-06-09 07:45:26 PDT 
Comment on attachment 430963 [details]
Fix incorrect register reuse

View in context: https://bugs.webkit.org/attachment.cgi?id=430963&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:7388
> +    GPRTemporary result(this);

Could we try to still reuse it, but then move 0 after `notEqual.link(&m_jit);` on line 7404? I think this would allow us to reuse left and right payload/tag there.
Comment 4 Caio Lima 2021-06-09 07:47:41 PDT 
Comment on attachment 430963 [details]
Fix incorrect register reuse

View in context: https://bugs.webkit.org/attachment.cgi?id=430963&action=review

r=me

>> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:7388
>> +    GPRTemporary result(this);
> 
> Could we try to still reuse it, but then move 0 after `notEqual.link(&m_jit);` on line 7404? I think this would allow us to reuse left and right payload/tag there.

Never mind, this would require another jump for Equals case. Not reusing the tag sounds a better compromise then generating multiple branchs
Comment 5 Caio Lima 2021-06-09 07:51:48 PDT 
Comment on attachment 430963 [details]
Fix incorrect register reuse

32-bits queue is quite long, committing this to make it process patches
Comment 6 Caio Lima 2021-06-09 08:03:15 PDT 
Comment on attachment 430963 [details]
Fix incorrect register reuse

I retract this change. I think it wont work because we need to set `false` to result when left.tagGPR(), right.tagGPR() are different.
Comment 7 Caio Lima 2021-06-09 08:12:55 PDT 
(In reply to Caio Lima from comment #6)
> Comment on attachment 430963 [details]
> Fix incorrect register reuse
> 
> I retract this change. I think it wont work because we need to set `false`
> to result when left.tagGPR(), right.tagGPR() are different.

The patch already does that, since it doesn’t change previous behavior. So, my previous comment is wrong. I’ll r+/cq+ again after local run shows it passes all tests.
Comment 8 Caio Lima 2021-06-09 08:13:16 PDT 
Comment on attachment 430963 [details]
Fix incorrect register reuse

r=me
Comment 9 EWS 2021-06-09 09:31:32 PDT 
Committed r278662 (238644@main): <https://commits.webkit.org/238644@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 430963 [details].
Comment 10 Radar WebKit Bug Importer 2021-06-09 09:32:39 PDT 
<rdar://problem/79081335>