Bug 229229

Summary:

[JSC] Polymorphic PutByVal

Product:

WebKit

Reporter:

Yusuke Suzuki <ysuzuki>

Component:

New Bugs

Assignee:

Yusuke Suzuki <ysuzuki>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ews-watchlist, keith_miller, mark.lam, msaboff, pvollan, saam, tzagallo, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Attachments:

Description	Flags
Patch	none
Patch	none
Patch	none
Patch	none
Patch	ews-feeder: commit-queue-
Patch	none
Patch	none
Patch	none
Patch	none
Patch	ews-feeder: commit-queue-
Patch	ews-feeder: commit-queue-
Patch	none
Patch	none
Patch	none
Patch	none
Patch	none
Patch	ews-feeder: commit-queue-
Patch	none
Patch	none
Patch	ews-feeder: commit-queue-
Patch	none
Patch	ews-feeder: commit-queue-
Patch	ews-feeder: commit-queue-
Patch	none
Patch	none
Patch	saam: review+, ews-feeder: commit-queue-
Patch	none

Yusuke Suzuki

Reported 2021-08-17 23:31:57 PDT

[JSC] Polymorphic PutByVal

Attachments
Patch (262.39 KB, patch) 2021-08-17 23:32 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (267.53 KB, patch) 2021-08-18 12:26 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (267.56 KB, patch) 2021-08-18 15:15 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (268.23 KB, patch) 2021-08-18 16:33 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (268.31 KB, patch) 2021-08-18 19:27 PDT, Yusuke Suzuki	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (268.35 KB, patch) 2021-08-18 19:31 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (283.69 KB, patch) 2021-08-18 22:54 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (283.68 KB, patch) 2021-08-19 01:48 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (279.48 KB, patch) 2021-08-20 18:15 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (289.33 KB, patch) 2021-08-21 04:59 PDT, Yusuke Suzuki	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (289.35 KB, patch) 2021-08-21 05:09 PDT, Yusuke Suzuki	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (289.23 KB, patch) 2021-08-21 05:15 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (289.84 KB, patch) 2021-08-23 00:14 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (289.24 KB, patch) 2021-08-23 01:04 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (296.05 KB, patch) 2021-08-23 01:33 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (300.63 KB, patch) 2021-08-23 02:57 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (300.67 KB, patch) 2021-08-23 03:09 PDT, Yusuke Suzuki	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (300.67 KB, patch) 2021-08-23 03:19 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (323.63 KB, patch) 2021-08-23 20:02 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (323.95 KB, patch) 2021-08-24 09:18 PDT, Yusuke Suzuki	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (324.20 KB, patch) 2021-08-24 09:40 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (323.56 KB, patch) 2021-08-24 15:00 PDT, Yusuke Suzuki	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (323.61 KB, patch) 2021-08-24 15:13 PDT, Yusuke Suzuki	ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (323.43 KB, patch) 2021-08-24 15:25 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (338.20 KB, patch) 2021-08-25 14:05 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Patch (338.20 KB, patch) 2021-08-25 14:47 PDT, Yusuke Suzuki	saam: review+ ews-feeder: commit-queue-	Details Formatted Diff Diff
Patch (338.45 KB, patch) 2021-08-25 21:26 PDT, Yusuke Suzuki	no flags	Details Formatted Diff Diff
Show Obsolete (25) View All Add attachment proposed patch, testcase, etc.

Yusuke Suzuki

Comment 1 2021-08-17 23:32:33 PDT

Created attachment 435749 [details] Patch

Yusuke Suzuki

Comment 2 2021-08-18 12:26:32 PDT

Created attachment 435789 [details] Patch

Yusuke Suzuki

Comment 3 2021-08-18 15:15:38 PDT

Created attachment 435804 [details] Patch

Yusuke Suzuki

Comment 4 2021-08-18 16:33:38 PDT

Created attachment 435816 [details] Patch

Yusuke Suzuki

Comment 5 2021-08-18 19:27:50 PDT

Created attachment 435827 [details] Patch

Yusuke Suzuki

Comment 6 2021-08-18 19:31:38 PDT

Created attachment 435828 [details] Patch

Yusuke Suzuki

Comment 7 2021-08-18 22:54:42 PDT

Created attachment 435846 [details] Patch

Yusuke Suzuki

Comment 8 2021-08-19 01:48:42 PDT

Created attachment 435856 [details] Patch

Yusuke Suzuki

Comment 9 2021-08-20 18:15:41 PDT

Created attachment 436051 [details] Patch

Yusuke Suzuki

Comment 10 2021-08-21 04:59:46 PDT

Created attachment 436069 [details] Patch

Yusuke Suzuki

Comment 11 2021-08-21 05:09:49 PDT

Created attachment 436070 [details] Patch

Yusuke Suzuki

Comment 12 2021-08-21 05:15:48 PDT

Created attachment 436071 [details] Patch

Yusuke Suzuki

Comment 13 2021-08-23 00:14:02 PDT

Created attachment 436154 [details] Patch

Yusuke Suzuki

Comment 14 2021-08-23 01:04:17 PDT

Created attachment 436158 [details] Patch

Yusuke Suzuki

Comment 15 2021-08-23 01:33:02 PDT

Created attachment 436163 [details] Patch

Yusuke Suzuki

Comment 16 2021-08-23 02:57:55 PDT

Created attachment 436174 [details] Patch

Yusuke Suzuki

Comment 17 2021-08-23 03:09:42 PDT

Created attachment 436176 [details] Patch

Yusuke Suzuki

Comment 18 2021-08-23 03:19:12 PDT

Created attachment 436177 [details] Patch

Yusuke Suzuki

Comment 19 2021-08-23 20:02:26 PDT

Created attachment 436260 [details] Patch

Yusuke Suzuki

Comment 20 2021-08-24 09:18:20 PDT

Created attachment 436294 [details] Patch

Yusuke Suzuki

Comment 21 2021-08-24 09:40:59 PDT

Created attachment 436296 [details] Patch

Yusuke Suzuki

Comment 22 2021-08-24 15:00:51 PDT

Created attachment 436337 [details] Patch

Yusuke Suzuki

Comment 23 2021-08-24 15:13:39 PDT

Created attachment 436338 [details] Patch

Yusuke Suzuki

Comment 24 2021-08-24 15:25:01 PDT

Created attachment 436341 [details] Patch

Radar WebKit Bug Importer

Comment 25 2021-08-24 23:32:19 PDT

<rdar://problem/82327133>

Yusuke Suzuki

Comment 26 2021-08-25 14:05:33 PDT

Created attachment 436423 [details] Patch

Yusuke Suzuki

Comment 27 2021-08-25 14:47:44 PDT

Created attachment 436429 [details] Patch

Saam Barati

Comment 28 2021-08-25 19:45:15 PDT

Comment on attachment 436429 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=436429&action=review Nice. r=me with a few comments. > Source/JavaScriptCore/bytecode/AccessCase.cpp:1068 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) assert it's invalidGPR? > Source/JavaScriptCore/bytecode/AccessCase.cpp:1170 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > + allocator.lock(stubInfo.m_arrayProfileGPR); assert it's invalidGPR? > Source/JavaScriptCore/bytecode/AccessCase.cpp:1257 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > + allocator.lock(stubInfo.m_arrayProfileGPR); assert it's invalidGPR? > Source/JavaScriptCore/bytecode/AccessCase.cpp:1492 > + failAndIgnore.append(jit.branchIfNaN(state.scratchFPR)); Why ignore? Shouldn't this be a case to repatch, since we're not storing int32? Or maybe we expect this particular array to get transitioned into something more general, so we can kind of ignore the likelihood of this? I guess I'm just worried about the case where we see a lot of non numbers in practice? Like, say we started off with profiling a single number case, but then we ended up with many things that are never numbers, we'll never end up repatching. Not sure what the right approach is, but it's worth considering if we should do something else here. > Source/JavaScriptCore/bytecode/AccessCase.cpp:1505 > + failAndIgnore.append(jit.branchIfNotInt32(valueRegs)); ditto regarding repatching vs not repatching. > Source/JavaScriptCore/bytecode/AccessCase.cpp:1573 > + state.failAndIgnore.append(jit.branchIfNotInt32(valueRegs)); ditto about repatching or ignoring. > Source/JavaScriptCore/bytecode/AccessCase.cpp:1582 > + state.failAndIgnore.append(jit.branchIfNotNumber(valueRegs.payloadGPR())); ditto > Source/JavaScriptCore/bytecode/AccessCase.cpp:1594 > + state.failAndRepatch.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, scratchGPR)); we fail and repatch here, but ignore the case for normal arrays when we go OOB past vector length. Is that intentional? > Source/JavaScriptCore/bytecode/AccessCase.cpp:2434 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > + allocator.lock(stubInfo.m_arrayProfileGPR); Assert invalidGPR? > Source/JavaScriptCore/bytecode/GetterSetterAccessCase.cpp:145 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > + allocator.lock(stubInfo.m_arrayProfileGPR); assert is invalidGPR? > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6475 > + tryCompileAsPutByOffset = true; let's rename this to "compiledAsPutPrivateNameById" > Source/JavaScriptCore/jit/Repatch.cpp:899 > + GCSafeConcurrentJSLocker locker(codeBlock->m_lock, globalObject->vm().heap); small nit: Maybe grab lock below the if and switches, since some cases return?

Yusuke Suzuki

Comment 29 2021-08-25 21:26:37 PDT

Created attachment 436464 [details] Patch Patch for landing

Yusuke Suzuki

Comment 30 2021-08-25 22:58:38 PDT

Comment on attachment 436429 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=436429&action=review >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1068 >> + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > > assert it's invalidGPR? Changed. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1170 >> + allocator.lock(stubInfo.m_arrayProfileGPR); > > assert it's invalidGPR? Changed. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1257 >> + allocator.lock(stubInfo.m_arrayProfileGPR); > > assert it's invalidGPR? Changed. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1492 >> + failAndIgnore.append(jit.branchIfNaN(state.scratchFPR)); > > Why ignore? Shouldn't this be a case to repatch, since we're not storing int32? Or maybe we expect this particular array to get transitioned into something more general, so we can kind of ignore the likelihood of this? > > I guess I'm just worried about the case where we see a lot of non numbers in practice? Like, say we started off with profiling a single number case, but then we ended up with many things that are never numbers, we'll never end up repatching. Not sure what the right approach is, but it's worth considering if we should do something else here. Changed to failAndRepatch. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1505 >> + failAndIgnore.append(jit.branchIfNotInt32(valueRegs)); > > ditto regarding repatching vs not repatching. Changed to failAndRepatch. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1573 >> + state.failAndIgnore.append(jit.branchIfNotInt32(valueRegs)); > > ditto about repatching or ignoring. Changed to failAndRepatch. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1582 >> + state.failAndIgnore.append(jit.branchIfNotNumber(valueRegs.payloadGPR())); > > ditto Changed to failAndRepatch. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1594 >> + state.failAndRepatch.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, scratchGPR)); > > we fail and repatch here, but ignore the case for normal arrays when we go OOB past vector length. Is that intentional? Discussed with Saam at Slack. We will continue using failAndRepatch since OOB TypedArray access case should soon get the slow path. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:2434 >> + allocator.lock(stubInfo.m_arrayProfileGPR); > > Assert invalidGPR? Changed. >> Source/JavaScriptCore/bytecode/GetterSetterAccessCase.cpp:145 >> + allocator.lock(stubInfo.m_arrayProfileGPR); > > assert is invalidGPR? Changed. >> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6475 >> + tryCompileAsPutByOffset = true; > > let's rename this to "compiledAsPutPrivateNameById" Changed. >> Source/JavaScriptCore/jit/Repatch.cpp:899 >> + GCSafeConcurrentJSLocker locker(codeBlock->m_lock, globalObject->vm().heap); > > small nit: Maybe grab lock below the if and switches, since some cases return? Fixed!

Yusuke Suzuki

Comment 31 2021-08-26 00:39:11 PDT

Committed r281615 (240971@main): <https://commits.webkit.org/240971@main>

Yusuke Suzuki

Comment 32 2021-08-26 22:48:27 PDT

*** Bug 203866 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.