Bug 70777

Summary: Object-or-other branch speculation may corrupt the state for OSR if the child of the branch is an integer
Product: WebKit
Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCore
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal    
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 70246    
Attachments:
   Description: the patch
   Flags: oliver: review+

Description Filip Pizlo 2011-10-24 16:45:24 PDT
The "other" part of the speculation (i.e. null-or-undefined) masks on ~8 (null-or-undefined bit).  But it does so in place.  Hence, if the operand to the branch was 8 then the branch will take the wrong path in the old JIT.
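
An added illustration of the description above, not code from the report or from WebKit: a simplified C model in which the tag constants other than the 8 bit, the helper names, and the scratch-copy repair are assumptions. The object half of the speculation is omitted; the model shows an integer 8 reaching the OSR exit as 0 when the mask is applied in place.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified 64-bit boxed-value model; every constant except the 8 bit is assumed. */
#define TAG_NUMBER  0xffff000000000000ULL /* assumed int32 tag */
#define BIT_UNDEF   0x8ULL                /* the bit the report masks with ~8 */
#define VALUE_NULL  0x2ULL                /* assumed encoding of null */
#define VALUE_UNDEF (VALUE_NULL | BIT_UNDEF)

/* Register contents after the check, and whether speculation failed. */
typedef struct { uint64_t reg; bool osr_exit; } SpecResult;

static uint64_t box_int(int32_t i) { return TAG_NUMBER | (uint32_t)i; }

/* Baseline truthiness for the value kinds modeled here. */
static bool baseline_truthy(uint64_t v) {
    if ((v & TAG_NUMBER) == TAG_NUMBER)
        return (uint32_t)v != 0;   /* integers: nonzero is true */
    return false;                  /* null and undefined are false */
}

/* Behaviour described in the report: the operand register itself is masked. */
static SpecResult check_other_in_place(uint64_t reg) {
    reg &= ~BIT_UNDEF;
    return (SpecResult){ reg, reg != VALUE_NULL };
}

/* One possible repair (assumption, not taken from the patch): mask a copy. */
static SpecResult check_other_scratch(uint64_t reg) {
    uint64_t scratch = reg & ~BIT_UNDEF;
    return (SpecResult){ reg, scratch != VALUE_NULL };
}

/* Direction the baseline code takes when it resumes with the exit state. */
static bool branch_after_exit(SpecResult r) { return baseline_truthy(r.reg); }

int main(void) {
    SpecResult bad = check_other_in_place(box_int(8));
    SpecResult ok  = check_other_scratch(box_int(8));
    /* Exit 0 only when the in-place form flips the branch and the copy form does not. */
    return (bad.osr_exit && !branch_after_exit(bad) &&
            ok.osr_exit && branch_after_exit(ok)) ? 0 : 1;
}
```
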
Comment 1 Filip Pizlo 2011-10-24 16:47:15 PDT
Created attachment 112274
the patch
Comment 2 Filip Pizlo 2011-10-24 16:58:22 PDT
Richards really benefits from the branch optimizations and seems to take a hit.  But it's neutral overall.


Benchmark report for SunSpider, V8, and Kraken.

VMs tested:
"TipOfTree" at /Volumes/Data/pizlo/OpenSource/WebKitBuild/Release/jsc
"FixBranch" at /Volumes/Data/pizlo/secondary/OpenSource/WebKitBuild/Release/jsc

Collected 12 samples per benchmark/VM, with 4 VM invocations per benchmark. Used 1 benchmark iteration per VM
invocation for warm-up. Used the jsc-specific preciseTime() function to get microsecond-level timing. Reporting
benchmark execution times with 95% confidence intervals in milliseconds.

                                            TipOfTree               FixBranch                                    
SunSpider:
   3d-cube                                7.9384+-0.0494          7.9363+-0.0518       
   3d-morph                               8.6980+-0.1233          8.5521+-0.1579         might be 1.0171x faster
   3d-raytrace                            8.1432+-0.0727    ?     8.1729+-0.0985       ?
   access-binary-trees                    1.6920+-0.0055          1.6919+-0.0060       
   access-fannkuch                        7.8000+-0.0285    ^     7.7445+-0.0225       ^ definitely 1.0072x faster
   access-nbody                           4.5306+-0.0134          4.5245+-0.0027       
   access-nsieve                          3.1673+-0.0173    !     3.1966+-0.0087       ! definitely 1.0093x slower
   bitops-3bit-bits-in-byte               1.3210+-0.0104          1.3144+-0.0109       
   bitops-bits-in-byte                    5.2722+-0.0163          5.2615+-0.0244       
   bitops-bitwise-and                     3.4714+-0.0460          3.4662+-0.0625       
   bitops-nsieve-bits                     5.6673+-0.0371          5.6670+-0.0352       
   controlflow-recursive                  2.3539+-0.0264          2.3293+-0.0046         might be 1.0106x faster
   crypto-aes                             7.6246+-0.0861          7.5438+-0.0482         might be 1.0107x faster
   crypto-md5                             2.8773+-0.0218          2.8677+-0.0164       
   crypto-sha1                            2.6731+-0.0174    ^     2.6423+-0.0127       ^ definitely 1.0116x faster
   date-format-tofte                     10.6837+-0.1644         10.6143+-0.1171       
   date-format-xparb                      9.8756+-0.1156    ?    10.0095+-0.1667       ? might be 1.0136x slower
   math-cordic                            7.7185+-0.2471    ?     7.8374+-0.2802       ? might be 1.0154x slower
   math-partial-sums                     10.6491+-0.0487         10.5895+-0.0367       
   math-spectral-norm                     2.8719+-0.0050    ?     2.8867+-0.0143       ?
   regexp-dna                            13.3035+-0.1700         13.2140+-0.1360       
   string-base64                          4.4205+-0.0191          4.4179+-0.0159       
   string-fasta                           7.1307+-0.0658          7.1307+-0.0638       
   string-tagcloud                       13.3751+-0.1564         13.2063+-0.1645         might be 1.0128x faster
   string-unpack-code                    22.7722+-0.2173    ?    22.7769+-0.2030       ?
   string-validate-input                  5.6223+-0.0528    !     5.7518+-0.0505       ! definitely 1.0230x slower

   <arithmetic> *                         6.9867+-0.0240          6.9748+-0.0161       
   <geometric>                            5.6510+-0.0154          5.6437+-0.0107       
   <harmonic>                             4.4720+-0.0112          4.4646+-0.0103       

                                            TipOfTree               FixBranch                                    
V8:
   crypto                                81.3570+-0.2335    ?    81.3984+-0.1635       ?
   deltablue                            194.6537+-0.7664    ?   195.6561+-1.0668       ?
   earley-boyer                         110.5192+-0.3554    !   112.0030+-0.6601       ! definitely 1.0134x slower
   raytrace                              69.5256+-0.6573         68.9732+-0.4084       
   regexp                               124.7805+-0.6029        124.2504+-0.3944       
   richards                             143.3091+-0.2937    !   146.3927+-0.5736       ! definitely 1.0215x slower
   splay                                125.7630+-0.4251        125.5294+-0.5213       

   <arithmetic>                         121.4154+-0.2404    !   122.0290+-0.2727       ! definitely 1.0051x slower
   <geometric> *                        115.4650+-0.2748    ?   115.8978+-0.2501       ?
   <harmonic>                           109.7065+-0.3320    ?   109.9405+-0.2387       ?

                                            TipOfTree               FixBranch                                    
Kraken:
   ai-astar                             834.8711+-0.5610        825.2549+-11.2776        might be 1.0117x faster
   audio-beat-detection                 211.5345+-1.7424    !   215.8835+-1.7716       ! definitely 1.0206x slower
   audio-dft                            260.0991+-2.9561        259.1979+-2.6525       
   audio-fft                            135.5689+-0.5056    ^   133.2889+-0.8830       ^ definitely 1.0171x faster
   audio-oscillator                     291.1467+-1.0564        290.8358+-1.0879       
   imaging-darkroom                     448.5026+-1.8551    ?   455.2396+-12.4493      ? might be 1.0150x slower
   imaging-desaturate                   237.8334+-0.1012    !   245.1353+-0.0802       ! definitely 1.0307x slower
   imaging-gaussian-blur                620.8662+-0.1434    ?   620.9534+-0.1802       ?
   json-parse-financial                  70.5284+-0.3330    ^    69.3177+-0.2861       ^ definitely 1.0175x faster
   json-stringify-tinderbox              79.6113+-0.3721         78.9564+-0.5766       
   stanford-crypto-aes                  151.4079+-1.4399    ?   152.7339+-1.7077       ?
   stanford-crypto-ccm                  114.7261+-0.5102    ?   115.1364+-0.6121       ?
   stanford-crypto-pbkdf2               236.8052+-1.6053    ?   240.0376+-2.1284       ? might be 1.0137x slower
   stanford-crypto-sha256-iterative      85.7031+-0.5468    ?    85.8561+-0.2754       ?

   <arithmetic> *                       269.9432+-0.3567    ?   270.5591+-0.4353       ?
   <geometric>                          205.3784+-0.3440    ?   205.8707+-0.4115       ?
   <harmonic>                           161.6929+-0.2977        161.5167+-0.2929       

                                            TipOfTree               FixBranch                                    
All benchmarks:
   <arithmetic>                         102.3567+-0.1265    ?   102.6250+-0.1473       ?
   <geometric>                           25.8277+-0.0535    ?    25.8422+-0.0311       ?
   <harmonic>                             7.8802+-0.0196          7.8675+-0.0176       

                                            TipOfTree               FixBranch                                    
Geomean of preferred means:
   <scaled-result>                       60.1631+-0.1213    ?    60.2499+-0.0815       ?
Comment 3 Filip Pizlo 2011-10-24 16:59:31 PDT
Landed in http://trac.webkit.org/changeset/98299