NEW 118203
DFG should support ret_object_or_this 
https://bugs.webkit.org/show_bug.cgi?id=118203
Summary DFG should support ret_object_or_this
Mark Hahnenberg
Reported 2013-06-28 13:43:50 PDT
It's sad that we can't optimize away the result of the create_this bytecode in constructors that create their own objects and return them instead of just modifying "this". We should add support for the constructor_ret to the DFG so that it can do this for us.
Attachments
Patch (19.56 KB, patch)
2013-08-05 17:09 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (19.56 KB, patch)
2013-08-05 17:33 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (20.90 KB, patch)
2013-08-06 12:29 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (21.37 KB, patch)
2013-08-06 16:09 PDT, Mark Hahnenberg 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (3) View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2013-08-05 17:09:12 PDT
Created attachment 208157 [details] Patch
Mark Hahnenberg
Comment 2 2013-08-05 17:33:19 PDT
Created attachment 208160 [details] Patch
Filip Pizlo
Comment 3 2013-08-05 20:36:44 PDT
Comment on attachment 208160 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=208160&action=review > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:941 > + m_state.setFoundConstants(true); This looks borked. Why aren't you setting the result of the node? > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2823 > case op_ret: It looks like this would work better with a helper function, rather than having a bunch of opcode checks. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:3263 > + cellResult(thisGPR, node); Yeah if a node returns a value, as this one clearly does, you need to have the abstract interpreter indicate what it returns. Right now you're leaving the result clear which is definitely wrong.
Mark Hahnenberg
Comment 4 2013-08-06 12:29:32 PDT
Created attachment 208210 [details] Patch
Filip Pizlo
Comment 5 2013-08-06 15:12:51 PDT
Comment on attachment 208210 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=208210&action=review > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:941 > + if (isObjectSpeculation(forNode(node->child1()).m_type)) > + m_state.setFoundConstants(true); This should say: if (isObjectBlah...) { forNode(node) = forNode(node->child1()); setFoundConstants break; } Reason: if constant folding turns this into a node that does X, then this should do exactly X. Here X = Identity, right?
Mark Hahnenberg
Comment 6 2013-08-06 15:20:00 PDT
(In reply to comment #5) > (From update of attachment 208210 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=208210&action=review > > > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:941 > > + if (isObjectSpeculation(forNode(node->child1()).m_type)) > > + m_state.setFoundConstants(true); > > This should say: > > if (isObjectBlah...) { > forNode(node) = forNode(node->child1()); > setFoundConstants > break; > } > > Reason: if constant folding turns this into a node that does X, then this should do exactly X. Here X = Identity, right? Along the same lines, if we haven't proven that node->child1() is SpecObject then we should filter the result of the current node on SpecObject (e.g. filter(forNode(node), SpecObject)) rather than just unconditionally setting the type, correct?
Filip Pizlo
Comment 7 2013-08-06 15:34:31 PDT
(In reply to comment #6) > (In reply to comment #5) > > (From update of attachment 208210 [details] [details]) > > View in context: https://bugs.webkit.org/attachment.cgi?id=208210&action=review > > > > > Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:941 > > > + if (isObjectSpeculation(forNode(node->child1()).m_type)) > > > + m_state.setFoundConstants(true); > > > > This should say: > > > > if (isObjectBlah...) { > > forNode(node) = forNode(node->child1()); > > setFoundConstants > > break; > > } > > > > Reason: if constant folding turns this into a node that does X, then this should do exactly X. Here X = Identity, right? > > Along the same lines, if we haven't proven that node->child1() is SpecObject then we should filter the result of the current node on SpecObject (e.g. filter(forNode(node), SpecObject)) rather than just unconditionally setting the type, correct? Why would you filter the *result*? Filtering is what you do to your children. As far as I can tell you just know that the node returns one of its two children, whichever one happens to be an object. The easiest way to convey that is to say that it returns SpecObject, as you do now. Except of course when you're converting it to Identity.
Filip Pizlo
Comment 8 2013-08-06 15:34:47 PDT
Comment on attachment 208210 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=208210&action=review > Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp:3258 > + m_jit.move(op1PayloadGPR, thisGPR); Are you mutating an operand GPR? Isn't that wrong?
Mark Hahnenberg
Comment 9 2013-08-06 16:09:26 PDT
Created attachment 208222 [details] Patch
Geoffrey Garen
Comment 10 2013-08-06 20:06:41 PDT
I wonder if we should change the bytecode to make get_object_or_this separate from ret.
Filip Pizlo
Comment 11 2013-08-06 22:54:04 PDT
(In reply to comment #10) > I wonder if we should change the bytecode to make get_object_or_this separate from ret. Could be useful. Though, at this point, it probably wouldn't simplify the DFG. Are there some other simplifications you're thinking of?
Filip Pizlo
Comment 12 2013-08-06 22:54:54 PDT
(In reply to comment #11) > (In reply to comment #10) > > I wonder if we should change the bytecode to make get_object_or_this separate from ret. > > Could be useful. Though, at this point, it probably wouldn't simplify the DFG. Are there some other simplifications you're thinking of? Hmmm, actually, what would be most natural is if the "is object" check was expressible in bytecode. Then ret_object_or_this could just be a branch around some returns.
Geoffrey Garen
Comment 13 2013-08-07 09:08:23 PDT
> Hmmm, actually, what would be most natural is if the "is object" check was expressible in bytecode. Then ret_object_or_this could just be a branch around some returns. Yeah, I like that.
Note You need to log in before you can comment on or make changes to this bug.