RESOLVED FIXED 129563
DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e. boolean, undefined, or null) 
https://bugs.webkit.org/show_bug.cgi?id=129563
Summary DFG and FTL should specialize for and support CompareStrictEq over Misc (i.e....
Filip Pizlo
Reported 2014-03-01 16:40:12 PST
Patch forthcoming.
Attachments
work in progress (18.43 KB, patch)
2014-03-01 16:41 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (27.60 KB, patch)
2014-03-01 20:09 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (33.19 KB, patch)
2014-03-01 20:38 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (33.47 KB, patch)
2014-03-02 08:21 PST, Filip Pizlo 		no flags
DetailsFormatted DiffDiff
the patch (33.40 KB, patch)
2014-03-02 08:24 PST, Filip Pizlo 		ggaren: review+
DetailsFormatted DiffDiff
Show Obsolete (4) View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2014-03-01 16:41:46 PST
Created attachment 225574 [details] work in progress
Filip Pizlo
Comment 2 2014-03-01 20:09:33 PST
Created attachment 225584 [details] the patch
Filip Pizlo
Comment 3 2014-03-01 20:38:32 PST
Created attachment 225586 [details] the patch
Filip Pizlo
Comment 4 2014-03-02 08:21:18 PST
Created attachment 225595 [details] the patch
Filip Pizlo
Comment 5 2014-03-02 08:24:04 PST
Created attachment 225596 [details] the patch
Geoffrey Garen
Comment 6 2014-03-03 10:51:49 PST
Comment on attachment 225596 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=225596&action=review > Source/JavaScriptCore/bytecode/SpeculatedType.cpp:403 > +SpeculatedType leastUpperBoundOfStrictlyEquivalentSpeculations(SpeculatedType type) > +{ > + if (type & SpecInteger) > + type |= SpecInteger; > + if (type & SpecString) > + type |= SpecString; > + return type; > +} Maybe it's just Monday morning, but this function looks like a no-op. You test the input type for SpecInteger, and then set SpecInteger if and only if it's already set. Sam for SpecString. Can this be right? > Source/JavaScriptCore/bytecode/SpeculatedType.h:79 > +static const SpeculatedType SpecMisc = 0x30000000; // It's definitely either a boolean, Null, or Undefined. Looks like the convention here is to capitalize "Boolean".
Filip Pizlo
Comment 7 2014-03-03 11:01:50 PST
Comment on attachment 225596 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=225596&action=review >> Source/JavaScriptCore/bytecode/SpeculatedType.cpp:403 >> +} > > Maybe it's just Monday morning, but this function looks like a no-op. You test the input type for SpecInteger, and then set SpecInteger if and only if it's already set. Sam for SpecString. Can this be right? It's right. SpecInteger is a bitmask of SpecInt32, SpecInt52, and SpecInt52AsDouble. So, consider that 'type' may be just SpecInt32 (which is 0x00800000). This function will turn it into SpecInt32 | SpecInt52 | SpecInt52AsDouble, which is 0x03800000. Similarly for SpecString. SpecString is a combo of SpecStringIdent and SpecStringVar. >> Source/JavaScriptCore/bytecode/SpeculatedType.h:79 >> +static const SpeculatedType SpecMisc = 0x30000000; // It's definitely either a boolean, Null, or Undefined. > > Looks like the convention here is to capitalize "Boolean". Will fix.
Geoffrey Garen
Comment 8 2014-03-03 13:00:16 PST
Comment on attachment 225596 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=225596&action=review r=me > Source/JavaScriptCore/bytecode/SpeculatedType.cpp:405 > +bool speculationsCouldBeEqual(SpeculatedType a, SpeculatedType b) I think "valuesCouldBeEqual" would be clearer here. The input is speculations, but the question we're asking is about the run-time values. > Source/JavaScriptCore/bytecode/SpeculatedType.cpp:421 > + // If either side could be an object or not, then we could go down some weird > + // effectful path. I think the effect you're talking about is that we'll do a value or string conversion on the object. Let's say that: "...then the equality comparison could call a toString or valueOf conversion, which could return anything".
Filip Pizlo
Comment 9 2014-03-04 16:58:36 PST
Landed in http://trac.webkit.org/changeset/165085
Alexey Proskuryakov
Comment 10 2014-03-04 22:11:17 PST
imported/w3c/html-templates/template-element/template-content.html started to crash with an assertion failure after this change: Filip, are you available to take a look soon? ASSERTION FAILED: needsTypeCheck(edge, typesPassedThrough) /Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(204) : void JSC::DFG::SpeculativeJIT::typeCheck(JSC::JSValueSource, JSC::DFG::Edge, SpeculatedType, MacroAssembler::Jump) 1 0x10b43b9b0 WTFCrash 2 0x10af93de8 JSC::DFG::SpeculativeJIT::typeCheck(JSC::JSValueSource, JSC::DFG::Edge, unsigned int, JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump) 3 0x10afab144 JSC::DFG::SpeculativeJIT::speculateMisc(JSC::DFG::Edge, JSC::JSValueRegs) 4 0x10afd99ae JSC::DFG::SpeculativeJIT::compileMiscStrictEq(JSC::DFG::Node*) 5 0x10afa682a JSC::DFG::SpeculativeJIT::compileStrictEq(JSC::DFG::Node*) 6 0x10afe3acf JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) 7 0x10af99a74 JSC::DFG::SpeculativeJIT::compileCurrentBlock() 8 0x10af9a3dd JSC::DFG::SpeculativeJIT::compile() 9 0x10af2cfe4 JSC::DFG::JITCompiler::compileBody()
WebKit Commit Bot
Comment 11 2014-03-04 23:16:25 PST
Re-opened since this is blocked by bug 129729
Filip Pizlo
Comment 12 2014-03-04 23:25:30 PST
(In reply to comment #10) > imported/w3c/html-templates/template-element/template-content.html started to crash with an assertion failure after this change: > > Filip, are you available to take a look soon? > > ASSERTION FAILED: needsTypeCheck(edge, typesPassedThrough) > /Volumes/Data/slave/mavericks-debug/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(204) : void JSC::DFG::SpeculativeJIT::typeCheck(JSC::JSValueSource, JSC::DFG::Edge, SpeculatedType, MacroAssembler::Jump) > 1 0x10b43b9b0 WTFCrash > 2 0x10af93de8 JSC::DFG::SpeculativeJIT::typeCheck(JSC::JSValueSource, JSC::DFG::Edge, unsigned int, JSC::AbstractMacroAssembler<JSC::X86Assembler>::Jump) > 3 0x10afab144 JSC::DFG::SpeculativeJIT::speculateMisc(JSC::DFG::Edge, JSC::JSValueRegs) > 4 0x10afd99ae JSC::DFG::SpeculativeJIT::compileMiscStrictEq(JSC::DFG::Node*) > 5 0x10afa682a JSC::DFG::SpeculativeJIT::compileStrictEq(JSC::DFG::Node*) > 6 0x10afe3acf JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node*) > 7 0x10af99a74 JSC::DFG::SpeculativeJIT::compileCurrentBlock() > 8 0x10af9a3dd JSC::DFG::SpeculativeJIT::compile() > 9 0x10af2cfe4 JSC::DFG::JITCompiler::compileBody() Ugh, this was a stupid typo - speculateMisc() should have said DFG_TYPE_CHECK instead of typeCheck. That's what the assertion is noticing. I will reland with the fix shortly.
Filip Pizlo
Comment 13 2014-03-04 23:35:41 PST
Relanded in http://trac.webkit.org/changeset/165099
Note You need to log in before you can comment on or make changes to this bug.