151746 – Polymorphic operand types for DFG and FTL mul.

Bug 151746 - Polymorphic operand types for DFG and FTL mul.

Summary: Polymorphic operand types for DFG and FTL mul.

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Local Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Mark Lam

URL:
Keywords:	InRadar

Duplicates (1):	151748 (view as bug list)
Depends on:
Blocks:

Reported:	2015-12-02 09:03 PST by Mark Lam
Modified:	2015-12-02 21:54 PST (History)
CC List:	8 users (show)

See Also:

Attachments
proposed patch. (29.98 KB, patch) 2015-12-02 17:18 PST, Mark Lam	no flags	Details \| Formatted Diff \| Diff
x86_64 benchmark result. (65.28 KB, text/plain) 2015-12-02 17:21 PST, Mark Lam	no flags	Details
x86 benchmark result. (64.13 KB, text/plain) 2015-12-02 17:21 PST, Mark Lam	no flags	Details
x86_64 benchmark result without FTL. (64.80 KB, text/plain) 2015-12-02 17:22 PST, Mark Lam	no flags	Details
patch 2: fixed a value in the test, and a bit more clean up in the DFG mul code. (30.56 KB, patch) 2015-12-02 20:51 PST, Mark Lam	no flags	Details \| Formatted Diff \| Diff
patch 3: a bit more code clean up in the FTL code. (30.55 KB, patch) 2015-12-02 21:02 PST, Mark Lam	no flags	Details \| Formatted Diff \| Diff
patch 4: update one more test value in op_mul.js. (30.77 KB, patch) 2015-12-02 21:16 PST, Mark Lam	fpizlo: review+	Details \| Formatted Diff \| Diff
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Mark Lam 2015-12-02 09:03:09 PST

Patch coming.

Comment 1 Radar WebKit Bug Importer 2015-12-02 09:04:57 PST

<rdar://problem/23725093>

Comment 2 Mark Lam 2015-12-02 12:53:10 PST

*** Bug 151748 has been marked as a duplicate of this bug. ***

Comment 3 Mark Lam 2015-12-02 17:18:32 PST

Created attachment 266484 [details]
proposed patch.

Comment 4 WebKit Commit Bot 2015-12-02 17:19:56 PST

Attachment 266484 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h:40:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h:40:  Comma should be at the beginning of the line in a member initialization list.  [whitespace/init] [4]
Total errors found: 2 in 21 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 5 Mark Lam 2015-12-02 17:21:25 PST

Created attachment 266485 [details]
x86_64 benchmark result.

Comment 6 Mark Lam 2015-12-02 17:21:48 PST

Created attachment 266486 [details]
x86 benchmark result.

Comment 7 Mark Lam 2015-12-02 17:22:12 PST

Created attachment 266487 [details]
x86_64 benchmark result without FTL.

Comment 8 Mark Lam 2015-12-02 17:23:30 PST

Benchmark results are neutral.  The newly added ftp-object-mul.js test shows the benefit of being able to stay in the DFG and FTL compiled function instead of OSR exiting back to the baseline JIT.

This patch has passed the layout tests and JSC tests.

Comment 9 Mark Lam 2015-12-02 20:51:36 PST

Created attachment 266507 [details]
patch 2: fixed a value in the test, and a bit more clean up in the DFG mul code.

Comment 10 WebKit Commit Bot 2015-12-02 20:54:22 PST

Attachment 266507 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h:40:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h:40:  Comma should be at the beginning of the line in a member initialization list.  [whitespace/init] [4]
Total errors found: 2 in 22 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 11 Mark Lam 2015-12-02 21:02:24 PST

Created attachment 266508 [details]
patch 3: a bit more code clean up in the FTL code.

Comment 12 WebKit Commit Bot 2015-12-02 21:05:06 PST

Attachment 266508 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h:40:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h:40:  Comma should be at the beginning of the line in a member initialization list.  [whitespace/init] [4]
Total errors found: 2 in 22 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 13 Mark Lam 2015-12-02 21:16:26 PST

Created attachment 266510 [details]
patch 4: update one more test value in op_mul.js.

Comment 14 WebKit Commit Bot 2015-12-02 21:18:30 PST

Attachment 266510 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h:40:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/ftl/FTLInlineCacheDescriptorInlines.h:40:  Comma should be at the beginning of the line in a member initialization list.  [whitespace/init] [4]
Total errors found: 2 in 22 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 15 Filip Pizlo 2015-12-02 21:26:16 PST

Comment on attachment 266510 [details]
patch 4: update one more test value in op_mul.js.

View in context: https://bugs.webkit.org/attachment.cgi?id=266510&action=review

> Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:346
> +                    changed |= mergePrediction(SpecInt32 | SpecBytecodeDouble);

Do you have a bug for improving this?  I think that this can easily create performance pathologies, since it will cause all downstream math operations on this value to coerce it to double.

Comment 16 Filip Pizlo 2015-12-02 21:27:51 PST

Comment on attachment 266510 [details]
patch 4: update one more test value in op_mul.js.

View in context: https://bugs.webkit.org/attachment.cgi?id=266510&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3449
> +        auto& leftChild = node->child1();

I think it's more clear to say Edge instead of auto.

Comment 17 Mark Lam 2015-12-02 21:54:28 PST

Thanks for the review.

> > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3449
> > +        auto& leftChild = node->child1();
> 
> I think it's more clear to say Edge instead of auto.

I've changed all auto& of type Edge& in my patch to explicitly say Edge& instead.

> > Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp:346
> > +                    changed |= mergePrediction(SpecInt32 | SpecBytecodeDouble);
> 
> Do you have a bug for improving this?  I think that this can easily create
> performance pathologies, since it will cause all downstream math operations
> on this value to coerce it to double.

I just filed https://bugs.webkit.org/show_bug.cgi?id=151793 to track this.  My thinking on this is that this coercion is supposed to only happen if we encounter polymorphic types, which is supposedly rare.  Hence, the impact of this coercion should be similarly rare.  But we can investigate this some more later.  So far, the benchmarks don't seem to be affected by it (as expected).

Landed in r192993: <http://trac.webkit.org/r192993>.