Created attachment 320892 [details]
Patch

This patch is WIP: it compiles but does not goes through tests cleanly yet.

Attachment 320892 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ChangeLog:9:  Line contains tab character.  [whitespace/tab] [5]
ERROR: Source/JavaScriptCore/ChangeLog:10:  Line contains tab character.  [whitespace/tab] [5]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6282:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
Total errors found: 3 in 2 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 320892 [details]
Patch

Attachment 320892 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/4557755

Number of test failures exceeded the failure limit.

Created attachment 320897 [details]
Archive of layout-test-results from ews103 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment on attachment 320892 [details]
Patch

Attachment 320892 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/4557737

Number of test failures exceeded the failure limit.

Created attachment 320898 [details]
Archive of layout-test-results from ews113 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews113  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment on attachment 320892 [details]
Patch

Attachment 320892 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/4557763

Number of test failures exceeded the failure limit.

Created attachment 320899 [details]
Archive of layout-test-results from ews106 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews106  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6

Comment on attachment 320892 [details]
Patch

Attachment 320892 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/4557797

Number of test failures exceeded the failure limit.

Created attachment 320900 [details]
Archive of layout-test-results from ews125 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews125  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.5

Created attachment 321090 [details]
Patch

WIP, still crashes, and does not SetLocal arguments

Created attachment 321539 [details]
WIP

Comment on attachment 321539 [details]
WIP

Attachment 321539 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/4627359

Number of test failures exceeded the failure limit.

Created attachment 321543 [details]
Archive of layout-test-results from ews114 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment on attachment 321539 [details]
WIP

Attachment 321539 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/4627484

Number of test failures exceeded the failure limit.

Created attachment 321544 [details]
Archive of layout-test-results from ews105 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews105  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6

Comment on attachment 321539 [details]
WIP

Attachment 321539 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/4627548

Number of test failures exceeded the failure limit.

Created attachment 321546 [details]
Archive of layout-test-results from ews103 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment on attachment 321539 [details]
WIP

Attachment 321539 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/4627420

Number of test failures exceeded the failure limit.

Created attachment 321547 [details]
Archive of layout-test-results from ews121 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews121  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6

Comment on attachment 321539 [details]
WIP

View in context: https://bugs.webkit.org/attachment.cgi?id=321539&action=review

> Source/JavaScriptCore/ChangeLog:15
> +            This makes it a lot easier to make sure that they are in the "right" inlineStackEntry, i.e. the one corresponding to the function that their successor comes from.

I'm not sure I follow this comment. What's "right" here? What's "successor"?

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1652
> +    // If the current block is not empty, we must split it so that recursive tail calls in the inlinee have somewhere to jump to.

I don't think you mean empty here given assert below. Perhaps you just mean if the block only has code for the op_call?

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1661
> +    if (m_currentIndex != m_currentBlock->bytecodeBegin) {
> +        ASSERT(!m_currentBlock->isEmpty());
> +        Node* jumpNode = addToGraph(Jump);
> +        Ref<BasicBlock> block = adoptRef(*new BasicBlock(m_currentIndex, m_numArguments, m_numLocals, m_currentBlock->executionCount));
> +        jumpNode->targetBlock() = block.ptr();
> +        m_inlineStackTop->m_blockLinkingTargets.append(block.ptr());
> +        m_currentBlock = block.ptr();
> +        m_graph.appendBlock(WTFMove(block));
> +    }

This split needs to happen after we process the setLocalQueue we may have appended to above. Otherwise, if we split, we'll generate invalid IR. I think a simple tail call that needs arity fixup will trigger this.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6352
> +            Ref<BasicBlock> block = adoptRef(*new BasicBlock(m_currentIndex, m_numArguments, m_numLocals, 1)); // TODO: why 1 ?

Maybe we just start all blocks at 1? I know we change this value in the StaticExecutionCountEstimationPhase

Created attachment 321675 [details]
Still WIP, still buggy

Created attachment 321678 [details]
WIP, stil trying to split the entry block, still buggy

Created attachment 321681 [details]
WIP, optimisation commented out to test refactoring, and block splitting

Attachment 321681 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1311:  Should have a space between // and comment  [whitespace/comments] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1312:  Weird number of spaces at line-start.  Are you using a 4-space indent?  [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4136:  WTF_CONCAT is incorrectly named. Don't use underscores in your identifier names.  [readability/naming/underscores] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4138:  Should be indented on a separate line, with the colon or comma first on that line.  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4144:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
Total errors found: 5 in 4 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 321681 [details]
WIP, optimisation commented out to test refactoring, and block splitting

Attachment 321681 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/4649225

Number of test failures exceeded the failure limit.

Created attachment 321685 [details]
Archive of layout-test-results from ews100 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews100  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment on attachment 321681 [details]
WIP, optimisation commented out to test refactoring, and block splitting

Attachment 321681 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/4649246

Number of test failures exceeded the failure limit.

Created attachment 321686 [details]
Archive of layout-test-results from ews107 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6

Comment on attachment 321681 [details]
WIP, optimisation commented out to test refactoring, and block splitting

Attachment 321681 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/4649236

Number of test failures exceeded the failure limit.

Created attachment 321687 [details]
Archive of layout-test-results from ews112 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment on attachment 321681 [details]
WIP, optimisation commented out to test refactoring, and block splitting

Attachment 321681 [details] did not pass ios-sim-ews (ios-simulator-wk2):
Output: http://webkit-queues.webkit.org/results/4649342

Number of test failures exceeded the failure limit.

Created attachment 321689 [details]
Archive of layout-test-results from ews126 for ios-simulator-wk2

The attached test failures were seen while running run-webkit-tests on the ios-sim-ews.
Bot: ews126  Port: ios-simulator-wk2  Platform: Mac OS X 10.12.6

Created attachment 321826 [details]
WIP, frustrating heisenbug

Comment on attachment 321826 [details]
WIP, frustrating heisenbug

View in context: https://bugs.webkit.org/attachment.cgi?id=321826&action=review

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:83
> +#define VERBOSE_LOG(...) do { \
> +if (Options::verboseDFGByteCodeParsing()) \
> +    dataLog(__VA_ARGS__); \
> +} while (0)

Nit: You could make this 

#define VERBOSE_LOG(...) dataLogIf(Options::verboseDFGByteCodeParsing(), __VA_ARGS__);

Comment on attachment 321826 [details]
WIP, frustrating heisenbug

View in context: https://bugs.webkit.org/attachment.cgi?id=321826&action=review

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1278
> +        for (int i = 0; i < stackEntry->m_codeBlock->m_numVars; ++i)
> +            set(virtualRegisterForLocal(i), undefined, ImmediateNakedSet); // TODO: check that it is still reasonable to do this "ImmediateNakedSet" stuff here.

This is wrong. You need setDirect here and you need to map the virtual register manually

Created attachment 321960 [details]
WIP, some more bugs

Created attachment 321974 [details]
Patch

Created attachment 322070 [details]
WIP, fix another bug

Created attachment 322183 [details]
WIP, more refactoring, probably still buggy

Attachment 322183 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/ChangeLog:29:  Line contains tab character.  [whitespace/tab] [5]
ERROR: Source/JavaScriptCore/ChangeLog:30:  Line contains tab character.  [whitespace/tab] [5]
ERROR: Source/JavaScriptCore/ChangeLog:31:  Line contains tab character.  [whitespace/tab] [5]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1342:  Should have a space between // and comment  [whitespace/comments] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1343:  Weird number of spaces at line-start.  Are you using a 4-space indent?  [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4166:  WTF_CONCAT is incorrectly named. Don't use underscores in your identifier names.  [readability/naming/underscores] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4168:  Should be indented on a separate line, with the colon or comma first on that line.  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4173:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6285:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
Total errors found: 9 in 4 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 322183 [details]
WIP, more refactoring, probably still buggy

Attachment 322183 [details] did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/4697967

New failing tests:
stress/v8-deltablue-strict.js.ftl-eager
v8-v6/v8-deltablue.js.ftl-eager-no-cjit
stress/v8-richards-strict.js.ftl-no-cjit-validate-sampling-profiler
wasm.yaml/wasm/function-tests/stack-overflow.js.default-wasm
stress/spread-calling.js.ftl-no-cjit-no-put-stack-validate
microbenchmarks/delta-blue-try-catch.js.ftl-eager-no-cjit
stress/spread-calling.js.ftl-no-cjit-validate-sampling-profiler
v8-v6/v8-deltablue.js.default
stress/v8-deltablue-strict.js.ftl-no-cjit-b3o1
v8-v6/v8-richards.js.default
microbenchmarks/delta-blue-try-catch.js.ftl-no-cjit-validate-sampling-profiler
stress/v8-deltablue-strict.js.ftl-eager-no-cjit-b3o1
stress/v8-deltablue-strict.js.ftl-no-cjit-validate-sampling-profiler
stress/spread-non-array.js.ftl-eager
stress/v8-richards-strict.js.ftl-no-cjit-no-put-stack-validate
stress/arrowfunction-lexical-bind-arguments-strict.js.ftl-eager-no-cjit-b3o1
v8-v6/v8-deltablue.js.ftl-no-cjit-no-put-stack-validate
stress/const-tdz.js.ftl-eager-no-cjit-b3o1
microbenchmarks/delta-blue-try-catch.js.ftl-eager-no-cjit-b3o1
microbenchmarks/getter-richards.js.default
basic-tests.yaml/stress-test.js.ftl-eager-no-cjit
stress/arrowfunction-lexical-bind-arguments-strict.js.ftl-eager-no-cjit
v8-v6/v8-deltablue.js.ftl-eager
stress/arrowfunction-lexical-bind-arguments-non-strict-2.js.ftl-eager-no-cjit
stress/spread-calling.js.default
stress/v8-richards-strict.js.default
stress/arguments-elimination-varargs-too-many-args-arg-count.js.ftl-eager-no-cjit-b3o1
v8-v6/v8-richards.js.ftl-no-cjit-validate-sampling-profiler
v8-v6/v8-richards.js.ftl-eager
stress/array-copywithin.js.ftl-eager-no-cjit
v8-v6/v8-richards.js.ftl-no-cjit-no-put-stack-validate
stress/v8-deltablue-strict.js.default
cdjs-tests.yaml/main.js.default
v8-v6/v8-deltablue.js.ftl-no-cjit-validate-sampling-profiler
wasm.yaml/wasm/function-tests/memory-access-past-4gib.js.wasm-no-cjit-yes-tls-context
microbenchmarks/deltablue-for-of.js.ftl-eager
microbenchmarks/delta-blue-try-catch.js.ftl-no-cjit-no-put-stack-validate
wasm.yaml/wasm/js-api/export-arity.js.wasm-no-cjit-yes-tls-context
stress/spread-non-array.js.ftl-no-cjit-no-put-stack-validate
stress/arguments-elimination-varargs-too-many-args-arg-count.js.ftl-eager-no-cjit
microbenchmarks/deltablue-for-of.js.ftl-eager-no-cjit
microbenchmarks/fake-iterators-that-throw-when-finished.js.ftl-eager
microbenchmarks/deltablue-for-of.js.ftl-eager-no-cjit-b3o1
stress/const-tdz.js.ftl-eager-no-cjit
stress/arrowfunction-lexical-bind-arguments-non-strict-2.js.ftl-eager-no-cjit-b3o1
stress/v8-deltablue-strict.js.ftl-no-cjit-no-put-stack-validate
microbenchmarks/delta-blue-try-catch.js.ftl-eager
stress/spread-non-array.js.default
basic-tests.yaml/stress-test.js.default
wasm.yaml/wasm/fuzz/export-function.js.wasm-slow-memory
basic-tests.yaml/stress-test.js.ftl-no-cjit
microbenchmarks/fake-iterators-that-throw-when-finished.js.ftl-no-cjit-validate-sampling-profiler
stress/spread-non-array.js.ftl-no-cjit-b3o1
v8-v6/v8-deltablue.js.ftl-eager-no-cjit-b3o1
cdjs-tests.yaml/main.js.ftl-no-cjit
wasm.yaml/wasm/function-tests/stack-overflow.js.wasm-no-cjit-yes-tls-context
microbenchmarks/delta-blue-try-catch.js.ftl-no-cjit-b3o1
v8-v6/v8-deltablue.js.ftl-no-cjit-b3o1
microbenchmarks/fake-iterators-that-throw-when-finished.js.ftl-no-cjit-b3o1
wasm.yaml/wasm/function-tests/stack-overflow.js.wasm-no-call-ic
microbenchmarks/fake-iterators-that-throw-when-finished.js.default
jsc-layout-tests.yaml/js/script-tests/arrowfunction-lexical-bind-arguments-non-strict.js.layout-ftl-eager-no-cjit
stress/lexical-let-tdz.js.ftl-eager-no-cjit
stress/lexical-let-tdz.js.ftl-eager-no-cjit-b3o1
stress/spread-non-array.js.ftl-no-cjit-validate-sampling-profiler
v8-v6/v8-richards.js.ftl-no-cjit-b3o1
stress/spread-calling.js.ftl-no-cjit-b3o1
microbenchmarks/delta-blue-try-catch.js.default
wasm.yaml/wasm/js-api/export-arity.js.default-wasm
wasm.yaml/wasm/function-tests/stack-overflow.js.wasm-slow-memory
stress/v8-richards-strict.js.ftl-no-cjit-b3o1
wasm.yaml/wasm/fuzz/memory.js.wasm-eager-jettison
wasm.yaml/wasm/function-tests/stack-overflow.js.wasm-eager-jettison
stress/const-loop-semantics.js.ftl-eager-no-cjit-b3o1
microbenchmarks/fake-iterators-that-throw-when-finished.js.ftl-no-cjit-no-put-stack-validate
jsc-layout-tests.yaml/js/script-tests/arrowfunction-lexical-bind-arguments-strict.js.layout-ftl-eager-no-cjit
stress/v8-deltablue-strict.js.ftl-eager-no-cjit
stress/spread-non-array.js.ftl-eager-no-cjit-b3o1
wasm.yaml/wasm/js-api/export-arity.js.wasm-slow-memory

Comment on attachment 322183 [details]
WIP, more refactoring, probably still buggy

Attachment 322183 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/4698039

Number of test failures exceeded the failure limit.

Created attachment 322185 [details]
Archive of layout-test-results from ews104 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews104  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6

Comment on attachment 322183 [details]
WIP, more refactoring, probably still buggy

Attachment 322183 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/4698098

New failing tests:
imported/w3c/web-platform-tests/dom/ranges/Range-mutations-dataChange.html
imported/w3c/web-platform-tests/encoding/textdecoder-fatal-single-byte.html
imported/w3c/web-platform-tests/dom/ranges/Range-intersectsNode.html
imported/w3c/web-platform-tests/html/syntax/parsing/named-character-references.html
imported/w3c/web-platform-tests/WebCryptoAPI/generateKey/test_failures.https.html
imported/w3c/web-platform-tests/encoding/textdecoder-labels.html
imported/w3c/web-platform-tests/encoding/api-invalid-label.html
workers/wasm-long-compile.html
imported/w3c/web-platform-tests/html/the-xhtml-syntax/parsing-xhtml-documents/xhtml-mathml-dtd-entity-10.htm

Created attachment 322186 [details]
Archive of layout-test-results from ews112 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews112  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment on attachment 322183 [details]
WIP, more refactoring, probably still buggy

Attachment 322183 [details] did not pass mac-ews (mac):
Output: http://webkit-queues.webkit.org/results/4698189

New failing tests:
imported/w3c/web-platform-tests/dom/ranges/Range-mutations-dataChange.html
imported/w3c/web-platform-tests/dom/ranges/Range-intersectsNode.html
imported/w3c/web-platform-tests/encoding/textdecoder-fatal-single-byte.html
imported/w3c/web-platform-tests/dom/ranges/Range-isPointInRange.html
imported/w3c/web-platform-tests/encoding/textdecoder-labels.html
imported/w3c/web-platform-tests/dom/ranges/Range-mutations.html
imported/w3c/web-platform-tests/html/dom/reflection-grouping.html
imported/w3c/web-platform-tests/html/dom/reflection-misc.html
imported/w3c/web-platform-tests/dom/ranges/Range-compareBoundaryPoints.html
imported/w3c/web-platform-tests/dom/ranges/Range-comparePoint.html
imported/w3c/web-platform-tests/WebCryptoAPI/derive_bits_keys/test_hkdf.https.html
imported/w3c/web-platform-tests/html/dom/reflection-metadata.html
imported/w3c/web-platform-tests/html/dom/reflection-sections.html
imported/w3c/web-platform-tests/WebCryptoAPI/generateKey/test_failures.https.html
imported/w3c/web-platform-tests/encoding/api-invalid-label.html
imported/w3c/web-platform-tests/html/dom/reflection-forms.html
imported/w3c/web-platform-tests/html/dom/reflection-text.html
imported/w3c/web-platform-tests/dom/ranges/Range-set.html
imported/w3c/web-platform-tests/html/dom/reflection-obsolete.html
imported/w3c/web-platform-tests/html/dom/reflection-tabular.html
imported/w3c/web-platform-tests/html/syntax/parsing/named-character-references.html
imported/w3c/web-platform-tests/html/dom/reflection-embedded.html
workers/wasm-long-compile.html
imported/w3c/web-platform-tests/html/the-xhtml-syntax/parsing-xhtml-documents/xhtml-mathml-dtd-entity-10.htm

Created attachment 322187 [details]
Archive of layout-test-results from ews103 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-ews.
Bot: ews103  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Created attachment 322455 [details]
Fix stupid bug in handleInlining, everything optimizing tail calls is commented  out, it should hopefully pass ews tests this time

Attachment 322455 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1342:  Should have a space between // and comment  [whitespace/comments] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1343:  Weird number of spaces at line-start.  Are you using a 4-space indent?  [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4177:  WTF_CONCAT is incorrectly named. Don't use underscores in your identifier names.  [readability/naming/underscores] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4179:  Should be indented on a separate line, with the colon or comma first on that line.  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4184:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6265:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
Total errors found: 6 in 6 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Created attachment 322511 [details]
Known buggy, submitting to EWS to find more failing tests

Attachment 322511 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1342:  Should have a space between // and comment  [whitespace/comments] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1343:  Weird number of spaces at line-start.  Are you using a 4-space indent?  [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4177:  WTF_CONCAT is incorrectly named. Don't use underscores in your identifier names.  [readability/naming/underscores] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4179:  Should be indented on a separate line, with the colon or comma first on that line.  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4184:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6264:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
Total errors found: 6 in 6 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 322511 [details]
Known buggy, submitting to EWS to find more failing tests

Attachment 322511 [details] did not pass jsc-ews (mac):
Output: http://webkit-queues.webkit.org/results/4739483

New failing tests:
stress/arguments-elimination-varargs-too-many-args-arg-count.js.ftl-eager-no-cjit-b3o1
stress/arguments-elimination-varargs-too-many-args-arg-count.js.ftl-eager-no-cjit

Created attachment 322545 [details]
Commented out the buggy splitting of entry block

Attachment 322545 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1313:  Multi line control clauses should use braces.  [whitespace/braces] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1343:  Should have a space between // and comment  [whitespace/comments] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1344:  Weird number of spaces at line-start.  Are you using a 4-space indent?  [whitespace/indent] [3]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4178:  WTF_CONCAT is incorrectly named. Don't use underscores in your identifier names.  [readability/naming/underscores] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4180:  Should be indented on a separate line, with the colon or comma first on that line.  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4185:  Wrong number of spaces before statement. (expected: 12)  [whitespace/indent] [4]
ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6267:  Wrong number of spaces before statement. (expected: 8)  [whitespace/indent] [4]
Total errors found: 7 in 6 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 322545 [details]
Commented out the buggy splitting of entry block

View in context: https://bugs.webkit.org/attachment.cgi?id=322545&action=review

Seems reasonable but there are some things you should clean up.

> Source/JavaScriptCore/ChangeLog:17
> +        - m_linkingTargets is a dictionnary from bytecode indices to BasicBlock*

typo: dictionnary -> dictionary.

> Source/JavaScriptCore/ChangeLog:21
> +        terminal that need to be taken off m_unlinkedBlocks.

typo: needs

> Source/JavaScriptCore/ChangeLog:28
> +        - The 7 and 8 arguments of handleCall were inlined in its 3 arguments version for readability
> +        - The 9 argument version was cleaned up and simplified

I feel like something is wrong when a function has more than 6 arguments... :(

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1236
> +    BasicBlock* blockPtr = block.ptr();

Nit: you could probably drop this line.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1273
> +    Node* callTarget = get(VirtualRegister(pc[2].u.operand));
> +    int argumentCountIncludingThis = pc[3].u.operand;
> +    int registerOffset = -pc[4].u.operand;

It would be great if you gave these names in the BytecodeList.json and used them here.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1325
> +bool ByteCodeParser::handleRecursiveTailCall(Node* callTargetNode, VirtualRegister thisArgument, CallLinkStatus callLinkStatus)
> +{
> +    // We currently only do this optimisation in the simple, non-polymorphic case.
> +    if (callLinkStatus.couldTakeSlowPath() || callLinkStatus.size() != 1)
> +        return false;
> +
> +    auto targetExecutable = callLinkStatus[0].executable();
> +    InlineStackEntry* stackEntry = m_inlineStackTop;
> +    do {
> +        if (targetExecutable != stackEntry->executable())
> +            continue;
> +
> +        VERBOSE_LOG("   We found a recursive tail, optimizing it to a jump to block ", *stackEntry->m_callsiteBlockHead, ".\n");
> +        // TODO: set the arguments to the right value
> +        // TODO: shadow chicken log
> +
> +        // We must also add some check that the profiling information was correct and the target of this call is what we thought
> +        emitFunctionChecks(callLinkStatus[0], callTargetNode, thisArgument);
> +
> +        VERBOSE_LOG("   Repeating the work of op_enter as we are jumping to right after it. \n");
> +        Node* undefined = addToGraph(JSConstant, OpInfo(m_constantUndefined));
> +        // Initialize all locals to undefined.
> +        for (int i = 0; i < stackEntry->m_codeBlock->m_numVars; ++i)
> +            setDirect(stackEntry->remapOperand(virtualRegisterForLocal(i)), undefined, ImmediateSetWithFlush);
> +            // TODO: check that ImmediateSetWithFlush is the right pick here.
> +
> +        Node* jumpNode = addToGraph(Jump);
> +        jumpNode->targetBlock() = stackEntry->m_callsiteBlockHead;
> +        m_currentBlock->didLink();
> +        flushForTerminal();
> +        return true;
> +    } while ((stackEntry = stackEntry->m_caller));
> +
> +    // The tail call was not recursive
> +    return false;

This function isn't used, can you remove it for now?

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1344
> +        //if (op == TailCall && handleRecursiveTailCall(callTarget, thisArgument, callLinkStatus))
> +          //  return Terminal;

Please remove commented code.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2052
> +            // TODO: we should be able to get rid of this somehow.

Make this a FIXME and link a bugzilla.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2080
> +            // TODO: we can avoid this indirection in the case of normal inlined call by passing the continuation block all the way into inlineStackEntry->m_continuationBlock in inlineCall.

ditto.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4252
> +            // to be true. TODO: change this.

Ditto.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:5276
> +            if (m_inlineStackTop->m_returnValue.isValid()) // TODO: understand what happens if it is not.

Ditto.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:5284
> +                // TODO: should there be a special case for when we are returning from the first block? I do not see why, but there was one.

Ditto.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6257
> +    BasicBlock* callsiteBlockHead, // TODO: remove from constructor, since it is set in parseBlock, when dealing with op_enter

Ditto.

> > Source/JavaScriptCore/ChangeLog:28
> > +        - The 7 and 8 arguments of handleCall were inlined in its 3 arguments version for readability
> > +        - The 9 argument version was cleaned up and simplified
> 
> I feel like something is wrong when a function has more than 6 arguments...
> :(

I totally agree, but I saw no easy way to solve this problem, and my refactoring was already pretty big.

> > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1236
> > +    BasicBlock* blockPtr = block.ptr();
> 
> Nit: you could probably drop this line.

I am not sure it would remain correct to refer to block.ptr() after I WTFMove(block).

> > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1273
> > +    Node* callTarget = get(VirtualRegister(pc[2].u.operand));
> > +    int argumentCountIncludingThis = pc[3].u.operand;
> > +    int registerOffset = -pc[4].u.operand;
> 
> It would be great if you gave these names in the BytecodeList.json and used
> them here.

Is there a way to do so that correctly negate the registerOffset, and correctly "get"s the callTarget? If not, I am not sure what to call those before the operands are processed.

Comment on attachment 322545 [details]
Commented out the buggy splitting of entry block

View in context: https://bugs.webkit.org/attachment.cgi?id=322545&action=review

Robin, is the goal of this review to get feedback on the tail loop stuff, or to first check in the refactoring? If the latter, then let's open a new bug with a title for the refactoring.

>> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2052
>> +            // TODO: we should be able to get rid of this somehow.
> 
> Make this a FIXME and link a bugzilla.

What's your conclusion here? I don't vote for a bugzilla unless we know how we'll get rid of this.

>> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:2080
>> +            // TODO: we can avoid this indirection in the case of normal inlined call by passing the continuation block all the way into inlineStackEntry->m_continuationBlock in inlineCall.
> 
> ditto.

Seems like this might be worth just doing.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4292
> +            if (false) {
> +            VERBOSE_LOG("Splitting the entry block for potential recursive tail calls.\n");
> +            Node* jumpNode = addToGraph(Jump);
> +            BasicBlock* newBlock = allocateUntargetableBlock();
> +            jumpNode->targetBlock() = newBlock;
> +            m_currentBlock->didLink();
> +            m_currentBlock = newBlock;
> +            }

What happens when you run this code?

>> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:5276
>> +            if (m_inlineStackTop->m_returnValue.isValid()) // TODO: understand what happens if it is not.
> 
> Ditto.

Going against Keith's ditto here: please don't file a bug on you not fully understanding of the code. I'm like 95% sure this has to do w/ setters, but regardless of that, you just figure out why this happens, and remove the TODO

>> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:5284
>> +                // TODO: should there be a special case for when we are returning from the first block? I do not see why, but there was one.
> 
> Ditto.

Ditto here. This seems like something you need to figure out before landing

>> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6257
>> +    BasicBlock* callsiteBlockHead, // TODO: remove from constructor, since it is set in parseBlock, when dealing with op_enter
> 
> Ditto.

Ditto here. This is something you should either do or remove your TODO

I moved the refactoring part of the patch to https://bugs.webkit.org/show_bug.cgi?id=177922 so that it can be reviewed more easily.

Created attachment 323457 [details]
Patch

Created attachment 323474 [details]
Fixed, this passes all the stress tests, but I want some more testing before asking for review

Attachment 323474 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:215:  The parameter name "stackEntry" adds no information, so it should be removed.  [readability/parameter_name] [5]
Total errors found: 1 in 3 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Benchmark report for Octane on MacBook-Pro-5 (MacBookPro14,3).

VMs tested:
"Baseline" at /Users/rmorisset/Webkit2/OpenSource/WebKitBuild/Baseline/Release/jsc
"TailCall" at /Users/rmorisset/Webkit2/OpenSource/WebKitBuild/TailCall3/Release/jsc

Collected 6 samples per benchmark/VM, with 6 VM invocations per benchmark. Emitted a call to gc()
between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the
jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution
times with 95% confidence intervals in milliseconds.

                            Baseline                  TailCall                                     

encrypt                 0.12516+-0.00200    ?     0.12576+-0.00276       ?
decrypt                 2.20316+-0.02487          2.19586+-0.00988       
deltablue      x2       0.11811+-0.00486          0.11528+-0.00436         might be 1.0245x faster
earley                  0.23454+-0.00292    ?     0.23467+-0.00234       ?
boyer                   4.09504+-0.03587          4.08283+-0.04547       
navier-stokes  x2       4.55212+-0.04389          4.54719+-0.02290       
raytrace       x2       0.63796+-0.01012    !     2.19885+-0.00639       ! definitely 3.4467x slower
richards       x2       0.07406+-0.00089          0.07396+-0.00030       
splay          x2       0.29583+-0.00294          0.29561+-0.00234       
regexp         x2      14.64647+-0.37289    !    15.44706+-0.18671       ! definitely 1.0547x slower
pdfjs          x2      36.56302+-0.18624    ?    36.80115+-0.34733       ?
mandreel       x2      35.58116+-0.36891    ?    35.85318+-0.47004       ?
gbemu          x2      27.57263+-0.34381    ?    27.62819+-0.47350       ?
closure                 0.42556+-0.00235    ?     0.42734+-0.00604       ?
jquery                  5.60274+-0.02243    ?     5.62641+-0.11612       ?
box2d          x2       7.08661+-0.03697    ?     7.10947+-0.09351       ?
zlib           x2     290.65739+-1.10185    ?   291.59003+-3.20236       ?
typescript     x2     582.97498+-17.32713   ?   588.47603+-9.79813       ?

<geometric>             4.34865+-0.01869    !     4.74215+-0.01957       ! definitely 1.0905x slower

So clearly something is very wrong with this patch. Sunspider showed no performance change.

After running a few tests, it is clear that this regression is entirely caused by the splitting of op_enter blocks: in particular it reproduces even if handleRecursiveTailCall is replaced by return false.

Some more things about this performance regression:
- It only shows on Octane/raytrace: neither sun spider, kraken or microbenchmarks have any significant regression (maybe a 1% regression on Kraken, to investigate later)
- It is caused purely by the splitting of entry blocks, not by the actual optimisation
- It persists even when not doing the splitting for functions at the leaves of the call graph (through testing for the emptiness of callLinkInfoMap).
- It persists even when running DFGCFGSimplificationPhase right after the byte code parser (to eliminate unnecessary jumps)
- It does not appear to be located in a single JS function: when attempting to bisect with JSC_bytecodeRangeToDFGCompile, the difference with the baseline progressively shrinks instead of having a cliff somewhere.

Created attachment 323558 [details]
Fixed a horrible design bug, and the performance regression

Benchmark report for Octane on MacBook-Pro-5 (MacBookPro14,3).

VMs tested:
"Baseline" at /Users/rmorisset/Webkit2/OpenSource/WebKitBuild/Baseline/Release/jsc
"Tail" at /Users/rmorisset/Webkit2/OpenSource/WebKitBuild/TailCall3/Release/jsc

Collected 8 samples per benchmark/VM, with 8 VM invocations per benchmark. Emitted a call to gc()
between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the
jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark execution
times with 95% confidence intervals in milliseconds.

                            Baseline                    Tail                                       

encrypt                 0.13207+-0.00161    ?     0.13261+-0.00127       ?
decrypt                 2.34831+-0.04530          2.33041+-0.01246       
deltablue      x2       0.12342+-0.00190    ?     0.12351+-0.00322       ?
earley                  0.24859+-0.00332          0.24785+-0.00275       
boyer                   4.31797+-0.07807          4.28364+-0.03930       
navier-stokes  x2       4.87890+-0.06596          4.84418+-0.05741       
raytrace       x2       0.68536+-0.00741          0.68159+-0.00531       
richards       x2       0.07856+-0.00083    ?     0.07917+-0.00139       ?
splay          x2       0.31365+-0.00953          0.30422+-0.00139         might be 1.0310x faster
regexp         x2      15.52398+-0.16968         15.51919+-0.29346       
pdfjs          x2      39.02238+-0.21603    ?    39.06900+-0.24751       ?
mandreel       x2      38.14925+-0.39561         38.03272+-0.60931       
gbemu          x2      29.17857+-0.55032    ?    29.73977+-1.43515       ? might be 1.0192x slower
closure                 0.45147+-0.00498    ?     0.45274+-0.01029       ?
jquery                  6.08769+-0.12487          6.01421+-0.07787         might be 1.0122x faster
box2d          x2       7.77007+-0.22361          7.56490+-0.05053         might be 1.0271x faster
zlib           x2     306.73149+-3.07770    ?   307.86919+-2.63745       ?
typescript     x2     606.15997+-7.28700        599.21710+-6.84371         might be 1.0116x faster

<geometric>             4.62426+-0.02182          4.60428+-0.01928         might be 1.0043x faster

---------------------

Benchmark report for Kraken on MacBook-Pro-5 (MacBookPro14,3).

VMs tested:
"Baseline" at /Users/rmorisset/Webkit2/OpenSource/WebKitBuild/Baseline/Release/jsc
"Tail" at /Users/rmorisset/Webkit2/OpenSource/WebKitBuild/TailCall3/Release/jsc

Collected 8 samples per benchmark/VM, with 8 VM invocations per benchmark. Emitted a call to gc() between sample
measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used the jsc-specific preciseTime()
function to get microsecond-level timing. Reporting benchmark execution times with 95% confidence intervals in
milliseconds.

                                           Baseline                    Tail                                       

ai-astar                                71.707+-3.284      ?      74.090+-3.158         ? might be 1.0332x slower
audio-beat-detection                    34.792+-0.521      ?      36.688+-3.837         ? might be 1.0545x slower
audio-dft                               85.256+-3.956      ?      86.756+-2.058         ? might be 1.0176x slower
audio-fft                               24.700+-1.414      ?      24.726+-1.062         ?
audio-oscillator                        48.445+-1.414      ?      51.629+-4.553         ? might be 1.0657x slower
imaging-darkroom                        52.437+-1.327      ?      52.996+-1.902         ? might be 1.0107x slower
imaging-desaturate                      45.185+-2.413             44.590+-1.823           might be 1.0134x faster
imaging-gaussian-blur                   57.064+-3.813      ?      58.884+-5.177         ? might be 1.0319x slower
json-parse-financial                    31.760+-2.089             31.531+-1.447         
json-stringify-tinderbox                19.834+-0.519      ?      20.088+-0.547         ? might be 1.0128x slower
stanford-crypto-aes                     34.609+-1.645      ?      35.127+-1.028         ? might be 1.0150x slower
stanford-crypto-ccm                     31.612+-2.898             30.550+-2.354           might be 1.0348x faster
stanford-crypto-pbkdf2                  58.973+-1.840             57.927+-1.497           might be 1.0180x faster
stanford-crypto-sha256-iterative        18.413+-0.292      ?      18.814+-0.720         ? might be 1.0218x slower

<arithmetic>                            43.913+-0.329      ?      44.600+-0.709         ? might be 1.0156x slower

So the regression on raytrace is solved, but there might be a 1.5% slowdown on Kraken.

Attachment 323558 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:215:  The parameter name "stackEntry" adds no information, so it should be removed.  [readability/parameter_name] [5]
ERROR: Source/JavaScriptCore/ChangeLog:12:  Line contains tab character.  [whitespace/tab] [5]
ERROR: Source/JavaScriptCore/ChangeLog:13:  Line contains tab character.  [whitespace/tab] [5]
Total errors found: 3 in 3 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment on attachment 323558 [details]
Fixed a horrible design bug, and the performance regression

View in context: https://bugs.webkit.org/attachment.cgi?id=323558&action=review

> Source/JavaScriptCore/bytecode/PreciseJumpTargets.cpp:68
> +        // We need to insert a jump after op_enter, so recursive tail calls have somewhere to jump to.
> +        // But we only want to pay that price for functions that have at least one tail call.
> +        CallLinkInfoMap map;
> +        codeBlock->getCallLinkInfoMap(map);
> +        for (auto info : map.values()) {
> +            if (info->callMode() == CallMode::Tail) {
> +                out.append(bytecodeOffset + opcodeLengths[op_enter]);
> +                break;
> +            }
> +        }
> +    }

You should just set a bit if a CodeBlock has an op_tail_call in it. You can probably do it in bytecode generator via UnlinkedCodeBlock.

Comment on attachment 323558 [details]
Fixed a horrible design bug, and the performance regression

View in context: https://bugs.webkit.org/attachment.cgi?id=323558&action=review

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1433
> +        if (auto callFrame = stackEntry->m_inlineCallFrame) {

nit: I prefer a type here, or at least, auto* instead of auto.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1436
> +            if (argumentCountIncludingThis != (int) callFrame->argumentCountIncludingThis)

Style: WebKit style uses static_cast instead of C-style casts.

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1465
> +        // We want to emit the SetLocals with a code origin that points to the place we are jumping to.

Nit: "with a code origin" => "with an exit origin"
since the semantic origin won't be there.

Created attachment 323710 [details]
Moved the splitting of op_enter to UnlinkedCodeBlocks, and correctly recognize when it has happened

Attachment 323710 [details] did not pass style-queue:


ERROR: Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:215:  The parameter name "stackEntry" adds no information, so it should be removed.  [readability/parameter_name] [5]
Total errors found: 1 in 7 files


If any of these errors are false positives, please file a bug against check-webkit-style.

We now see an improvement of TailBench9000 but it is rather disappointing:
- n-body-run.js roughly went from 1.05s to 0.95s
- merge-sort-run.js roughly went from 1.40s to 1.10s

I have not yet ran other benchmarks on this last version of the code.

It appears that the optimization currently hurts tier-up from DFG to FTL, I am investigating how to fix it.

Comment on attachment 323710 [details]
Moved the splitting of op_enter to UnlinkedCodeBlocks, and correctly recognize when it has happened

Attachment 323710 [details] did not pass mac-debug-ews (mac):
Output: http://webkit-queues.webkit.org/results/4852670

New failing tests:
http/tests/loading/basic-auth-resend-wrong-credentials.html

Created attachment 323785 [details]
Archive of layout-test-results from ews114 for mac-elcapitan

The attached test failures were seen while running run-webkit-tests on the mac-debug-ews.
Bot: ews114  Port: mac-elcapitan  Platform: Mac OS X 10.11.6

Comment on attachment 323710 [details]
Moved the splitting of op_enter to UnlinkedCodeBlocks, and correctly recognize when it has happened

My experiments with inserting LoopHint have not improved performance so far, so I would like to get this patch landed as is, and make it a separate bug.

The build-bot failure looks very much like a flaky test to me, I don't see how my patch could break layout. Is there a simple way to convince the buildbot to try again? Or should I just resubmit the patch?

(In reply to Robin Morisset from comment #78)
Is there a simple way to convince the
> buildbot to try again? Or should I just resubmit the patch?

I think you just need to re-upload the change unfortunately.

Comment on attachment 323710 [details]
Moved the splitting of op_enter to UnlinkedCodeBlocks, and correctly recognize when it has happened

View in context: https://bugs.webkit.org/attachment.cgi?id=323710&action=review

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1418
> +    // We currently only do this optimisation in the simple, non-polymorphic case.

Maybe add a FIXME with a bugzilla link here since you told me you wanted to do this and you thought it'd be pretty easy?

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1429
> +        BasicBlock** entryBlockPtr = tryBinarySearch<BasicBlock*, unsigned>(stackEntry->m_blockLinkingTargets, stackEntry->m_blockLinkingTargets.size(), OPCODE_LENGTH(op_enter), getBytecodeBeginForBlock);

m_blockLInkingTargets is sorted?

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1480
> +        // It would be unsound to jump over a non-tail call: the "tail" call is not really a tail call in that case.

Please add tests for this since you didn't find any when running the tests with the earlier broken patch. It'd be good to verify your earlier broken version would fail such a test.

Created attachment 324116 [details]
Patch

(In reply to Saam Barati from comment #80)
> Comment on attachment 323710 [details]
> Moved the splitting of op_enter to UnlinkedCodeBlocks, and correctly
> recognize when it has happened
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=323710&action=review
> 
> > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1418
> > +    // We currently only do this optimisation in the simple, non-polymorphic case.
> 
> Maybe add a FIXME with a bugzilla link here since you told me you wanted to
> do this and you thought it'd be pretty easy?

Done

> > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1429
> > +        BasicBlock** entryBlockPtr = tryBinarySearch<BasicBlock*, unsigned>(stackEntry->m_blockLinkingTargets, stackEntry->m_blockLinkingTargets.size(), OPCODE_LENGTH(op_enter), getBytecodeBeginForBlock);
> 
> m_blockLInkingTargets is sorted?

Yes. It was already mentioned in a comment; I added some ASSERTs to allocateTargetableBlock and makeBlockTargetable.

> > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1480
> > +        // It would be unsound to jump over a non-tail call: the "tail" call is not really a tail call in that case.
> 
> Please add tests for this since you didn't find any when running the tests
> with the earlier broken patch. It'd be good to verify your earlier broken
> version would fail such a test.

I added some test, but the buggy code currently appears to be passing the test somehow, I am investigating.

Created attachment 324120 [details]
Patch

Mystery solved: there was yet another bug (!) that was causing this entire code path not to be exercised by the tests for either the buggy or the "fixed" version of the code.

In short, because each code block has a superset of the jump targets, a function with no control-flow was deemed to have no jump targets, even if it had a tail call, inhibiting the splitting of the basic block that includes op_enter.

After fixing this bug, we can now correctly detect the other bugs from previous versions of this patch with the test. I also added another test as I realized that one code path was still not tested. The tests now (hopefully) correctly find wrong code generation; but I do not see how to test that the transformation occurred when it should.

Comment on attachment 324120 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=324120&action=review

r=me with a few comments.

> Source/JavaScriptCore/bytecode/CodeBlock.h:928
> +    bool hasTailCalls() const {return m_unlinkedCode->hasTailCalls();}

style nit: this should be written as:
{ return m_unlinkedCode->hasTailCalls(); }
for the spacing to follow webkit style

> Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:1321
> +    // We must add the end of op_enter as a potential jump target, because the bytecode parser may decide to split its basic block
> +    // to have somewhere to jump to if there is a recursive tail-call that points to this function.
> +    m_codeBlock->addJumpTarget(instructions().size());
> +    // This disables peephole optimizations when an instruction is a jump target
> +    m_lastOpcodeID = op_end;

Is it worth just emitting a label since that will do this work for us? Or should we keep this as is?

> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1469
> +        // We jump right after it and not before it, because of some invariant saying that an OSR entry point cannot have predecessors in the IR.

This is not an accurate comment. The invariant is that a root in the CFG cannot have a predecessor. An OSR entrypoint *can* have predecessors. For example, loops are often OSR entry points. FWIW, we could totally jump to op_enter, we'd just need to split before op_enter, not after. This may be awkward. I'm totally OK with how you've implemented it.

(In reply to Saam Barati from comment #85)
> Comment on attachment 324120 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=324120&action=review
> 
> r=me with a few comments.
> 
> > Source/JavaScriptCore/bytecode/CodeBlock.h:928
> > +    bool hasTailCalls() const {return m_unlinkedCode->hasTailCalls();}
> 
> style nit: this should be written as:
> { return m_unlinkedCode->hasTailCalls(); }
> for the spacing to follow webkit style


Done

> > Source/JavaScriptCore/bytecompiler/BytecodeGenerator.cpp:1321
> > +    // We must add the end of op_enter as a potential jump target, because the bytecode parser may decide to split its basic block
> > +    // to have somewhere to jump to if there is a recursive tail-call that points to this function.
> > +    m_codeBlock->addJumpTarget(instructions().size());
> > +    // This disables peephole optimizations when an instruction is a jump target
> > +    m_lastOpcodeID = op_end;
> 
> Is it worth just emitting a label since that will do this work for us? Or
> should we keep this as is?

That was my first idea. The problem is that we would then have a Ref<Label> with nowhere to put it. It is not a serious problem, it just felt wrong to allocate data that we would never even read back before freeing it. I can change it back if you prefer.

> > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1469
> > +        // We jump right after it and not before it, because of some invariant saying that an OSR entry point cannot have predecessors in the IR.
> 
> This is not an accurate comment. The invariant is that a root in the CFG
> cannot have a predecessor. An OSR entrypoint *can* have predecessors. For
> example, loops are often OSR entry points. FWIW, we could totally jump to
> op_enter, we'd just need to split before op_enter, not after. This may be
> awkward. I'm totally OK with how you've implemented it.

Thanks for the comment, will fix.

Created attachment 324216 [details]
Patch

This should finally be finished.
Diff with the previous version of the patch:
- Applied both of Saam's comments
- Added more tests, and slight refactoring of the tests.
- Added one RELEASE_ASSERT instead of silently failing if for whatever reason the op_enter block is not split when we are expecting it to be.

Comment on attachment 324216 [details]
Patch

Clearing flags on attachment: 324216

Committed r223691: <https://trac.webkit.org/changeset/223691>

All reviewed patches have been landed.  Closing bug.

Regression in bug #178543

Re-opened since this is blocked by bug 178834

This patch broke Speedometer 2's React-Redux-TodoMVC test case.
To reproduce,

1. Go to http://browserbench.org/Speedometer2.0/InteractiveRunner.html
2. Click on "Unselect all"
3. Select "React-Redux-TodoMVC"
4. Click on "Run"

Open Web Inspector and observe that there is an exception being thrown.

You have to close the inspector & reload the page before running it again since the bug doesn't reproduce when Web Inspector is open.

Thanks for the bug report, I am looking into it.

Here is what I have found about it so far:
- The bug appears deep within React code, taken from http://browserbench.org/Speedometer2.0/resources/todomvc/architecture-examples/react-redux/dist/index.html (sadly partially minified).
- The bug is that "this" is apparently undefined in "this.moveChild", in _updateChildren in that file.
- _updateChildren appears many times in the stack trace, but it does not appear to make any tail call so it should not be optimized.
- The bug disappear if we refuse to make jumps to inlined functions, or if we refuse to make jumps across levels of the inline stack stack. So it is a case where we are creating a jump from one inlined function to another (higher in the call stack).
- The bug does not disappear if I disable the optimization when the number of arguments is different from the number of parameters of the relevant code block (for inlined frames).
- It reproduces fine with JSC_useConcurrentJIT=0
- Removing the repetition of op_enter does not make the bug disappear change.
- Removing the setting of extra parameters to undefined also does not make the bug disappear or change.

*** Bug 178592 has been marked as a duplicate of this bug. ***

Created attachment 325457 [details]
WIP, for sharing with Saam

Created attachment 326343 [details]
Patch for landing

Because of how tricky it was to write a minimized regression test, and speedometer provides some protection against regression, I decided to reland this patch with the fix described in https://bugs.webkit.org/show_bug.cgi and no extra test.

I marked it r=sbarati as we discussed this together.

*** Bug 178834 has been marked as a duplicate of this bug. ***

Comment on attachment 326343 [details]
Patch for landing

Clearing flags on attachment: 326343

Committed r224592: <https://trac.webkit.org/changeset/224592>

All reviewed patches have been landed.  Closing bug.

Collected 10 samples per benchmark/VM, with 10 VM invocations per benchmark. Emitted a call to
gc() between sample measurements. Used 1 benchmark iteration per VM invocation for warm-up. Used
the jsc-specific preciseTime() function to get microsecond-level timing. Reporting benchmark
execution times with 95% confidence intervals in milliseconds.

                         Baseline                  TailCall

n-body              837.5192+-2.5306     ^    742.2701+-2.1430        ^ definitely 1.1283x faster
merge-sort          597.9785+-5.6828     ^    521.2900+-3.2286        ^ definitely 1.1471x faster
bf-interpreter      478.1371+-4.7080     ^    334.9072+-1.8962        ^ definitely 1.4277x faster

<geometric>         620.9622+-3.5729     ^    506.0356+-1.2795        ^ definitely 1.2271x faster

No visible change on other benchmarks that I've tested.

<rdar://problem/35556442>