Bug 181134 - [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
Summary: [DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int3...
Status: REOPENED
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on: 181322
Blocks: 181164 181292
  Show dependency treegraph
 
Reported: 2017-12-22 14:00 PST by Yusuke Suzuki
Modified: 2018-01-09 15:58 PST (History)
10 users (show)

See Also:

Attachments
Patch (37.53 KB, patch)
2017-12-22 14:06 PST, Yusuke Suzuki 		no flags Details | Formatted Diff | Diff
Patch (41.07 KB, patch)
2017-12-22 14:45 PST, Yusuke Suzuki 		no flags Details | Formatted Diff | Diff
Patch (41.25 KB, patch)
2017-12-22 14:53 PST, Yusuke Suzuki 		no flags Details | Formatted Diff | Diff
Archive of layout-test-results from ews107 for mac-elcapitan-wk2 (2.63 MB, application/zip)
2017-12-22 16:15 PST, EWS Watchlist 		no flags Details
Patch (41.23 KB, patch)
2017-12-26 10:59 PST, Yusuke Suzuki 		no flags Details | Formatted Diff | Diff
Patch (41.58 KB, patch)
2017-12-26 11:13 PST, Yusuke Suzuki 		mark.lam: review+
Details | Formatted Diff | Diff
Partial test results (428.10 KB, application/x-xz)
2018-01-04 13:30 PST, Guillaume Emont 		no flags Details
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Yusuke Suzuki 2017-12-22 14:00:04 PST 
[DFG] Unify ToNumber implementation in 32bit and 64bit by changing 32bit Int32Tag and LowestTag
Comment 1 Yusuke Suzuki 2017-12-22 14:06:02 PST 
Created attachment 330143 [details]
Patch
Comment 2 Yusuke Suzuki 2017-12-22 14:45:12 PST 
Created attachment 330145 [details]
Patch
Comment 3 Yusuke Suzuki 2017-12-22 14:53:51 PST 
Created attachment 330147 [details]
Patch
Comment 4 EWS Watchlist 2017-12-22 16:15:36 PST 
Comment on attachment 330147 [details]
Patch

Attachment 330147 [details] did not pass mac-wk2-ews (mac-wk2):
Output: http://webkit-queues.webkit.org/results/5806635

New failing tests:
imported/w3c/web-platform-tests/service-workers/service-worker/register-same-scope-different-script-url.https.html
Comment 5 EWS Watchlist 2017-12-22 16:15:37 PST 
Created attachment 330153 [details]
Archive of layout-test-results from ews107 for mac-elcapitan-wk2

The attached test failures were seen while running run-webkit-tests on the mac-wk2-ews.
Bot: ews107  Port: mac-elcapitan-wk2  Platform: Mac OS X 10.11.6
Comment 6 Yusuke Suzuki 2017-12-26 10:59:23 PST 
Created attachment 330201 [details]
Patch
Comment 7 Yusuke Suzuki 2017-12-26 11:13:40 PST 
Created attachment 330202 [details]
Patch
Comment 8 Guillaume Emont 2017-12-26 15:36:33 PST 
If it can wait until then, I'd be happy to try the patch on mips next week. If not, the test bot will after landing ;).
Comment 9 Zan Dobersek 2017-12-27 22:57:47 PST 
Doesn't regress anything on ARMv7, I suppose it shouldn't on MIPS either.
Comment 10 Yusuke Suzuki 2018-01-04 08:05:20 PST 
(In reply to Zan Dobersek from comment #9)
> Doesn't regress anything on ARMv7, I suppose it shouldn't on MIPS either.

Great!
Comment 11 Guillaume Emont 2018-01-04 08:46:00 PST 
I just launched the tests on mips with this patch, I'll report back in about 7 hours.
Comment 12 Mark Lam 2018-01-04 10:59:12 PST 
Comment on attachment 330202 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=330202&action=review

r=me with fixes.

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2647
> -            JITCompiler::Jump isNumber = m_jit.branch32(JITCompiler::Below, op1TagGPR, JITCompiler::TrustedImm32(JSValue::LowestTag + 1));
> +            JITCompiler::Jump isDouble = m_jit.branch32(JITCompiler::Below, op1TagGPR, JITCompiler::TrustedImm32(JSValue::LowestTag));

Nice.  Looks like you fixed a bug here.  The old code should have compared against LowestTag instead of LowestTag + 1.

> Source/JavaScriptCore/jit/AssemblyHelpers.h:788
>      // Note that the tempGPR is not used in 64-bit mode.

Please remove this obsolete comment.

> Source/JavaScriptCore/jit/AssemblyHelpers.h:808
>      // Note that the tempGPR is not used in 64-bit mode.

Please remove this obsolete comment.

> Source/JavaScriptCore/llint/LowLevelInterpreter32_64.asm:1499
>  .opPutByIdTypeCheckNumber:
> -    bib t2, LowestTag + 1, .opPutByIdDoneCheckingTypes
> +    bibeq t2, LowestTag, .opPutByIdDoneCheckingTypes

Nice. Looks like you fixed a bug here.

I think the 2 checks that precedes this check can be eliminated i.e. replace:

    # We are either Int32 or Number.
    bieq t1, PutByIdSecondaryTypeNumber, .opPutByIdTypeCheckNumber

    bieq t2, Int32Tag, .opPutByIdDoneCheckingTypes
    jmp .opPutByIdSlow

.opPutByIdTypeCheckNumber:
   bibeq t2, LowestTag, .opPutByIdDoneCheckingTypes

... with:
   bibeq t2, LowestTag, .opPutByIdDoneCheckingTypes

Please take a second look if that is true.
Comment 13 Guillaume Emont 2018-01-04 13:25:14 PST 
Tests are still running on MIPS, but I seem to get a lot of assertion failures.
For instance (reproduced by hand for clarity):

# .vm/JavaScriptCore.framework/Resources/jsc .tests/ChakraCore.yaml/ChakraCore/t
est/JSON/syntaxError.js 
ASSERTION FAILED: size == this->size()
../../Source/JavaScriptCore/heap/IsoSubspace.cpp(65) : void* JSC::IsoSubspace::allocateNonVirtual(size_t, JSC::GCDeferralContext*, JSC::AllocationFailureMode)
Bus error
Comment 14 Guillaume Emont 2018-01-04 13:30:08 PST 
Created attachment 330484 [details]
Partial test results

I am attaching the partial results of the ongoing test run with the patch, which include thousands of bus errors, which I think might all be assertion errors.
Comment 15 Yusuke Suzuki 2018-01-04 19:46:12 PST 
(In reply to Guillaume Emont from comment #14)
> Created attachment 330484 [details]
> Partial test results
> 
> I am attaching the partial results of the ongoing test run with the patch,
> which include thousands of bus errors, which I think might all be assertion
> errors.

Hmm, I think this is not directly related to this patch.
I've just built x86 32bit debug build on my Mac and I cannot reproduce it.
I'll land this patch and watch the results in the bot.

Could you try the debug build without this patch?
I guess this assertion is introduced before this patch.
Comment 16 Yusuke Suzuki 2018-01-04 20:15:56 PST 
Committed r226434: <https://trac.webkit.org/changeset/226434>
Comment 17 Radar WebKit Bug Importer 2018-01-04 20:16:36 PST 
<rdar://problem/36312629>
Comment 18 Guillaume Emont 2018-01-04 22:02:49 PST 
oops, indeed, get the same issue without the patch, will need to figure out what it is.
Comment 19 WebKit Commit Bot 2018-01-05 00:23:48 PST 
Re-opened since this is blocked by bug 181322
Comment 20 Guillaume Emont 2018-01-09 09:44:54 PST 
What are the test failures on 32-bit?
Comment 21 Guillaume Emont 2018-01-09 15:58:04 PST 
(In reply to Guillaume Emont from comment #20)
> What are the test failures on 32-bit?

I just ran the tests on mips with the patch, and I got 0 test failure.