NEW 181310
Don't unconditionally lower op_inc to ArithAdd in the BytecodeParser 
https://bugs.webkit.org/show_bug.cgi?id=181310
Summary Don't unconditionally lower op_inc to ArithAdd in the BytecodeParser
Saam Barati
Reported 2018-01-04 15:11:05 PST
Otherwise we'll have an OSR exit loop when the input isn't of some specific set of types. For example, if the input is a string, it'll OSR exit in a loop.
Attachments
patch (2.99 KB, patch)
2018-01-04 15:51 PST, Saam Barati 		saam: review-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Saam Barati
Comment 1 2018-01-04 15:51:49 PST
Created attachment 330499 [details] patch
Filip Pizlo
Comment 2 2018-01-04 15:53:17 PST
Comment on attachment 330499 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=330499&action=review > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4574 > - set(srcDstVirtualRegister, makeSafe(addToGraph(ArithAdd, op, addToGraph(JSConstant, OpInfo(m_constantOne))))); > + if (op->hasNumberResult()) > + set(srcDstVirtualRegister, makeSafe(addToGraph(ArithAdd, op, addToGraph(JSConstant, OpInfo(m_constantOne))))); > + else > + set(srcDstVirtualRegister, makeSafe(addToGraph(ValueAdd, op, addToGraph(JSConstant, OpInfo(m_constantOne))))); Why not unconditionally lower to ValueAdd and let prediction/fixup figure it out?
JF Bastien
Comment 3 2018-01-04 15:53:44 PST
Comment on attachment 330499 [details] patch r=me
Saam Barati
Comment 4 2018-01-04 15:56:59 PST
Comment on attachment 330499 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=330499&action=review >> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4574 >> + set(srcDstVirtualRegister, makeSafe(addToGraph(ValueAdd, op, addToGraph(JSConstant, OpInfo(m_constantOne))))); > > Why not unconditionally lower to ValueAdd and let prediction/fixup figure it out? That's what I originally thought as well. I decided to just follow what op_add does though. I think we should either change both or keep this as is.
Saam Barati
Comment 5 2018-01-04 16:14:51 PST
Comment on attachment 330499 [details] patch View in context: https://bugs.webkit.org/attachment.cgi?id=330499&action=review >>> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:4574 >>> + if (op->hasNumberResult()) >>> + set(srcDstVirtualRegister, makeSafe(addToGraph(ArithAdd, op, addToGraph(JSConstant, OpInfo(m_constantOne))))); >>> + else >>> + set(srcDstVirtualRegister, makeSafe(addToGraph(ValueAdd, op, addToGraph(JSConstant, OpInfo(m_constantOne))))); >> >> Why not unconditionally lower to ValueAdd and let prediction/fixup figure it out? > > That's what I originally thought as well. I decided to just follow what op_add does though. I think we should either change both or keep this as is. Oh wow, I think my code is horribly wrong. This will make: let x = "foo"; x++; have x === "foo1" at the end! Obviously I need something else here.
Saam Barati
Comment 6 2018-01-04 16:40:59 PST
This isn't super high priority. I'll get back to it at some point.
Note You need to log in before you can comment on or make changes to this bug.