Bug 198229 - JITOperations getByVal should mark negative array indices as out-of-bounds
Summary: JITOperations getByVal should mark negative array indices as out-of-bounds
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Tadeu Zagallo
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2019-05-24 13:39 PDT by Tadeu Zagallo
Modified: 2019-05-25 20:47 PDT (History)
10 users (show)

See Also:

Attachments
Patch (4.11 KB, patch)
2019-05-24 13:59 PDT, Tadeu Zagallo 		no flags Details | Formatted Diff | Diff
Patch for landing (4.43 KB, patch)
2019-05-25 00:55 PDT, Tadeu Zagallo 		no flags Details | Formatted Diff | Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Tadeu Zagallo 2019-05-24 13:39:37 PDT 
...
Comment 1 Tadeu Zagallo 2019-05-24 13:59:44 PDT 
Created attachment 370586 [details]
Patch
Comment 2 Saam Barati 2019-05-24 15:35:51 PDT 
Comment on attachment 370586 [details]
Patch

Nice. r=me
Comment 3 Saam Barati 2019-05-24 15:36:22 PDT 
Comment on attachment 370586 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=370586&action=review

> Source/JavaScriptCore/ChangeLog:10
> +        but baseline doesn't mark it as out-of-bounds, since it only considers positive indices. This
> +        leads to discarding DFG code, recompiling it and exiting at the same bytecode.

Can you quote where in JS2 you found this w/ the expected speedup?
Comment 4 Tadeu Zagallo 2019-05-25 00:55:56 PDT 
Created attachment 370630 [details]
Patch for landing
Comment 5 Tadeu Zagallo 2019-05-25 01:01:05 PDT 
I think I might have messed up the measurements, let me double-check it before landing.
Comment 6 WebKit Commit Bot 2019-05-25 02:25:31 PDT 
Comment on attachment 370630 [details]
Patch for landing

Clearing flags on attachment: 370630

Committed r245769: <https://trac.webkit.org/changeset/245769>
Comment 7 WebKit Commit Bot 2019-05-25 02:25:33 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 8 Radar WebKit Bug Importer 2019-05-25 02:26:18 PDT 
<rdar://problem/51134153>
Comment 9 Saam Barati 2019-05-25 07:50:47 PDT 
(In reply to Tadeu Zagallo from comment #5)
> I think I might have messed up the measurements, let me double-check it
> before landing.

I was interested in how much faster the individual test gets. IIRC, on IRC, you said something like 5%-10%. I wouldn’t expect 5% on an individual test to show up as a measurable overall progression. When I make changes like this, I like to quote the impact on both the individual JS2 test and on the microbenchmark
Comment 10 Tadeu Zagallo 2019-05-25 09:28:06 PDT 
(In reply to Saam Barati from comment #9)
> (In reply to Tadeu Zagallo from comment #5)
> > I think I might have messed up the measurements, let me double-check it
> > before landing.
> 
> I was interested in how much faster the individual test gets. IIRC, on IRC,
> you said something like 5%-10%. I wouldn’t expect 5% on an individual test
> to show up as a measurable overall progression. When I make changes like
> this, I like to quote the impact on both the individual JS2 test and on the
> microbenchmark

Oops, my bad, will keep that in mind going forward. FWIW, it looks like a ~10% progression in prepack-wtb (which I'm a bit skeptical of, since the function wasn't that hot) and the microbenchmark is ~4% faster, but is within the noise (maybe it wasn't a great microbenchmark after all...)
Comment 11 Yusuke Suzuki 2019-05-25 20:47:49 PDT 
Nice! Seems that on iOS devices it gets 1-3% improvement in JetStream2/uglify-js-wtb