RESOLVED FIXED 229229
[JSC] Polymorphic PutByVal 
https://bugs.webkit.org/show_bug.cgi?id=229229
Summary [JSC] Polymorphic PutByVal
Yusuke Suzuki
Reported 2021-08-17 23:31:57 PDT
[JSC] Polymorphic PutByVal
Attachments
Patch (262.39 KB, patch)
2021-08-17 23:32 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (267.53 KB, patch)
2021-08-18 12:26 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (267.56 KB, patch)
2021-08-18 15:15 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (268.23 KB, patch)
2021-08-18 16:33 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (268.31 KB, patch)
2021-08-18 19:27 PDT, Yusuke Suzuki 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (268.35 KB, patch)
2021-08-18 19:31 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (283.69 KB, patch)
2021-08-18 22:54 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (283.68 KB, patch)
2021-08-19 01:48 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (279.48 KB, patch)
2021-08-20 18:15 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (289.33 KB, patch)
2021-08-21 04:59 PDT, Yusuke Suzuki 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (289.35 KB, patch)
2021-08-21 05:09 PDT, Yusuke Suzuki 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (289.23 KB, patch)
2021-08-21 05:15 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (289.84 KB, patch)
2021-08-23 00:14 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (289.24 KB, patch)
2021-08-23 01:04 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (296.05 KB, patch)
2021-08-23 01:33 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (300.63 KB, patch)
2021-08-23 02:57 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (300.67 KB, patch)
2021-08-23 03:09 PDT, Yusuke Suzuki 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (300.67 KB, patch)
2021-08-23 03:19 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (323.63 KB, patch)
2021-08-23 20:02 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (323.95 KB, patch)
2021-08-24 09:18 PDT, Yusuke Suzuki 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (324.20 KB, patch)
2021-08-24 09:40 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (323.56 KB, patch)
2021-08-24 15:00 PDT, Yusuke Suzuki 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (323.61 KB, patch)
2021-08-24 15:13 PDT, Yusuke Suzuki 		ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (323.43 KB, patch)
2021-08-24 15:25 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (338.20 KB, patch)
2021-08-25 14:05 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Patch (338.20 KB, patch)
2021-08-25 14:47 PDT, Yusuke Suzuki 		saam: review+
ews-feeder: commit-queue-
DetailsFormatted DiffDiff
Patch (338.45 KB, patch)
2021-08-25 21:26 PDT, Yusuke Suzuki 		no flags
DetailsFormatted DiffDiff
Show Obsolete (25) View All Add attachment proposed patch, testcase, etc.
Yusuke Suzuki
Comment 1 2021-08-17 23:32:33 PDT
Created attachment 435749 [details] Patch
Yusuke Suzuki
Comment 2 2021-08-18 12:26:32 PDT
Created attachment 435789 [details] Patch
Yusuke Suzuki
Comment 3 2021-08-18 15:15:38 PDT
Created attachment 435804 [details] Patch
Yusuke Suzuki
Comment 4 2021-08-18 16:33:38 PDT
Created attachment 435816 [details] Patch
Yusuke Suzuki
Comment 5 2021-08-18 19:27:50 PDT
Created attachment 435827 [details] Patch
Yusuke Suzuki
Comment 6 2021-08-18 19:31:38 PDT
Created attachment 435828 [details] Patch
Yusuke Suzuki
Comment 7 2021-08-18 22:54:42 PDT
Created attachment 435846 [details] Patch
Yusuke Suzuki
Comment 8 2021-08-19 01:48:42 PDT
Created attachment 435856 [details] Patch
Yusuke Suzuki
Comment 9 2021-08-20 18:15:41 PDT
Created attachment 436051 [details] Patch
Yusuke Suzuki
Comment 10 2021-08-21 04:59:46 PDT
Created attachment 436069 [details] Patch
Yusuke Suzuki
Comment 11 2021-08-21 05:09:49 PDT
Created attachment 436070 [details] Patch
Yusuke Suzuki
Comment 12 2021-08-21 05:15:48 PDT
Created attachment 436071 [details] Patch
Yusuke Suzuki
Comment 13 2021-08-23 00:14:02 PDT
Created attachment 436154 [details] Patch
Yusuke Suzuki
Comment 14 2021-08-23 01:04:17 PDT
Created attachment 436158 [details] Patch
Yusuke Suzuki
Comment 15 2021-08-23 01:33:02 PDT
Created attachment 436163 [details] Patch
Yusuke Suzuki
Comment 16 2021-08-23 02:57:55 PDT
Created attachment 436174 [details] Patch
Yusuke Suzuki
Comment 17 2021-08-23 03:09:42 PDT
Created attachment 436176 [details] Patch
Yusuke Suzuki
Comment 18 2021-08-23 03:19:12 PDT
Created attachment 436177 [details] Patch
Yusuke Suzuki
Comment 19 2021-08-23 20:02:26 PDT
Created attachment 436260 [details] Patch
Yusuke Suzuki
Comment 20 2021-08-24 09:18:20 PDT
Created attachment 436294 [details] Patch
Yusuke Suzuki
Comment 21 2021-08-24 09:40:59 PDT
Created attachment 436296 [details] Patch
Yusuke Suzuki
Comment 22 2021-08-24 15:00:51 PDT
Created attachment 436337 [details] Patch
Yusuke Suzuki
Comment 23 2021-08-24 15:13:39 PDT
Created attachment 436338 [details] Patch
Yusuke Suzuki
Comment 24 2021-08-24 15:25:01 PDT
Created attachment 436341 [details] Patch
Radar WebKit Bug Importer
Comment 25 2021-08-24 23:32:19 PDT
<rdar://problem/82327133>
Yusuke Suzuki
Comment 26 2021-08-25 14:05:33 PDT
Created attachment 436423 [details] Patch
Yusuke Suzuki
Comment 27 2021-08-25 14:47:44 PDT
Created attachment 436429 [details] Patch
Saam Barati
Comment 28 2021-08-25 19:45:15 PDT
Comment on attachment 436429 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=436429&action=review Nice. r=me with a few comments. > Source/JavaScriptCore/bytecode/AccessCase.cpp:1068 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) assert it's invalidGPR? > Source/JavaScriptCore/bytecode/AccessCase.cpp:1170 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > + allocator.lock(stubInfo.m_arrayProfileGPR); assert it's invalidGPR? > Source/JavaScriptCore/bytecode/AccessCase.cpp:1257 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > + allocator.lock(stubInfo.m_arrayProfileGPR); assert it's invalidGPR? > Source/JavaScriptCore/bytecode/AccessCase.cpp:1492 > + failAndIgnore.append(jit.branchIfNaN(state.scratchFPR)); Why ignore? Shouldn't this be a case to repatch, since we're not storing int32? Or maybe we expect this particular array to get transitioned into something more general, so we can kind of ignore the likelihood of this? I guess I'm just worried about the case where we see a lot of non numbers in practice? Like, say we started off with profiling a single number case, but then we ended up with many things that are never numbers, we'll never end up repatching. Not sure what the right approach is, but it's worth considering if we should do something else here. > Source/JavaScriptCore/bytecode/AccessCase.cpp:1505 > + failAndIgnore.append(jit.branchIfNotInt32(valueRegs)); ditto regarding repatching vs not repatching. > Source/JavaScriptCore/bytecode/AccessCase.cpp:1573 > + state.failAndIgnore.append(jit.branchIfNotInt32(valueRegs)); ditto about repatching or ignoring. > Source/JavaScriptCore/bytecode/AccessCase.cpp:1582 > + state.failAndIgnore.append(jit.branchIfNotNumber(valueRegs.payloadGPR())); ditto > Source/JavaScriptCore/bytecode/AccessCase.cpp:1594 > + state.failAndRepatch.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, scratchGPR)); we fail and repatch here, but ignore the case for normal arrays when we go OOB past vector length. Is that intentional? > Source/JavaScriptCore/bytecode/AccessCase.cpp:2434 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > + allocator.lock(stubInfo.m_arrayProfileGPR); Assert invalidGPR? > Source/JavaScriptCore/bytecode/GetterSetterAccessCase.cpp:145 > + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > + allocator.lock(stubInfo.m_arrayProfileGPR); assert is invalidGPR? > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6475 > + tryCompileAsPutByOffset = true; let's rename this to "compiledAsPutPrivateNameById" > Source/JavaScriptCore/jit/Repatch.cpp:899 > + GCSafeConcurrentJSLocker locker(codeBlock->m_lock, globalObject->vm().heap); small nit: Maybe grab lock below the if and switches, since some cases return?
Yusuke Suzuki
Comment 29 2021-08-25 21:26:37 PDT
Created attachment 436464 [details] Patch Patch for landing
Yusuke Suzuki
Comment 30 2021-08-25 22:58:38 PDT
Comment on attachment 436429 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=436429&action=review >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1068 >> + if (stubInfo.m_arrayProfileGPR != InvalidGPRReg) > > assert it's invalidGPR? Changed. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1170 >> + allocator.lock(stubInfo.m_arrayProfileGPR); > > assert it's invalidGPR? Changed. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1257 >> + allocator.lock(stubInfo.m_arrayProfileGPR); > > assert it's invalidGPR? Changed. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1492 >> + failAndIgnore.append(jit.branchIfNaN(state.scratchFPR)); > > Why ignore? Shouldn't this be a case to repatch, since we're not storing int32? Or maybe we expect this particular array to get transitioned into something more general, so we can kind of ignore the likelihood of this? > > I guess I'm just worried about the case where we see a lot of non numbers in practice? Like, say we started off with profiling a single number case, but then we ended up with many things that are never numbers, we'll never end up repatching. Not sure what the right approach is, but it's worth considering if we should do something else here. Changed to failAndRepatch. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1505 >> + failAndIgnore.append(jit.branchIfNotInt32(valueRegs)); > > ditto regarding repatching vs not repatching. Changed to failAndRepatch. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1573 >> + state.failAndIgnore.append(jit.branchIfNotInt32(valueRegs)); > > ditto about repatching or ignoring. Changed to failAndRepatch. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1582 >> + state.failAndIgnore.append(jit.branchIfNotNumber(valueRegs.payloadGPR())); > > ditto Changed to failAndRepatch. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:1594 >> + state.failAndRepatch.append(jit.branch32(CCallHelpers::AboveOrEqual, propertyGPR, scratchGPR)); > > we fail and repatch here, but ignore the case for normal arrays when we go OOB past vector length. Is that intentional? Discussed with Saam at Slack. We will continue using failAndRepatch since OOB TypedArray access case should soon get the slow path. >> Source/JavaScriptCore/bytecode/AccessCase.cpp:2434 >> + allocator.lock(stubInfo.m_arrayProfileGPR); > > Assert invalidGPR? Changed. >> Source/JavaScriptCore/bytecode/GetterSetterAccessCase.cpp:145 >> + allocator.lock(stubInfo.m_arrayProfileGPR); > > assert is invalidGPR? Changed. >> Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:6475 >> + tryCompileAsPutByOffset = true; > > let's rename this to "compiledAsPutPrivateNameById" Changed. >> Source/JavaScriptCore/jit/Repatch.cpp:899 >> + GCSafeConcurrentJSLocker locker(codeBlock->m_lock, globalObject->vm().heap); > > small nit: Maybe grab lock below the if and switches, since some cases return? Fixed!
Yusuke Suzuki
Comment 31 2021-08-26 00:39:11 PDT
Committed r281615 (240971@main): <https://commits.webkit.org/240971@main>
Yusuke Suzuki
Comment 32 2021-08-26 22:48:27 PDT
*** Bug 203866 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.