229412 – compileEnumeratorHasProperty uses flushRegisters incorrectly

Bug 229412 - compileEnumeratorHasProperty uses flushRegisters incorrectly

Summary: compileEnumeratorHasProperty uses flushRegisters incorrectly

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	JavaScriptCore (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Saam Barati

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2021-08-23 11:15 PDT by Saam Barati
Modified:	2021-08-24 09:54 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
patch (5.40 KB, patch) 2021-08-23 11:38 PDT, Saam Barati	ews-feeder: commit-queue-	Details \| Formatted Diff \| Diff
patch (3.61 KB, patch) 2021-08-23 12:13 PDT, Saam Barati	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Saam Barati 2021-08-23 11:15:15 PDT

...

Comment 1 Saam Barati 2021-08-23 11:17:39 PDT

<rdar://82020767>

Comment 2 Saam Barati 2021-08-23 11:38:44 PDT

Created attachment 436214 [details]
patch

Comment 3 Keith Miller 2021-08-23 11:49:48 PDT

Comment on attachment 436214 [details]
patch

View in context: https://bugs.webkit.org/attachment.cgi?id=436214&action=review

> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:13723
> +        addSlowPathGenerator(slowPathCall(slowCase, this, slowPathFunction, resultRegs, TrustedImmPtr::weakPointer(m_graph, m_graph.globalObjectFor(node->origin.semantic)), baseRegs, propertyNameRegs, indexGPR, modeGPR));

I don't think this is really a slow path. For example, in an indexed for-in loop you'll always take this call. Maybe this should be a silent spill/fill or flush? If you do change it to silent spill/fill can you also fix compileEnumeratorNextUpdatePropertyName to do the same.

Comment 4 Saam Barati 2021-08-23 12:13:24 PDT

Created attachment 436221 [details]
patch

Comment 5 Keith Miller 2021-08-23 12:14:39 PDT

Comment on attachment 436221 [details]
patch

r=me

Comment 6 EWS 2021-08-23 14:44:27 PDT

Committed r281473 (240852@main): <https://commits.webkit.org/240852@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 436221 [details].

Comment 7 Truitt Savell 2021-08-24 09:50:14 PDT

It looks like the new tests added in https://trac.webkit.org/changeset/281473/webkit
are constant failing on Debug

History example:
https://results.webkit.org/?suite=javascriptcore-tests&test=stress%2Ffor-in-in-by-val-shouldnt-flush-registers.js.no-llint

build:
https://build.webkit.org/#/builders/100/builds/736

Comment 8 Keith Miller 2021-08-24 09:54:28 PDT

(In reply to Truitt Savell from comment #7)
> It looks like the new tests added in
> https://trac.webkit.org/changeset/281473/webkit
> are constant failing on Debug
> 
> History example:
> https://results.webkit.org/?suite=javascriptcore-tests&test=stress%2Ffor-in-
> in-by-val-shouldnt-flush-registers.js.no-llint
> 
> build:
> https://build.webkit.org/#/builders/100/builds/736

Seems like a missing exception check. I'll fix.