Bug 63347 - DFG non-speculative JIT has potentially harmful speculations with respect to arithmetic operations.
Summary: DFG non-speculative JIT has potentially harmful speculations with respect to ...
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-24 13:28 PDT by Filip Pizlo
Modified: 2011-06-26 12:31 PDT (History)
2 users (show)

See Also:


Attachments
the patch (24.17 KB, patch)
2011-06-24 13:44 PDT, Filip Pizlo
no flags Details | Formatted Diff | Diff
the patch (fix style) (24.16 KB, patch)
2011-06-24 13:50 PDT, Filip Pizlo
barraclough: review-
barraclough: commit-queue-
Details | Formatted Diff | Diff
the patch (fix for review) (25.18 KB, patch)
2011-06-24 23:27 PDT, Filip Pizlo
no flags Details | Formatted Diff | Diff
the patch (fixed review, style) (25.18 KB, patch)
2011-06-25 00:15 PDT, Filip Pizlo
barraclough: review-
barraclough: commit-queue-
Details | Formatted Diff | Diff
the patch (fixed review, style) (25.71 KB, patch)
2011-06-26 10:38 PDT, Filip Pizlo
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Filip Pizlo 2011-06-24 13:28:19 PDT
Currently, the DFG speculative JIT speculates that numbers are integers, while the DFG non-speculative JIT speculates that numbers are doubles.  The latter means that if speculative execution bails out for any reason, then any subsequent arithmetic operation will rebox the integers involved as doubles, meaning that after that all operations on that value (outside of this current non-speculative call frame) will bail out of the fast path.  This even affects GetByVal within non-speculative execution, but it may also affect other call frames if that value is returned or stored into the heap.  Instead, the non-speculative JIT should use the same policy as the baseline JIT: attempt a fast path integer operation and box the value as an integer if possible, and only bail to double arithmetic (or value operations) if it's really necessary.
Comment 1 Filip Pizlo 2011-06-24 13:44:55 PDT
Created attachment 98534 [details]
the patch
Comment 2 WebKit Review Bot 2011-06-24 13:47:48 PDT
Attachment 98534 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1

Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.h:104:  The parameter name "node" adds no information, so it should be removed.  [readability/parameter_name] [5]
Total errors found: 1 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 3 Filip Pizlo 2011-06-24 13:50:38 PDT
Created attachment 98537 [details]
the patch (fix style)
Comment 4 Gavin Barraclough 2011-06-24 15:40:44 PDT
Comment on attachment 98537 [details]
the patch (fix style)

View in context: https://bugs.webkit.org/attachment.cgi?id=98537&action=review

Hi Filip, looks pretty good, just a few issues to fix.

> Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp:242
> +    GPRTemporary temp(this);

Can either of these temporaries reuse arg1/arg2?

> Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp:292
> +        appendCallWithExceptionCheck(operationValueAdd);

I think it would be a mistake to call operationValueAdd, which is passed an ExecState, but not check for an exception.  We wouldn't expect one to be thrown with numeric operands, but this is a subtlety that could a future change could trip over.  It's probably best to add an operationArithAdd that does not take an ExecState, and can assert that its arguments are numeric.

> Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp:424
> +        GPRTemporary result(this);

I think this result should be able to reuse op1.

> Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp:480
> +            GPRTemporary result(this);

We should reuse the register from op1 here, where possible.  (Not only will this reduce register pressure, but if the register bank returns the same register then the MacroAssembler will omit the move).

> Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp:551
> +

For the Div & Mod I think it would be cleaner to follow the current pattern of planting calls out via a helper 'callOperation' method in JITCodeGenerator.h.  This should mean adding a J_DFGOperation_JJ operation type.

> Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp:586
> +    case CompareLess:

Sharing the code for these four ops seems like a great idea, but merging them here has meant adding two extra switches & interleaves one in the implementation of a call.  I'd suggest it might be cleaner to add a helper function function that is passed a RelationalCondition, and a Z_DFGOperation_EJJ - each op could call the helper with the appropriate args & the extra switches could be ditched.

> Source/JavaScriptCore/dfg/DFGOperations.cpp:120
> +// FIXME: these operations would be faster if the arguments were pushed, since we will almost

I not sure that I believe this FIXME, particularly wrt. ARM platforms.  Please give a clearer explanation to justify this, or remove.
Comment 5 Filip Pizlo 2011-06-24 23:27:49 PDT
Created attachment 98583 [details]
the patch (fix for review)

Fixed all of the issues except creating a callOperation-like helper for div/mod and the other arithmetic operations, since I suspect that we'll be modifying the ABIs of these.
Comment 6 WebKit Review Bot 2011-06-24 23:31:45 PDT
Attachment 98583 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'Source/JavaScriptCore/ChangeLog', u'Source..." exit_code: 1

Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp:167:  Missing space after ,  [whitespace/comma] [3]
Source/JavaScriptCore/dfg/DFGNonSpeculativeJIT.cpp:276:  Missing space after ,  [whitespace/comma] [3]
Total errors found: 2 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 7 Filip Pizlo 2011-06-25 00:15:22 PDT
Created attachment 98584 [details]
the patch (fixed review, style)
Comment 8 Gavin Barraclough 2011-06-25 19:24:38 PDT
Comment on attachment 98584 [details]
the patch (fixed review, style)

Hey Filip, looks good now, but I think you missed a review comment, I believe that in the case of UInt32ToNumber & ValueToNumber the result could be reusing the operand's register?
Comment 9 Filip Pizlo 2011-06-26 10:38:28 PDT
Created attachment 98630 [details]
the patch (fixed review, style)
Comment 10 WebKit Review Bot 2011-06-26 12:31:08 PDT
Comment on attachment 98630 [details]
the patch (fixed review, style)

Clearing flags on attachment: 98630

Committed r89772: <http://trac.webkit.org/changeset/89772>
Comment 11 WebKit Review Bot 2011-06-26 12:31:13 PDT
All reviewed patches have been landed.  Closing bug.