RESOLVED FIXED 93401
Remove uses of ClassInfo in StrictEq and CompareEq in the DFG 
https://bugs.webkit.org/show_bug.cgi?id=93401
Summary Remove uses of ClassInfo in StrictEq and CompareEq in the DFG
Mark Hahnenberg
Reported 2012-08-07 15:05:07 PDT
Another incremental step in removing the dependence on ClassInfo pointers in object headers.
Attachments
Patch (83.18 KB, patch)
2012-08-07 17:05 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (83.93 KB, patch)
2012-08-07 17:47 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (85.68 KB, patch)
2012-08-08 10:37 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (85.67 KB, patch)
2012-08-08 11:40 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (85.67 KB, patch)
2012-08-08 14:11 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (84.36 KB, patch)
2012-08-23 22:31 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (85.93 KB, patch)
2012-08-24 14:57 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (85.37 KB, patch)
2012-08-27 15:52 PDT, Mark Hahnenberg 		no flags
DetailsFormatted DiffDiff
Patch (85.19 KB, patch)
2012-08-27 15:57 PDT, Mark Hahnenberg 		fpizlo: review+
DetailsFormatted DiffDiff
Show Obsolete (8) View All Add attachment proposed patch, testcase, etc.
Mark Hahnenberg
Comment 1 2012-08-07 17:05:14 PDT
Created attachment 157047 [details] Patch
Mark Hahnenberg
Comment 2 2012-08-07 17:47:42 PDT
Created attachment 157059 [details] Patch
Mark Hahnenberg
Comment 3 2012-08-08 10:37:30 PDT
Created attachment 157250 [details] Patch
Early Warning System Bot
Comment 4 2012-08-08 11:33:09 PDT
Comment on attachment 157250 [details] Patch Attachment 157250 [details] did not pass qt-ews (qt): Output: http://queues.webkit.org/results/13458331
Mark Hahnenberg
Comment 5 2012-08-08 11:40:45 PDT
Created attachment 157262 [details] Patch
Early Warning System Bot
Comment 6 2012-08-08 12:43:20 PDT
Comment on attachment 157262 [details] Patch Attachment 157262 [details] did not pass qt-ews (qt): Output: http://queues.webkit.org/results/13452724
Early Warning System Bot
Comment 7 2012-08-08 12:52:15 PDT
Comment on attachment 157262 [details] Patch Attachment 157262 [details] did not pass qt-wk2-ews (qt): Output: http://queues.webkit.org/results/13457571
Mark Hahnenberg
Comment 8 2012-08-08 14:11:29 PDT
Created attachment 157290 [details] Patch
Build Bot
Comment 9 2012-08-08 17:55:03 PDT
Comment on attachment 157290 [details] Patch Attachment 157290 [details] did not pass mac-ews (mac): Output: http://queues.webkit.org/results/13461346
Geoffrey Garen
Comment 10 2012-08-08 21:47:59 PDT
Comment on attachment 157290 [details] Patch /Volumes/Data/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1620: warning: empty body in an if-statement /Volumes/Data/WebKit/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp:1630: warning: empty body in an if-statement Two more tweaks: (1) When we detect a "masquerades" object, it should only masquerade in code from its same global object / document. (2) The baseline JIT and interpreter should obey the same rules. Please add a test case for the cross-document case, as well.
Mark Hahnenberg
Comment 11 2012-08-23 22:31:03 PDT
Created attachment 160329 [details] Patch
Filip Pizlo
Comment 12 2012-08-23 22:35:01 PDT
Comment on attachment 160329 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=160329&action=review > Source/JavaScriptCore/dfg/DFGAbstractState.cpp:763 > + forNode(node.child2()).filter(SpecCell | ~SpecString); Isn't SpecCell | ~SpecString = everything? As in: SpecCell = the set of all possible cells SpecString = the set of all possible strings. note, SpecString is a subset of SpecCell ~SpecString = the set of all possible values minus the set of all strings. Therefore, SpecCell | ~SpecString is the set of all possible values. I'm pretty sure you meant something different here. ;-)
Mark Hahnenberg
Comment 13 2012-08-23 22:48:29 PDT
(In reply to comment #12) > (From update of attachment 160329 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=160329&action=review > > > Source/JavaScriptCore/dfg/DFGAbstractState.cpp:763 > > + forNode(node.child2()).filter(SpecCell | ~SpecString); > > Isn't SpecCell | ~SpecString = everything? > > As in: > > SpecCell = the set of all possible cells > SpecString = the set of all possible strings. note, SpecString is a subset of SpecCell > ~SpecString = the set of all possible values minus the set of all strings. > > Therefore, SpecCell | ~SpecString is the set of all possible values. > > I'm pretty sure you meant something different here. ;-) So maybe something like SpecCell & ~SpecString, if & is set intersection?
Mark Hahnenberg
Comment 14 2012-08-24 14:57:29 PDT
Created attachment 160506 [details] Patch
Filip Pizlo
Comment 15 2012-08-26 12:04:22 PDT
Comment on attachment 160506 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=160506&action=review I buy your changes to the backend, but I don't think that your decision procedure for choosing when to speculate cell-that-is-not-string is right. It will let through values that may be strings. > Source/JavaScriptCore/dfg/DFGAbstractState.cpp:773 > + if (left.shouldSpeculateCellOrOther() && right.shouldSpeculateCell()) { > node.setCanExit( > - !isArraySpeculation(forNode(node.child1()).m_type) > - || !isArrayOrOtherSpeculation(forNode(node.child2()).m_type)); > - forNode(node.child1()).filter(SpecArray); > - forNode(node.child2()).filter(SpecArray | SpecOther); > + !isCellOrOtherSpeculation(forNode(node.child1()).m_type) > + || !isCellSpeculation(forNode(node.child2()).m_type) > + || m_codeBlock->globalObjectFor(node.codeOrigin)->masqueradesAsUndefinedWatchpoint()->isStillValid()); > + forNode(node.child1()).filter((SpecCell & ~SpecString) | SpecOther); > + forNode(node.child2()).filter((SpecCell & ~SpecString) | SpecOther); I'm not sure I like how this case will be hit if a value can be either an object or a string (the previous if would not have fired since it only accepts strings), and then you'll speculate that the cell is not a string. Can you change shouldSpeculateCellOrOther to shouldSpeculateNonStringCellOrOther? Also, if we had proved that the thing is a string, then this will exit, but your setCanExit() call will say false. As I've mentioned before, you can fix this by just doing node.setCanExit(true). That is the safest thing to do here.
Mark Hahnenberg
Comment 16 2012-08-27 15:52:08 PDT
Created attachment 160836 [details] Patch
Mark Hahnenberg
Comment 17 2012-08-27 15:57:19 PDT
Created attachment 160839 [details] Patch
Filip Pizlo
Comment 18 2012-08-27 16:45:38 PDT
Comment on attachment 160839 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=160839&action=review R=me but fix the thingies. You know what to do! > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1194 > + if (at(node.child1()).shouldSpeculateCell() && at(node.child2()).shouldSpeculateFinalObjectOrOther()) You missed a thingy. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:1198 > + else if (at(node.child1()).shouldSpeculateCell() && at(node.child2()).shouldSpeculateCell()) You missed a thingy. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2922 > + if (at(node.child1()).shouldSpeculateCell() && at(node.child2()).shouldSpeculateFinalObjectOrOther()) { You missed a thingy. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2927 > + if (at(node.child1()).shouldSpeculateFinalObjectOrOther() && at(node.child2()).shouldSpeculateCell()) { You missed a thingy. > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:2932 > + if (at(node.child1()).shouldSpeculateCell() && at(node.child2()).shouldSpeculateCell()) { Thingy! > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:3068 > + if (at(node.child1()).shouldSpeculateCell() && at(node.child2()).shouldSpeculateCell()) { Thingy.
Mark Hahnenberg
Comment 19 2012-08-30 14:10:56 PDT
Committed r127189: <http://trac.webkit.org/changeset/127189>
Note You need to log in before you can comment on or make changes to this bug.