Changeset 249075 in webkit

Timestamp:

Aug 23, 2019 4:08:06 PM (5 years ago)

Author:

Tadeu Zagallo

Message:

Remove MaximalFlushInsertionPhase
​https://bugs.webkit.org/show_bug.cgi?id=201036

Reviewed by Saam Barati.

JSTests:

Remove all the references to maximal flush

• stress/arith-ceil-on-various-types.js:

(checkCompileCountForUselessNegativeZero):

• stress/arith-floor-on-various-types.js:

(checkCompileCountForUselessNegativeZero):

• stress/arith-negate-on-various-types.js:

(checkCompileCountForUselessNegativeZero):

• stress/arith-round-on-various-types.js:

(checkCompileCountForUselessNegativeZero):

• stress/arith-trunc-on-various-types.js:

(checkCompileCountForUselessNegativeZero):

• stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
• stress/has-indexed-property-should-accept-non-int32.js:
• stress/has-indexed-property-with-worsening-array-mode.js:
• stress/known-int32-cant-be-used-across-bytecode-boundary.js:
• stress/read-dead-bytecode-locals-in-must-handle-values1.js:
• stress/read-dead-bytecode-locals-in-must-handle-values2.js:
• stress/rest-parameter-many-arguments.js:
• stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
• stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
• stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:

Source/JavaScriptCore:

Maximal flush has found too many false positives recently, so we decided it's finally time
to remove it instead of hacking it to fix the most recent false positive.

The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely
for the argument count that was being flushed in a much later block. Now, since that block was
the head of a loop, and there was a SetLocal in the same block to the same variable, this
generated a Phi of both values, which then led to the unification of their VariableAccessData
in the unification phase. This caused AI to assign the Int52 type to argument count, which
broke the AI’s assumption that it should always be an Int32.

• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleVarargsInlining):

• dfg/DFGMaximalFlushInsertionPhase.cpp: Removed.
• dfg/DFGMaximalFlushInsertionPhase.h: Removed.
• dfg/DFGPlan.cpp:

(JSC::DFG::Plan::compileInThreadImpl):

• runtime/Options.cpp:

(JSC::recomputeDependentOptions):

• runtime/Options.h:

Location:

trunk

Files:

• JSTests/ChangeLog (modified) (1 diff)
• JSTests/stress/arith-ceil-on-various-types.js (modified) (1 diff)
• JSTests/stress/arith-floor-on-various-types.js (modified) (1 diff)
• JSTests/stress/arith-negate-on-various-types.js (modified) (1 diff)
• JSTests/stress/arith-round-on-various-types.js (modified) (1 diff)
• JSTests/stress/arith-trunc-on-various-types.js (modified) (1 diff)
• JSTests/stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js (modified) (1 diff)
• JSTests/stress/has-indexed-property-should-accept-non-int32.js (modified) (1 diff)
• JSTests/stress/has-indexed-property-with-worsening-array-mode.js (modified) (1 diff)
• JSTests/stress/known-int32-cant-be-used-across-bytecode-boundary.js (modified) (1 diff)
• JSTests/stress/read-dead-bytecode-locals-in-must-handle-values1.js (modified) (1 diff)
• JSTests/stress/read-dead-bytecode-locals-in-must-handle-values2.js (modified) (1 diff)
• JSTests/stress/rest-parameter-many-arguments.js (modified) (1 diff)
• JSTests/stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js (modified) (1 diff)
• JSTests/stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js (modified) (1 diff)
• JSTests/stress/to-index-string-should-not-assume-incoming-value-is-uint32.js (modified) (1 diff)
• Source/JavaScriptCore/ChangeLog (modified) (1 diff)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/Sources.txt (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGMaximalFlushInsertionPhase.cpp (deleted)
• Source/JavaScriptCore/dfg/DFGMaximalFlushInsertionPhase.h (deleted)
• Source/JavaScriptCore/dfg/DFGPlan.cpp (modified) (2 diffs)
• Source/JavaScriptCore/runtime/Options.cpp (modified) (1 diff)
• Source/JavaScriptCore/runtime/Options.h (modified) (2 diffs)

trunk/JSTests/ChangeLog

@@ +1 @@
+2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
+
+        Remove MaximalFlushInsertionPhase
+        https://bugs.webkit.org/show_bug.cgi?id=201036
+
+        Reviewed by Saam Barati.
+
+        Remove all the references to maximal flush
+
+        * stress/arith-ceil-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/arith-floor-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/arith-negate-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/arith-round-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/arith-trunc-on-various-types.js:
+        (checkCompileCountForUselessNegativeZero):
+        * stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js:
+        * stress/has-indexed-property-should-accept-non-int32.js:
+        * stress/has-indexed-property-with-worsening-array-mode.js:
+        * stress/known-int32-cant-be-used-across-bytecode-boundary.js:
+        * stress/read-dead-bytecode-locals-in-must-handle-values1.js:
+        * stress/read-dead-bytecode-locals-in-must-handle-values2.js:
+        * stress/rest-parameter-many-arguments.js:
+        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js:
+        * stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js:
+        * stress/to-index-string-should-not-assume-incoming-value-is-uint32.js:
+
 2019-08-23  Justin Michaud  <justin_michaud@apple.com>
 

trunk/JSTests/stress/arith-ceil-on-various-types.js

@@ -141 +141 @@
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }

trunk/JSTests/stress/arith-floor-on-various-types.js

@@ -141 +141 @@
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }

trunk/JSTests/stress/arith-negate-on-various-types.js

@@ -121 +121 @@
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }

trunk/JSTests/stress/arith-round-on-various-types.js

@@ -141 +141 @@
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }

trunk/JSTests/stress/arith-trunc-on-various-types.js

@@ -141 +141 @@
 function checkCompileCountForUselessNegativeZero(testFunction)
 {
-    if (jscOptions().useMaximalFlushInsertionPhase) {
-        // If we forced a flush after the operation, the negative zero becomes
-        // observable and we may be overly optimistic.
-        return numberOfDFGCompiles(testFunction) <= 2;
-    }
     return numberOfDFGCompiles(testFunction) <= 1;
 }

trunk/JSTests/stress/dfg-compare-eq-via-nonSpeculativeNonPeepholeCompareNullOrUndefined.js

@@ -1 @@
-//@ runDefault("--collectContinuously=true", "--collectContinuouslyPeriodMS=0.15", "--useMaximalFlushInsertionPhase=true", "--useLLInt=false", "--useFTLJIT=false", "--jitPolicyScale=0")
+//@ runDefault("--collectContinuously=true", "--collectContinuouslyPeriodMS=0.15", "--useLLInt=false", "--useFTLJIT=false", "--jitPolicyScale=0")
 
 // This test exercises DFG::SpeculativeJIT::nonSpeculativeNonPeepholeCompareNullOrUndefined().

trunk/JSTests/stress/has-indexed-property-should-accept-non-int32.js

@@ -1 @@
-//@ runDefault("--useRandomizingFuzzerAgent=1", "--jitPolicyScale=0", "--useMaximalFlushInsertionPhase=1", "--useConcurrentJIT=0")
+//@ runDefault("--useRandomizingFuzzerAgent=1", "--jitPolicyScale=0", "--useConcurrentJIT=0")
 function foo(obj) {
   for (var x in obj) {

trunk/JSTests/stress/has-indexed-property-with-worsening-array-mode.js

@@ -1 @@
-//@ requireOptions("--watchdog=1000", "--watchdog-exception-ok", "--useMaximalFlushInsertionPhase=1")
+//@ requireOptions("--watchdog=1000", "--watchdog-exception-ok")
 // This test only seems to reproduce the issue when it runs in an infinite loop. So we use the watchdog to time it out.
 for (let x in [0]) {

trunk/JSTests/stress/known-int32-cant-be-used-across-bytecode-boundary.js

@@ -1 @@
-//@ runDefault("--useConcurrentJIT=0", "--useMaximalFlushInsertionPhase=1")
+//@ runDefault("--useConcurrentJIT=0")
 
 function foo() {

trunk/JSTests/stress/read-dead-bytecode-locals-in-must-handle-values1.js

@@ -1 @@
-//@ runDefault("--useMaximalFlushInsertionPhase=1", "--useConcurrentJIT=0")
+//@ runDefault("--useConcurrentJIT=0")
 function bar(x) {
   if (x) {

trunk/JSTests/stress/read-dead-bytecode-locals-in-must-handle-values2.js

@@ -1 @@
-//@ runDefault("--useMaximalFlushInsertionPhase=1", "--useConcurrentJIT=0")
+//@ runDefault("--useConcurrentJIT=0")
 function bar(c) {
     if (c > 1) {

trunk/JSTests/stress/rest-parameter-many-arguments.js

@@ -1 +1 @@
 //@ skip if $architecture == "x86"
-//@ if $architecture == "x86" then defaultSpotCheckNoMaximalFlush else defaultRun end
 
 function assert(b) {

trunk/JSTests/stress/set-argument-maybe-maximal-flush-should-not-extend-liveness-2.js

@@ -1 @@
-//@ runDefault("--useMaximalFlushInsertionPhase=1", "--jitPolicyScale=0", "--useConcurrentJIT=0")
+//@ runDefault("--jitPolicyScale=0", "--useConcurrentJIT=0")
 
 function f0() {

trunk/JSTests/stress/set-argument-maybe-maximal-flush-should-not-extend-liveness.js

@@ -1 @@
-//@ runDefault("--useMaximalFlushInsertionPhase=1", "--validateGraphAtEachPhase=1")
+//@ runDefault("--validateGraphAtEachPhase=1")
 
 function f1() {

trunk/JSTests/stress/to-index-string-should-not-assume-incoming-value-is-uint32.js

@@ -1 @@
-//@ runDefault("--useMaximalFlushInsertionPhase=1", "--useRandomizingFuzzerAgent=1")
+//@ runDefault("--useRandomizingFuzzerAgent=1")
 
 function foo() {

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2019-08-23  Tadeu Zagallo  <tzagallo@apple.com>
+
+        Remove MaximalFlushInsertionPhase
+        https://bugs.webkit.org/show_bug.cgi?id=201036
+
+        Reviewed by Saam Barati.
+
+        Maximal flush has found too many false positives recently, so we decided it's finally time
+        to remove it instead of hacking it to fix the most recent false positive.
+
+        The most recent false positive was caused by a LoadVarargs followed by a SetArgumentDefinitely
+        for the argument count that was being flushed in a much later block. Now, since that block was
+        the head of a loop, and there was a SetLocal in the same block to the same variable, this
+        generated a Phi of both values, which then led to the unification of their VariableAccessData
+        in the unification phase. This caused AI to assign the Int52 type to argument count, which
+        broke the AI’s assumption that it should always be an Int32.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * Sources.txt:
+        * dfg/DFGByteCodeParser.cpp:
+        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
+        * dfg/DFGMaximalFlushInsertionPhase.cpp: Removed.
+        * dfg/DFGMaximalFlushInsertionPhase.h: Removed.
+        * dfg/DFGPlan.cpp:
+        (JSC::DFG::Plan::compileInThreadImpl):
+        * runtime/Options.cpp:
+        (JSC::recomputeDependentOptions):
+        * runtime/Options.h:
+
 2019-08-23  Ross Kirsling  <ross.kirsling@sony.com>
 

trunk/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -1216 +1216 @@
                 79EE0C001B4AFB85000385C9 /* VariableEnvironment.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EE0BFE1B4AFB85000385C9 /* VariableEnvironment.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 79EFD4841EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h in Headers */ = {isa = PBXBuildFile; fileRef = 79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h */; settings = {ATTRIBUTES = (Private, ); }; };
-                79F8FC1F1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h in Headers */ = {isa = PBXBuildFile; fileRef = 79F8FC1D1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h */; };
                 79FC8A081E32E9F000D88F0E /* DFGRegisteredStructure.h in Headers */ = {isa = PBXBuildFile; fileRef = 79FC8A071E32E9F000D88F0E /* DFGRegisteredStructure.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 7A9774A8206B82E4008D03D0 /* JSWeakValue.h in Headers */ = {isa = PBXBuildFile; fileRef = 7A9774A7206B82C9008D03D0 /* JSWeakValue.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -3991 +3990 @@
                 79EFD4811EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = JSWebAssemblyCodeBlockHeapCellType.cpp; path = js/JSWebAssemblyCodeBlockHeapCellType.cpp; sourceTree = "<group>"; };
                 79EFD4821EBC045C00F3DFEA /* JSWebAssemblyCodeBlockHeapCellType.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = JSWebAssemblyCodeBlockHeapCellType.h; path = js/JSWebAssemblyCodeBlockHeapCellType.h; sourceTree = "<group>"; };
-                79F8FC1C1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGMaximalFlushInsertionPhase.cpp; path = dfg/DFGMaximalFlushInsertionPhase.cpp; sourceTree = "<group>"; };
-                79F8FC1D1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGMaximalFlushInsertionPhase.h; path = dfg/DFGMaximalFlushInsertionPhase.h; sourceTree = "<group>"; };
                 79FC8A071E32E9F000D88F0E /* DFGRegisteredStructure.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGRegisteredStructure.h; path = dfg/DFGRegisteredStructure.h; sourceTree = "<group>"; };
                 7A9774A6206B828C008D03D0 /* JSWeakValue.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JSWeakValue.cpp; sourceTree = "<group>"; };
@@ -7782 +7779 @@
                                 A767B5B317A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.cpp */,
                                 A767B5B417A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.h */,
-                                79F8FC1C1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.cpp */,
-                                79F8FC1D1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h */,
                                 0F5874EB194FEB1200AAB2C1 /* DFGMayExit.cpp */,
                                 0F5874EC194FEB1200AAB2C1 /* DFGMayExit.h */,
@@ -9168 +9163 @@
                                 A7D89CFC17A0B8CC00773AD8 /* DFGLivenessAnalysisPhase.h in Headers */,
                                 A767B5B617A0B9650063D940 /* DFGLoopPreHeaderCreationPhase.h in Headers */,
-                                79F8FC1F1B9FED0F00CA66AB /* DFGMaximalFlushInsertionPhase.h in Headers */,
                                 0F5874EE194FEB1200AAB2C1 /* DFGMayExit.h in Headers */,
                                 0F2BDC451522801B00CD8910 /* DFGMinifiedGraph.h in Headers */,

trunk/Source/JavaScriptCore/Sources.txt

@@ -365 +365 @@
 dfg/DFGLivenessAnalysisPhase.cpp
 dfg/DFGLoopPreHeaderCreationPhase.cpp
-dfg/DFGMaximalFlushInsertionPhase.cpp
 dfg/DFGMayExit.cpp
 dfg/DFGMinifiedGraph.cpp

trunk/Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp

@@ -1863 +1863 @@
     registerOffset = -WTF::roundUpToMultipleOf(stackAlignmentRegisters(), -registerOffset);
 
-    Vector<VirtualRegister> setArgumentMaybes;
-    
     auto insertChecks = [&] (CodeBlock* codeBlock) {
         emitFunctionChecks(callVariant, callTargetNode, thisArgument);
@@ -1929 +1927 @@
             
             Node* setArgument = addToGraph(numSetArguments >= mandatoryMinimum ? SetArgumentMaybe : SetArgumentDefinitely, OpInfo(variable));
-            if (numSetArguments >= mandatoryMinimum && Options::useMaximalFlushInsertionPhase())
-                setArgumentMaybes.append(variable->local());
             m_currentBlock->variablesAtTail.setOperand(variable->local(), setArgument);
             ++numSetArguments;
@@ -1945 +1941 @@
     inlineCall(callTargetNode, result, callVariant, registerOffset, maxNumArguments, kind, nullptr, insertChecks);
 
-    for (VirtualRegister reg : setArgumentMaybes)
-        setDirect(reg, jsConstant(jsUndefined()), ImmediateNakedSet);
 
     VERBOSE_LOG("Successful inlining (varargs, monomorphic).\nStack: ", currentCodeOrigin(), "\n");

trunk/Source/JavaScriptCore/dfg/DFGPlan.cpp

@@ -52 +52 @@
 #include "DFGLivenessAnalysisPhase.h"
 #include "DFGLoopPreHeaderCreationPhase.h"
-#include "DFGMaximalFlushInsertionPhase.h"
 #include "DFGMovHintRemovalPhase.h"
 #include "DFGOSRAvailabilityAnalysisPhase.h"
@@ -286 +285 @@
     RUN_PHASE(performLiveCatchVariablePreservationPhase);
 
-    if (Options::useMaximalFlushInsertionPhase())
-        RUN_PHASE(performMaximalFlushInsertion);
-    
     RUN_PHASE(performCPSRethreading);
     RUN_PHASE(performUnification);

trunk/Source/JavaScriptCore/runtime/Options.cpp

@@ -472 +472 @@
         Options::useConcurrentJIT() = false;
     }
-    if (Options::useMaximalFlushInsertionPhase()) {
-        Options::useOSREntryToDFG() = false;
-        Options::useOSREntryToFTL() = false;
-    }
-    
 #if ENABLE(SEPARATED_WX_HEAP)
     // Override globally for now. Longer term we'll just make the default

trunk/Source/JavaScriptCore/runtime/Options.h

@@ -311 +311 @@
     v(unsigned, maximumVarargsForInlining, 100, Normal, nullptr) \
     \
-    v(bool, useMaximalFlushInsertionPhase, false, Normal, "Setting to true allows the DFG's MaximalFlushInsertionPhase to run.") \
-    \
     v(unsigned, maximumBinaryStringSwitchCaseLength, 50, Normal, nullptr) \
     v(unsigned, maximumBinaryStringSwitchTotalLength, 2000, Normal, nullptr) \
@@ -546 +544 @@
     v(enablePolyvariantCallInlining, usePolyvariantCallInlining, SameOption) \
     v(enablePolyvariantByIdInlining, usePolyvariantByIdInlining, SameOption) \
-    v(enableMaximalFlushInsertionPhase, useMaximalFlushInsertionPhase, SameOption) \
     v(objectsAreImmortal, useImmortalObjects, SameOption) \
     v(showObjectStatistics, dumpObjectStatistics, SameOption) \