Changeset 249736 in webkit


Ignore:
Timestamp:
Sep 10, 2019 3:07:08 PM (5 years ago)
Author:
ysuzuki@apple.com
Message:

[JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
https://bugs.webkit.org/show_bug.cgi?id=198253

Reviewed by Mark Lam.

ResultType of bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like a int32.
When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs slow-path. And eventually DFG first mis-compiles
it with Int32 ArithDiv while that div always produces double. And unnecessary OSR exit happens.

In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.

  • parser/ResultType.h:

(JSC::ResultType::bigIntOrInt32Type):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r249721 r249736  
     12019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
     2
     3        [JSC] ResultType implementation is wrong for bit ops, and ends up making ArithDiv take the DFG Int32 fast path even if Baseline constantly produces Double result
     4        https://bugs.webkit.org/show_bug.cgi?id=198253
     5
     6        Reviewed by Mark Lam.
     7
     8        ResultType of bitwise operation needs to include TypeMaybeNumber. TypeInt32 is something like a flag indicating the number looks like a int32.
     9        When it is specified, TypeMaybeNumber must exist too. This issue compiles op_div in JetStream2/async-fs slow-path. And eventually DFG first mis-compiles
     10        it with Int32 ArithDiv while that div always produces double. And unnecessary OSR exit happens.
     11
     12        In this patch, we add TypeMaybeNumber to bigIntOrInt32Type correctly.
     13
     14        * parser/ResultType.h:
     15        (JSC::ResultType::bigIntOrInt32Type):
     16
    1172019-09-10  Yusuke Suzuki  <ysuzuki@apple.com>
    218

  • trunk/Source/JavaScriptCore/parser/ResultType.h

    r247819 r249736  
    2828namespace JSC {
    2929
     30    // FIXME: Consider whether this is actually necessary. Is LLInt and Baseline's profiling information enough?
     31    // https://bugs.webkit.org/show_bug.cgi?id=201659
    3032    struct ResultType {
    3133    private:
     
    149151        static constexpr ResultType bigIntOrInt32Type()
    150152        {
    151             return ResultType(TypeMaybeBigInt | TypeInt32);
     153            return ResultType(TypeMaybeBigInt | TypeInt32 | TypeMaybeNumber);
    152154        }
    153155
Note: See TracChangeset for help on using the changeset viewer.