Ignore:
Timestamp:
Apr 29, 2015, 9:40:55 PM (10 years ago)
Author:
[email protected]
Message:

[JSC] Remove RageConvert array conversion
https://bugs.webkit.org/show_bug.cgi?id=144433

Patch by Benjamin Poulain <[email protected]> on 2015-04-29
Reviewed by Filip Pizlo.

RageConvert was causing a subtle bug that was hitting the Kraken crypto tests
pretty hard:
-The indexing types shows that the array access varies between Int32 and DoubleArray.
-ArrayMode::fromObserved() decided to use the most generic type: DoubleArray.

An Arrayify node would convert the Int32 to that type.

-Somewhere, a GetByVal or PutByVal would have the flag NodeBytecodeUsesAsInt. That

node would use RageConvert instead of Convert.

-The Arrayify for that GetByVal with RageConvert would not convert the array to

Contiguous.

-All the following array access that do not have the flag NodeBytecodeUsesAsInt would

now expect a DoubleArray and always get a Contiguous Array. The CheckStructure
fail systematically and we never get to run the later code.

Getting rid of RageConvert fixes the problem and does not seems to have any
negative side effect on other benchmarks.

The improvments on Kraken are:

-stanford-crypto-aes: definitely 1.0915x faster.
-stanford-crypto-pbkdf2: definitely 1.2446x faster.
-stanford-crypto-sha256-iterative: definitely 1.0544x faster.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::refine):
(JSC::DFG::arrayConversionToString):

  • dfg/DFGArrayMode.h:
  • dfg/DFGArrayifySlowPathGenerator.h:
  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

  • dfg/DFGOperations.cpp:
  • dfg/DFGOperations.h:
  • dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

  • dfg/DFGTypeCheckHoistingPhase.cpp:

(JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):

  • ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):

  • runtime/JSObject.cpp:

(JSC::JSObject::convertDoubleToContiguous):
(JSC::JSObject::ensureContiguousSlow):
(JSC::JSObject::genericConvertDoubleToContiguous): Deleted.
(JSC::JSObject::rageConvertDoubleToContiguous): Deleted.
(JSC::JSObject::rageEnsureContiguousSlow): Deleted.

  • runtime/JSObject.h:

(JSC::JSObject::rageEnsureContiguous): Deleted.

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/runtime/JSObject.cpp

    r183291 r183615  
    837837}
    838838
    839 template<JSObject::DoubleToContiguousMode mode>
    840 ContiguousJSValues JSObject::genericConvertDoubleToContiguous(VM& vm)
     839ContiguousJSValues JSObject::convertDoubleToContiguous(VM& vm)
    841840{
    842841    ASSERT(hasDouble(indexingType()));
     
    850849            continue;
    851850        }
    852         JSValue v;
    853         switch (mode) {
    854         case EncodeValueAsDouble:
    855             v = JSValue(JSValue::EncodeAsDouble, value);
    856             break;
    857         case RageConvertDoubleToValue:
    858             v = jsNumber(value);
    859             break;
    860         default:
    861             v = JSValue();
    862             RELEASE_ASSERT_NOT_REACHED();
    863             break;
    864         }
    865         ASSERT(v.isNumber());
     851        JSValue v = JSValue(JSValue::EncodeAsDouble, value);
    866852        currentAsValue->setWithoutWriteBarrier(v);
    867853    }
     
    869855    setStructure(vm, Structure::nonPropertyTransition(vm, structure(vm), AllocateContiguous));
    870856    return m_butterfly->contiguous();
    871 }
    872 
    873 ContiguousJSValues JSObject::convertDoubleToContiguous(VM& vm)
    874 {
    875     return genericConvertDoubleToContiguous<EncodeValueAsDouble>(vm);
    876 }
    877 
    878 ContiguousJSValues JSObject::rageConvertDoubleToContiguous(VM& vm)
    879 {
    880     return genericConvertDoubleToContiguous<RageConvertDoubleToValue>(vm);
    881857}
    882858
     
    10501026}
    10511027
    1052 ContiguousJSValues JSObject::ensureContiguousSlow(VM& vm, DoubleToContiguousMode mode)
     1028ContiguousJSValues JSObject::ensureContiguousSlow(VM& vm)
    10531029{
    10541030    ASSERT(inherits(info()));
     
    10671043       
    10681044    case ALL_DOUBLE_INDEXING_TYPES:
    1069         if (mode == RageConvertDoubleToValue)
    1070             return rageConvertDoubleToContiguous(vm);
    10711045        return convertDoubleToContiguous(vm);
    10721046       
     
    10781052        return ContiguousJSValues();
    10791053    }
    1080 }
    1081 
    1082 ContiguousJSValues JSObject::ensureContiguousSlow(VM& vm)
    1083 {
    1084     return ensureContiguousSlow(vm, EncodeValueAsDouble);
    1085 }
    1086 
    1087 ContiguousJSValues JSObject::rageEnsureContiguousSlow(VM& vm)
    1088 {
    1089     return ensureContiguousSlow(vm, RageConvertDoubleToValue);
    10901054}
    10911055
Note: See TracChangeset for help on using the changeset viewer.