Changeset 194613 in webkit for trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

Timestamp:

Jan 5, 2016, 3:08:58 PM (9 years ago)

Author:

[email protected]

Message:

Profiling should detect when multiplication overflows but does not create negative zero.
​https://bugs.webkit.org/show_bug.cgi?id=132470

Reviewed by Geoffrey Garen.

• assembler/MacroAssemblerARM64.h:

(JSC::MacroAssemblerARM64::or32):

• assembler/MacroAssemblerARMv7.h:

(JSC::MacroAssemblerARMv7::or32):

• New or32 emitter needed by the mul snippet.

• bytecode/CodeBlock.cpp:

(JSC::CodeBlock::resultProfileForBytecodeOffset):
(JSC::CodeBlock::updateResultProfileForBytecodeOffset): Deleted.

• bytecode/CodeBlock.h:

(JSC::CodeBlock::ensureResultProfile):
(JSC::CodeBlock::addResultProfile): Deleted.
(JSC::CodeBlock::likelyToTakeDeepestSlowCase): Deleted.

• Added a m_bytecodeOffsetToResultProfileIndexMap because we can now add result profiles in any order (based on runtime execution), not necessarily in bytecode order at baseline compilation time.

• bytecode/ValueProfile.cpp:

(WTF::printInternal):

• bytecode/ValueProfile.h:

(JSC::ResultProfile::didObserveInt52Overflow):
(JSC::ResultProfile::setObservedInt52Overflow):

• Add new Int52Overflow flags.

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::makeSafe):

• Now with more straightforward mapping of profiling info.

• dfg/DFGCommon.h:
• Fixed a typo in a comment.

• dfg/DFGNode.h:

(JSC::DFG::Node::arithNodeFlags):
(JSC::DFG::Node::mayHaveNonIntResult):
(JSC::DFG::Node::hasConstantBuffer):

• dfg/DFGNodeFlags.cpp:

(JSC::DFG::dumpNodeFlags):

• dfg/DFGNodeFlags.h:

(JSC::DFG::nodeMayOverflowInt52):
(JSC::DFG::nodeCanSpeculateInt52):

• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• We now have profiling info for whether the result was ever seen to be a non-Int. Use this to make a better prediction.

• jit/JITArithmetic.cpp:

(JSC::JIT::emit_op_div):
(JSC::JIT::emit_op_mul):

• Switch to using CodeBlock::ensureResultProfile(). ResultProfiles can now be created at any time (including the slow path), not just in bytecode order during baseline compilation.

• jit/JITMulGenerator.cpp:

(JSC::JITMulGenerator::generateFastPath):

• Removed the fast path profiling code for NegZero because we'll go to the slow path anyway. Let the slow path do the profiling for us.
• Added profiling for NegZero and potential Int52 overflows in the fast path that does double math.

• runtime/CommonSlowPaths.cpp:

(JSC::updateResultProfileForBinaryArithOp):

• Removed the RETURN_WITH_RESULT_PROFILING macro (2 less macros), and just use the RETURN_WITH_PROFILING macro instead with a call to updateResultProfileForBinaryArithOp(). This makes it clear what we're doing to do profiling in each case, and also allows us to do custom profiling for each opcode if needed. However, so far, we always call updateResultProfileForBinaryArithOp().

File:

• trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp (modified) (6 diffs)

trunk/Source/JavaScriptCore/runtime/CommonSlowPaths.cpp

@@ -136 +136 @@
     } while (false)
 
-#define RETURN_WITH_RESULT_PROFILING(value__) \
-    RETURN_WITH_PROFILING(value__, PROFILE_RESULT(returnValue__))
-    
-#define PROFILE_RESULT(value__) do { \
-        CodeBlock* codeBlock = exec->codeBlock();                                   \
-        unsigned bytecodeOffset = codeBlock->bytecodeOffset(pc);                    \
-        codeBlock->updateResultProfileForBytecodeOffset(bytecodeOffset, value__);   \
-    } while (false)
-
 #define CALL_END_IMPL(exec, callTarget) RETURN_TWO((callTarget), (exec))
 
@@ -359 +350 @@
 }
 
+#if ENABLE(DFG_JIT)
+static void updateResultProfileForBinaryArithOp(ExecState* exec, Instruction* pc, JSValue result, JSValue left, JSValue right)
+{
+    CodeBlock* codeBlock = exec->codeBlock();
+    unsigned bytecodeOffset = codeBlock->bytecodeOffset(pc);
+    ResultProfile* profile = codeBlock->ensureResultProfile(bytecodeOffset);
+
+    if (result.isNumber()) {
+        if (!result.isInt32()) {
+            if (left.isInt32() && right.isInt32())
+                profile->setObservedInt32Overflow();
+
+            double doubleVal = result.asNumber();
+            if (!doubleVal && std::signbit(doubleVal))
+                profile->setObservedNegZeroDouble();
+            else {
+                profile->setObservedNonNegZeroDouble();
+
+                // The Int52 overflow check here intentionally omits 1ll << 51 as a valid negative Int52 value.
+                // Therefore, we will get a false positive if the result is that value. This is intentionally
+                // done to simplify the checking algorithm.
+                static const int64_t int52OverflowPoint = (1ll << 51);
+                int64_t int64Val = static_cast<int64_t>(std::abs(doubleVal));
+                if (int64Val >= int52OverflowPoint)
+                    profile->setObservedInt52Overflow();
+            }
+        }
+    } else
+        profile->setObservedNonNumber();
+}
+#else
+static void updateResultProfileForBinaryArithOp(ExecState*, Instruction*, JSValue, JSValue, JSValue) { }
+#endif
+
 SLOW_PATH_DECL(slow_path_add)
 {
@@ -364 +389 @@
     JSValue v1 = OP_C(2).jsValue();
     JSValue v2 = OP_C(3).jsValue();
-    
+    JSValue result;
+
     if (v1.isString() && !v2.isObject())
-        RETURN_WITH_RESULT_PROFILING(jsString(exec, asString(v1), v2.toString(exec)));
-    
-    if (v1.isNumber() && v2.isNumber())
-        RETURN_WITH_RESULT_PROFILING(jsNumber(v1.asNumber() + v2.asNumber()));
-    
-    RETURN_WITH_RESULT_PROFILING(jsAddSlowCase(exec, v1, v2));
+        result = jsString(exec, asString(v1), v2.toString(exec));
+    else if (v1.isNumber() && v2.isNumber())
+        result = jsNumber(v1.asNumber() + v2.asNumber());
+    else
+        result = jsAddSlowCase(exec, v1, v2);
+
+    RETURN_WITH_PROFILING(result, {
+        updateResultProfileForBinaryArithOp(exec, pc, result, v1, v2);
+    });
 }
 
@@ -381 +410 @@
 {
     BEGIN();
-    double a = OP_C(2).jsValue().toNumber(exec);
-    double b = OP_C(3).jsValue().toNumber(exec);
-    RETURN_WITH_RESULT_PROFILING(jsNumber(a * b));
+    JSValue left = OP_C(2).jsValue();
+    JSValue right = OP_C(3).jsValue();
+    double a = left.toNumber(exec);
+    double b = right.toNumber(exec);
+    JSValue result = jsNumber(a * b);
+    RETURN_WITH_PROFILING(result, {
+        updateResultProfileForBinaryArithOp(exec, pc, result, left, right);
+    });
 }
 
@@ -389 +423 @@
 {
     BEGIN();
-    double a = OP_C(2).jsValue().toNumber(exec);
-    double b = OP_C(3).jsValue().toNumber(exec);
-    RETURN_WITH_RESULT_PROFILING(jsNumber(a - b));
+    JSValue left = OP_C(2).jsValue();
+    JSValue right = OP_C(3).jsValue();
+    double a = left.toNumber(exec);
+    double b = right.toNumber(exec);
+    JSValue result = jsNumber(a - b);
+    RETURN_WITH_PROFILING(result, {
+        updateResultProfileForBinaryArithOp(exec, pc, result, left, right);
+    });
 }
 
@@ -397 +436 @@
 {
     BEGIN();
-    double a = OP_C(2).jsValue().toNumber(exec);
-    double b = OP_C(3).jsValue().toNumber(exec);
-    RETURN_WITH_RESULT_PROFILING(jsNumber(a / b));
+    JSValue left = OP_C(2).jsValue();
+    JSValue right = OP_C(3).jsValue();
+    double a = left.toNumber(exec);
+    double b = right.toNumber(exec);
+    JSValue result = jsNumber(a / b);
+    RETURN_WITH_PROFILING(result, {
+        updateResultProfileForBinaryArithOp(exec, pc, result, left, right);
+    });
 }