RESOLVED FIXED 100620
There should not be blind spots in array length array profiling 
https://bugs.webkit.org/show_bug.cgi?id=100620
Summary There should not be blind spots in array length array profiling
Filip Pizlo
Reported 2012-10-28 17:00:15 PDT
Currently if you have a program like: for (thousand times) thingy for (thousand times) thingy(array.length) There is the risk that we'll end up tiering into the baseline JIT before the LLInt would have a chance to profile array.length, and we may tier all the way to the DFG before the baseline JIT had a chance to patch (but after it executed) array.length. Hence the DFG will not know whether the array.length access is just unprofiled, or legitimately accesses something that isn't really a length. The solution is to ensure that statements of the form "blah.length" get array length profiling in the baseline JIT even before the patching machinery kicks in.
Attachments
the patch (3.80 KB, patch)
2012-10-28 17:07 PDT, Filip Pizlo 		oliver: review+
webkit-ews: commit-queue-
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2012-10-28 17:07:03 PDT
Created attachment 171145 [details] the patch
Early Warning System Bot
Comment 2 2012-10-28 17:13:29 PDT
Comment on attachment 171145 [details] the patch Attachment 171145 [details] did not pass qt-ews (qt): Output: http://queues.webkit.org/results/14606964
Early Warning System Bot
Comment 3 2012-10-28 17:14:23 PDT
Comment on attachment 171145 [details] the patch Attachment 171145 [details] did not pass qt-wk2-ews (qt): Output: http://queues.webkit.org/results/14615912
EFL EWS Bot
Comment 4 2012-10-28 17:25:48 PDT
Comment on attachment 171145 [details] the patch Attachment 171145 [details] did not pass efl-ews (efl): Output: http://queues.webkit.org/results/14609924
Build Bot
Comment 5 2012-10-28 17:34:27 PDT
Comment on attachment 171145 [details] the patch Attachment 171145 [details] did not pass win-ews (win): Output: http://queues.webkit.org/results/14617874
Filip Pizlo
Comment 6 2012-10-28 18:28:48 PDT
I've fixed the 32-bit stuffs.
Filip Pizlo
Comment 7 2012-10-28 19:18:34 PDT
Landed in http://trac.webkit.org/changeset/132757
Chris Dumez
Comment 8 2012-10-29 00:39:24 PDT
The following test cases started crashing after this patch landed: jquery/manipulation.html jquery/traversing.html Backtrace: crash log for DumpRenderTree (pid 860): STDOUT: <empty> STDERR: ASSERTION FAILED: ArrayMode(Array::Arguments).alreadyChecked(m_state.forNode(node.child1())) STDERR: /home/buildslave-1/webkit-buildslave/efl-linux-64-debug/build/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp(3247) : void JSC::DFG::SpeculativeJIT::compileGetByValOnArguments(JSC::DFG::Node&) STDERR: 1 0x7f56d6262474 JSC::DFG::SpeculativeJIT::compileGetByValOnArguments(JSC::DFG::Node&) STDERR: 2 0x7f56d6285456 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::Node&) STDERR: 3 0x7f56d6259602 JSC::DFG::SpeculativeJIT::compile(JSC::DFG::BasicBlock&) STDERR: 4 0x7f56d6259d87 JSC::DFG::SpeculativeJIT::compile() STDERR: 5 0x7f56d622a1ce JSC::DFG::JITCompiler::compileBody(JSC::DFG::SpeculativeJIT&) STDERR: 6 0x7f56d622b163 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) STDERR: 7 0x7f56d621dfab JSC::DFG::compile(JSC::DFG::CompileMode, JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr*, unsigned int) STDERR: 8 0x7f56d621d900 JSC::DFG::tryCompileFunction(JSC::ExecState*, JSC::CodeBlock*, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, unsigned int) STDERR: 9 0x7f56d63add8f JSC::jitCompileFunctionIfAppropriate(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::JITCompilationEffort) STDERR: 10 0x7f56d63ae08a JSC::prepareFunctionForExecution(JSC::ExecState*, WTF::OwnPtr<JSC::FunctionCodeBlock>&, JSC::JITCode&, JSC::MacroAssemblerCodePtr&, JSC::WriteBarrier<JSC::SharedSymbolTable>&, JSC::JITCode::JITType, unsigned int, JSC::CodeSpecializationKind) STDERR: 11 0x7f56d63abf71 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::JSScope*, JSC::JITCode::JITType, unsigned int) STDERR: 12 0x7f56d63ab39b JSC::FunctionExecutable::compileOptimizedForCall(JSC::ExecState*, JSC::JSScope*, unsigned int) STDERR: 13 0x7f56d614ad85 JSC::FunctionExecutable::compileOptimizedFor(JSC::ExecState*, JSC::JSScope*, unsigned int, JSC::CodeSpecializationKind) STDERR: 14 0x7f56d6146e38 JSC::FunctionCodeBlock::compileOptimized(JSC::ExecState*, JSC::JSScope*, unsigned int) STDERR: 15 0x7f56d63177bd STDERR: 16 0x7f56d6313be0 STDERR: 17 0x7f5682780058
Alexey Proskuryakov
Comment 9 2012-10-29 09:52:32 PDT
Bug 100636 tracks the regression.
Note You need to log in before you can comment on or make changes to this bug.