[Webkit-unassigned] [Bug 68335] DFG speculation failures should act as additional value profiles

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sun Sep 18 23:36:16 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=68335





--- Comment #3 from Filip Pizlo <fpizlo at apple.com>  2011-09-18 23:36:16 PST ---
The best way to do this might actually be to have slow case counters in the old JIT.

There are three cases of speculation failure:

1) We speculate on a value that was loaded from memory, was the result of a call, or was passed as an argument.  These are all things that the old JIT already profiles.  If speculation failures occur due to those cases, then all it takes is to let the old JIT warm itself up again, and the rerun the DFG.  The DFG::Propagator should take care to propagate the predictions from those profiles to all uses, even if they go through local or global variable accesses.

2) We speculate that a particular operation behaves a certain way: for example we speculate that an integer arithmetic does not overflow, or that an integer multiplication does not yield zero.  This only occurs in the case of integer speculation.  The old JIT will take the fast path for integer arithmetic except if it fails to behave in exactly the way that the DFG JIT would have speculated.  Thus, counting the number of slow path executions suffices to tell us that such a speculation would be unwise.

3) We speculate that the code is not crazy: for example we speculate that op_convert_this takes a cell as its input, and that this cell is not a string.  We will currently experience pathologies because the DFG has no facility to compile the code any other way, other than to perform the speculation.  This is a separate probem, since the DFG would have been able to realize that it should not speculate non-string-cell on ConvertThis if it just looked at the predictions.  Even if it did not do this, a slow path counter in the old JIT would catch this case!

I will think about this a bit more, but it seems like slow case counters are the way to go.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list