[Webkit-unassigned] [Bug 68750] Value profiling in baseline JIT for JSVALUE32_64

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Sep 24 00:52:27 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=68750





--- Comment #4 from Filip Pizlo <fpizlo at apple.com>  2011-09-24 00:52:27 PST ---
(From update of attachment 108580)
View in context: https://bugs.webkit.org/attachment.cgi?id=108580&action=review

> Source/JavaScriptCore/jit/JITArithmetic32_64.cpp:998
>      unsigned op2 = currentInstruction[3].u.operand;
>      OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
>  
> +#if ENABLE(VALUE_PROFILER)
> +    m_codeBlock->addSpecialFastCaseProfile(m_bytecodeOffset);
> +#endif
> +
>      JumpList notInt32Op1;
>      JumpList notInt32Op2;
>  
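Review bot: the `m_codeBlock->addSpecialFastCaseProfile(m_bytecodeOffset);` call is a bare statement at the top of this emitter, ahead of `JumpList notInt32Op1;`, with no comment saying which case the profile is meant to count. Nothing in the visible lines ties the profile to one path. Add a one-line comment naming the specific case, and make sure the code that bumps the counter is emitted only on the branch that detects that case rather than on every execution of the op.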

The special fast case profile for op_mul should count the number of times that we went to the double slow path only because of negative zero.  You're counting this every time.  That'll throw the DFG off, since it'll think that every single execution of every multiply creates a negative zero result every time.

> Source/JavaScriptCore/jit/JITArithmetic32_64.cpp:1076
>      unsigned op2 = currentInstruction[3].u.operand;
>      OperandTypes types = OperandTypes::fromInt(currentInstruction[4].u.operand);
>  
> +#if ENABLE(VALUE_PROFILER)
> +    m_codeBlock->addSpecialFastCaseProfile(m_bytecodeOffset);
> +#endif
> +
>      if (!supportsFloatingPoint()) {
>          addSlowCase(jump());
>          return;
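Review bot: the profile is added before the `if (!supportsFloatingPoint())` check, so an entry is created even on the path that only does `addSlowCase(jump()); return;` and emits no fast case at all. Move the `#if ENABLE(VALUE_PROFILER)` block below that early return, or state in a comment why the slow-case-only path still needs the entry. The same guarded three-line block now appears in two emitters, so a small helper would keep them from drifting apart.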

The special fast case profile for op_div should count a specific case, not all cases.  In this case, it should be counting the number of times that the division created a result that was not an integer.  You're counting every execution.  This will cause the DFG to think that every execution of a division creates a double, which will cause performance problems in a number of benchmarks.

It would be good to get this right on the first go, because DFG mis-speculation bugs are truly not fun to debug.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
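
The counting rule discussed in the review comment above, as an added example that is not part of the original mail and is not JavaScriptCore code: a simplified model that replays constructed int32 operand pairs and compares a counter bumped on every execution with one bumped only for the special case (negative zero for multiply, non-integer result for divide). The `Policy`, `Profile`, `run` and `wouldAssumeDouble` names and the 10% threshold are hypothetical.

```cpp
#include <cstdint>
#include <utility>
#include <vector>

// Simplified model, not JavaScriptCore code. All names are hypothetical.
enum class Policy { EveryExecution, SpecialCaseOnly };
struct Profile { uint32_t executions = 0; uint32_t counter = 0; };
using Pairs = std::vector<std::pair<int32_t, int32_t>>;

// int32 * int32 is -0 in JS when the product is zero and an operand is negative.
bool mulMakesNegativeZero(int32_t a, int32_t b) {
    return static_cast<int64_t>(a) * b == 0 && (a < 0 || b < 0);
}

// int32 / int32 is not an integer when the divisor is zero (Infinity or NaN)
// or a remainder is left. This model ignores -0 and overflow results.
bool divMakesNonInteger(int32_t a, int32_t b) {
    return b == 0 || static_cast<int64_t>(a) % b != 0;
}

// Replays operand pairs and bumps the counter according to the policy.
Profile run(const Pairs& operands, bool (*isSpecial)(int32_t, int32_t), Policy policy) {
    Profile p;
    for (const auto& op : operands) {
        ++p.executions;
        if (policy == Policy::EveryExecution || isSpecial(op.first, op.second))
            ++p.counter;
    }
    return p;
}

// Hypothetical consumer: assume a double result once the counter covers at
// least 10% of executions (threshold chosen for illustration only).
bool wouldAssumeDouble(const Profile& p) {
    return p.executions && static_cast<uint64_t>(p.counter) * 10 >= p.executions;
}

// Constructed operands: every product and quotient here is a plain int32.
const Pairs kIntegerOnly = { {42, 7}, {-12, 4}, {0, 5}, {12, 3}, {8, 2}, {-9, 3} };
// Constructed operands: two pairs multiply to -0, two divide to a non-integer.
const Pairs kMixed = { {0, -5}, {7, 2}, {6, 3}, {-4, 0} };

int main() {
    Profile every = run(kIntegerOnly, mulMakesNegativeZero, Policy::EveryExecution);
    Profile special = run(kIntegerOnly, mulMakesNegativeZero, Policy::SpecialCaseOnly);
    // Exit status 0 when only the every-execution counter looks double-producing.
    return (wouldAssumeDouble(every) && !wouldAssumeDouble(special)) ? 0 : 1;
}
```

On the integer-only operands the every-execution counter equals the execution count, so the model's consumer treats both operations as double-producing, while the special-case counter stays at zero.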


