Closed Bug 848512 Opened 11 years ago Closed 10 years ago

BaselineCompiler: JSOP_DIV: int32 stub should handle lhs == 0 better

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla29

People

(Reporter: jandem, Assigned: sankha)

References

(Blocks 1 open bug)

Details

Attachments

(1 file, 3 obsolete files)

patch v4
3.96 KB, patch
Details | Diff | Splinter Review 
Currently the stub gives up if lhs == 0:

// Prevent negative 0 and -2147483648 / -1.
masm.branchTest32(Assembler::Zero, R0.payloadReg(), Imm32(0x7fffffff), &failure);

It should try a little harder and handle the case where the result is +0. This happens a lot on v8-raytrace, currently we keep attaching int32 stubs until we reach the limit..
Attached patch patch v1 (obsolete) — Splinter Review 
Jandem can you see if this is correct? I ran the raytrace script from the v8 benchmark. I am getting the following score (an average of 3 runs):

With patch: 22589
Without patch: 21012
Attachment #8359864 - Flags: review?(jdemooij)
Comment on attachment 8359864 [details] [diff] [review]
patch v1

Review of attachment 8359864 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for looking into this! I completely forgot about this bug.

::: js/src/jit/x86/BaselineIC-x86.cpp
@@ +93,5 @@
>          // Prevent negative 0 and -2147483648 / -1.
>          masm.branchTest32(Assembler::Zero, R0.payloadReg(), Imm32(0x7fffffff), &failure);
>  
> +        // Prevent positive 0.
> +        masm.branchTest32(Assembler::Zero, R0.payloadReg(), Imm32(0), &failure);

This branch will never be taken I think. The previous branch handles everything that has the lower 31-bits cleared, including 0.

I think the right fix is to split the previous check: first, if R0 == INT32_MIN, jump to |failures|. Then, if R0 == 0 AND R1 < 0, also jump to failures (result is -0 in this case).

Let me know if you need help with this :)
Attachment #8359864 - Flags: review?(jdemooij)
Component: JavaScript Engine → JavaScript Engine: JIT
Attached patch patch v2 (obsolete) — Splinter Review 

        Attachment #8359864 -
        Attachment is obsolete: true

        Attachment #8366606 -
        Flags: review?(jdemooij)

    
    

    
  
Comment on attachment 8366606 [details] [diff] [review]
patch v2

Review of attachment 8366606 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jit/x86/BaselineIC-x86.cpp
@@ +92,5 @@
>  
>          // Prevent negative 0 and -2147483648 / -1.
> +        masm.branchTest32(Assembler::Equal, R0.payloadReg(), Imm32(INT32_MIN), &failure);
> +        masm.branchTest32(Assembler::Equal, R0.payloadReg(), Imm32(0), &failure);
> +        masm.branchTest32(Assembler::Signed, R1.payloadReg(), R1.payloadReg(), &failure);

This jumps to |failure| if R0 == 0 OR R1 < 0. Instead, we want it to jump to |failure| if R0 == 0 AND R1 < 0. So you want something like this:

masm.branchTest32(Assembler::Equal, R0.payloadReg(), Imm32(INT32_MIN), &failure);

Label notZero;
masm.branchTest32(Assembler::NotEqual, R0.payloadReg(), Imm32(0), &notZero);
masm.branchTest32(Assembler::Signed, R1.payloadReg(), R1.payloadReg(), &failure);
masm.bind(&notZero);

        Attachment #8366606 -
        Flags: review?(jdemooij)

    
    

    
  
(In reply to Jan de Mooij [:jandem] from comment #4)
> masm.branchTest32(Assembler::NotEqual, R0.payloadReg(), Imm32(0), &notZero);

This should be branch32 btw.

    
    

    
  
(In reply to Jan de Mooij [:jandem] from comment #5)
> This should be branch32 btw.

To elaborate a bit: branch32 will emit a cmp instruction, branchTest32 will emit a test instruction. As a rule of thumb, use branch32 when you want to check if two values are equal/not equal/less than/greater than etc. "test" does a bitwise and of its two operands and is usually used with Assembler::Signed, Assembler::Zero, Assembler::NonZero.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v3 (obsolete)
        — Splinter Review
      

    


  
Thanks for the explanation. It really cleared up the the things! :)

        Attachment #8366606 -
        Attachment is obsolete: true

        Attachment #8366733 -
        Flags: review?(jdemooij)

    
    

    
  
Comment on attachment 8366733 [details] [diff] [review]
patch v3

Review of attachment 8366733 [details] [diff] [review]:
-----------------------------------------------------------------

Great, thanks! r=me with comment below addressed.

::: js/src/jit/x64/BaselineIC-x64.cpp
@@ +88,5 @@
>          // Prevent division by 0.
>          masm.branchTest32(Assembler::Zero, ExtractTemp0, ExtractTemp0, &failure);
>  
>          // Prevent negative 0 and -2147483648 / -1.
> +        masm.branchTest32(Assembler::Equal, eax, Imm32(INT32_MIN), &failure);

This should be branch32, same for x86.

        Attachment #8366733 -
        Flags: review?(jdemooij) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v4Splinter Review
      

    


  
Assignee: general → sankha93

        Attachment #8366733 -
        Attachment is obsolete: true

    
  
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/340cc0f16046
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: