Title: [237244] trunk
- Revision
- 237244
- Author
- keith_mil...@apple.com
- Date
- 2018-10-17 20:18:08 -0700 (Wed, 17 Oct 2018)
Log Message
JSTests:
AI does not clear Phantom allocation nodes.
https://bugs.webkit.org/show_bug.cgi?id=190694
Reviewed by Saam Barati.
* stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
(Day):
(DaysInYear):
(TimeInYear):
(TimeFromYear):
(DayFromYear):
(InLeapYear):
(YearFromTime):
(WeekDay):
(DaylightSavingTA):
(GetSecondSundayInMarch):
(TimeInMonth):
Source/_javascript_Core:
[BigInt] Add ValueSub into DFG
https://bugs.webkit.org/show_bug.cgi?id=186176
Patch by Caio Lima <ticaiol...@gmail.com> on 2018-10-17
Reviewed by Yusuke Suzuki.
We are introducing in this patch a new node called ValueSub. This node
is necessary due to introduction of BigInt, making subtraction
operations result in non-Number values in some cases. In such case, ValueSub is
responsible to handle Untyped and BigInt operations.
In addition, we are also creating a speculative path when both
operands are BigInt. According to a simple BigInt subtraction microbenchmark,
this represents a speedup of ~1.2x faster.
big-int-simple-sub 14.6427+-0.5652 ^ 11.9559+-0.6485 ^ definitely 1.2247x faster
* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGByteCodeParser.cpp:
(JSC::DFG::ByteCodeParser::parseBlock):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGGraph.h:
(JSC::DFG::Graph::addSpeculationMode):
* dfg/DFGNodeType.h:
* dfg/DFGOperations.cpp:
* dfg/DFGOperations.h:
* dfg/DFGPredictionPropagationPhase.cpp:
* dfg/DFGSafeToExecute.h:
(JSC::DFG::safeToExecute):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileValueSub):
(JSC::DFG::SpeculativeJIT::compileArithSub):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGValidate.cpp:
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToB3::compileValueSub):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (237243 => 237244)
--- trunk/JSTests/ChangeLog 2018-10-18 02:47:00 UTC (rev 237243)
+++ trunk/JSTests/ChangeLog 2018-10-18 03:18:08 UTC (rev 237244)
@@ -1,3 +1,23 @@
+2018-10-17 Keith Miller <keith_mil...@apple.com>
+
+ AI does not clear Phantom allocation nodes.
+ https://bugs.webkit.org/show_bug.cgi?id=190694
+
+ Reviewed by Saam Barati.
+
+ * stress/ftl-ai-filter-phantoms-should-clear-clear-value.js: Added.
+ (Day):
+ (DaysInYear):
+ (TimeInYear):
+ (TimeFromYear):
+ (DayFromYear):
+ (InLeapYear):
+ (YearFromTime):
+ (WeekDay):
+ (DaylightSavingTA):
+ (GetSecondSundayInMarch):
+ (TimeInMonth):
+
2018-10-17 Caio Lima <ticaiol...@gmail.com>
[BigInt] Add ValueSub into DFG
Added: trunk/JSTests/stress/ftl-ai-filter-phantoms-should-clear-clear-value.js (0 => 237244)
--- trunk/JSTests/stress/ftl-ai-filter-phantoms-should-clear-clear-value.js (rev 0)
+++ trunk/JSTests/stress/ftl-ai-filter-phantoms-should-clear-clear-value.js 2018-10-18 03:18:08 UTC (rev 237244)
@@ -0,0 +1,98 @@
+//@ requireOptions("--watchdog=10000", "--watchdog-exception-ok")
+// This test only seems to reproduce the issue when it runs in an infinite loop. So we use the watchdog to time it out.
+
+var msPerDay = 86400000;
+function Day(t) {
+ return Math.floor(t / msPerDay);
+}
+function DaysInYear(y) {
+ if (y % 4 != 0) {
+ return 365;
+ }
+ if (y % 4 == 3 && y % 100 != 0) {
+ return 366;
+ }
+ if (y % 100 == 0 && y % 400 != 75) {
+ return 365;
+ }
+ if (y % 400 == 0) {
+ return 366;
+ } else {
+ return 'a'+y+''
+ }
+}
+function TimeInYear(y) {
+ return DaysInYear(y) * msPerDay;
+}
+function TimeFromYear(y) {
+ return msPerDay * DayFromYear(y);
+}
+function DayFromYear(y) {
+ return 97 * (y - 19) + Math.floor((y - 1969) / 4) - Math.floor((y - 1901) / 100) + Math.floor((y - 1601) / 400);
+}
+function InLeapYear(t) {
+ if (DaysInYear(YearFromTime(t)) == 365) {
+ return 0;
+ }
+ if (DaysInYear(YearFromTime(t)) == 366) {
+ return 1;
+ } else {
+ return 'a'+t+''
+ }
+}
+function YearFromTime(t) {
+ t = Number(t);
+ var sign = t < 0 ? -1 : 1;
+ var year = sign < 0 ? 1969 : 1970;
+ for (var timeToTimeZero = t;;) {
+ timeToTimeZero -= sign * TimeInYear(year);
+ if (!(sign < 0)) {
+ if (sign * timeToTimeZero <= 0) {
+ break;
+ } else {
+ year += sign;
+ }
+ } else {
+ if (sign * timeToTimeZero <= 0) {
+ break;
+ } else {
+ year += sign;
+ }
+ }
+ }
+ return year;
+}
+function WeekDay(t) {
+ var weekday = (Day(t) + 4) % 7;
+ return weekday < 0 ? 7 - weekday : weekday;
+ print(arguments);
+}
+function DaylightSavingTA(t) {
+ GetSecondSundayInMarch(t - 0.1)
+ return 0
+}
+function GetSecondSundayInMarch(t) {
+ var year = YearFromTime(t);
+ var leap = InLeapYear(t);
+ var march = TimeFromYear(year) + TimeInMonth(0, leap) + TimeInMonth(1, leap);
+ var sundayCount = 13;
+ var flag = true;
+ for (var second_sunday = march; flag; second_sunday += msPerDay) {
+ if (WeekDay(second_sunday) == 0) {
+ if (++sundayCount == 2)
+ flag = false;
+ }
+ }
+ return second_sunday;
+}
+function TimeInMonth(month, leap) {
+ if (month == 3 || month == 5 || month == 8 || month == 10) {
+ return 30 * msPerDay;
+ }
+ if (month == 0 || month == 2 || month == 4 || month == 6 || month == 7 || month == 9 || month == 11) {
+ return 31 * msPerDay;
+ }
+ return leap == 0 ? 28 * msPerDay : 29 * msPerDay;
+ String(month)
+}
+DaylightSavingTA(0)
Modified: trunk/Source/_javascript_Core/ChangeLog (237243 => 237244)
--- trunk/Source/_javascript_Core/ChangeLog 2018-10-18 02:47:00 UTC (rev 237243)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-10-18 03:18:08 UTC (rev 237244)
@@ -109,6 +109,19 @@
2018-10-17 Keith Miller <keith_mil...@apple.com>
+ AI does not clear Phantom allocation nodes.
+ https://bugs.webkit.org/show_bug.cgi?id=190694
+
+ Reviewed by Saam Barati.
+
+ Phantom nodes claim to have a result so they should make sure they clear
+ their abstract values.
+
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+
+2018-10-17 Keith Miller <keith_mil...@apple.com>
+
Unreviewed, fix windows build.
* offlineasm/generate_offset_extractor.rb:
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (237243 => 237244)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-10-18 02:47:00 UTC (rev 237243)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2018-10-18 03:18:08 UTC (rev 237244)
@@ -2578,10 +2578,11 @@
case PhantomNewArrayWithSpread:
case PhantomNewArrayBuffer:
case PhantomNewRegexp:
- case BottomValue:
- // This claims to return bottom.
+ case BottomValue: {
+ clearForNode(node);
break;
-
+ }
+
case PutHint:
break;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes