Modified: trunk/Source/_javascript_Core/ChangeLog (96279 => 96280)
--- trunk/Source/_javascript_Core/ChangeLog 2011-09-29 00:45:26 UTC (rev 96279)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-09-29 00:47:07 UTC (rev 96280)
@@ -1,3 +1,18 @@
+2011-09-28 Filip Pizlo <fpi...@apple.com>
+
+ DFG JIT falls back on numerical comparisons when it does not
+ recognize a prediction
+ https://bugs.webkit.org/show_bug.cgi?id=68977
+
+ Reviewed by Geoffrey Garen.
+
+ This fixes both the way comparison implementations are selected. It
+ also fixes a bug where comparisons other than equality (like < or >)
+ on objects are compiled as if the comparison was equality.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compare):
+
2011-09-28 Gavin Barraclough <barraclo...@apple.com>
Implement callOperation(D_DFGOperation_DD) for DFG JIT 32_64
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (96279 => 96280)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-09-29 00:45:26 UTC (rev 96279)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-09-29 00:47:07 UTC (rev 96280)
@@ -650,27 +650,8 @@
m_compileIndex = branchNodeIndex;
return true;
}
-
- if (shouldSpeculateFinalObject(node.child1(), node.child2()))
- compileObjectEquality(node, m_jit.globalData()->jsFinalObjectVPtr);
- else if (shouldSpeculateArray(node.child1(), node.child2()))
- compileObjectEquality(node, m_jit.globalData()->jsArrayVPtr);
- else if (!shouldSpeculateNumber(node.child1()) && !shouldSpeculateNumber(node.child2()))
- nonSpeculativeNonPeepholeCompare(node, condition, operation);
- else if ((shouldSpeculateNumber(node.child1()) || shouldSpeculateNumber(node.child2())) && !shouldSpeculateInteger(node.child1(), node.child2())) {
- // Normal case, not fused to branch.
- SpeculateDoubleOperand op1(this, node.child1());
- SpeculateDoubleOperand op2(this, node.child2());
- GPRTemporary result(this);
-
- m_jit.move(TrustedImm32(ValueTrue), result.gpr());
- MacroAssembler::Jump trueCase = m_jit.branchDouble(doubleCondition, op1.fpr(), op2.fpr());
- m_jit.xorPtr(Imm32(true), result.gpr());
- trueCase.link(&m_jit);
- jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
- } else {
- // Normal case, not fused to branch.
+ if (shouldSpeculateInteger(node.child1(), node.child2())) {
SpeculateIntegerOperand op1(this, node.child1());
SpeculateIntegerOperand op2(this, node.child2());
GPRTemporary result(this, op1, op2);
@@ -680,7 +661,23 @@
// If we add a DataFormatBool, we should use it here.
m_jit.or32(TrustedImm32(ValueFalse), result.gpr());
jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
- }
+ } else if (shouldSpeculateNumber(node.child1(), node.child2())) {
+ SpeculateDoubleOperand op1(this, node.child1());
+ SpeculateDoubleOperand op2(this, node.child2());
+ GPRTemporary result(this);
+
+ m_jit.move(TrustedImm32(ValueTrue), result.gpr());
+ MacroAssembler::Jump trueCase = m_jit.branchDouble(doubleCondition, op1.fpr(), op2.fpr());
+ m_jit.xorPtr(Imm32(true), result.gpr());
+ trueCase.link(&m_jit);
+
+ jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
+ } else if (node.op == CompareEq && shouldSpeculateFinalObject(node.child1(), node.child2()))
+ compileObjectEquality(node, m_jit.globalData()->jsFinalObjectVPtr);
+ else if (node.op == CompareEq && shouldSpeculateArray(node.child1(), node.child2()))
+ compileObjectEquality(node, m_jit.globalData()->jsArrayVPtr);
+ else
+ nonSpeculativeNonPeepholeCompare(node, condition, operation);
return false;
}
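Review bot: The `node.op == CompareEq` guard on the two `compileObjectEquality` branches carries the whole fix for relational operators on objects, but nothing in the code says so. A comment above the first guarded branch, such as `// compileObjectEquality implements == only; <, >, <=, >= on objects must take the generic path.`, would keep a later reorder from dropping it. `compare` begins above this hunk and the fused-branch path that ends at `return true` in the previous hunk is not shown, so it is worth confirming that any object-equality peephole there is gated the same way. In the double branch, `m_jit.xorPtr(Imm32(true), result.gpr())` uses `Imm32` for a compile-time constant while the line before it uses `TrustedImm32`; `TrustedImm32(true)` would be consistent. No regression test for `<` or `>` on two objects is visible in this diff, and a miscompiled comparison in the JIT deserves one.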