Diff
Modified: releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog (228748 => 228749)
--- releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-02-20 08:22:11 UTC (rev 228748)
+++ releases/WebKitGTK/webkit-2.20/JSTests/ChangeLog 2018-02-20 08:22:21 UTC (rev 228749)
@@ -1,3 +1,20 @@
+2018-02-13 Yusuke Suzuki <utatane....@gmail.com>
+
+ Support GetArrayLength on ArrayStorage in the FTL
+ https://bugs.webkit.org/show_bug.cgi?id=182625
+
+ Reviewed by Saam Barati.
+
+ * stress/array-storage-length.js: Added.
+ (shouldBe):
+ (testInBound):
+ (testUncountable):
+ (testSlowPutInBound):
+ (testSlowPutUncountable):
+ * stress/undecided-length.js: Added.
+ (shouldBe):
+ (test2):
+
2018-02-16 Saam Barati <sbar...@apple.com>
Fix bugs from r228411
Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/array-storage-length.js (0 => 228749)
--- releases/WebKitGTK/webkit-2.20/JSTests/stress/array-storage-length.js (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/array-storage-length.js 2018-02-20 08:22:21 UTC (rev 228749)
@@ -0,0 +1,60 @@
+'use strict';
+
+function shouldBe(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+var object = { a: 10 };
+Object.defineProperties(object, {
+ "0": {
+ get: function() { return this.a; },
+ set: function(x) { this.a = x; },
+ },
+});
+
+var array = [ 0, 1, 2, 3, 4, 5 ];
+ensureArrayStorage(array);
+
+function testInBound(array)
+{
+ return array.length;
+}
+noInline(testInBound);
+for (var i = 0; i < 1e5; ++i)
+ shouldBe(testInBound(array), 6);
+
+function testUncountable(array)
+{
+ return array.length;
+}
+noInline(testUncountable);
+for (var i = 0; i < 1e5; ++i)
+ shouldBe(testUncountable(array), 6);
+array.length = 0xffffffff - 1;
+for (var i = 0; i < 1e5; ++i)
+ shouldBe(testUncountable(array), 0xffffffff - 1);
+
+
+var slowPutArray = [ 0, 1, 2, 3, 4, 5 ];
+ensureArrayStorage(slowPutArray);
+slowPutArray.__proto__ = object;
+
+function testSlowPutInBound(array)
+{
+ return array.length;
+}
+noInline(testSlowPutInBound);
+for (var i = 0; i < 1e5; ++i)
+ shouldBe(testSlowPutInBound(slowPutArray), 6);
+
+function testSlowPutUncountable(array)
+{
+ return array.length;
+}
+noInline(testSlowPutUncountable);
+for (var i = 0; i < 1e5; ++i)
+ shouldBe(testSlowPutUncountable(slowPutArray), 6);
+slowPutArray.length = 0xffffffff - 1;
+for (var i = 0; i < 1e5; ++i)
+ shouldBe(testSlowPutUncountable(slowPutArray), 0xffffffff - 1);
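Review bot: The uncountable cases probe only one length, `0xffffffff - 1`, so the boundary of the signed check in the FTL lowering is never exercised. The new `compileGetArrayLength` path exits when the loaded length is negative as an int32, so the values that matter are `0x7fffffff` (must still be returned normally) and `0x80000000` (the first value that must take the exit). An off-by-one in that comparison would pass this test as written. Consider adding `array.length = 0x7fffffff;` and `array.length = 0x80000000;`, each followed by the same `shouldBe(testUncountable(array), ...)` loop, and doing the same for `slowPutArray`.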
Added: releases/WebKitGTK/webkit-2.20/JSTests/stress/undecided-length.js (0 => 228749)
--- releases/WebKitGTK/webkit-2.20/JSTests/stress/undecided-length.js (rev 0)
+++ releases/WebKitGTK/webkit-2.20/JSTests/stress/undecided-length.js 2018-02-20 08:22:21 UTC (rev 228749)
@@ -0,0 +1,25 @@
+function shouldBe(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+var array = [];
+
+function test1(array)
+{
+ return array.length;
+}
+noInline(test1);
+for (var i = 0; i < 1e5; ++i)
+ shouldBe(test1(array), 0);
+
+var array = [];
+array.ok = 42;
+
+function test2(array)
+{
+ return array.length;
+}
+noInline(test2);
+for (var i = 0; i < 1e5; ++i)
+ shouldBe(test2(array), 0);
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog (228748 => 228749)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-02-20 08:22:11 UTC (rev 228748)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ChangeLog 2018-02-20 08:22:21 UTC (rev 228749)
@@ -1,3 +1,25 @@
+2018-02-13 Yusuke Suzuki <utatane....@gmail.com>
+
+ Support GetArrayLength on ArrayStorage in the FTL
+ https://bugs.webkit.org/show_bug.cgi?id=182625
+
+ Reviewed by Saam Barati.
+
+ This patch adds GetArrayLength and CheckArray + ArrayStorage & SlowPutArrayStorage support for FTL.
+ The implementation is trivial; just porting one in DFG to FTL.
+
+ This fixes several FTL compilation failures in web-tooling-benchmarks while we still need to support
+ ArrayPush, ArrayPop, Arrayify, and PutByVal.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileGetArrayLength):
+ (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForArrayify):
+ (JSC::FTL::DFG::LowerDFGToB3::isArrayTypeForCheckArray):
+
2018-02-10 Filip Pizlo <fpi...@apple.com>
Lock down JSFunction
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (228748 => 228749)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-02-20 08:22:11 UTC (rev 228748)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-02-20 08:22:21 UTC (rev 228749)
@@ -822,13 +822,11 @@
return;
}
- const ClassInfo* expectedClassInfo = 0;
-
switch (node->arrayMode().type()) {
case Array::AnyTypedArray:
case Array::String:
RELEASE_ASSERT_NOT_REACHED(); // Should have been a Phantom(String:)
- break;
+ return;
case Array::Int32:
case Array::Double:
case Array::Contiguous:
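Review bot: With `break` turned into `return` here and the trailing class-info check deleted in the next hunk, nothing after the switch emits a check any more. A case that falls out of the switch would therefore end `checkArray` with no speculation and no `noResult`. Only some cases are visible in these hunks, so this assumes every remaining case returns. Adding `RELEASE_ASSERT_NOT_REACHED();` after the switch's closing brace would turn a forgotten `return` in a later-added case into an immediate assertion failure instead of a silently skipped type check. The function body starts above this hunk and ends in the next one.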
@@ -860,20 +858,6 @@
noResult(m_currentNode);
return;
}
-
- RELEASE_ASSERT(expectedClassInfo);
-
- GPRTemporary temp(this);
- GPRTemporary temp2(this);
- m_jit.emitLoadStructure(*m_jit.vm(), baseReg, temp.gpr(), temp2.gpr());
- speculationCheck(
- BadType, JSValueSource::unboxedCell(baseReg), node,
- m_jit.branchPtr(
- MacroAssembler::NotEqual,
- MacroAssembler::Address(temp.gpr(), Structure::classInfoOffset()),
- TrustedImmPtr(PoisonedClassInfoPtr(expectedClassInfo).bits())));
-
- noResult(m_currentNode);
}
void SpeculativeJIT::arrayify(Node* node, GPRReg baseReg, GPRReg propertyReg)
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLCapabilities.cpp (228748 => 228749)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2018-02-20 08:22:11 UTC (rev 228748)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2018-02-20 08:22:21 UTC (rev 228749)
@@ -355,6 +355,9 @@
case Array::Int32:
case Array::Double:
case Array::Contiguous:
+ case Array::Undecided:
+ case Array::ArrayStorage:
+ case Array::SlowPutArrayStorage:
case Array::DirectArguments:
case Array::ScopedArguments:
break;
@@ -370,6 +373,8 @@
case Array::Int32:
case Array::Double:
case Array::Contiguous:
+ case Array::ArrayStorage:
+ case Array::SlowPutArrayStorage:
case Array::String:
case Array::DirectArguments:
case Array::ScopedArguments:
Modified: releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (228748 => 228749)
--- releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-02-20 08:22:11 UTC (rev 228748)
+++ releases/WebKitGTK/webkit-2.20/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-02-20 08:22:21 UTC (rev 228749)
@@ -3644,6 +3644,14 @@
setInt32(m_out.load32NonNegative(lowStorage(m_node->child2()), m_heaps.Butterfly_publicLength));
return;
}
+
+ case Array::ArrayStorage:
+ case Array::SlowPutArrayStorage: {
+ LValue length = m_out.load32(lowStorage(m_node->child2()), m_heaps.Butterfly_publicLength);
+ speculate(Uncountable, noValue(), nullptr, m_out.lessThan(length, m_out.int32Zero));
+ setInt32(length);
+ return;
+ }
case Array::String: {
LValue string = lowCell(m_node->child1());
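Review bot: The new `ArrayStorage`/`SlowPutArrayStorage` case needs a comment saying why it uses `load32` plus an explicit speculation while the case above uses `load32NonNegative`. The test added in this commit sets an ArrayStorage length of `0xffffffff - 1`, which does not fit in a non-negative int32. The signed `lessThan(length, m_out.int32Zero)` exit is what stops such a length from being handed on as an Int32 result. A line such as `// publicLength is a uint32 here and may exceed INT32_MAX; exit rather than produce a negative Int32 length.` above the `speculate` call would keep a later cleanup from swapping in `load32NonNegative`. `compileGetArrayLength` starts and ends outside this hunk.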
@@ -14540,7 +14548,10 @@
switch (arrayMode.type()) {
case Array::Int32:
case Array::Double:
- case Array::Contiguous: {
+ case Array::Contiguous:
+ case Array::Undecided:
+ case Array::ArrayStorage:
+ case Array::SlowPutArrayStorage: {
IndexingType shape = arrayMode.shapeMask();
LValue indexingType = m_out.load8ZeroExt32(cell, m_heaps.JSCell_indexingTypeAndMisc);
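Review bot: `SlowPutArrayStorage` now shares the exact-shape test built from `arrayMode.shapeMask()`, which may be stricter than what the DFG does for the same mode. The DFG helper is not shown on this page, but if its slow-put check accepts both the ArrayStorage and the SlowPutArrayStorage shape, an FTL-compiled `CheckArray` would exit on arrays the DFG accepted and could keep re-exiting. That direction is memory-safe, since it only rejects more inputs. It is still worth confirming against the DFG helper and, if they differ, giving `SlowPutArrayStorage` its own case. The rest of `isArrayTypeForArrayify` lies outside this hunk.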
@@ -14580,6 +14591,9 @@
case Array::Int32:
case Array::Double:
case Array::Contiguous:
+ case Array::Undecided:
+ case Array::ArrayStorage:
+ case Array::SlowPutArrayStorage:
return isArrayTypeForArrayify(cell, arrayMode);
case Array::DirectArguments: