- Revision
- 230465
- Author
- fpi...@apple.com
- Date
- 2018-04-09 19:42:27 -0700 (Mon, 09 Apr 2018)
Log Message
Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
https://bugs.webkit.org/show_bug.cgi?id=184372
Reviewed by Saam Barati.
We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
have already proved, using techniques that are more precise than AI, that the edge has type
Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
other than a check - so we think we can call those just because we should have already
bailed. It's better to think of them as the result of folding a check. Therefore, we should
only do it if there had been a check to begin with.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::lowInt52):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
(JSC::FTL::DFG::LowerDFGToB3::lowDouble):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (230464 => 230465)
--- trunk/Source/_javascript_Core/ChangeLog 2018-04-10 01:53:00 UTC (rev 230464)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-04-10 02:42:27 UTC (rev 230465)
@@ -1,3 +1,34 @@
+2018-04-09 Filip Pizlo <fpi...@apple.com>
+
+ Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
+ https://bugs.webkit.org/show_bug.cgi?id=184372
+
+ Reviewed by Saam Barati.
+
+ We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
+ have already proved, using techniques that are more precise than AI, that the edge has type
+ Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
+ because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
+ other than a check - so we think we can call those just because we should have already
+ bailed. It's better to think of them as the result of folding a check. Therefore, we should
+ only do it if there had been a check to begin with.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
+ (JSC::FTL::DFG::LowerDFGToB3::lowCell):
+ (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
+ (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
+
2018-04-08 Yusuke Suzuki <utatane....@gmail.com>
[JSC] Introduce @putByIdDirectPrivate
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (230464 => 230465)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-04-10 01:53:00 UTC (rev 230464)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-04-10 02:42:27 UTC (rev 230465)
@@ -1088,7 +1088,8 @@
m_interpreter.filter(value, SpecInt32Only);
if (value.isClear()) {
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
returnFormat = DataFormatInt32;
return allocate();
}
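Review bot: When the edge is a Known* use kind, this branch now falls through to `return allocate();` with no exit emitted, so the caller gets a register that nothing has written and code generation for the node carries on. That is sound only while the earlier proof behind the Known* kind holds; if it ever does not, the generated code would run with that value instead of bailing, so the assumption deserves a comment such as `// AI state is bottom, so this path is unreachable at run time; Known* edges must not exit, hence only a placeholder register is returned.` The same applies to the four later hunks in this file (the SpecAnyInt, double, SpecCellCheck and SpecBoolean paths). Because the identical two-line guard is repeated at every site, a small helper wrapping the `mayHaveTypeCheck(edge.useKind())` test and the terminate call would keep the sites from drifting apart. The enclosing function starts and ends outside the hunk.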
@@ -1232,7 +1233,8 @@
m_interpreter.filter(value, SpecAnyInt);
if (value.isClear()) {
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return allocate();
}
@@ -1339,7 +1341,8 @@
info.fillDouble(*m_stream, fpr);
return fpr;
}
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return fprAllocate();
}
@@ -1372,7 +1375,8 @@
m_interpreter.filter(value, SpecCellCheck);
if (value.isClear()) {
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return allocate();
}
@@ -1447,7 +1451,8 @@
m_interpreter.filter(value, SpecBoolean);
if (value.isClear()) {
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return allocate();
}
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (230464 => 230465)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-04-10 01:53:00 UTC (rev 230464)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-04-10 02:42:27 UTC (rev 230465)
@@ -14043,7 +14043,8 @@
if (edge->hasConstant()) {
JSValue value = edge->asJSValue();
if (!value.isInt32()) {
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.int32Zero;
}
LValue result = m_out.constInt32(value.asInt32());
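Review bot: No regression test is visible for this change; as far as this revision shows, only the ChangeLog and the two lowering files are modified. For a Known* edge the non-int32 constant path now returns `m_out.int32Zero` without terminating, and the `lowInt52`, `lowCell`, `lowBoolean` and `lowDouble` hunks below return similar zero/false placeholders. A test that drives a Known* edge into a contradictory AI state would pin that behaviour. It would also help to note at the first site that the placeholder is never observed at run time, e.g. `// Unreachable at run time: AI proved a contradiction, and Known* edges may not exit.` The function body continues outside the hunk.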
@@ -14074,7 +14075,8 @@
}
DFG_ASSERT(m_graph, m_node, !(provenType(edge) & SpecInt32Only), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.int32Zero;
}
@@ -14108,7 +14110,8 @@
}
DFG_ASSERT(m_graph, m_node, !provenType(edge), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.int64Zero;
}
@@ -14160,7 +14163,8 @@
if (edge->op() == JSConstant) {
FrozenValue* value = edge->constant();
if (!value->value().isCell()) {
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.intPtrZero;
}
LValue result = frozenPointer(value);
@@ -14177,7 +14181,8 @@
}
DFG_ASSERT(m_graph, m_node, !(provenType(edge) & SpecCellCheck), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.intPtrZero;
}
@@ -14269,7 +14274,8 @@
if (edge->hasConstant()) {
JSValue value = edge->asJSValue();
if (!value.isBoolean()) {
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.booleanFalse;
}
LValue result = m_out.constBool(value.asBoolean());
@@ -14290,9 +14296,10 @@
setBoolean(edge.node(), result);
return result;
}
-
+
DFG_ASSERT(m_graph, m_node, !(provenType(edge) & SpecBoolean), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.booleanFalse;
}
@@ -14304,7 +14311,8 @@
if (isValid(value))
return value.value();
DFG_ASSERT(m_graph, m_node, !provenType(edge), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.doubleZero;
}
@@ -14763,6 +14771,9 @@
void speculateCellOrOther(Edge edge)
{
+ if (shouldNotHaveTypeCheck(edge.useKind()))
+ return;
+
LValue value = lowJSValue(edge, ManualOperandSpeculation);
LBasicBlock isNotCell = m_out.newBlock();
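Review bot: The early return added here keys on the use kind (`shouldNotHaveTypeCheck(edge.useKind())`), while the guard added to `speculateStringOrOther` in the next hunk keys on the abstract-interpreter state (`!m_interpreter.needsTypeCheck(edge)`). The two conditions answer different questions, whether the edge is allowed a check versus whether a check is still needed, so a reader cannot tell if the difference is deliberate. A one-line comment on each would make the intent explicit, e.g. `// Known* edge: must not emit an exit, so skip the speculation entirely.` here. Both function bodies continue past their hunks.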
@@ -15172,6 +15183,9 @@
void speculateStringOrOther(Edge edge, LValue value)
{
+ if (!m_interpreter.needsTypeCheck(edge))
+ return;
+
LBasicBlock cellCase = m_out.newBlock();
LBasicBlock notCellCase = m_out.newBlock();
LBasicBlock continuation = m_out.newBlock();