Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (95126 => 95127)
--- trunk/Source/_javascript_Core/ChangeLog 2011-09-14 21:58:03 UTC (rev 95126)
+++ trunk/Source/_javascript_Core/ChangeLog 2011-09-14 22:04:50 UTC (rev 95127)
@@ -1,5 +1,21 @@
2011-09-14 Filip Pizlo <[email protected]>
+ DFG should not speculate that the child of LogicalNot is a boolean if
+ predictions tell us otherwise
+ https://bugs.webkit.org/show_bug.cgi?id=68118
+
+ Reviewed by Geoffrey Garen.
+
+ * dfg/DFGJITCodeGenerator.cpp:
+ (JSC::DFG::JITCodeGenerator::nonSpeculativeLogicalNot):
+ * dfg/DFGJITCodeGenerator.h:
+ * dfg/DFGNonSpeculativeJIT.cpp:
+ (JSC::DFG::NonSpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
+2011-09-14 Filip Pizlo <[email protected]>
+
Unreviewed build fix. Turn off tiered compilation.
* wtf/Platform.h:
Modified: trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp (95126 => 95127)
--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp 2011-09-14 21:58:03 UTC (rev 95126)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp 2011-09-14 22:04:50 UTC (rev 95127)
@@ -1028,6 +1028,33 @@
}
}
+void JITCodeGenerator::nonSpeculativeLogicalNot(Node& node)
+{
+ JSValueOperand arg1(this, node.child1());
+ GPRTemporary result(this);
+
+ GPRReg arg1GPR = arg1.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ arg1.use();
+
+ m_jit.move(arg1GPR, resultGPR);
+ m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), resultGPR);
+ JITCompiler::Jump fastCase = m_jit.branchTestPtr(JITCompiler::Zero, resultGPR, TrustedImm32(static_cast<int32_t>(~1)));
+
+ silentSpillAllRegisters(resultGPR);
+ m_jit.move(arg1GPR, GPRInfo::argumentGPR1);
+ m_jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
+ appendCallWithExceptionCheck(dfgConvertJSValueToBoolean);
+ m_jit.move(GPRInfo::returnValueGPR, resultGPR);
+ silentFillAllRegisters(resultGPR);
+
+ fastCase.link(&m_jit);
+
+ m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueTrue)), resultGPR);
+ jsValueResult(resultGPR, m_compileIndex, DataFormatJSBoolean, UseChildrenCalledExplicitly);
+}
+
void JITCodeGenerator::emitCall(Node& node)
{
P_DFGOperation_E slowCallFunction;
Modified: trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h (95126 => 95127)
--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h 2011-09-14 21:58:03 UTC (rev 95126)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.h 2011-09-14 22:04:50 UTC (rev 95127)
@@ -578,6 +578,8 @@
void emitBranch(Node&);
+ void nonSpeculativeLogicalNot(Node&);
+
MacroAssembler::Address addressOfCallData(int idx)
{
return MacroAssembler::Address(GPRInfo::callFrameRegister, (m_jit.codeBlock()->m_numCalleeRegisters + idx) * static_cast<int>(sizeof(Register)));
Modified: trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp (95126 => 95127)
--- trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp 2011-09-14 21:58:03 UTC (rev 95126)
+++ trunk/Source/_javascript_Core/dfg/DFGNonSpeculativeJIT.cpp 2011-09-14 22:04:50 UTC (rev 95127)
@@ -777,29 +777,7 @@
}
case LogicalNot: {
- JSValueOperand arg1(this, node.child1());
- GPRTemporary result(this);
-
- GPRReg arg1GPR = arg1.gpr();
- GPRReg resultGPR = result.gpr();
-
- arg1.use();
-
- m_jit.move(arg1GPR, resultGPR);
- m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), resultGPR);
- JITCompiler::Jump fastCase = m_jit.branchTestPtr(JITCompiler::Zero, resultGPR, TrustedImm32(static_cast<int32_t>(~1)));
-
- silentSpillAllRegisters(resultGPR);
- m_jit.move(arg1GPR, GPRInfo::argumentGPR1);
- m_jit.move(GPRInfo::callFrameRegister, GPRInfo::argumentGPR0);
- appendCallWithExceptionCheck(dfgConvertJSValueToBoolean);
- m_jit.move(GPRInfo::returnValueGPR, resultGPR);
- silentFillAllRegisters(resultGPR);
-
- fastCase.link(&m_jit);
-
- m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueTrue)), resultGPR);
- jsValueResult(resultGPR, m_compileIndex, UseChildrenCalledExplicitly);
+ nonSpeculativeLogicalNot(node);
break;
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (95126 => 95127)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-09-14 21:58:03 UTC (rev 95126)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2011-09-14 22:04:50 UTC (rev 95127)
@@ -1047,16 +1047,23 @@
break;
}
- JSValueOperand value(this, node.child1());
- GPRTemporary result(this); // FIXME: We could reuse, but on speculation fail would need recovery to restore tag (akin to add).
-
- m_jit.move(value.gpr(), result.gpr());
- m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), result.gpr());
- speculationCheck(m_jit.branchTestPtr(JITCompiler::NonZero, result.gpr(), TrustedImm32(static_cast<int32_t>(~1))));
- m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueTrue)), result.gpr());
-
- // If we add a DataFormatBool, we should use it here.
- jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
+ PredictedType prediction = m_jit.graph().getPrediction(m_jit.graph()[node.child1()]);
+ if (isBooleanPrediction(prediction) || !isStrongPrediction(prediction)) {
+ JSValueOperand value(this, node.child1());
+ GPRTemporary result(this); // FIXME: We could reuse, but on speculation fail would need recovery to restore tag (akin to add).
+
+ m_jit.move(value.gpr(), result.gpr());
+ m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueFalse)), result.gpr());
+ speculationCheck(m_jit.branchTestPtr(JITCompiler::NonZero, result.gpr(), TrustedImm32(static_cast<int32_t>(~1))));
+ m_jit.xorPtr(TrustedImm32(static_cast<int32_t>(ValueTrue)), result.gpr());
+
+ // If we add a DataFormatBool, we should use it here.
+ jsValueResult(result.gpr(), m_compileIndex, DataFormatJSBoolean);
+ break;
+ }
+
+ nonSpeculativeLogicalNot(node);
+
break;
}
