Title: [204697] trunk
- Revision
- 204697
- Author
- [email protected]
- Date
- 2016-08-21 12:45:50 -0700 (Sun, 21 Aug 2016)
Log Message
[DFG] Should not fixup AnyIntUse in 32_64
https://bugs.webkit.org/show_bug.cgi?id=161029
Reviewed by Saam Barati.
JSTests:
* typeProfiler/int52-dfg.js: Added.
(test):
* typeProfiler/number-filter-dfg.js: Added.
(test):
Source/_javascript_Core:
DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
If the 32bit DFG see the TypeAnyInt, it should fallback to the NumberUse case.
And this patch also fixes the case that the type set only contains TypeNumber. Previously,
we used NumberUse edge filtering. But it misses AnyInt logging: While the NumberUse filter
passes both TypeAnyInt and TypeNumber, the type set only logged TypeNumber.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (204696 => 204697)
--- trunk/JSTests/ChangeLog 2016-08-21 18:13:23 UTC (rev 204696)
+++ trunk/JSTests/ChangeLog 2016-08-21 19:45:50 UTC (rev 204697)
@@ -1,3 +1,15 @@
+2016-08-21 Yusuke Suzuki <[email protected]>
+
+ [DFG] Should not fixup AnyIntUse in 32_64
+ https://bugs.webkit.org/show_bug.cgi?id=161029
+
+ Reviewed by Saam Barati.
+
+ * typeProfiler/int52-dfg.js: Added.
+ (test):
+ * typeProfiler/number-filter-dfg.js: Added.
+ (test):
+
2016-08-19 Benjamin Poulain <[email protected]>
[JSC] ArithSqrt should work with any argument type
Added: trunk/JSTests/typeProfiler/int52-dfg.js (0 => 204697)
--- trunk/JSTests/typeProfiler/int52-dfg.js (rev 0)
+++ trunk/JSTests/typeProfiler/int52-dfg.js 2016-08-21 19:45:50 UTC (rev 204697)
@@ -0,0 +1,15 @@
+load("./driver/driver.js");
+
+function test()
+{
+ var ok = 0;
+ for (var i = 0; i < 1e4; ++i) {
+ ok += 0xfffffffff; // Int52
+ }
+ return ok;
+}
+test();
+
+var types = findTypeForExpression(test, "ok += 0x");
+assert(types.instructionTypeSet.primitiveTypeNames.length === 1, "Primitive type names should one candidate.");
+assert(types.instructionTypeSet.primitiveTypeNames.indexOf(T.Integer) !== -1, "Primitive type names should contain 'Integer'");
Added: trunk/JSTests/typeProfiler/number-filter-dfg.js (0 => 204697)
--- trunk/JSTests/typeProfiler/number-filter-dfg.js (rev 0)
+++ trunk/JSTests/typeProfiler/number-filter-dfg.js 2016-08-21 19:45:50 UTC (rev 204697)
@@ -0,0 +1,16 @@
+load("./driver/driver.js");
+
+function test(value)
+{
+ var ok = 0.5;
+ ok += value;
+ return ok;
+}
+noInline(test);
+for (var i = 0; i < 1e4; ++i)
+ test(1.2);
+test(0.5);
+var types = findTypeForExpression(test, "ok += value");
+assert(types.instructionTypeSet.primitiveTypeNames.length === 2, "Primitive type names should two candidates.");
+assert(types.instructionTypeSet.primitiveTypeNames.indexOf(T.Integer) !== -1, "Primitive type names should contain 'Integer'");
+assert(types.instructionTypeSet.primitiveTypeNames.indexOf(T.Number) !== -1, "Primitive type names should contain 'Number'");
Modified: trunk/Source/_javascript_Core/ChangeLog (204696 => 204697)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-21 18:13:23 UTC (rev 204696)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-21 19:45:50 UTC (rev 204697)
@@ -1,3 +1,20 @@
+2016-08-21 Yusuke Suzuki <[email protected]>
+
+ [DFG] Should not fixup AnyIntUse in 32_64
+ https://bugs.webkit.org/show_bug.cgi?id=161029
+
+ Reviewed by Saam Barati.
+
+ DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
+ If the 32bit DFG see the TypeAnyInt, it should fallback to the NumberUse case.
+
+ And this patch also fixes the case that the type set only contains TypeNumber. Previously,
+ we used NumberUse edge filtering. But it misses AnyInt logging: While the NumberUse filter
+ passes both TypeAnyInt and TypeNumber, the type set only logged TypeNumber.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
2016-08-20 Brian Burg <[email protected]>
Remote Inspector: some methods don't need to be marked virtual anymore
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (204696 => 204697)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2016-08-21 18:13:23 UTC (rev 204696)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2016-08-21 19:45:50 UTC (rev 204697)
@@ -1459,12 +1459,23 @@
RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
RuntimeTypeMask seenTypes = typeSet->seenTypes();
if (typeSet->doesTypeConformTo(TypeAnyInt)) {
- if (node->child1()->shouldSpeculateInt32())
+ if (node->child1()->shouldSpeculateInt32()) {
fixEdge<Int32Use>(node->child1());
- else
+ node->remove();
+ break;
+ }
+
+ if (enableInt52()) {
fixEdge<AnyIntUse>(node->child1());
- node->remove();
- } else if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
+ node->remove();
+ break;
+ }
+
+ // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
+ }
+
+ if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt) && ((seenTypes & TypeNumber) && (seenTypes & TypeAnyInt))) {
+ // NumberUse can pass TypeNumber and TypeAnyInt. Thus, this node removal is allowed only if both TypeNumber and TypeAnyInt are logged in the type set.
fixEdge<NumberUse>(node->child1());
node->remove();
} else if (typeSet->doesTypeConformTo(TypeString)) {
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
