Title: [204699] trunk
- Revision
- 204699
- Author
- [email protected]
- Date
- 2016-08-21 20:47:49 -0700 (Sun, 21 Aug 2016)
Log Message
[DFG] Should not fixup AnyIntUse in 32_64
https://bugs.webkit.org/show_bug.cgi?id=161029
Reviewed by Saam Barati.
JSTests:
* typeProfiler/int52-dfg.js: Added.
(test):
Source/_javascript_Core:
The DFG fixup phase uses AnyIntUse even in the 32-bit DFG. This patch removes this incorrect filtering.
If the 32-bit DFG sees TypeAnyInt, it should fall back to the NumberUse case.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
Diff
Modified: trunk/JSTests/ChangeLog (204698 => 204699)
--- trunk/JSTests/ChangeLog 2016-08-21 20:36:49 UTC (rev 204698)
+++ trunk/JSTests/ChangeLog 2016-08-22 03:47:49 UTC (rev 204699)
@@ -1,5 +1,15 @@
2016-08-21 Yusuke Suzuki <[email protected]>
+ [DFG] Should not fixup AnyIntUse in 32_64
+ https://bugs.webkit.org/show_bug.cgi?id=161029
+
+ Reviewed by Saam Barati.
+
+ * typeProfiler/int52-dfg.js: Added.
+ (test):
+
+2016-08-21 Yusuke Suzuki <[email protected]>
+
Unreviewed, rolling out r204697
https://bugs.webkit.org/show_bug.cgi?id=161029
Added: trunk/JSTests/typeProfiler/int52-dfg.js (0 => 204699)
--- trunk/JSTests/typeProfiler/int52-dfg.js (rev 0)
+++ trunk/JSTests/typeProfiler/int52-dfg.js 2016-08-22 03:47:49 UTC (rev 204699)
@@ -0,0 +1,17 @@
+load("./driver/driver.js");
+
+function test()
+{
+ var ok = 0;
+ for (var i = 0; i < 1e4; ++i) {
+ // Int52. ProfileType should not use AnyIntUse edge in 32bit environment.
+ // If 32bit uses AnyIntUse, it leads crashing.
+ ok += 0xfffffffff;
+ }
+ return ok;
+}
+test();
+
+var types = findTypeForExpression(test, "ok += 0x");
+assert(types.instructionTypeSet.primitiveTypeNames.length === 1, "Primitive type names should one candidate.");
+assert(types.instructionTypeSet.primitiveTypeNames.indexOf(T.Integer) !== -1, "Primitive type names should contain 'Integer'");
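Review bot: The first assertion message, `"Primitive type names should one candidate."`, is missing a verb and will read oddly when it fires; `"Primitive type names should have exactly one candidate."` states what is being checked. The loop comment could state the failure just as plainly, e.g. `// Using an AnyIntUse edge on 32-bit crashes.` Since `test()` is called only once, reaching the DFG presumably relies on OSR entry from the 1e4-iteration loop. If that depends on runner options, a one-line comment saying so would help keep this regression test exercising the fixup path it was written for.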
Modified: trunk/Source/_javascript_Core/ChangeLog (204698 => 204699)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-21 20:36:49 UTC (rev 204698)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-22 03:47:49 UTC (rev 204699)
@@ -1,5 +1,18 @@
2016-08-21 Yusuke Suzuki <[email protected]>
+ [DFG] Should not fixup AnyIntUse in 32_64
+ https://bugs.webkit.org/show_bug.cgi?id=161029
+
+ Reviewed by Saam Barati.
+
+ DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
+ If the 32bit DFG see the TypeAnyInt, it should fallback to the NumberUse case.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+
+2016-08-21 Yusuke Suzuki <[email protected]>
+
Unreviewed, rolling out r204697
https://bugs.webkit.org/show_bug.cgi?id=161029
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (204698 => 204699)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2016-08-21 20:36:49 UTC (rev 204698)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2016-08-22 03:47:49 UTC (rev 204699)
@@ -1459,12 +1459,22 @@
RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
RuntimeTypeMask seenTypes = typeSet->seenTypes();
if (typeSet->doesTypeConformTo(TypeAnyInt)) {
- if (node->child1()->shouldSpeculateInt32())
+ if (node->child1()->shouldSpeculateInt32()) {
fixEdge<Int32Use>(node->child1());
- else
+ node->remove();
+ break;
+ }
+
+ if (enableInt52()) {
fixEdge<AnyIntUse>(node->child1());
- node->remove();
- } else if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
+ node->remove();
+ break;
+ }
+
+ // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
+ }
+
+ if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
fixEdge<NumberUse>(node->child1());
node->remove();
} else if (typeSet->doesTypeConformTo(TypeString)) {
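Review bot: The comment that closes the `TypeAnyInt` block says `fixEdge<NumberUse>` must not run for an AnyInt-only type set, yet the commit description says 32-bit should fall back to the NumberUse case, and the next statement tests `doesTypeConformTo(TypeNumber | TypeAnyInt)`. Which of these holds depends on whether `doesTypeConformTo` is an exact-match or a subset check, and that is not visible in this hunk. A wrong use kind on a speculation edge is the crash this patch fixes, so the comment should spell out the fall-through. If exact match is intended, something like `// Without Int52, keep ProfileType so non-Int32 values are still logged; an AnyInt-only set must not match the NumberUse check below.` would do. The enclosing `fixupNode` case begins and ends outside the hunk, so the remaining branches could not be checked.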