[webkit-changes] [213135] releases/WebKitGTK/webkit-2.16/Source/JavaScriptCore

Tue, 28 Feb 2017 01:13:09 -0800

Title: [213135] releases/WebKitGTK/webkit-2.16/Source/_javascript_Core
Revision
213135
Author
carlo...@webkit.org
Date
2017-02-28 01:13:08 -0800 (Tue, 28 Feb 2017)

Log Message

Merge r212909 - SpeculativeJIT::compilePutByValForIntTypedArray should only do the constant-folding optimization when the constant passes the type check
https://bugs.webkit.org/show_bug.cgi?id=168787

Reviewed by Michael Saboff and Mark Lam.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

Modified Paths

Diff

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (213134 => 213135)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-02-28 09:12:15 UTC (rev 213134)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog	2017-02-28 09:13:08 UTC (rev 213135)
@@ -1,3 +1,13 @@
+2017-02-23  Filip Pizlo  <fpi...@apple.com>
+
+        SpeculativeJIT::compilePutByValForIntTypedArray should only do the constant-folding optimization when the constant passes the type check
+        https://bugs.webkit.org/show_bug.cgi?id=168787
+
+        Reviewed by Michael Saboff and Mark Lam.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
+
 2017-02-23  Mark Lam  <mark....@apple.com>
 
         Ensure that the end of the last invalidation point does not extend beyond the end of the buffer.

Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (213134 => 213135)


--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-02-28 09:12:15 UTC (rev 213134)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2017-02-28 09:13:08 UTC (rev 213135)
@@ -2812,9 +2812,17 @@
 #endif
 
     JITCompiler::JumpList slowPathCases;
-
+    
+    bool isAppropriateConstant = false;
     if (valueUse->isConstant()) {
         JSValue jsValue = valueUse->asJSValue();
+        SpeculatedType expectedType = typeFilterFor(valueUse.useKind());
+        SpeculatedType actualType = speculationFromValue(jsValue);
+        isAppropriateConstant = (expectedType | actualType) == expectedType;
+    }
+
+    if (isAppropriateConstant) {
+        JSValue jsValue = valueUse->asJSValue();
         if (!jsValue.isNumber()) {
             terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
             noResult(node);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to