[webkit-changes] [214528] branches/safari-603-branch/Source/JavaScriptCore

Fri, 31 Mar 2017 13:30:54 -0700

Title: [214528] branches/safari-603-branch/Source/_javascript_Core
Revision
214528
Author
[email protected]
Date
2017-03-28 21:13:03 -0700 (Tue, 28 Mar 2017)

Log Message

Merge r214240. rdar://problem/31178794


Modified Paths

Diff

Modified: branches/safari-603-branch/Source/_javascript_Core/ChangeLog (214527 => 214528)


--- branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-03-29 04:09:14 UTC (rev 214527)
+++ branches/safari-603-branch/Source/_javascript_Core/ChangeLog	2017-03-29 04:13:03 UTC (rev 214528)
@@ -1,5 +1,22 @@
 2017-03-28  Jason Marcell  <[email protected]>
 
+        Merge r214240. rdar://problem/31178794
+
+    2017-03-21  Mark Lam  <[email protected]>
+
+            The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
+            https://bugs.webkit.org/show_bug.cgi?id=169933
+            <rdar://problem/31105125>
+
+            Reviewed by Filip Pizlo and Geoffrey Garen.
+
+            Also fixed the bit-rotted RangeKey::dump() function.
+
+            * dfg/DFGIntegerCheckCombiningPhase.cpp:
+            (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
+
+2017-03-28  Jason Marcell  <[email protected]>
+
         Merge r214374. rdar://problem/31249971
 
     2017-03-24  Mark Lam  <[email protected]>

Modified: branches/safari-603-branch/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp (214527 => 214528)


--- branches/safari-603-branch/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp	2017-03-29 04:09:14 UTC (rev 214527)
+++ branches/safari-603-branch/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp	2017-03-29 04:13:03 UTC (rev 214528)
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -105,7 +105,16 @@
             out.print("ArrayBounds(");
             break;
         }
-        out.print(m_source, ", ", m_key, ")");
+        if (m_source)
+            out.print(m_source);
+        else
+            out.print("null");
+        out.print(", ");
+        if (m_key)
+            out.print(m_key);
+        else
+            out.print("null");
+        out.print(")");
     }
     
     RangeKind m_kind;
@@ -250,7 +259,13 @@
                     Node* maxNode;
                     
                     if (!data.m_key.m_source) {
-                        minNode = 0;
+                        // data.m_key.m_source being null means that we're comparing against int32 constants (see rangeKeyAndAddend()).
+                        // Since CheckInBounds does an unsigned comparison, if the minBound >= 0, it is also covered by the
+                        // maxBound comparison. However, if minBound < 0, then CheckInBounds should always fail its speculation check.
+                        // We'll force an OSR exit in that case.
+                        minNode = nullptr;
+                        if (range.m_minBound < 0)
+                            m_insertionSet.insertNode(nodeIndex, SpecNone, ForceOSRExit, node->origin);
                         maxNode = m_insertionSet.insertConstant(
                             nodeIndex, maxOrigin, jsNumber(range.m_maxBound));
                     } else {

_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes

Reply via email to