Title: [214777] releases/WebKitGTK/webkit-2.16/Source/_javascript_Core
- Revision
- 214777
- Author
- carlo...@webkit.org
- Date
- 2017-04-03 05:36:54 -0700 (Mon, 03 Apr 2017)
Log Message
Merge r214240 - The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
https://bugs.webkit.org/show_bug.cgi?id=169933
<rdar://problem/31105125>
Reviewed by Filip Pizlo and Geoffrey Garen.
Also fixed the bit-rotted RangeKey::dump() function.
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
Modified Paths
Diff
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog (214776 => 214777)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog 2017-04-03 12:35:30 UTC (rev 214776)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/ChangeLog 2017-04-03 12:36:54 UTC (rev 214777)
@@ -1,3 +1,16 @@
+2017-03-21 Mark Lam <mark....@apple.com>
+
+ The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
+ https://bugs.webkit.org/show_bug.cgi?id=169933
+ <rdar://problem/31105125>
+
+ Reviewed by Filip Pizlo and Geoffrey Garen.
+
+ Also fixed the bit-rotted RangeKey::dump() function.
+
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
+
2017-03-21 Yusuke Suzuki <utatane....@gmail.com>
[JSC] Optimize Number.prototype.toString on Int32 / Int52 / Double
Modified: releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp (214776 => 214777)
--- releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp 2017-04-03 12:35:30 UTC (rev 214776)
+++ releases/WebKitGTK/webkit-2.16/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp 2017-04-03 12:36:54 UTC (rev 214777)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -105,7 +105,16 @@
out.print("ArrayBounds(");
break;
}
- out.print(m_source, ", ", m_key, ")");
+ if (m_source)
+ out.print(m_source);
+ else
+ out.print("null");
+ out.print(", ");
+ if (m_key)
+ out.print(m_key);
+ else
+ out.print("null");
+ out.print(")");
}
RangeKind m_kind;
@@ -249,7 +258,13 @@
Node* maxNode;
if (!data.m_key.m_source) {
- minNode = 0;
+ // data.m_key.m_source being null means that we're comparing against int32 constants (see rangeKeyAndAddend()).
+ // Since CheckInBounds does an unsigned comparison, if the minBound >= 0, it is also covered by the
+ // maxBound comparison. However, if minBound < 0, then CheckInBounds should always fail its speculation check.
+ // We'll force an OSR exit in that case.
+ minNode = nullptr;
+ if (range.m_minBound < 0)
+ m_insertionSet.insertNode(nodeIndex, SpecNone, ForceOSRExit, node->origin);
maxNode = m_insertionSet.insertConstant(
nodeIndex, maxOrigin, jsNumber(range.m_maxBound));
} else {
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
