Title: [221657] trunk
- Revision
- 221657
- Author
- [email protected]
- Date
- 2017-09-05 18:18:15 -0700 (Tue, 05 Sep 2017)
Log Message
isNotCellSpeculation is wrong with respect to SpecEmpty
https://bugs.webkit.org/show_bug.cgi?id=176429
Reviewed by Michael Saboff.
JSTests:
* microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
(Foo):
Source/_javascript_Core:
The isNotCellSpeculation(SpeculatedType t) function was not taking into account
SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
the empty value will fail a NotCell check. This bug would cause us to erroneously
generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
* bytecode/SpeculatedType.h:
(JSC::isNotCellSpeculation):
Modified Paths
Added Paths
Diff
Modified: trunk/JSTests/ChangeLog (221656 => 221657)
--- trunk/JSTests/ChangeLog 2017-09-06 01:01:36 UTC (rev 221656)
+++ trunk/JSTests/ChangeLog 2017-09-06 01:18:15 UTC (rev 221657)
@@ -1,3 +1,13 @@
+2017-09-05 Saam Barati <[email protected]>
+
+ isNotCellSpeculation is wrong with respect to SpecEmpty
+ https://bugs.webkit.org/show_bug.cgi?id=176429
+
+ Reviewed by Michael Saboff.
+
+ * microbenchmarks/is-not-cell-speculation-for-empty-value.js: Added.
+ (Foo):
+
2017-09-05 Joseph Pecoraro <[email protected]>
test262: Completion values for control flow do not match the spec
Added: trunk/JSTests/microbenchmarks/is-not-cell-speculation-for-empty-value.js (0 => 221657)
--- trunk/JSTests/microbenchmarks/is-not-cell-speculation-for-empty-value.js (rev 0)
+++ trunk/JSTests/microbenchmarks/is-not-cell-speculation-for-empty-value.js 2017-09-06 01:18:15 UTC (rev 221657)
@@ -0,0 +1,13 @@
+class Foo extends Object {
+ constructor() {
+ super();
+ let arrow = () => {
+ this.foo = 20;
+ };
+ this.arrow = arrow;
+ }
+}
+noInline(Foo);
+
+for (let i = 0; i < 400000; ++i)
+ new Foo();
Modified: trunk/Source/_javascript_Core/ChangeLog (221656 => 221657)
--- trunk/Source/_javascript_Core/ChangeLog 2017-09-06 01:01:36 UTC (rev 221656)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-09-06 01:18:15 UTC (rev 221657)
@@ -1,5 +1,20 @@
2017-09-05 Saam Barati <[email protected]>
+ isNotCellSpeculation is wrong with respect to SpecEmpty
+ https://bugs.webkit.org/show_bug.cgi?id=176429
+
+ Reviewed by Michael Saboff.
+
+ The isNotCellSpeculation(SpeculatedType t) function was not taking into account
+ SpecEmpty in the set for t. It should return false when SpecEmpty is present, since
+ the empty value will fail a NotCell check. This bug would cause us to erroneously
+ generate NotCellUse UseKinds for inputs that are the empty value, causing repeated OSR exits.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isNotCellSpeculation):
+
+2017-09-05 Saam Barati <[email protected]>
+
Make the distinction between entrypoints and CFG roots more clear by naming things better
https://bugs.webkit.org/show_bug.cgi?id=176336
Modified: trunk/Source/_javascript_Core/bytecode/SpeculatedType.h (221656 => 221657)
--- trunk/Source/_javascript_Core/bytecode/SpeculatedType.h 2017-09-06 01:01:36 UTC (rev 221656)
+++ trunk/Source/_javascript_Core/bytecode/SpeculatedType.h 2017-09-06 01:18:15 UTC (rev 221657)
@@ -119,7 +119,7 @@
inline bool isNotCellSpeculation(SpeculatedType value)
{
- return !(value & SpecCell) && value;
+ return !(value & SpecCellCheck) && value;
}
inline bool isObjectSpeculation(SpeculatedType value)
_______________________________________________
webkit-changes mailing list
[email protected]
https://lists.webkit.org/mailman/listinfo/webkit-changes
