Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (226439 => 226440)
--- trunk/Source/_javascript_Core/ChangeLog 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/ChangeLog 2018-01-05 08:26:02 UTC (rev 226440)
@@ -1,3 +1,18 @@
+2018-01-05 Commit Queue <[email protected]>
+
+ Unreviewed, rolling out r226434.
+ https://bugs.webkit.org/show_bug.cgi?id=181322
+
+ 32bit JSC failure in x86 (Requested by yusukesuzuki on
+ #webkit).
+
+ Reverted changeset:
+
+ "[DFG] Unify ToNumber implementation in 32bit and 64bit by
+ changing 32bit Int32Tag and LowestTag"
+ https://bugs.webkit.org/show_bug.cgi?id=181134
+ https://trac.webkit.org/changeset/226434
+
2018-01-04 Devin Rousso <[email protected]>
Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -2427,7 +2427,7 @@
MacroAssembler::AboveOrEqual, tagGPR,
TrustedImm32(JSValue::LowestTag)));
} else {
- JITCompiler::Jump isDouble = m_jit.branch32(MacroAssembler::Below, tagGPR, TrustedImm32(JSValue::LowestTag));
+ JITCompiler::Jump isNumber = m_jit.branch32(MacroAssembler::Below, tagGPR, TrustedImm32(JSValue::LowestTag));
DFG_TYPE_CHECK(
op1.jsValueRegs(), node->child1(), ~SpecCell,
@@ -2442,7 +2442,7 @@
m_jit.move(payloadGPR, resultGpr);
converted.append(m_jit.jump());
- isDouble.link(&m_jit);
+ isNumber.link(&m_jit);
}
unboxDouble(tagGPR, payloadGPR, fpr, scratch.fpr());
@@ -2644,7 +2644,7 @@
MacroAssembler::Equal, op1TagGPR, TrustedImm32(JSValue::Int32Tag));
if (node->child1().useKind() == NotCellUse) {
- JITCompiler::Jump isDouble = m_jit.branch32(JITCompiler::Below, op1TagGPR, JITCompiler::TrustedImm32(JSValue::LowestTag));
+ JITCompiler::Jump isNumber = m_jit.branch32(JITCompiler::Below, op1TagGPR, JITCompiler::TrustedImm32(JSValue::LowestTag + 1));
JITCompiler::Jump isUndefined = m_jit.branch32(JITCompiler::Equal, op1TagGPR, TrustedImm32(JSValue::UndefinedTag));
static const double zero = 0;
@@ -2666,7 +2666,7 @@
m_jit.loadDouble(TrustedImmPtr(&NaN), resultFPR);
done.append(m_jit.jump());
- isDouble.link(&m_jit);
+ isNumber.link(&m_jit);
} else if (needsTypeCheck(node->child1(), SpecBytecodeNumber)) {
typeCheck(
JSValueRegs(op1TagGPR, op1PayloadGPR), node->child1(), SpecBytecodeNumber,
@@ -9127,8 +9127,20 @@
return;
JSValueOperand value(this, edge, ManualOperandSpeculation);
- JSValueRegs valueRegs = value.jsValueRegs();
- DFG_TYPE_CHECK(valueRegs, edge, SpecBytecodeNumber, m_jit.branchIfNotNumber(valueRegs));
+#if USE(JSVALUE64)
+ GPRReg gpr = value.gpr();
+ typeCheck(
+ JSValueRegs(gpr), edge, SpecBytecodeNumber,
+ m_jit.branchTest64(MacroAssembler::Zero, gpr, GPRInfo::tagTypeNumberRegister));
+#else
+ GPRReg tagGPR = value.tagGPR();
+ DFG_TYPE_CHECK(
+ value.jsValueRegs(), edge, ~SpecInt32Only,
+ m_jit.branch32(MacroAssembler::Equal, tagGPR, TrustedImm32(JSValue::Int32Tag)));
+ DFG_TYPE_CHECK(
+ value.jsValueRegs(), edge, SpecBytecodeNumber,
+ m_jit.branch32(MacroAssembler::AboveOrEqual, tagGPR, TrustedImm32(JSValue::LowestTag)));
+#endif
}
void SpeculativeJIT::speculateRealNumber(Edge edge)
@@ -9594,7 +9606,18 @@
void SpeculativeJIT::speculateMisc(Edge edge, JSValueRegs regs)
{
- DFG_TYPE_CHECK(regs, edge, SpecMisc, m_jit.branchIfNotMisc(regs));
+#if USE(JSVALUE64)
+ DFG_TYPE_CHECK(
+ regs, edge, SpecMisc,
+ m_jit.branch64(MacroAssembler::Above, regs.gpr(), MacroAssembler::TrustedImm64(TagBitTypeOther | TagBitBool | TagBitUndefined)));
+#else
+ DFG_TYPE_CHECK(
+ regs, edge, ~SpecInt32Only,
+ m_jit.branch32(MacroAssembler::Equal, regs.tagGPR(), MacroAssembler::TrustedImm32(JSValue::Int32Tag)));
+ DFG_TYPE_CHECK(
+ regs, edge, SpecMisc,
+ m_jit.branch32(MacroAssembler::Below, regs.tagGPR(), MacroAssembler::TrustedImm32(JSValue::UndefinedTag)));
+#endif
}
void SpeculativeJIT::speculateMisc(Edge edge)
@@ -10907,7 +10930,7 @@
CCallHelpers::JumpList passThroughCases;
- passThroughCases.append(m_jit.branchIfNotNumber(keyRegs));
+ passThroughCases.append(m_jit.branchIfNotNumber(keyRegs, scratchGPR));
passThroughCases.append(m_jit.branchIfInt32(keyRegs));
#if USE(JSVALUE64)
@@ -11431,42 +11454,6 @@
jsValueResult(resultRegs, node, DataFormatJS, UseChildrenCalledExplicitly);
}
-void SpeculativeJIT::compileToNumber(Node* node)
-{
- JSValueOperand argument(this, node->child1());
- JSValueRegs argumentRegs = argument.jsValueRegs();
-
- // We have several attempts to remove ToNumber. But ToNumber still exists.
- // It means that converting non-numbers to numbers by this ToNumber is not rare.
- // Instead of the slow path generator, we emit callOperation here.
- if (!(m_state.forNode(node->child1()).m_type & SpecBytecodeNumber)) {
- flushRegisters();
- JSValueRegsFlushedCallResult result(this);
- JSValueRegs resultRegs = result.regs();
- callOperation(operationToNumber, resultRegs, argumentRegs);
- m_jit.exceptionCheck();
- jsValueResult(resultRegs, node);
- return;
- }
-
- JSValueRegsTemporary result(this, Reuse, argument);
- JSValueRegs resultRegs = result.regs();
-
- auto notNumber = m_jit.branchIfNotNumber(argumentRegs);
- m_jit.moveValueRegs(argumentRegs, resultRegs);
- auto done = m_jit.jump();
-
- notNumber.link(&m_jit);
- silentSpillAllRegisters(resultRegs);
- callOperation(operationToNumber, resultRegs, argumentRegs);
- silentFillAllRegisters();
- m_jit.exceptionCheck();
-
- done.link(&m_jit);
-
- jsValueResult(resultRegs, node);
-}
-
void SpeculativeJIT::compileLogShadowChickenPrologue(Node* node)
{
flushRegisters();
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (226439 => 226440)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2018-01-05 08:26:02 UTC (rev 226440)
@@ -3109,7 +3109,6 @@
void compileCreateThis(Node*);
void compileNewObject(Node*);
void compileToPrimitive(Node*);
- void compileToNumber(Node*);
void compileLogShadowChickenPrologue(Node*);
void compileLogShadowChickenTail(Node*);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -346,7 +346,7 @@
notCell.link(&m_jit);
// null or undefined?
- static_assert((JSValue::UndefinedTag | 1) == JSValue::NullTag, "");
+ COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
m_jit.or32(TrustedImm32(1), argTagGPR, resultPayloadGPR);
m_jit.compare32(JITCompiler::Equal, resultPayloadGPR, TrustedImm32(JSValue::NullTag), resultPayloadGPR);
@@ -410,7 +410,7 @@
notCell.link(&m_jit);
// null or undefined?
- static_assert((JSValue::UndefinedTag | 1) == JSValue::NullTag, "");
+ COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
m_jit.or32(TrustedImm32(1), argTagGPR, resultGPR);
branch32(invert ? JITCompiler::NotEqual : JITCompiler::Equal, resultGPR, JITCompiler::TrustedImm32(JSValue::NullTag), taken);
}
@@ -1781,7 +1781,7 @@
notCell.link(&m_jit);
- static_assert((JSValue::UndefinedTag | 1) == JSValue::NullTag, "");
+ COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
if (needsTypeCheck(nodeUse, SpecCell | SpecOther)) {
m_jit.or32(TrustedImm32(1), valueTagGPR, resultPayloadGPR);
typeCheck(
@@ -1899,7 +1899,7 @@
notCell.link(&m_jit);
- static_assert((JSValue::UndefinedTag | 1) == JSValue::NullTag, "");
+ COMPILE_ASSERT((JSValue::UndefinedTag | 1) == JSValue::NullTag, UndefinedTag_OR_1_EQUALS_NullTag);
if (needsTypeCheck(nodeUse, SpecCell | SpecOther)) {
m_jit.or32(TrustedImm32(1), valueTagGPR, scratchGPR);
typeCheck(
@@ -3450,7 +3450,44 @@
}
case ToNumber: {
- compileToNumber(node);
+ JSValueOperand argument(this, node->child1());
+ GPRTemporary resultTag(this, Reuse, argument, TagWord);
+ GPRTemporary resultPayload(this, Reuse, argument, PayloadWord);
+
+ GPRReg argumentPayloadGPR = argument.payloadGPR();
+ GPRReg argumentTagGPR = argument.tagGPR();
+ JSValueRegs argumentRegs = argument.jsValueRegs();
+ JSValueRegs resultRegs(resultTag.gpr(), resultPayload.gpr());
+
+ argument.use();
+
+ // We have several attempts to remove ToNumber. But ToNumber still exists.
+ // It means that converting non-numbers to numbers by this ToNumber is not rare.
+ // Instead of the slow path generator, we emit callOperation here.
+ if (!(m_state.forNode(node->child1()).m_type & SpecBytecodeNumber)) {
+ flushRegisters();
+ callOperation(operationToNumber, resultRegs, argumentRegs);
+ m_jit.exceptionCheck();
+ } else {
+ MacroAssembler::Jump notNumber;
+ {
+ GPRTemporary scratch(this);
+ notNumber = m_jit.branchIfNotNumber(argument.jsValueRegs(), scratch.gpr());
+ }
+ m_jit.move(argumentTagGPR, resultRegs.tagGPR());
+ m_jit.move(argumentPayloadGPR, resultRegs.payloadGPR());
+ MacroAssembler::Jump done = m_jit.jump();
+
+ notNumber.link(&m_jit);
+ silentSpillAllRegisters(resultRegs);
+ callOperation(operationToNumber, resultRegs, argumentRegs);
+ silentFillAllRegisters();
+ m_jit.exceptionCheck();
+
+ done.link(&m_jit);
+ }
+
+ jsValueResult(resultRegs.tagGPR(), resultRegs.payloadGPR(), node, UseChildrenCalledExplicitly);
break;
}
@@ -4348,7 +4385,8 @@
JSValueOperand value(this, node->child1());
GPRTemporary result(this, Reuse, value, TagWord);
- m_jit.compare32(JITCompiler::BelowOrEqual, result.gpr(), JITCompiler::TrustedImm32(JSValue::LowestTag), result.gpr());
+ m_jit.add32(TrustedImm32(1), value.tagGPR(), result.gpr());
+ m_jit.compare32(JITCompiler::Below, result.gpr(), JITCompiler::TrustedImm32(JSValue::LowestTag + 1), result.gpr());
booleanResult(result.gpr(), node);
break;
}
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -3665,7 +3665,36 @@
}
case ToNumber: {
- compileToNumber(node);
+ JSValueOperand argument(this, node->child1());
+ GPRTemporary result(this, Reuse, argument);
+
+ GPRReg argumentGPR = argument.gpr();
+ GPRReg resultGPR = result.gpr();
+
+ argument.use();
+
+ // We have several attempts to remove ToNumber. But ToNumber still exists.
+ // It means that converting non-numbers to numbers by this ToNumber is not rare.
+ // Instead of the slow path generator, we emit callOperation here.
+ if (!(m_state.forNode(node->child1()).m_type & SpecBytecodeNumber)) {
+ flushRegisters();
+ callOperation(operationToNumber, resultGPR, argumentGPR);
+ m_jit.exceptionCheck();
+ } else {
+ MacroAssembler::Jump notNumber = m_jit.branchIfNotNumber(argumentGPR);
+ m_jit.move(argumentGPR, resultGPR);
+ MacroAssembler::Jump done = m_jit.jump();
+
+ notNumber.link(&m_jit);
+ silentSpillAllRegisters(resultGPR);
+ callOperation(operationToNumber, resultGPR, argumentGPR);
+ silentFillAllRegisters();
+ m_jit.exceptionCheck();
+
+ done.link(&m_jit);
+ }
+
+ jsValueResult(resultGPR, node, UseChildrenCalledExplicitly);
break;
}
Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -87,7 +87,7 @@
break;
case InferredType::Number:
- result.append(branchIfNotNumber(regs, mode));
+ result.append(branchIfNotNumber(regs, tempGPR, mode));
break;
case InferredType::String:
@@ -260,9 +260,11 @@
void AssemblyHelpers::jitAssertIsJSNumber(GPRReg gpr)
{
- Jump checkJSNumber = branch32(BelowOrEqual, gpr, TrustedImm32(JSValue::LowestTag));
+ Jump checkJSInt32 = branch32(Equal, gpr, TrustedImm32(JSValue::Int32Tag));
+ Jump checkJSDouble = branch32(Below, gpr, TrustedImm32(JSValue::LowestTag));
abortWithReason(AHIsNotJSNumber);
- checkJSNumber.link(this);
+ checkJSInt32.link(this);
+ checkJSDouble.link(this);
}
void AssemblyHelpers::jitAssertIsJSDouble(GPRReg gpr)
@@ -719,7 +721,12 @@
done.append(jump());
notBoolean.link(this);
- auto isNotNumber = branchIfNotNumber(value);
+#if USE(JSVALUE64)
+ auto isNotNumber = branchIfNotNumber(value.gpr());
+#else
+ ASSERT(scratch != InvalidGPRReg);
+ auto isNotNumber = branchIfNotNumber(value, scratch);
+#endif
auto isDouble = branchIfNotInt32(value);
// It's an int32.
Modified: trunk/Source/_javascript_Core/jit/AssemblyHelpers.h (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/AssemblyHelpers.h 2018-01-05 08:26:02 UTC (rev 226440)
@@ -731,29 +731,7 @@
return branch32(NotEqual, tempGPR, TrustedImm32(JSValue::NullTag));
#endif
}
-
- Jump branchIfMisc(JSValueRegs regs)
- {
-#if USE(JSVALUE64)
- return branch64(BelowOrEqual, regs.gpr(), TrustedImm64(TagBitTypeOther | TagBitBool | TagBitUndefined));
-#else
- static_assert(static_cast<unsigned>(JSValue::NullTag) >= static_cast<unsigned>(JSValue::BooleanTag), "");
- static_assert(static_cast<unsigned>(JSValue::UndefinedTag) >= static_cast<unsigned>(JSValue::BooleanTag), "");
- return branch32(AboveOrEqual, regs.tagGPR(), TrustedImm32(JSValue::BooleanTag));
-#endif
- }
- Jump branchIfNotMisc(JSValueRegs regs)
- {
-#if USE(JSVALUE64)
- return branch64(Above, regs.gpr(), TrustedImm64(TagBitTypeOther | TagBitBool | TagBitUndefined));
-#else
- static_assert(static_cast<unsigned>(JSValue::NullTag) >= static_cast<unsigned>(JSValue::BooleanTag), "");
- static_assert(static_cast<unsigned>(JSValue::UndefinedTag) >= static_cast<unsigned>(JSValue::BooleanTag), "");
- return branch32(Below, regs.tagGPR(), TrustedImm32(JSValue::BooleanTag));
-#endif
- }
-
Jump branchIfInt32(JSValueRegs regs, TagRegistersMode mode = HaveTagRegisters)
{
#if USE(JSVALUE64)
@@ -785,13 +763,16 @@
#endif
}
- Jump branchIfNumber(JSValueRegs regs, TagRegistersMode mode = HaveTagRegisters)
+ // Note that the tempGPR is not used in 64-bit mode.
+ Jump branchIfNumber(JSValueRegs regs, GPRReg tempGPR, TagRegistersMode mode = HaveTagRegisters)
{
#if USE(JSVALUE64)
+ UNUSED_PARAM(tempGPR);
return branchIfNumber(regs.gpr(), mode);
#else
UNUSED_PARAM(mode);
- return branch32(BelowOrEqual, regs.tagGPR(), TrustedImm32(JSValue::LowestTag));
+ add32(TrustedImm32(1), regs.tagGPR(), tempGPR);
+ return branch32(Below, tempGPR, TrustedImm32(JSValue::LowestTag + 1));
#endif
}
@@ -804,13 +785,16 @@
}
#endif
- Jump branchIfNotNumber(JSValueRegs regs, TagRegistersMode mode = HaveTagRegisters)
+ // Note that the tempGPR is not used in 64-bit mode.
+ Jump branchIfNotNumber(JSValueRegs regs, GPRReg tempGPR, TagRegistersMode mode = HaveTagRegisters)
{
#if USE(JSVALUE64)
+ UNUSED_PARAM(tempGPR);
return branchIfNotNumber(regs.gpr(), mode);
#else
UNUSED_PARAM(mode);
- return branch32(Above, regs.tagGPR(), TrustedImm32(JSValue::LowestTag));
+ add32(TrustedImm32(1), regs.tagGPR(), tempGPR);
+ return branch32(AboveOrEqual, tempGPR, TrustedImm32(JSValue::LowestTag + 1));
#endif
}
@@ -831,7 +815,7 @@
return branchTest64(Zero, regs.gpr(), TrustedImm64(TagTypeNumber));
#else
UNUSED_PARAM(mode);
- return branch32(Above, regs.tagGPR(), TrustedImm32(JSValue::LowestTag));
+ return branch32(AboveOrEqual, regs.tagGPR(), TrustedImm32(JSValue::LowestTag));
#endif
}
@@ -1478,7 +1462,7 @@
notCell.link(this);
- Jump notNumber = branchIfNotNumber(regs);
+ Jump notNumber = branchIfNotNumber(regs, tempGPR);
functor(TypeofType::Number, false);
notNumber.link(this);
Modified: trunk/Source/_javascript_Core/jit/JITAddGenerator.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/JITAddGenerator.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/JITAddGenerator.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -113,7 +113,7 @@
// Try to do doubleVar + double(intConstant).
notInt32.link(&jit);
if (!varOpr.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(var));
+ slowPathJumpList.append(jit.branchIfNotNumber(var, m_scratchGPR));
jit.unboxDoubleNonDestructive(var, m_leftFPR, m_scratchGPR, m_scratchFPR);
@@ -148,9 +148,9 @@
leftNotInt.link(&jit);
if (!m_leftOperand.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(m_left));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_left, m_scratchGPR));
if (!m_rightOperand.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(m_right));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_right, m_scratchGPR));
jit.unboxDoubleNonDestructive(m_left, m_leftFPR, m_scratchGPR, m_scratchFPR);
CCallHelpers::Jump rightIsDouble = jit.branchIfNotInt32(m_right);
@@ -160,7 +160,7 @@
rightNotInt.link(&jit);
if (!m_rightOperand.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(m_right));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_right, m_scratchGPR));
jit.convertInt32ToDouble(m_left.payloadGPR(), m_leftFPR);
Modified: trunk/Source/_javascript_Core/jit/JITArithmetic32_64.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/JITArithmetic32_64.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/JITArithmetic32_64.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -178,7 +178,7 @@
// Verify Op1 is double.
if (!types.first().definitelyIsNumber())
- addSlowCase(branch32(AboveOrEqual, regT1, TrustedImm32(JSValue::LowestTag)));
+ addSlowCase(branch32(Above, regT1, TrustedImm32(JSValue::LowestTag)));
if (!op2IsInRegisters)
emitLoad(op2, regT3, regT2);
@@ -251,7 +251,7 @@
// Verify op2 is double.
if (!types.second().definitelyIsNumber())
- addSlowCase(branch32(AboveOrEqual, regT3, TrustedImm32(JSValue::LowestTag)));
+ addSlowCase(branch32(Above, regT3, TrustedImm32(JSValue::LowestTag)));
// Do the math.
switch (opcodeID) {
Modified: trunk/Source/_javascript_Core/jit/JITDivGenerator.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/JITDivGenerator.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/JITDivGenerator.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -50,7 +50,7 @@
#endif
} else {
if (!opr.definitelyIsNumber())
- m_slowPathJumpList.append(jit.branchIfNotNumber(oprRegs));
+ m_slowPathJumpList.append(jit.branchIfNotNumber(oprRegs, m_scratchGPR));
CCallHelpers::Jump notInt32 = jit.branchIfNotInt32(oprRegs);
jit.convertInt32ToDouble(oprRegs.payloadGPR(), destFPR);
CCallHelpers::Jump oprIsLoaded = jit.jump();
Modified: trunk/Source/_javascript_Core/jit/JITMulGenerator.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/JITMulGenerator.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/JITMulGenerator.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -51,9 +51,9 @@
return JITMathICInlineResult::DontGenerate;
if (!m_leftOperand.definitelyIsNumber())
- state.slowPathJumps.append(jit.branchIfNotNumber(m_left));
+ state.slowPathJumps.append(jit.branchIfNotNumber(m_left, m_scratchGPR));
if (!m_rightOperand.definitelyIsNumber())
- state.slowPathJumps.append(jit.branchIfNotNumber(m_right));
+ state.slowPathJumps.append(jit.branchIfNotNumber(m_right, m_scratchGPR));
state.slowPathJumps.append(jit.branchIfInt32(m_left));
state.slowPathJumps.append(jit.branchIfInt32(m_right));
jit.unboxDoubleNonDestructive(m_left, m_leftFPR, m_scratchGPR, m_scratchFPR);
@@ -130,7 +130,7 @@
// Try to do doubleVar * double(intConstant).
notInt32.link(&jit);
if (!varOpr.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(var));
+ slowPathJumpList.append(jit.branchIfNotNumber(var, m_scratchGPR));
jit.unboxDoubleNonDestructive(var, m_leftFPR, m_scratchGPR, m_scratchFPR);
@@ -163,9 +163,9 @@
leftNotInt.link(&jit);
if (!m_leftOperand.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(m_left));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_left, m_scratchGPR));
if (!m_rightOperand.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(m_right));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_right, m_scratchGPR));
jit.unboxDoubleNonDestructive(m_left, m_leftFPR, m_scratchGPR, m_scratchFPR);
CCallHelpers::Jump rightIsDouble = jit.branchIfNotInt32(m_right);
@@ -175,7 +175,7 @@
rightNotInt.link(&jit);
if (!m_rightOperand.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(m_right));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_right, m_scratchGPR));
jit.convertInt32ToDouble(m_left.payloadGPR(), m_leftFPR);
Modified: trunk/Source/_javascript_Core/jit/JITNegGenerator.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/JITNegGenerator.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/JITNegGenerator.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -64,7 +64,7 @@
}
if (observedTypes.isOnlyNumber()) {
state.slowPathJumps.append(jit.branchIfInt32(m_src));
- state.slowPathJumps.append(jit.branchIfNotNumber(m_src));
+ state.slowPathJumps.append(jit.branchIfNotNumber(m_src, m_scratchGPR));
#if USE(JSVALUE64)
if (m_src.payloadGPR() != m_result.payloadGPR()) {
jit.move(CCallHelpers::TrustedImm64(static_cast<int64_t>(1ull << 63)), m_result.payloadGPR());
@@ -74,7 +74,6 @@
jit.xor64(m_scratchGPR, m_result.payloadGPR());
}
#else
- UNUSED_PARAM(m_scratchGPR);
jit.moveValueRegs(m_src, m_result);
jit.xor32(CCallHelpers::TrustedImm32(1 << 31), m_result.tagGPR());
#endif
@@ -107,7 +106,7 @@
endJumpList.append(jit.jump());
srcNotInt.link(&jit);
- slowPathJumpList.append(jit.branchIfNotNumber(m_src));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_src, m_scratchGPR));
// For a double, all we need to do is to invert the sign bit.
#if USE(JSVALUE64)
Modified: trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/JITOpcodes32_64.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -273,7 +273,8 @@
int value = currentInstruction[2].u.operand;
emitLoadTag(value, regT0);
- compare32(BelowOrEqual, regT0, TrustedImm32(JSValue::LowestTag), regT0);
+ add32(TrustedImm32(1), regT0);
+ compare32(Below, regT0, TrustedImm32(JSValue::LowestTag + 1), regT0);
emitStoreBool(dst, regT0);
}
@@ -400,7 +401,7 @@
// Now handle the immediate cases - undefined & null
isImmediate.link(this);
- static_assert((JSValue::UndefinedTag + 1 == JSValue::NullTag) && (JSValue::NullTag & 0x1), "");
+ ASSERT((JSValue::UndefinedTag + 1 == JSValue::NullTag) && (JSValue::NullTag & 0x1));
or32(TrustedImm32(1), regT1);
addJump(branch32(Equal, regT1, TrustedImm32(JSValue::NullTag)), target);
@@ -426,7 +427,7 @@
// Now handle the immediate cases - undefined & null
isImmediate.link(this);
- static_assert((JSValue::UndefinedTag + 1 == JSValue::NullTag) && (JSValue::NullTag & 0x1), "");
+ ASSERT((JSValue::UndefinedTag + 1 == JSValue::NullTag) && (JSValue::NullTag & 0x1));
or32(TrustedImm32(1), regT1);
addJump(branch32(NotEqual, regT1, TrustedImm32(JSValue::NullTag)), target);
@@ -653,7 +654,9 @@
emitLoad(src, regT1, regT0);
- addSlowCase(branch32(Above, regT1, TrustedImm32(JSValue::LowestTag)));
+ Jump isInt32 = branch32(Equal, regT1, TrustedImm32(JSValue::Int32Tag));
+ addSlowCase(branch32(AboveOrEqual, regT1, TrustedImm32(JSValue::LowestTag)));
+ isInt32.link(this);
emitValueProfilingSite();
if (src != dst)
@@ -1110,9 +1113,10 @@
jumpToEnd.append(branch32(Equal, regT3, TrustedImm32(JSValue::BooleanTag)));
else if (cachedTypeLocation->m_lastSeenType == TypeAnyInt)
jumpToEnd.append(branch32(Equal, regT3, TrustedImm32(JSValue::Int32Tag)));
- else if (cachedTypeLocation->m_lastSeenType == TypeNumber)
- jumpToEnd.append(branch32(BelowOrEqual, regT3, TrustedImm32(JSValue::LowestTag)));
- else if (cachedTypeLocation->m_lastSeenType == TypeString) {
+ else if (cachedTypeLocation->m_lastSeenType == TypeNumber) {
+ jumpToEnd.append(branch32(Below, regT3, TrustedImm32(JSValue::LowestTag)));
+ jumpToEnd.append(branch32(Equal, regT3, TrustedImm32(JSValue::Int32Tag)));
+ } else if (cachedTypeLocation->m_lastSeenType == TypeString) {
Jump isNotCell = branch32(NotEqual, regT3, TrustedImm32(JSValue::CellTag));
jumpToEnd.append(branch8(Equal, Address(regT0, JSCell::typeInfoTypeOffset()), TrustedImm32(StringType)));
isNotCell.link(this);
Modified: trunk/Source/_javascript_Core/jit/JITRightShiftGenerator.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/JITRightShiftGenerator.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/JITRightShiftGenerator.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -67,7 +67,7 @@
// Try to do (doubleVar >> intConstant).
notInt.link(&jit);
- m_slowPathJumpList.append(jit.branchIfNotNumber(m_left));
+ m_slowPathJumpList.append(jit.branchIfNotNumber(m_left, m_scratchGPR));
jit.unboxDoubleNonDestructive(m_left, m_leftFPR, m_scratchGPR, m_scratchFPR);
m_slowPathJumpList.append(jit.branchTruncateDoubleToInt32(m_leftFPR, m_scratchGPR));
@@ -120,7 +120,7 @@
// Try to do (doubleVar >> intVar).
leftNotInt.link(&jit);
- m_slowPathJumpList.append(jit.branchIfNotNumber(m_left));
+ m_slowPathJumpList.append(jit.branchIfNotNumber(m_left, m_scratchGPR));
jit.unboxDoubleNonDestructive(m_left, m_leftFPR, m_scratchGPR, m_scratchFPR);
m_slowPathJumpList.append(jit.branchTruncateDoubleToInt32(m_leftFPR, m_scratchGPR));
Modified: trunk/Source/_javascript_Core/jit/JITSubGenerator.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/jit/JITSubGenerator.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/jit/JITSubGenerator.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -51,9 +51,9 @@
return JITMathICInlineResult::DontGenerate;
if (!m_leftOperand.definitelyIsNumber())
- state.slowPathJumps.append(jit.branchIfNotNumber(m_left));
+ state.slowPathJumps.append(jit.branchIfNotNumber(m_left, m_scratchGPR));
if (!m_rightOperand.definitelyIsNumber())
- state.slowPathJumps.append(jit.branchIfNotNumber(m_right));
+ state.slowPathJumps.append(jit.branchIfNotNumber(m_right, m_scratchGPR));
state.slowPathJumps.append(jit.branchIfInt32(m_left));
state.slowPathJumps.append(jit.branchIfInt32(m_right));
jit.unboxDoubleNonDestructive(m_left, m_leftFPR, m_scratchGPR, m_scratchFPR);
@@ -107,9 +107,9 @@
leftNotInt.link(&jit);
if (!m_leftOperand.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(m_left));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_left, m_scratchGPR));
if (!m_rightOperand.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(m_right));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_right, m_scratchGPR));
jit.unboxDoubleNonDestructive(m_left, m_leftFPR, m_scratchGPR, m_scratchFPR);
CCallHelpers::Jump rightIsDouble = jit.branchIfNotInt32(m_right);
@@ -119,7 +119,7 @@
rightNotInt.link(&jit);
if (!m_rightOperand.definitelyIsNumber())
- slowPathJumpList.append(jit.branchIfNotNumber(m_right));
+ slowPathJumpList.append(jit.branchIfNotNumber(m_right, m_scratchGPR));
jit.convertInt32ToDouble(m_left.payloadGPR(), m_leftFPR);
Modified: trunk/Source/_javascript_Core/llint/LLIntData.cpp (226439 => 226440)
--- trunk/Source/_javascript_Core/llint/LLIntData.cpp 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/llint/LLIntData.cpp 2018-01-05 08:26:02 UTC (rev 226440)
@@ -117,7 +117,16 @@
ASSERT(OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.tag) == 4);
ASSERT(OBJECT_OFFSETOF(EncodedValueDescriptor, asBits.payload) == 0);
#endif
-#if USE(JSVALUE64)
+#if USE(JSVALUE32_64)
+ STATIC_ASSERT(JSValue::Int32Tag == static_cast<unsigned>(-1));
+ STATIC_ASSERT(JSValue::BooleanTag == static_cast<unsigned>(-2));
+ STATIC_ASSERT(JSValue::NullTag == static_cast<unsigned>(-3));
+ STATIC_ASSERT(JSValue::UndefinedTag == static_cast<unsigned>(-4));
+ STATIC_ASSERT(JSValue::CellTag == static_cast<unsigned>(-5));
+ STATIC_ASSERT(JSValue::EmptyValueTag == static_cast<unsigned>(-6));
+ STATIC_ASSERT(JSValue::DeletedValueTag == static_cast<unsigned>(-7));
+ STATIC_ASSERT(JSValue::LowestTag == static_cast<unsigned>(-7));
+#else
STATIC_ASSERT(TagBitTypeOther == 0x2);
STATIC_ASSERT(TagBitBool == 0x4);
STATIC_ASSERT(TagBitUndefined == 0x8);
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm (226439 => 226440)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter.asm 2018-01-05 08:26:02 UTC (rev 226440)
@@ -194,14 +194,14 @@
const TagTypeNumber = 0xffff000000000000
const TagMask = TagTypeNumber | TagBitTypeOther
else
- const NullTag = constexpr JSValue::NullTag
- const UndefinedTag = constexpr JSValue::UndefinedTag
- const BooleanTag = constexpr JSValue::BooleanTag
- const CellTag = constexpr JSValue::CellTag
- const EmptyValueTag = constexpr JSValue::EmptyValueTag
- const DeletedValueTag = constexpr JSValue::DeletedValueTag
- const Int32Tag = constexpr JSValue::Int32Tag
- const LowestTag = constexpr JSValue::LowestTag
+ const Int32Tag = -1
+ const BooleanTag = -2
+ const NullTag = -3
+ const UndefinedTag = -4
+ const CellTag = -5
+ const EmptyValueTag = -6
+ const DeletedValueTag = -7
+ const LowestTag = DeletedValueTag
end
# PutByIdFlags data
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (226439 => 226440)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2018-01-05 08:26:02 UTC (rev 226440)
@@ -914,8 +914,9 @@
loadi 8[PC], t0
loadi 4[PC], t1
loadConstantOrVariable(t0, t2, t3)
- bia t2, Int32Tag, .opToNumberSlow
-.opToNumberIsNumber:
+ bieq t2, Int32Tag, .opToNumberIsInt
+ biaeq t2, LowestTag, .opToNumberSlow
+.opToNumberIsInt:
storei t2, TagOffset[cfr, t1, 8]
storei t3, PayloadOffset[cfr, t1, 8]
valueProfile(t2, t3, 12, t1)
@@ -1273,7 +1274,8 @@
loadi 4[PC], t2
loadConstantOrVariableTag(t1, t0)
storei BooleanTag, TagOffset[cfr, t2, 8]
- cibeq t0, LowestTag, t1
+ addi 1, t0
+ cib t0, LowestTag + 1, t1
storei t1, PayloadOffset[cfr, t2, 8]
dispatch(constexpr op_is_number_length)
@@ -1490,9 +1492,15 @@
bilt t1, PutByIdSecondaryTypeInt32, .opPutByIdTypeCheckLessThanInt32
# We are either Int32 or Number.
- bibeq t2, LowestTag, .opPutByIdDoneCheckingTypes
+ bieq t1, PutByIdSecondaryTypeNumber, .opPutByIdTypeCheckNumber
+
+ bieq t2, Int32Tag, .opPutByIdDoneCheckingTypes
jmp .opPutByIdSlow
+.opPutByIdTypeCheckNumber:
+ bib t2, LowestTag + 1, .opPutByIdDoneCheckingTypes
+ jmp .opPutByIdSlow
+
.opPutByIdTypeCheckLessThanInt32:
# We are one of the following: Bottom, Boolean, Other
bineq t1, PutByIdSecondaryTypeBoolean, .opPutByIdTypeCheckBottomOrOther
Modified: trunk/Source/_javascript_Core/runtime/JSCJSValue.h (226439 => 226440)
--- trunk/Source/_javascript_Core/runtime/JSCJSValue.h 2018-01-05 06:40:30 UTC (rev 226439)
+++ trunk/Source/_javascript_Core/runtime/JSCJSValue.h 2018-01-05 08:26:02 UTC (rev 226440)
@@ -147,15 +147,15 @@
public:
#if USE(JSVALUE32_64)
- enum { NullTag = 0xffffffff };
- enum { UndefinedTag = 0xfffffffe }; // ^ Other
- enum { BooleanTag = 0xfffffffd }; // ^ Misc
- enum { CellTag = 0xfffffffc };
- enum { EmptyValueTag = 0xfffffffb };
- enum { DeletedValueTag = 0xfffffffa };
- enum { Int32Tag = 0xfffffff9 }; // v Number
+ enum { Int32Tag = 0xffffffff };
+ enum { BooleanTag = 0xfffffffe };
+ enum { NullTag = 0xfffffffd };
+ enum { UndefinedTag = 0xfffffffc };
+ enum { CellTag = 0xfffffffb };
+ enum { EmptyValueTag = 0xfffffffa };
+ enum { DeletedValueTag = 0xfffffff9 };
- enum { LowestTag = Int32Tag };
+ enum { LowestTag = DeletedValueTag };
#endif
static EncodedJSValue encode(JSValue);
