Title: [229855] trunk
Revision: 229855
Author: [email protected]
Date: 2018-03-22 10:07:26 -0700 (Thu, 22 Mar 2018)

Log Message

[JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
https://bugs.webkit.org/show_bug.cgi?id=183559

Reviewed by Mark Lam.

JSTests:

* stress/double-to-string-in-loop-removed.js: Added.
(test):
* stress/int32-to-string-in-loop-removed.js: Added.
(test):
* stress/int52-to-string-in-loop-removed.js: Added.
(test):

Source/JavaScriptCore:

When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget
to clear NodeMustGenerate for this ToString. It should be since it does not have
any user-observable side effect. This patch clears NodeMustGenerate.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants):

Diff

Modified: trunk/JSTests/ChangeLog (229854 => 229855)


--- trunk/JSTests/ChangeLog	2018-03-22 15:58:59 UTC (rev 229854)
+++ trunk/JSTests/ChangeLog	2018-03-22 17:07:26 UTC (rev 229855)
@@ -1,3 +1,17 @@
+2018-03-22  Yusuke Suzuki  <[email protected]>
+
+        [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
+        https://bugs.webkit.org/show_bug.cgi?id=183559
+
+        Reviewed by Mark Lam.
+
+        * stress/double-to-string-in-loop-removed.js: Added.
+        (test):
+        * stress/int32-to-string-in-loop-removed.js: Added.
+        (test):
+        * stress/int52-to-string-in-loop-removed.js: Added.
+        (test):
+
 2018-03-22  Michael Saboff  <[email protected]>
 
         Race Condition in arrayProtoFuncReverse() causes wrong results or crash

Added: trunk/JSTests/stress/double-to-string-in-loop-removed.js (0 => 229855)


--- trunk/JSTests/stress/double-to-string-in-loop-removed.js	                        (rev 0)
+++ trunk/JSTests/stress/double-to-string-in-loop-removed.js	2018-03-22 17:07:26 UTC (rev 229855)
@@ -0,0 +1,8 @@
+function test()
+{
+    for (var i = 0; i < 1e6; ++i)
+        (i * 0.1).toString();
+}
+noInline(test);
+
+test();
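
Review bot: The loop in `test()` discards the result of `(i * 0.1).toString()` and nothing checks that the node was actually eliminated, so this test passes with or without the `clearFlags(NodeMustGenerate)` change. If the intent is only to exercise the path for crashes, say so in a comment at the top of the file; otherwise add a check that fails when the ToString is still emitted, since the file name promises "removed".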

Added: trunk/JSTests/stress/int32-to-string-in-loop-removed.js (0 => 229855)


--- trunk/JSTests/stress/int32-to-string-in-loop-removed.js	                        (rev 0)
+++ trunk/JSTests/stress/int32-to-string-in-loop-removed.js	2018-03-22 17:07:26 UTC (rev 229855)
@@ -0,0 +1,8 @@
+function test()
+{
+    for (var i = 0; i < 1e6; ++i)
+        i.toString();
+}
+noInline(test);
+
+test();
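
Review bot: `i.toString()` is called with no radix argument, while the change in DFGConstantFoldingPhase.cpp sits in the `radix == 10` branch that resets `child2()`, that is, on a node that carried a radix operand. It is not evident from the diff that a no-argument call reaches that conversion; calling `i.toString(10)` would make the test target the folded path explicitly.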

Added: trunk/JSTests/stress/int52-to-string-in-loop-removed.js (0 => 229855)


--- trunk/JSTests/stress/int52-to-string-in-loop-removed.js	                        (rev 0)
+++ trunk/JSTests/stress/int52-to-string-in-loop-removed.js	2018-03-22 17:07:26 UTC (rev 229855)
@@ -0,0 +1,8 @@
+function test()
+{
+    for (var i = 0; i < 1e6; ++i)
+        fiatInt52(i).toString();
+}
+noInline(test);
+
+test();

Modified: trunk/Source/JavaScriptCore/ChangeLog (229854 => 229855)


--- trunk/Source/_javascript_Core/ChangeLog	2018-03-22 15:58:59 UTC (rev 229854)
+++ trunk/Source/_javascript_Core/ChangeLog	2018-03-22 17:07:26 UTC (rev 229855)
@@ -1,5 +1,19 @@
 2018-03-22  Yusuke Suzuki  <[email protected]>
 
+        [JSC] Clear MustGenerate for ToString(Number) converted from NumberToStringWithRadix
+        https://bugs.webkit.org/show_bug.cgi?id=183559
+
+        Reviewed by Mark Lam.
+
+        When converting NumberToStringWithRadix to ToString(Int52/Int32/Double), we forget
+        to clear NodeMustGenerate for this ToString. It should be since it does not have
+        any user-observable side effect. This patch clears NodeMustGenerate.
+
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+
+2018-03-22  Yusuke Suzuki  <[email protected]>
+
         [JSC] List up all candidates in DFGCapabilities and FTLCapabilities
         https://bugs.webkit.org/show_bug.cgi?id=183897
 

Modified: trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (229854 => 229855)


--- trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp	2018-03-22 15:58:59 UTC (rev 229854)
+++ trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp	2018-03-22 17:07:26 UTC (rev 229855)
@@ -706,6 +706,7 @@
                     if (2 <= radix && radix <= 36) {
                         if (radix == 10) {
                             node->setOpAndDefaultFlags(ToString);
+                            node->clearFlags(NodeMustGenerate);
                             node->child2() = Edge();
                         } else
                             node->convertToNumberToStringWithValidRadixConstant(radix);
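
Review bot: The added `node->clearFlags(NodeMustGenerate)` in the `radix == 10` branch is unconditional, and the reason it is safe (per the log message, the operand is Int52/Int32/Double, so this ToString has no user-observable side effect) is not stated at the call site. Add a one-line comment there, or an assertion on child1's use kind, so that a later change letting a non-number operand reach this branch does not silently allow a ToString with observable effects to be dropped.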