- Revision
- 231826
- Author
- [email protected]
- Date
- 2018-05-15 18:41:49 -0700 (Tue, 15 May 2018)
Log Message
Cherry-pick r230465. rdar://problem/39988131
Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
https://bugs.webkit.org/show_bug.cgi?id=184372
Reviewed by Saam Barati.
We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
have already proved, using techniques that are more precise than AI, that the edge has type
Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
other than a check - so we think we can call those just because we should have already
bailed. It's better to think of them as the result of folding a check. Therefore, we should
only do it if there had been a check to begin with.
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::lowInt32):
(JSC::FTL::DFG::LowerDFGToB3::lowInt52):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
(JSC::FTL::DFG::LowerDFGToB3::lowDouble):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230465 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Modified Paths
Diff
Modified: branches/safari-605-branch/Source/_javascript_Core/ChangeLog (231825 => 231826)
--- branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-16 00:39:10 UTC (rev 231825)
+++ branches/safari-605-branch/Source/_javascript_Core/ChangeLog 2018-05-16 01:41:49 UTC (rev 231826)
@@ -1,3 +1,71 @@
+2018-05-15 Kocsen Chung <[email protected]>
+
+ Cherry-pick r230465. rdar://problem/39988131
+
+ Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
+ https://bugs.webkit.org/show_bug.cgi?id=184372
+
+ Reviewed by Saam Barati.
+
+ We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
+ have already proved, using techniques that are more precise than AI, that the edge has type
+ Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
+ because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
+ other than a check - so we think we can call those just because we should have already
+ bailed. It's better to think of them as the result of folding a check. Therefore, we should
+ only do it if there had been a check to begin with.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
+ (JSC::FTL::DFG::LowerDFGToB3::lowCell):
+ (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
+ (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@230465 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2018-04-09 Filip Pizlo <[email protected]>
+
+ Executing known edge types may reveal a contradiction causing us to emit an exit at a node that is not allowed to exit
+ https://bugs.webkit.org/show_bug.cgi?id=184372
+
+ Reviewed by Saam Barati.
+
+ We do a pretty good job of not emitting checks for KnownBlah edges, since those mean that we
+ have already proved, using techniques that are more precise than AI, that the edge has type
+ Blah. Unfortunately, we do not handle this case gracefully when AI state becomes bottom,
+ because we have a bad habit of treating terminate/terminateSpeculativeExecution as something
+ other than a check - so we think we can call those just because we should have already
+ bailed. It's better to think of them as the result of folding a check. Therefore, we should
+ only do it if there had been a check to begin with.
+
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+ (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::lowInt52):
+ (JSC::FTL::DFG::LowerDFGToB3::lowCell):
+ (JSC::FTL::DFG::LowerDFGToB3::lowBoolean):
+ (JSC::FTL::DFG::LowerDFGToB3::lowDouble):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
+
2018-05-09 Keith Miller <[email protected]>
Cherry-pick r231316. rdar://problem/40050814
Modified: branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (231825 => 231826)
--- branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-05-16 00:39:10 UTC (rev 231825)
+++ branches/safari-605-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2018-05-16 01:41:49 UTC (rev 231826)
@@ -1088,7 +1088,8 @@
m_interpreter.filter(value, SpecInt32Only);
if (value.isClear()) {
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
returnFormat = DataFormatInt32;
return allocate();
}
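Review bot: When the new `mayHaveTypeCheck(edge.useKind())` guard is false, the `value.isClear()` branch emits nothing and falls through to `return allocate();`, handing the caller a register that this path never fills, and no comment says why that is acceptable. The same applies to the hunks at 1232, 1339 (`fprAllocate()`), 1372 and 1447. I would add above each guard something like `// AI proved a contradiction, but a Known* use kind never had a check to fold into an exit; this path should be unreachable at run time and the register returned below is only a placeholder.` The enclosing functions start and end outside these hunks, so whether every caller tolerates the placeholder cannot be confirmed from here.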
@@ -1232,7 +1233,8 @@
m_interpreter.filter(value, SpecAnyInt);
if (value.isClear()) {
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return allocate();
}
@@ -1339,7 +1341,8 @@
info.fillDouble(*m_stream, fpr);
return fpr;
}
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return fprAllocate();
}
@@ -1372,7 +1375,8 @@
m_interpreter.filter(value, SpecCellCheck);
if (value.isClear()) {
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return allocate();
}
@@ -1447,7 +1451,8 @@
m_interpreter.filter(value, SpecBoolean);
if (value.isClear()) {
- terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
return allocate();
}
Modified: branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (231825 => 231826)
--- branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-05-16 00:39:10 UTC (rev 231825)
+++ branches/safari-605-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2018-05-16 01:41:49 UTC (rev 231826)
@@ -13664,7 +13664,8 @@
if (edge->hasConstant()) {
JSValue value = edge->asJSValue();
if (!value.isInt32()) {
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.int32Zero;
}
LValue result = m_out.constInt32(value.asInt32());
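Review bot: The pair `if (mayHaveTypeCheck(edge.useKind()))` / `terminate(Uncountable);` is pasted eight times in this file (here and in the hunks at 13695, 13729, 13781, 13798, 13890, 13911 and 13925), so a later low* function could easily reintroduce the unguarded call. A small private helper taking the edge would keep the rule in one place; `terminateIfHadTypeCheck(edge)` is only a proposed name. Where the guard is false, the function now returns a zero placeholder (`m_out.int32Zero`, `m_out.intPtrZero`, `m_out.booleanFalse` and so on) and lowering carries on. A one-line comment stating that this code is expected to be unreachable at run time would document the invariant the generated code depends on. The function bodies extend beyond the hunks.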
@@ -13695,7 +13696,8 @@
}
DFG_ASSERT(m_graph, m_node, !(provenType(edge) & SpecInt32Only), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.int32Zero;
}
@@ -13729,7 +13731,8 @@
}
DFG_ASSERT(m_graph, m_node, !provenType(edge), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.int64Zero;
}
@@ -13781,7 +13784,8 @@
if (edge->op() == JSConstant) {
FrozenValue* value = edge->constant();
if (!value->value().isCell()) {
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.intPtrZero;
}
LValue result = frozenPointer(value);
@@ -13798,7 +13802,8 @@
}
DFG_ASSERT(m_graph, m_node, !(provenType(edge) & SpecCellCheck), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.intPtrZero;
}
@@ -13890,7 +13895,8 @@
if (edge->hasConstant()) {
JSValue value = edge->asJSValue();
if (!value.isBoolean()) {
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.booleanFalse;
}
LValue result = m_out.constBool(value.asBoolean());
@@ -13911,9 +13917,10 @@
setBoolean(edge.node(), result);
return result;
}
-
+
DFG_ASSERT(m_graph, m_node, !(provenType(edge) & SpecBoolean), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.booleanFalse;
}
@@ -13925,7 +13932,8 @@
if (isValid(value))
return value.value();
DFG_ASSERT(m_graph, m_node, !provenType(edge), provenType(edge));
- terminate(Uncountable);
+ if (mayHaveTypeCheck(edge.useKind()))
+ terminate(Uncountable);
return m_out.doubleZero;
}
@@ -14381,6 +14389,9 @@
void speculateCellOrOther(Edge edge)
{
+ if (shouldNotHaveTypeCheck(edge.useKind()))
+ return;
+
LValue value = lowJSValue(edge, ManualOperandSpeculation);
LBasicBlock isNotCell = m_out.newBlock();
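Review bot: The early return here tests `shouldNotHaveTypeCheck(edge.useKind())`, while the matching early return added to `speculateStringOrOther` (hunk at 14737) tests `!m_interpreter.needsTypeCheck(edge)`, and nothing explains why the two siblings use different predicates. Judging by the names, the first looks only at the use kind and the second at the abstract-interpreter state, so they may not skip in the same situations; it is worth confirming that this is intended. If it is, a comment such as `// Known* use kinds carry no check; return before lowering so no exit is emitted.` here, and a corresponding one in `speculateStringOrOther`, would show that the difference is deliberate. Both function bodies continue past their hunks.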
@@ -14737,6 +14748,9 @@
void speculateStringOrOther(Edge edge, LValue value)
{
+ if (!m_interpreter.needsTypeCheck(edge))
+ return;
+
LBasicBlock cellCase = m_out.newBlock();
LBasicBlock notCellCase = m_out.newBlock();
LBasicBlock continuation = m_out.newBlock();