- Revision: 241361
- Author: [email protected]
- Date: 2019-02-13 01:02:41 -0800 (Wed, 13 Feb 2019)
Log Message
Cherry-pick r240998. rdar://problem/47832956
Fix DFG's doesGC() for a few more nodes.
https://bugs.webkit.org/show_bug.cgi?id=194307
<rdar://problem/47832956>
Reviewed by Yusuke Suzuki.
Fix doesGC() for the following nodes:
NumberToStringWithValidRadixConstant:
Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
which can allocate a string.
Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
which can allocate a string.
Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
which can allocate a string.
RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
memory for all kinds of objects.
RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
RegExpObject::execInline() and RegExpObject::matchGlobal(). Both of
these allocate memory for the match result.
RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
calls RegExpObject's collectMatches(), which allocates an array amongst
other objects.
StringFromCharCode:
If the uint32 code to convert is greater than maxSingleCharacterString,
we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
which allocates a new string if the code is greater than maxSingleCharacterString.
Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
to use maxSingleCharacterString instead of a literal constant.
* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileFromCharCode):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240998 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Diff
Modified: branches/safari-608.1.5.1-branch/Source/_javascript_Core/ChangeLog (241360 => 241361)
--- branches/safari-608.1.5.1-branch/Source/_javascript_Core/ChangeLog 2019-02-13 09:02:38 UTC (rev 241360)
+++ branches/safari-608.1.5.1-branch/Source/_javascript_Core/ChangeLog 2019-02-13 09:02:41 UTC (rev 241361)
@@ -1,5 +1,95 @@
2019-02-13 Babak Shafiei <[email protected]>
+ Cherry-pick r240998. rdar://problem/47832956
+
+ Fix DFG's doesGC() for a few more nodes.
+ https://bugs.webkit.org/show_bug.cgi?id=194307
+ <rdar://problem/47832956>
+
+ Reviewed by Yusuke Suzuki.
+
+ Fix doesGC() for the following nodes:
+
+ NumberToStringWithValidRadixConstant:
+ Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
+ which can allocate a string.
+ Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
+ which can allocate a string.
+ Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
+ which can allocate a string.
+
+ RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
+ memory for all kinds of objects.
+ RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
+ RegExpObject::execInline() and RegExpObject::matchGlobal(). Both of
+ these allocates memory for the match result.
+ RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
+ calls RegExpObject's collectMatches(), which allocates an array amongst
+ other objects.
+
+ StringFromCharCode:
+ If the uint32 code to convert is greater than maxSingleCharacterString,
+ we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
+ which allocates a new string if the code is greater than maxSingleCharacterString.
+
+ Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
+ to use maxSingleCharacterString instead of a literal constant.
+
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileFromCharCode):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
+
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@240998 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2019-02-05 Mark Lam <[email protected]>
+
+ Fix DFG's doesGC() for a few more nodes.
+ https://bugs.webkit.org/show_bug.cgi?id=194307
+ <rdar://problem/47832956>
+
+ Reviewed by Yusuke Suzuki.
+
+ Fix doesGC() for the following nodes:
+
+ NumberToStringWithValidRadixConstant:
+ Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
+ which can allocate a string.
+ Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
+ which can allocate a string.
+ Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
+ which can allocate a string.
+
+ RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
+ memory for all kinds of objects.
+ RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
+ RegExpObject::execInline() and RegExpObject::matchGlobal(). Both of
+ these allocates memory for the match result.
+ RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
+ calls RegExpObject's collectMatches(), which allocates an array amongst
+ other objects.
+
+ StringFromCharCode:
+ If the uint32 code to convert is greater than maxSingleCharacterString,
+ we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
+ which allocates a new string if the code is greater than maxSingleCharacterString.
+
+ Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
+ to use maxSingleCharacterString instead of a literal constant.
+
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileFromCharCode):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
+
+2019-02-13 Babak Shafiei <[email protected]>
+
Cherry-pick r240991. rdar://problem/47827589
Move DFG nodes that clobberize() says will write(Heap) to the doesGC() list that returns true.
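Review bot: two style points in the new ChangeLog text. "Both of these allocates memory for the match result" should read "allocate", and the cherry-pick entry carries three consecutive blank lines before the git-svn-id line where a single blank line is the usual separator. The same sentence is repeated verbatim in the nested 2019-02-05 entry, so both copies need the grammar fix.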
Modified: branches/safari-608.1.5.1-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp (241360 => 241361)
--- branches/safari-608.1.5.1-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-02-13 09:02:38 UTC (rev 241360)
+++ branches/safari-608.1.5.1-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-02-13 09:02:41 UTC (rev 241361)
@@ -121,9 +121,6 @@
case CheckNotEmpty:
case AssertNotEmpty:
case CheckStringIdent:
- case RegExpExecNonGlobalOrSticky:
- case RegExpMatchFast:
- case RegExpMatchFastGlobal:
case CompareLess:
case CompareLessEq:
case CompareGreater:
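Review bot: removing RegExpExecNonGlobalOrSticky, RegExpMatchFast and RegExpMatchFastGlobal from the `return false` group is only correct if they are re-added to the `return true` group, otherwise the switch no longer covers them; the hunk at @@ -316 adds all three next to RegExpExec, so the move is complete. Since the ChangeLog attributes the allocations to createRegExpMatchesArray() and collectMatches(), a short comment on the new true-list cases naming the allocating callee would make the reason for the move visible at the point of use, as the StringFromCharCode case already does.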
@@ -150,7 +147,6 @@
case IsTypedArrayView:
case TypeOf:
case LogicalNot:
- case NumberToStringWithValidRadixConstant:
case Jump:
case Branch:
case Switch:
@@ -165,7 +161,6 @@
case ForceOSRExit:
case CPUIntrinsic:
case CheckTraps:
- case StringFromCharCode:
case NormalizeMapKey:
case GetMapBucket:
case GetMapBucketHead:
@@ -301,6 +296,7 @@
case InstanceOfCustom:
case LoadVarargs:
case NumberToStringWithRadix:
+ case NumberToStringWithValidRadixConstant:
case PutById:
case PutByIdDirect:
case PutByIdFlush:
@@ -316,6 +312,9 @@
case PutStack:
case PutToArguments:
case RegExpExec:
+ case RegExpExecNonGlobalOrSticky:
+ case RegExpMatchFast:
+ case RegExpMatchFastGlobal:
case RegExpTest:
case ResolveScope:
case ResolveScopeForHoistingFuncDeclInEval:
@@ -417,6 +416,13 @@
return false;
return true;
+ case StringFromCharCode:
+ // FIXME: Should we constant fold this case?
+ // https://bugs.webkit.org/show_bug.cgi?id=194308
+ if (node->child1()->isInt32Constant() && (node->child1()->asUInt32() <= maxSingleCharacterString))
+ return false;
+ return true;
+
case LastNodeType:
RELEASE_ASSERT_NOT_REACHED();
return true;
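Review bot: the new case returns false for constants with `asUInt32() <= maxSingleCharacterString`, while the DFG and FTL fast paths in this same revision send the value to the slow call when it is `AboveOrEqual` / `aboveOrEqual` maxSingleCharacterString, so a constant exactly equal to maxSingleCharacterString is classed as non-allocating here but still goes through operationStringFromCharCode() in the JIT. That is safe only because, as the ChangeLog states, jsSingleCharacterString() allocates only for codes strictly greater than maxSingleCharacterString; a one-line comment recording this, or switching the JIT branches to a strict `Above`, would keep the two predicates from drifting apart in a later edit. Note also that `isInt32Constant()` followed by `asUInt32()` maps a negative Int32 constant to a large unsigned value and so lands on `return true`, which is the conservative outcome.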
Modified: branches/safari-608.1.5.1-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (241360 => 241361)
--- branches/safari-608.1.5.1-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-02-13 09:02:38 UTC (rev 241360)
+++ branches/safari-608.1.5.1-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-02-13 09:02:41 UTC (rev 241361)
@@ -2282,7 +2282,7 @@
GPRReg smallStringsReg = smallStrings.gpr();
JITCompiler::JumpList slowCases;
- slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, TrustedImm32(0xff)));
+ slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, TrustedImm32(maxSingleCharacterString)));
m_jit.move(TrustedImmPtr(m_jit.vm()->smallStrings.singleCharacterStrings()), smallStringsReg);
m_jit.loadPtr(MacroAssembler::BaseIndex(smallStringsReg, propertyReg, MacroAssembler::ScalePtr, 0), scratchReg);
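Review bot: replacing the literal 0xff with maxSingleCharacterString is behaviour-preserving only if that constant is 0xff, which is worth stating in the ChangeLog. The branch stays AboveOrEqual, so a value equal to the constant still takes the slow path while the @@ -417 hunk in DFGDoesGC.cpp treats the same constant as non-allocating; the real gain here is that the bound guarding the singleCharacterStrings() lookup on the following line is now the same named constant doesGC() uses, rather than a magic number that could silently diverge from it.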
Modified: branches/safari-608.1.5.1-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (241360 => 241361)
--- branches/safari-608.1.5.1-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-02-13 09:02:38 UTC (rev 241360)
+++ branches/safari-608.1.5.1-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-02-13 09:02:41 UTC (rev 241361)
@@ -6707,7 +6707,7 @@
LBasicBlock continuation = m_out.newBlock();
m_out.branch(
- m_out.aboveOrEqual(value, m_out.constInt32(0xff)),
+ m_out.aboveOrEqual(value, m_out.constInt32(maxSingleCharacterString)),
rarely(slowCase), usually(smallIntCase));
LBasicBlock lastNext = m_out.appendTo(smallIntCase, slowCase);
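Review bot: same comparator point as the DFG change: `aboveOrEqual(value, constInt32(maxSingleCharacterString))` routes value == maxSingleCharacterString to slowCase, whereas doesGC() now reports that constant as non-allocating. Either keep the two in step (strict above here, or `<` in doesGC) or add a comment on this branch explaining why the slow call is GC-free for that one value.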