Modified: trunk/JSTests/ChangeLog (278464 => 278465)
--- trunk/JSTests/ChangeLog 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/JSTests/ChangeLog 2021-06-04 16:32:57 UTC (rev 278465)
@@ -1,3 +1,16 @@
+2021-06-03 Filip Pizlo <fpi...@apple.com>
+
+ DFG should speculate on CompareStrictEq(@x, @x)
+ https://bugs.webkit.org/show_bug.cgi?id=226621
+
+ Reviewed by Mark Lam.
+
+ * microbenchmarks/untyped-stricteq-self.js: Added.
+ (foo):
+ * stress/untyped-stricteq-self-fail.js: Added.
+ (bar):
+ (foo):
+
2021-06-04 Keith Miller <keith_mil...@apple.com>
Fix tests that fail under executable allocation fuzzing
Added: trunk/JSTests/microbenchmarks/untyped-stricteq-self.js (0 => 278465)
--- trunk/JSTests/microbenchmarks/untyped-stricteq-self.js (rev 0)
+++ trunk/JSTests/microbenchmarks/untyped-stricteq-self.js 2021-06-04 16:32:57 UTC (rev 278465)
@@ -0,0 +1,17 @@
+function foo(x) {
+ var y;
+ if (x===x)
+ y = 42;
+ else
+ y = bar();
+ return y + 1;
+}
+
+var result = 0;
+var array = ["foo", 42, true, null, {}, [], foo];
+for (var i = 0; i < 10000000; ++i)
+ result += foo(array[i % array.length]);
+
+if (result != (42 + 1) * 10000000)
+ throw "Error";
+
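Review bot: `bar` is called on the else branch of foo but is never defined in this file, so the benchmark only runs cleanly because none of the seven array elements is NaN; if the value set is ever extended with a double, the else branch would throw a ReferenceError instead of measuring the exit path. The stress variant in this same commit defines `function bar() { return 10; }`, and the same one-liner here would keep the file self-contained. A short comment that the array deliberately contains no doubles, so the NotDouble speculation never exits, would also make the benchmark's intent explicit.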
Added: trunk/JSTests/stress/untyped-stricteq-self-fail.js (0 => 278465)
--- trunk/JSTests/stress/untyped-stricteq-self-fail.js (rev 0)
+++ trunk/JSTests/stress/untyped-stricteq-self-fail.js 2021-06-04 16:32:57 UTC (rev 278465)
@@ -0,0 +1,24 @@
+function bar() { return 10; }
+
+function foo(x) {
+ var y;
+ if (x===x)
+ y = 42;
+ else
+ y = bar();
+ return y + 1;
+}
+
+noInline(foo);
+
+var result = 0;
+var array = ["foo", 42, true, null, {}, [], foo];
+for (var i = 0; i < 1000000; ++i)
+ result += foo(array[i % array.length]);
+
+if (result != (42 + 1) * 1000000)
+ throw "Error";
+
+var resultAtEnd = foo(0.0 / 0.0);
+if (resultAtEnd != 11)
+ throw "Error at end";
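Review bot: The only double fed to foo after warm-up is NaN (`0.0 / 0.0`), which exits the NotDouble speculation and takes the else branch; a non-NaN double exits the same speculation but must still produce `43`, and that case is not asserted. Adding `if (foo(1.5) != 43) throw "Error for non-NaN double";` after the NaN check would pin that the post-exit path re-evaluates `x===x` rather than reusing the folded constant.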
Modified: trunk/Source/_javascript_Core/ChangeLog (278464 => 278465)
--- trunk/Source/_javascript_Core/ChangeLog 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-06-04 16:32:57 UTC (rev 278465)
@@ -1,3 +1,35 @@
+2021-06-03 Filip Pizlo <fpi...@apple.com>
+
+ DFG should speculate on CompareStrictEq(@x, @x)
+ https://bugs.webkit.org/show_bug.cgi?id=226621
+
+ Reviewed by Mark Lam.
+
+ Introduces a NotDouble: speculation. We use it to speculate on CompareStrictEq(@x, @x).
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isNotDoubleSpeculation):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::shouldSpeculateNotDouble):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateNotDouble):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::checkMayCrashIfInputIsEmpty):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateNotDouble):
+
2021-06-04 Robin Morisset <rmoris...@apple.com>
Drop the FTL(DFG) graph after lowering to B3
Modified: trunk/Source/_javascript_Core/bytecode/SpeculatedType.h (278464 => 278465)
--- trunk/Source/_javascript_Core/bytecode/SpeculatedType.h 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/bytecode/SpeculatedType.h 2021-06-04 16:32:57 UTC (rev 278465)
@@ -439,6 +439,11 @@
return value && !(value & SpecBoolean);
}
+inline bool isNotDoubleSpeculation(SpeculatedType type)
+{
+ return !(type & SpecFullDouble);
+}
+
inline bool isOtherSpeculation(SpeculatedType value)
{
return value == SpecOther;
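Review bot: isNotDoubleSpeculation returns true for an empty speculation (SpecNone), whereas isNotBooleanSpeculation directly above guards with `value &&` before testing the bit, and the other isNot*Speculation predicates appear to follow that convention. Through Node::shouldSpeculateNotDouble this lets FixupPhase insert a NotDoubleUse Check and fold CompareStrictEq(@x, @x) to true on a node that has no profiling information at all; the exit remains sound, but it is a different choice from the siblings and should either match them or be documented. If the sibling convention is intended, the line would read `return type && !(type & SpecFullDouble);`; otherwise a comment such as `// Unlike the other isNot*Speculation predicates, an empty speculation counts as not-double.` makes the divergence deliberate.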
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (278464 => 278465)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2021-06-04 16:32:57 UTC (rev 278465)
@@ -4282,6 +4282,14 @@
{
ASSERT(node->op() == SameValue || node->op() == CompareStrictEq);
+ if (node->child1().node() == node->child2().node()
+ && node->child1()->shouldSpeculateNotDouble()) {
+ m_insertionSet.insertNode(
+ m_indexInBlock, SpecNone, Check, node->origin,
+ Edge(node->child1().node(), NotDoubleUse));
+ m_graph.convertToConstant(node, jsBoolean(true));
+ return;
+ }
if (Node::shouldSpeculateBoolean(node->child1().node(), node->child2().node())) {
fixEdge<BooleanUse>(node->child1());
fixEdge<BooleanUse>(node->child2());
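Review bot: The new early-out applies to SameValue as well as CompareStrictEq (see the ASSERT on the line above it), but SameValue(@x, @x), i.e. Object.is(x, x), is true for every value including NaN and -0, so for that op the NotDoubleUse Check is stronger than needed and will OSR-exit on any double input that the untyped path would have handled without exiting. Unless SameValue on identical children is already folded elsewhere, consider folding it unconditionally and keeping the NotDouble speculation for CompareStrictEq only, e.g. `if (node->child1().node() == node->child2().node() && (node->op() == SameValue || node->child1()->shouldSpeculateNotDouble()))` with the Check inserted only when `node->op() == CompareStrictEq`. fixupCompareStrictEqAndSameValue's signature is above the hunk and the function continues past it.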
Modified: trunk/Source/_javascript_Core/dfg/DFGNode.h (278464 => 278465)
--- trunk/Source/_javascript_Core/dfg/DFGNode.h 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/dfg/DFGNode.h 2021-06-04 16:32:57 UTC (rev 278465)
@@ -2797,6 +2797,11 @@
{
return isNotCellNorBigIntSpeculation(prediction());
}
+
+ bool shouldSpeculateNotDouble()
+ {
+ return isNotDoubleSpeculation(prediction());
+ }
bool shouldSpeculateUntypedForArithmetic()
{
Modified: trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h (278464 => 278465)
--- trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2021-06-04 16:32:57 UTC (rev 278465)
@@ -92,6 +92,7 @@
case MiscUse:
case AnyIntUse:
case DoubleRepAnyIntUse:
+ case NotDoubleUse:
return;
case KnownInt32Use:
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (278464 => 278465)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-06-04 16:32:57 UTC (rev 278465)
@@ -11432,6 +11432,18 @@
#endif
}
+void SpeculativeJIT::speculateNotDouble(Edge edge)
+{
+ JSValueOperand operand(this, edge, ManualOperandSpeculation);
+ GPRTemporary temp(this);
+ JSValueRegs regs = operand.jsValueRegs();
+ GPRReg tempGPR = temp.gpr();
+
+ JITCompiler::Jump done = m_jit.branchIfInt32(regs);
+ DFG_TYPE_CHECK(regs, edge, ~SpecFullDouble, m_jit.branchIfNumber(regs, tempGPR));
+ done.link(&m_jit);
+}
+
void SpeculativeJIT::speculateOther(Edge edge, JSValueRegs regs, GPRReg tempGPR)
{
DFG_TYPE_CHECK(regs, edge, SpecOther, m_jit.branchIfNotOther(regs, tempGPR));
@@ -11614,6 +11626,9 @@
case NotCellNorBigIntUse:
speculateNotCellNorBigInt(edge);
break;
+ case NotDoubleUse:
+ speculateNotDouble(edge);
+ break;
case OtherUse:
speculateOther(edge);
break;
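Review bot: speculateNotDouble relies on an ordering that is easy to misread: branchIfNumber also matches Int32 values, so the preceding branchIfInt32 fast path is what makes the remaining number test equivalent to "is a double", and nothing in the function says so. A comment before the DFG_TYPE_CHECK such as `// Int32 was accepted above, so any remaining number is a double: that is the failure case.` would record the invariant; the FTL counterpart in FTLLowerDFGToB3.cpp has the same shape and could carry the same comment. It is also worth stating, in the declaration added to DFGSpeculativeJIT.h, that the speculation rejects every double rather than only NaN, so a non-NaN double on the edge exits even though `x === x` would hold for it.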
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (278464 => 278465)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2021-06-04 16:32:57 UTC (rev 278465)
@@ -1671,6 +1671,7 @@
void speculateNotCell(Edge, JSValueRegs);
void speculateNotCell(Edge);
void speculateNotCellNorBigInt(Edge);
+ void speculateNotDouble(Edge);
void speculateOther(Edge, JSValueRegs, GPRReg temp);
void speculateOther(Edge, JSValueRegs);
void speculateOther(Edge);
Modified: trunk/Source/_javascript_Core/dfg/DFGUseKind.cpp (278464 => 278465)
--- trunk/Source/_javascript_Core/dfg/DFGUseKind.cpp 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/dfg/DFGUseKind.cpp 2021-06-04 16:32:57 UTC (rev 278465)
@@ -170,6 +170,9 @@
case NotCellNorBigIntUse:
out.print("NotCellNorBigInt");
return;
+ case NotDoubleUse:
+ out.print("NotDouble");
+ return;
case KnownOtherUse:
out.print("KnownOther");
return;
Modified: trunk/Source/_javascript_Core/dfg/DFGUseKind.h (278464 => 278465)
--- trunk/Source/_javascript_Core/dfg/DFGUseKind.h 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/dfg/DFGUseKind.h 2021-06-04 16:32:57 UTC (rev 278465)
@@ -81,6 +81,7 @@
NotSymbolUse,
NotCellUse,
NotCellNorBigIntUse,
+ NotDoubleUse,
KnownOtherUse,
OtherUse,
MiscUse,
@@ -187,6 +188,8 @@
return ~SpecCellCheck;
case NotCellNorBigIntUse:
return ~SpecCellCheck & ~SpecBigInt;
+ case NotDoubleUse:
+ return ~SpecFullDouble;
case KnownOtherUse:
case OtherUse:
return SpecOther;
@@ -305,6 +308,7 @@
case MiscUse:
case NotCellUse:
case NotCellNorBigIntUse:
+ case NotDoubleUse:
return false;
default:
return true;
Modified: trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp (278464 => 278465)
--- trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2021-06-04 16:32:57 UTC (rev 278465)
@@ -528,6 +528,7 @@
case NotSymbolUse:
case AnyIntUse:
case DoubleRepAnyIntUse:
+ case NotDoubleUse:
// These are OK.
break;
default:
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (278464 => 278465)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-06-04 16:08:45 UTC (rev 278464)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-06-04 16:32:57 UTC (rev 278465)
@@ -18403,6 +18403,9 @@
case NotCellNorBigIntUse:
speculateNotCellNorBigInt(edge);
break;
+ case NotDoubleUse:
+ speculateNotDouble(edge);
+ break;
case OtherUse:
speculateOther(edge);
break;
@@ -18447,6 +18450,22 @@
speculateNotCell(edge);
#endif
}
+
+ void speculateNotDouble(Edge edge)
+ {
+ LValue value = lowJSValue(edge, ManualOperandSpeculation);
+
+ LBasicBlock isNotInt32 = m_out.newBlock();
+ LBasicBlock continuation = m_out.newBlock();
+
+ m_out.branch(isInt32(value, provenType(edge)), unsure(continuation), unsure(isNotInt32));
+
+ LBasicBlock lastNext = m_out.appendTo(isNotInt32, continuation);
+ FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecFullDouble, isNumber(value));
+ m_out.jump(continuation);
+
+ m_out.appendTo(continuation, lastNext);
+ }
void speculateCellOrOther(Edge edge)
{
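Review bot: The int32 branch in speculateNotDouble is folded against provenType(edge), but the isNumber(value) test handed to FTL_TYPE_CHECK gets no type hint, so when the abstract interpreter has already proven the edge to be, say, a cell or boolean, the isNotInt32 block is still built around an unfolded number test; the check itself is elided by the needsTypeCheck path inside the macro, so this is a code-size and readability point rather than a correctness one. If isNumber accepts the same optional SpeculatedType argument that isInt32 is given here, `FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecFullDouble, isNumber(value, provenType(edge)));` lets it fold the same way. speculateCellOrOther's body continues below the hunk.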