Modified: trunk/Source/_javascript_Core/ChangeLog (280148 => 280149)
--- trunk/Source/_javascript_Core/ChangeLog 2021-07-21 17:24:44 UTC (rev 280148)
+++ trunk/Source/_javascript_Core/ChangeLog 2021-07-21 17:48:56 UTC (rev 280149)
@@ -1,3 +1,19 @@
+2021-07-21 Keith Miller <[email protected]>
+
+ speculateNeitherDoubleNorStringNorHeapBigInt should only have a single JSType branch
+ https://bugs.webkit.org/show_bug.cgi?id=228146
+
+ Reviewed by Robin Morisset.
+
+ Since StringType and HeapBigIntType are adjacent JSTypes
+ we can do an integer range check rather than two separate
+ JSType checks.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::speculateNeitherDoubleNorHeapBigIntNorString):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
2021-07-20 Yijia Huang <[email protected]>
Add ARM64 EON opcode and select it in AIR
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (280148 => 280149)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-07-21 17:24:44 UTC (rev 280148)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-07-21 17:48:56 UTC (rev 280149)
@@ -11788,8 +11788,8 @@
if (mayNotBeCell)
done.append(m_jit.branchIfNotCell(regs));
- DFG_TYPE_CHECK(regs, edge, ~SpecString, m_jit.branchIfString(regs.payloadGPR()));
- DFG_TYPE_CHECK(regs, edge, ~SpecHeapBigInt, m_jit.branchIfHeapBigInt(regs.payloadGPR()));
+ static_assert(StringType + 1 == HeapBigIntType);
+ DFG_TYPE_CHECK(regs, edge, ~(SpecString | SpecHeapBigInt), m_jit.branchIfType(regs.payloadGPR(), JSTypeRange { StringType, HeapBigIntType }));
if (mayBeInt32 || mayNotBeCell)
done.link(&m_jit);
Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (280148 => 280149)
--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-07-21 17:24:44 UTC (rev 280148)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-07-21 17:48:56 UTC (rev 280149)
@@ -18665,8 +18665,9 @@
m_out.branch(isCell(value, provenType(edge)), unsure(isCellBlock), unsure(continuation));
m_out.appendTo(isCellBlock, continuation);
- FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecString, isString(value));
- FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecHeapBigInt, isHeapBigInt(value));
+
+ static_assert(StringType + 1 == HeapBigIntType);
+ FTL_TYPE_CHECK(jsValueValue(value), edge, ~(SpecString | SpecHeapBigInt), isType(value, JSTypeRange { StringType, HeapBigIntType }));
m_out.jump(continuation);
m_out.appendTo(continuation, lastNext);
@@ -19007,11 +19008,23 @@
m_out.constInt32(MasqueradesAsUndefined | OverridesGetCallData));
}
+ LValue isType(LValue cell, JSTypeRange range)
+ {
+ if (range.last == range.first) {
+ return m_out.equal(
+ m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType),
+ m_out.constInt32(range.first));
+ }
+
+ ASSERT(range.last > range.first);
+ return m_out.belowOrEqual(
+ m_out.sub(m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType), m_out.constInt32(range.first)),
+ m_out.constInt32(range.last - range.first));
+ }
+
LValue isType(LValue cell, JSType type)
{
- return m_out.equal(
- m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType),
- m_out.constInt32(type));
+ return isType(cell, JSTypeRange { type, type });
}
LValue isNotType(LValue cell, JSType type)
