Modified: branches/safari-612-branch/JSTests/ChangeLog (285463 => 285464)
--- branches/safari-612-branch/JSTests/ChangeLog 2021-11-09 01:09:09 UTC (rev 285463)
+++ branches/safari-612-branch/JSTests/ChangeLog 2021-11-09 01:09:12 UTC (rev 285464)
@@ -1,5 +1,45 @@
2021-11-08 Kocsen Chung <kocsen_ch...@apple.com>
+ Cherry-pick r283938. rdar://problem/85166798
+
+ Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
+ https://bugs.webkit.org/show_bug.cgi?id=231465
+ <rdar://83876470>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/dont-branch-around-regalloc-enumerator-get-by-val.js: Added.
+ (foo):
+
+ Source/_javascript_Core:
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@283938 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-10-11 Saam Barati <sbar...@apple.com>
+
+ Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
+ https://bugs.webkit.org/show_bug.cgi?id=231465
+ <rdar://83876470>
+
+ Reviewed by Yusuke Suzuki.
+
+ * stress/dont-branch-around-regalloc-enumerator-get-by-val.js: Added.
+ (foo):
+
+2021-11-08 Kocsen Chung <kocsen_ch...@apple.com>
+
Cherry-pick r283818. rdar://problem/85173568
RegExpExec can't statically prove which of the two structures it will get in AI by just looking at the RegExp*
Added: branches/safari-612-branch/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js (0 => 285464)
--- branches/safari-612-branch/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js (rev 0)
+++ branches/safari-612-branch/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js 2021-11-09 01:09:12 UTC (rev 285464)
@@ -0,0 +1,10 @@
+function foo(o) {
+ for (let p in o) {
+ o[p];
+ }
+}
+
+for (let i=0; i<10000; i++) {
+ foo(new Uint32Array());
+ foo({o:undefined});
+}
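Review bot: `new Uint32Array()` on line 60 has length 0, so the `for (let p in o)` body on line 55 never runs with a typed-array base; whether the regression still reproduces then depends on how the DFG picks up the Uint32Array at `o[p]`, which I can't tell from here, so confirm against the original report. If a profiled typed-array load is needed, `foo(new Uint32Array(1));` exercises the Uint32 path on every iteration without changing what the test checks. A header comment would also help since the file asserts nothing, e.g. `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=231465: must not crash or assert in the DFG/FTL.`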
Modified: branches/safari-612-branch/Source/_javascript_Core/ChangeLog (285463 => 285464)
--- branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2021-11-09 01:09:09 UTC (rev 285463)
+++ branches/safari-612-branch/Source/_javascript_Core/ChangeLog 2021-11-09 01:09:12 UTC (rev 285464)
@@ -1,5 +1,51 @@
2021-11-08 Kocsen Chung <kocsen_ch...@apple.com>
+ Cherry-pick r283938. rdar://problem/85166798
+
+ Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
+ https://bugs.webkit.org/show_bug.cgi?id=231465
+ <rdar://83876470>
+
+ Reviewed by Yusuke Suzuki.
+
+ JSTests:
+
+ * stress/dont-branch-around-regalloc-enumerator-get-by-val.js: Added.
+ (foo):
+
+ Source/_javascript_Core:
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@283938 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2021-10-11 Saam Barati <sbar...@apple.com>
+
+ Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
+ https://bugs.webkit.org/show_bug.cgi?id=231465
+ <rdar://83876470>
+
+ Reviewed by Yusuke Suzuki.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
+2021-11-08 Kocsen Chung <kocsen_ch...@apple.com>
+
Cherry-pick r283862. rdar://problem/85167292
Run backwards propagation before we prune the graph after ForceOSRExit nodes in BytecodeParser
Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (285463 => 285464)
--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-11-09 01:09:09 UTC (rev 285463)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2021-11-09 01:09:12 UTC (rev 285464)
@@ -3340,19 +3340,20 @@
}
}
-void SpeculativeJIT::setIntTypedArrayLoadResult(Node* node, JSValueRegs resultRegs, TypedArrayType type, bool canSpeculate, bool shouldBox)
+void SpeculativeJIT::setIntTypedArrayLoadResult(Node* node, JSValueRegs resultRegs, TypedArrayType type, bool canSpeculate, bool shouldBox, FPRReg resultFPR)
{
bool isUInt32 = elementSize(type) == 4 && !isSigned(type);
+ if (isUInt32)
+ ASSERT(resultFPR != InvalidFPRReg);
GPRReg resultReg = resultRegs.payloadGPR();
if (shouldBox) {
if (isUInt32) {
- FPRTemporary fresult(this);
- m_jit.convertInt32ToDouble(resultReg, fresult.fpr());
+ m_jit.convertInt32ToDouble(resultReg, resultFPR);
JITCompiler::Jump positive = m_jit.branch32(MacroAssembler::GreaterThanOrEqual, resultReg, TrustedImm32(0));
- m_jit.addDouble(JITCompiler::AbsoluteAddress(&AssemblyHelpers::twoToThe32), fresult.fpr());
+ m_jit.addDouble(JITCompiler::AbsoluteAddress(&AssemblyHelpers::twoToThe32), resultFPR);
positive.link(&m_jit);
- m_jit.boxDouble(fresult.fpr(), resultRegs);
+ m_jit.boxDouble(resultFPR, resultRegs);
} else
m_jit.boxInt32(resultRegs.payloadGPR(), resultRegs);
jsValueResult(resultRegs, node);
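Review bot: The precondition added on lines 126-127 is debug-only, so in a release build a caller passing `InvalidFPRReg` for a Uint32 load would emit `convertInt32ToDouble` into an invalid register with no diagnostic; that is acceptable only if the contract is written down, and currently it is not. Suggest collapsing the two lines into `ASSERT_IMPLIES(isUInt32, resultFPR != InvalidFPRReg);` (WTF's form, if available on this branch) and a comment above the function: `// resultFPR must be allocated by the caller before any branch or label so register allocation is not skipped on one path; it is only needed for Uint32 loads, whose values above INT32_MAX are produced as doubles (see the twoToThe32 adjustment below).` The function continues past the end of this hunk.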
@@ -3380,12 +3381,11 @@
}
#endif
- FPRTemporary fresult(this);
- m_jit.convertInt32ToDouble(resultReg, fresult.fpr());
+ m_jit.convertInt32ToDouble(resultReg, resultFPR);
JITCompiler::Jump positive = m_jit.branch32(MacroAssembler::GreaterThanOrEqual, resultReg, TrustedImm32(0));
- m_jit.addDouble(JITCompiler::AbsoluteAddress(&AssemblyHelpers::twoToThe32), fresult.fpr());
+ m_jit.addDouble(JITCompiler::AbsoluteAddress(&AssemblyHelpers::twoToThe32), resultFPR);
positive.link(&m_jit);
- doubleResult(fresult.fpr(), node);
+ doubleResult(resultFPR, node);
}
void SpeculativeJIT::compileGetByValOnIntTypedArray(Node* node, TypedArrayType type, const ScopedLambda<std::tuple<JSValueRegs, DataFormat>(DataFormat preferredFormat)>& prefix)
@@ -3402,6 +3402,13 @@
GPRReg storageReg = storage.gpr();
GPRReg scratchGPR = scratch.gpr();
+ std::optional<FPRTemporary> fprTemp;
+ FPRReg resultFPR = InvalidFPRReg;
+ if (elementSize(type) == 4 && !isSigned(type)) {
+ fprTemp.emplace(this);
+ resultFPR = fprTemp->fpr();
+ }
+
JSValueRegs resultRegs;
DataFormat format;
std::tie(resultRegs, format) = prefix(DataFormatInt32);
@@ -3410,7 +3417,7 @@
emitTypedArrayBoundsCheck(node, baseReg, propertyReg, scratchGPR);
loadFromIntTypedArray(storageReg, propertyReg, resultRegs.payloadGPR(), type);
constexpr bool canSpeculate = true;
- setIntTypedArrayLoadResult(node, resultRegs, type, canSpeculate, shouldBox);
+ setIntTypedArrayLoadResult(node, resultRegs, type, canSpeculate, shouldBox, resultFPR);
}
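Review bot: The predicate `elementSize(type) == 4 && !isSigned(type)` on line 162 now appears three times — here, in DFGSpeculativeJIT64.cpp, and as `isUInt32` inside setIntTypedArrayLoadResult — and the callee's assertion only holds while all three copies agree. A small shared helper, `static bool isUInt32TypedArray(TypedArrayType type) { return elementSize(type) == 4 && !isSigned(type); }` (or `type == TypeUint32`, if that is equivalent in this tree), used at every site would keep them from drifting. The placement ahead of `prefix(DataFormatInt32)` on line 169 also deserves a why-comment, e.g. `// Allocate before prefix(), which may branch; register allocation must not be skipped on any path (bug 231465).` compileGetByValOnIntTypedArray begins before this hunk.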
bool SpeculativeJIT::getIntTypedArrayStoreOperand(
Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (285463 => 285464)
--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2021-11-09 01:09:09 UTC (rev 285463)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2021-11-09 01:09:12 UTC (rev 285464)
@@ -1474,7 +1474,7 @@
#endif
Edge valueUse);
void loadFromIntTypedArray(GPRReg storageReg, GPRReg propertyReg, GPRReg resultReg, TypedArrayType);
- void setIntTypedArrayLoadResult(Node*, JSValueRegs resultRegs, TypedArrayType, bool canSpeculate, bool shouldBox);
+ void setIntTypedArrayLoadResult(Node*, JSValueRegs resultRegs, TypedArrayType, bool canSpeculate, bool shouldBox, FPRReg);
template <typename ClassType> void compileNewFunctionCommon(GPRReg, RegisteredStructure, GPRReg, GPRReg, GPRReg, MacroAssembler::JumpList&, size_t, FunctionExecutable*);
void compileNewFunction(Node*);
void compileSetFunctionName(Node*);
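Review bot: The new `FPRReg` parameter on line 186 is the only unnamed parameter in the declaration, and nothing records that it may be `InvalidFPRReg` for every element type except Uint32. Suggest `FPRReg resultFPR` with a trailing comment `// allocated by the caller before any branch; only used for Uint32 loads, InvalidFPRReg otherwise` so callers can see the contract without reading the .cpp.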
Modified: branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (285463 => 285464)
--- branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2021-11-09 01:09:09 UTC (rev 285463)
+++ branches/safari-612-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2021-11-09 01:09:12 UTC (rev 285464)
@@ -3668,6 +3668,12 @@
GPRReg oldValueGPR = oldValue.gpr();
resultGPR = result.gpr();
GPRReg newValueGPR = newValue.gpr();
+ std::optional<FPRTemporary> fprTemp;
+ FPRReg resultFPR = InvalidFPRReg;
+ if (elementSize(type) == 4 && !isSigned(type)) {
+ fprTemp.emplace(this);
+ resultFPR = fprTemp->fpr();
+ }
// FIXME: It shouldn't be necessary to nop-pad between register allocation and a jump label.
// https://bugs.webkit.org/show_bug.cgi?id=170974
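Review bot: The `std::optional<FPRTemporary>` on lines 197-202 is deliberately placed ahead of the jump label that the FIXME on lines 203-204 refers to, but nothing says so, and a later cleanup could reasonably move it next to its use (the call site, which is in a separate hunk roughly a hundred lines below). A one-line comment would pin the intent: `// Allocate the FPR temporary before the label below so register allocation happens on every path (bug 231465).` The enclosing compile() case starts outside this hunk.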
@@ -3771,7 +3777,7 @@
}
constexpr bool canSpeculate = false;
constexpr bool shouldBox = false;
- setIntTypedArrayLoadResult(node, JSValueRegs(resultGPR), type, canSpeculate, shouldBox);
+ setIntTypedArrayLoadResult(node, JSValueRegs(resultGPR), type, canSpeculate, shouldBox, resultFPR);
break;
}
Modified: branches/safari-612-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (285463 => 285464)
--- branches/safari-612-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-11-09 01:09:09 UTC (rev 285463)
+++ branches/safari-612-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2021-11-09 01:09:12 UTC (rev 285464)
@@ -13637,7 +13637,7 @@
if (elementSize(type) < 4 || isSigned(type))
genericResult = boxInt32(genericResult);
else
- genericResult = strictInt52ToJSValue(genericResult);
+ genericResult = strictInt52ToJSValue(m_out.zeroExt(genericResult, Int64));
} else if (genericResult->type() == Double)
genericResult = boxDouble(genericResult);
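Review bot: `m_out.zeroExt(genericResult, Int64)` on line 221 is presumably right because a Uint32 element held in a 32-bit value must be read as unsigned — a sign extension would turn elements at or above 2^31 into negative Int52 values — but the line gives no hint why zero- rather than sign-extension was chosen, and the neighbouring `boxInt32` branch does not explain it either. Suggest `// Uint32 elements are unsigned: zero-extend to Int64 before boxing as a strict Int52.` above the call. Separately, the ChangeLog attributes this hunk to compileCompareStrictEq, which does not obviously match a typed-array load result; the enclosing function is outside this hunk, so the entry is worth double-checking.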