Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124668 => 124669)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-08-03 23:03:15 UTC (rev 124668)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-08-03 23:12:58 UTC (rev 124669)
@@ -1,5 +1,27 @@
2012-08-02 Lucas Forschler <[email protected]>
+ Merge 121307
+
+ 2012-06-26 Filip Pizlo <[email protected]>
+
+ DFG PutByValAlias is too aggressive
+ https://bugs.webkit.org/show_bug.cgi?id=90026
+ <rdar://problem/11751830>
+
+ Reviewed by Gavin Barraclough.
+
+ * fast/js/dfg-put-by-val-setter-then-get-by-val-expected.txt: Added.
+ * fast/js/dfg-put-by-val-setter-then-get-by-val.html: Added.
+ * fast/js/dfg-uint8clampedarray-out-of-bounds-put-by-val-alias-expected.txt: Added.
+ * fast/js/dfg-uint8clampedarray-out-of-bounds-put-by-val-alias.html: Added.
+ * fast/js/script-tests/dfg-put-by-val-setter-then-get-by-val.js: Added.
+ (foo):
+ (for):
+ * fast/js/script-tests/dfg-uint8clampedarray-out-of-bounds-put-by-val-alias.js: Added.
+ (foo):
+
+2012-08-02 Lucas Forschler <[email protected]>
+
Merge 123912
2012-07-27 Beth Dakin <[email protected]>
Modified: branches/safari-536.26-branch/Source/_javascript_Core/ChangeLog (124668 => 124669)
--- branches/safari-536.26-branch/Source/_javascript_Core/ChangeLog 2012-08-03 23:03:15 UTC (rev 124668)
+++ branches/safari-536.26-branch/Source/_javascript_Core/ChangeLog 2012-08-03 23:12:58 UTC (rev 124669)
@@ -1,3 +1,33 @@
+2012-08-02 Lucas Forschler <[email protected]>
+
+ Merge 121307
+
+ 2012-06-26 Filip Pizlo <[email protected]>
+
+ DFG PutByValAlias is too aggressive
+ https://bugs.webkit.org/show_bug.cgi?id=90026
+ <rdar://problem/11751830>
+
+ Reviewed by Gavin Barraclough.
+
+ For CSE on normal arrays, we now treat PutByVal as impure. This does not appear to affect
+ performance by much.
+
+ For CSE on typed arrays, we fix PutByValAlias by making GetByVal speculate that the access
+ is within bounds. This also has the effect of making our out-of-bounds handling consistent
+ with WebCore.
+
+ * dfg/DFGCSEPhase.cpp:
+ (JSC::DFG::CSEPhase::performNodeCSE):
+ * dfg/DFGGraph.h:
+ (JSC::DFG::Graph::byValIsPure):
+ (JSC::DFG::Graph::clobbersWorld):
+ * dfg/DFGNodeType.h:
+ (DFG):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+ (JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):
+
2012-07-30 Lucas Forschler <[email protected]>
Merge 121391
Modified: branches/safari-536.26-branch/Source/_javascript_Core/dfg/DFGCSEPhase.cpp (124668 => 124669)
--- branches/safari-536.26-branch/Source/_javascript_Core/dfg/DFGCSEPhase.cpp 2012-08-03 23:03:15 UTC (rev 124668)
+++ branches/safari-536.26-branch/Source/_javascript_Core/dfg/DFGCSEPhase.cpp 2012-08-03 23:12:58 UTC (rev 124669)
@@ -138,10 +138,31 @@
bool byValIsPure(Node& node)
{
- return m_graph[node.child2()].shouldSpeculateInteger()
- && ((node.op() == PutByVal || node.op() == PutByValAlias)
- ? isActionableMutableArrayPrediction(m_graph[node.child1()].prediction())
- : isActionableArrayPrediction(m_graph[node.child1()].prediction()));
+ if (!m_graph[node.child2()].shouldSpeculateInteger())
+ return false;
+ PredictedType prediction = m_graph[node.child1()].prediction();
+ switch (node.op()) {
+ case PutByVal:
+ if (!isActionableMutableArrayPrediction(prediction))
+ return false;
+ if (isArrayPrediction(prediction))
+ return false;
+ return true;
+
+ case PutByValAlias:
+ if (!isActionableMutableArrayPrediction(prediction))
+ return false;
+ return true;
+
+ case GetByVal:
+ if (!isActionableArrayPrediction(prediction))
+ return false;
+ return true;
+
+ default:
+ ASSERT_NOT_REACHED();
+ return false;
+ }
}
bool clobbersWorld(NodeIndex nodeIndex)
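Review bot: The PutByVal arm of byValIsPure rejects plain arrays through `isArrayPrediction(prediction)` while the PutByValAlias arm accepts them, and nothing in the function says why the two differ. A later cleanup could merge the arms and reintroduce the stale-value problem this commit fixes. A comment above the PutByVal arm would record the reason, e.g. `// A PutByVal to a plain JS array is never pure; only PutByValAlias, set after a matching GetByVal was found, may be.` That wording is inferred from the ChangeLog line "For CSE on normal arrays, we now treat PutByVal as impure" and from the performNodeCSE hunk, so confirm it. As style, each `if (!x) return false; return true;` pair reads more directly as `return x;`, and the `default:` arm returning false is the conservative answer for builds where the assertion compiles out.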
@@ -162,6 +183,8 @@
case LogicalNot:
return !logicalNotIsPure(node);
case GetByVal:
+ case PutByVal:
+ case PutByValAlias:
return !byValIsPure(node);
default:
ASSERT_NOT_REACHED();
@@ -642,8 +665,14 @@
break;
case PutByVal:
- if (byValIsPure(node) && getByValLoadElimination(node.child1().index(), node.child2().index()) != NoNode)
+ if (isActionableMutableArrayPrediction(m_graph[node.child1()].prediction())
+ && m_graph[node.child2()].shouldSpeculateInteger()) {
+ NodeIndex nodeIndex = getByValLoadElimination(
+ node.child1().index(), node.child2().index());
+ if (nodeIndex == NoNode)
+ break;
node.setOp(PutByValAlias);
+ }
break;
case CheckStructure:
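Review bot: The condition `isActionableMutableArrayPrediction(...) && shouldSpeculateInteger()` in the PutByVal case repeats by hand what byValIsPure tests for PutByValAlias. If the two drift apart, a node rewritten to PutByValAlias here could be classified differently by clobbersWorld. Either share a small helper or add `// Must match byValIsPure()'s PutByValAlias case.` above the condition. The local `nodeIndex` is only compared with NoNode, so `if (getByValLoadElimination(...) != NoNode) node.setOp(PutByValAlias);` would drop the `break` nested inside the block. performNodeCSE begins and ends outside this hunk.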
Modified: branches/safari-536.26-branch/Source/_javascript_Core/dfg/DFGNodeType.h (124668 => 124669)
--- branches/safari-536.26-branch/Source/_javascript_Core/dfg/DFGNodeType.h 2012-08-03 23:03:15 UTC (rev 124668)
+++ branches/safari-536.26-branch/Source/_javascript_Core/dfg/DFGNodeType.h 2012-08-03 23:12:58 UTC (rev 124669)
@@ -104,8 +104,8 @@
/* Since a put to 'length' may invalidate optimizations here, */\
/* this must be the directly subsequent property put. */\
macro(GetByVal, NodeResultJS | NodeMustGenerate | NodeMightClobber) \
- macro(PutByVal, NodeMustGenerate | NodeClobbersWorld) \
- macro(PutByValAlias, NodeMustGenerate | NodeClobbersWorld) \
+ macro(PutByVal, NodeMustGenerate | NodeMightClobber) \
+ macro(PutByValAlias, NodeMustGenerate | NodeMightClobber) \
macro(GetById, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
macro(GetByIdFlush, NodeResultJS | NodeMustGenerate | NodeClobbersWorld) \
macro(PutById, NodeMustGenerate | NodeClobbersWorld) \
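Review bot: Any code that reads the raw `NodeClobbersWorld` flag without going through clobbersWorld() will now see PutByVal and PutByValAlias as non-clobbering, because both entries drop to `NodeMightClobber`. The DFGCSEPhase.cpp hunk adds the matching cases to clobbersWorld(), but no other flag consumers are visible on this page, so it is worth confirming on the branch that none exist. A comment beside the two entries would record the dependency, e.g. `/* Clobbering for PutByVal/PutByValAlias is decided in clobbersWorld() via byValIsPure(). */\`.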
Modified: branches/safari-536.26-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (124668 => 124669)
--- branches/safari-536.26-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-08-03 23:03:15 UTC (rev 124668)
+++ branches/safari-536.26-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-08-03 23:12:58 UTC (rev 124669)
@@ -1908,10 +1908,10 @@
return;
}
- MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(baseReg, descriptor.m_lengthOffset));
- m_jit.xorPtr(resultReg, resultReg);
- MacroAssembler::Jump outOfBounds = m_jit.jump();
- inBounds.link(&m_jit);
+ speculationCheck(
+ Uncountable, JSValueRegs(), NoNode,
+ m_jit.branch32(
+ MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, descriptor.m_lengthOffset)));
switch (elementSize) {
case 1:
if (signedness == SignedTypedArray)
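Review bot: The new `speculationCheck` on `AboveOrEqual` is now a correctness dependency of the CSE change, but neither this site nor the identical one in the hunk at -2073 (the float typed array path) carries a comment saying so. The ChangeLog states that PutByValAlias on typed arrays is fixed by GetByVal speculating in-bounds, so a comment such as `// Exit on out-of-bounds instead of yielding 0: PutByValAlias relies on a prior GetByVal having proven the index in bounds.` would stop the check being relaxed to a non-exiting path later. The exit kind `Uncountable` presumably keeps these exits out of the reoptimization counters, so code that routinely reads past the end may keep taking the exit; check whether a counted kind fits better. The layout tests listed in the ChangeLog name only a Uint8ClampedArray case, so a float typed array test would cover the second site. The enclosing function starts outside the hunk.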
@@ -1931,7 +1931,6 @@
default:
ASSERT_NOT_REACHED();
}
- outOfBounds.link(&m_jit);
if (elementSize < 4 || signedness == SignedTypedArray) {
integerResult(resultReg, m_compileIndex);
return;
@@ -2073,11 +2072,10 @@
FPRTemporary result(this);
FPRReg resultReg = result.fpr();
ASSERT(speculationRequirements != NoTypedArraySpecCheck);
- MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(baseReg, descriptor.m_lengthOffset));
- static const double zero = 0;
- m_jit.loadDouble(&zero, resultReg);
- MacroAssembler::Jump outOfBounds = m_jit.jump();
- inBounds.link(&m_jit);
+ speculationCheck(
+ Uncountable, JSValueRegs(), NoNode,
+ m_jit.branch32(
+ MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, descriptor.m_lengthOffset)));
switch (elementSize) {
case 4:
m_jit.loadFloat(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesFour), resultReg);
@@ -2094,7 +2092,6 @@
default:
ASSERT_NOT_REACHED();
}
- outOfBounds.link(&m_jit);
doubleResult(resultReg, m_compileIndex);
}