Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (128424 => 128425)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-13 08:38:23 UTC (rev 128424)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-13 08:40:00 UTC (rev 128425)
@@ -1,3 +1,21 @@
+2012-09-13 Filip Pizlo <[email protected]>
+
+ Testing whether indexing type is ArrayWithArrayStorage should not compare against ArrayWithArrayStorage
+ https://bugs.webkit.org/show_bug.cgi?id=96611
+
+ Reviewed by Gavin Barraclough.
+
+ * dfg/DFGRepatch.cpp:
+ (JSC::DFG::tryCacheGetByID):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::checkArray):
+ * jit/JITPropertyAccess.cpp:
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * jit/JITPropertyAccess32_64.cpp:
+ (JSC::JIT::privateCompilePatchGetArrayLength):
+ * llint/LowLevelInterpreter32_64.asm:
+ * llint/LowLevelInterpreter64.asm:
+
2012-09-09 Filip Pizlo <[email protected]>
JSC should have property butterflies
Modified: trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp (128424 => 128425)
--- trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-09-13 08:38:23 UTC (rev 128424)
+++ trunk/Source/_javascript_Core/dfg/DFGRepatch.cpp 2012-09-13 08:40:00 UTC (rev 128425)
@@ -254,7 +254,9 @@
MacroAssembler::JumpList failureCases;
stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSCell::structureOffset()), scratchGPR);
- failureCases.append(stubJit.branch8(MacroAssembler::NotEqual, MacroAssembler::Address(baseGPR, Structure::indexingTypeOffset()), MacroAssembler::TrustedImm32(ArrayWithArrayStorage)));
+ stubJit.load8(MacroAssembler::Address(scratchGPR, Structure::indexingTypeOffset()), scratchGPR);
+ failureCases.append(stubJit.branchTest32(MacroAssembler::Zero, scratchGPR, MacroAssembler::TrustedImm32(IsArray)));
+ failureCases.append(stubJit.branchTest32(MacroAssembler::Zero, scratchGPR, MacroAssembler::TrustedImm32(HasArrayStorage)));
stubJit.loadPtr(MacroAssembler::Address(baseGPR, JSObject::butterflyOffset()), scratchGPR);
stubJit.load32(MacroAssembler::Address(scratchGPR, ArrayStorage::lengthOffset()), scratchGPR);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (128424 => 128425)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-09-13 08:38:23 UTC (rev 128424)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2012-09-13 08:40:00 UTC (rev 128425)
@@ -331,14 +331,21 @@
}
case ARRAY_WITH_ARRAY_STORAGE_MODES: {
GPRTemporary temp(this);
+ GPRReg tempGPR = temp.gpr();
m_jit.loadPtr(
- MacroAssembler::Address(baseReg, JSCell::structureOffset()), temp.gpr());
+ MacroAssembler::Address(baseReg, JSCell::structureOffset()), tempGPR);
+ m_jit.load8(MacroAssembler::Address(tempGPR, Structure::indexingTypeOffset()), tempGPR);
+ // FIXME: This can be turned into a single branch. But we currently have no evidence
+ // that doing so would be profitable, nor do I feel comfortable with the present test
+ // coverage for this code path.
speculationCheck(
Uncountable, JSValueRegs(), NoNode,
- m_jit.branch8(
- MacroAssembler::NotEqual,
- MacroAssembler::Address(temp.gpr(), Structure::indexingTypeOffset()),
- MacroAssembler::TrustedImm32(ArrayWithArrayStorage)));
+ m_jit.branchTest32(
+ MacroAssembler::Zero, tempGPR, MacroAssembler::TrustedImm32(IsArray)));
+ speculationCheck(
+ Uncountable, JSValueRegs(), NoNode,
+ m_jit.branchTest32(
+ MacroAssembler::Zero, tempGPR, MacroAssembler::TrustedImm32(HasArrayStorage)));
noResult(m_compileIndex);
return;
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp (128424 => 128425)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2012-09-13 08:38:23 UTC (rev 128424)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess.cpp 2012-09-13 08:40:00 UTC (rev 128425)
@@ -660,12 +660,14 @@
#if ENABLE(VALUE_PROFILER)
storePtr(regT3, m_codeBlock->getOrAddArrayProfile(stubInfo->bytecodeIndex)->addressOfLastSeenStructure());
#endif
- Jump failureCases1 = branch8(NotEqual, Address(regT3, Structure::indexingTypeOffset()), TrustedImm32(ArrayWithArrayStorage));
+ load8(Address(regT3, Structure::indexingTypeOffset()), regT3);
+ Jump failureCases1 = branchTest32(Zero, regT3, TrustedImm32(IsArray));
+ Jump failureCases2 = branchTest32(Zero, regT3, TrustedImm32(HasArrayStorage));
// Checks out okay! - get the length from the storage
loadPtr(Address(regT0, JSObject::butterflyOffset()), regT3);
load32(Address(regT3, ArrayStorage::lengthOffset()), regT2);
- Jump failureCases2 = branch32(LessThan, regT2, TrustedImm32(0));
+ Jump failureCases3 = branch32(LessThan, regT2, TrustedImm32(0));
emitFastArithIntToImmNoCheck(regT2, regT0);
Jump success = jump();
@@ -676,6 +678,7 @@
CodeLocationLabel slowCaseBegin = stubInfo->callReturnLocation.labelAtOffset(-stubInfo->patch.baseline.u.get.coldPathBegin);
patchBuffer.link(failureCases1, slowCaseBegin);
patchBuffer.link(failureCases2, slowCaseBegin);
+ patchBuffer.link(failureCases3, slowCaseBegin);
// On success return back to the hot patch code, at a point it will perform the store to dest for us.
patchBuffer.link(success, stubInfo->hotPathBegin.labelAtOffset(stubInfo->patch.baseline.u.get.putResult));
Modified: trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp (128424 => 128425)
--- trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2012-09-13 08:38:23 UTC (rev 128424)
+++ trunk/Source/_javascript_Core/jit/JITPropertyAccess32_64.cpp 2012-09-13 08:40:00 UTC (rev 128425)
@@ -620,13 +620,15 @@
#if ENABLE(VALUE_PROFILER)
storePtr(regT2, m_codeBlock->getOrAddArrayProfile(stubInfo->bytecodeIndex)->addressOfLastSeenStructure());
#endif
- Jump failureCases1 = branch8(NotEqual, Address(regT2, Structure::indexingTypeOffset()), TrustedImm32(ArrayWithArrayStorage));
+ load8(Address(regT2, Structure::indexingTypeOffset()), regT3);
+ Jump failureCases1 = branchTest32(Zero, regT2, TrustedImm32(IsArray));
+ Jump failureCases2 = branchTest32(Zero, regT2, TrustedImm32(HasArrayStorage));
// Checks out okay! - get the length from the storage
loadPtr(Address(regT0, JSArray::butterflyOffset()), regT2);
load32(Address(regT2, ArrayStorage::lengthOffset()), regT2);
- Jump failureCases2 = branch32(Above, regT2, TrustedImm32(INT_MAX));
+ Jump failureCases3 = branch32(Above, regT2, TrustedImm32(INT_MAX));
move(regT2, regT0);
move(TrustedImm32(JSValue::Int32Tag), regT1);
Jump success = jump();
@@ -637,6 +639,7 @@
CodeLocationLabel slowCaseBegin = stubInfo->callReturnLocation.labelAtOffset(-stubInfo->patch.baseline.u.get.coldPathBegin);
patchBuffer.link(failureCases1, slowCaseBegin);
patchBuffer.link(failureCases2, slowCaseBegin);
+ patchBuffer.link(failureCases3, slowCaseBegin);
// On success return back to the hot patch code, at a point it will perform the store to dest for us.
patchBuffer.link(success, stubInfo->hotPathBegin.labelAtOffset(stubInfo->patch.baseline.u.get.putResult));
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm (128424 => 128425)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2012-09-13 08:38:23 UTC (rev 128424)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter32_64.asm 2012-09-13 08:40:00 UTC (rev 128425)
@@ -1177,7 +1177,9 @@
if VALUE_PROFILER
storep t2, ArrayProfile::m_lastSeenStructure[t1]
end
- bbneq Structure::m_indexingType[t2], IsArray | HasArrayStorage, .opGetArrayLengthSlow
+ loadb Structure::m_indexingType[t2], t1
+ btiz t1, IsArray, .opGetArrayLengthSlow
+ btiz t1, HasArrayStorage, .opGetArrayLengthSlow
loadi 4[PC], t1
loadp 32[PC], t2
loadp JSObject::m_butterfly[t3], t0
Modified: trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm (128424 => 128425)
--- trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2012-09-13 08:38:23 UTC (rev 128424)
+++ trunk/Source/_javascript_Core/llint/LowLevelInterpreter64.asm 2012-09-13 08:40:00 UTC (rev 128425)
@@ -1024,7 +1024,9 @@
if VALUE_PROFILER
storep t2, ArrayProfile::m_lastSeenStructure[t1]
end
- bbneq Structure::m_indexingType[t2], IsArray | HasArrayStorage, .opGetArrayLengthSlow
+ loadb Structure::m_indexingType[t2], t1
+ btiz t1, IsArray, .opGetArrayLengthSlow
+ btiz t1, HasArrayStorage, .opGetArrayLengthSlow
loadis 8[PB, PC, 8], t1
loadp 64[PB, PC, 8], t2
loadp JSObject::m_butterfly[t3], t0
