Title: [129053] trunk/Source/_javascript_Core
- Revision
- 129053
- Author
- [email protected]
- Date
- 2012-09-19 15:36:44 -0700 (Wed, 19 Sep 2012)
Log Message
DFG should not assume that a ByVal access is generic just because it was unprofiled
https://bugs.webkit.org/show_bug.cgi?id=97088
Reviewed by Geoffrey Garen.
We were not disambiguating between "Undecided" in the sense that the array profile
has no useful information versus "Undecided" in the sense that the array profile
knows that the access has not executed. That's an important distinction, since
the former form of "Undecided" means that we should consult value profiling, while
the latter means that we should force exit unless the value profiling indicates
that the access must be generic (base is not cell or property is not int).
* dfg/DFGAbstractState.cpp:
(JSC::DFG::AbstractState::execute):
* dfg/DFGArrayMode.cpp:
(JSC::DFG::fromObserved):
(JSC::DFG::refineArrayMode):
(JSC::DFG::modeAlreadyChecked):
(JSC::DFG::modeToString):
* dfg/DFGArrayMode.h:
(JSC::DFG::canCSEStorage):
(JSC::DFG::modeIsSpecific):
(JSC::DFG::modeSupportsLength):
(JSC::DFG::benefitsFromStructureCheck):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (129052 => 129053)
--- trunk/Source/_javascript_Core/ChangeLog 2012-09-19 22:36:35 UTC (rev 129052)
+++ trunk/Source/_javascript_Core/ChangeLog 2012-09-19 22:36:44 UTC (rev 129053)
@@ -1,5 +1,32 @@
2012-09-19 Filip Pizlo <[email protected]>
+ DFG should not assume that a ByVal access is generic just because it was unprofiled
+ https://bugs.webkit.org/show_bug.cgi?id=97088
+
+ Reviewed by Geoffrey Garen.
+
+ We were not disambiguating between "Undecided" in the sense that the array profile
+ has no useful information versus "Undecided" in the sense that the array profile
+ knows that the access has not executed. That's an important distinction, since
+ the former form of "Undecided" means that we should consult value profiling, while
+ the latter means that we should force exit unless the value profiling indicates
+ that the access must be generic (base is not cell or property is not int).
+
+ * dfg/DFGAbstractState.cpp:
+ (JSC::DFG::AbstractState::execute):
+ * dfg/DFGArrayMode.cpp:
+ (JSC::DFG::fromObserved):
+ (JSC::DFG::refineArrayMode):
+ (JSC::DFG::modeAlreadyChecked):
+ (JSC::DFG::modeToString):
+ * dfg/DFGArrayMode.h:
+ (JSC::DFG::canCSEStorage):
+ (JSC::DFG::modeIsSpecific):
+ (JSC::DFG::modeSupportsLength):
+ (JSC::DFG::benefitsFromStructureCheck):
+
+2012-09-19 Filip Pizlo <[email protected]>
+
DFG should not emit PutByVal hole case unless it has to
https://bugs.webkit.org/show_bug.cgi?id=97080
Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractState.cpp (129052 => 129053)
--- trunk/Source/_javascript_Core/dfg/DFGAbstractState.cpp 2012-09-19 22:36:35 UTC (rev 129052)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractState.cpp 2012-09-19 22:36:44 UTC (rev 129053)
@@ -841,6 +841,7 @@
node.setCanExit(true);
switch (node.arrayMode()) {
case Array::Undecided:
+ case Array::Unprofiled:
ASSERT_NOT_REACHED();
break;
case Array::ForceExit:
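Review bot: The new `case Array::Unprofiled:` shares the `ASSERT_NOT_REACHED()` arm with `Undecided`, and as far as I know that macro only fires in assertion-enabled builds. In a release build an unrefined mode would therefore just `break` out of the switch, presumably leaving the node's abstract value unset. Because abstract-interpretation results are used to decide which checks can be dropped later, I would at least document the invariant on this arm, e.g. `// refineArrayMode() must have turned Unprofiled into Generic or ForceExit before this point.`, and consider handling both cases the way the `ForceExit` arm does when assertions are off. The enclosing switch and function begin and end outside this hunk, so what follows the `break` is not visible here.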
Modified: trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp (129052 => 129053)
--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp 2012-09-19 22:36:35 UTC (rev 129052)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.cpp 2012-09-19 22:36:44 UTC (rev 129053)
@@ -36,7 +36,7 @@
{
switch (profile->observedArrayModes()) {
case 0:
- return Array::Undecided;
+ return Array::Unprofiled;
case asArrayModes(NonArray):
if (action == Array::Write && !profile->mayInterceptIndexedAccesses())
return Array::BlankToArrayStorage; // FIXME: we don't know whether to go to slow put mode, or not. This is a decent guess.
@@ -87,6 +87,12 @@
if (!isInt32Speculation(index) || !isCellSpeculation(base))
return Array::Generic;
+ if (arrayMode == Array::Unprofiled) {
+ // If the indexing type wasn't recorded in the array profile but the values are
+ // base=cell property=int, then we know that this access didn't execute.
+ return Array::ForceExit;
+ }
+
if (arrayMode != Array::Undecided)
return arrayMode;
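Review bot: The added `Unprofiled` branch is only correct because it sits after the `Generic` early return and before `if (arrayMode != Array::Undecided) return arrayMode;`. If it were ever moved below that line, `Unprofiled` would be returned to the caller unchanged. An ordering note would protect it, e.g. `// Keep this before the Undecided check: Unprofiled must never be returned from here.` The new comment also says the access "didn't execute", but `base` and `index` are tested with `isCellSpeculation`/`isInt32Speculation`, so "the predictions are base=cell, property=int" would be more precise wording. The function (presumably refineArrayMode, per the ChangeLog) starts and ends outside this hunk.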
@@ -198,6 +204,7 @@
return isFloat64ArraySpeculation(value.m_type);
case Array::Undecided:
+ case Array::Unprofiled:
break;
}
@@ -210,6 +217,8 @@
switch (mode) {
case Array::Undecided:
return "Undecided";
+ case Array::Unprofiled:
+ return "Unprofiled";
case Array::Generic:
return "Generic";
case Array::ForceExit:
Modified: trunk/Source/_javascript_Core/dfg/DFGArrayMode.h (129052 => 129053)
--- trunk/Source/_javascript_Core/dfg/DFGArrayMode.h 2012-09-19 22:36:35 UTC (rev 129052)
+++ trunk/Source/_javascript_Core/dfg/DFGArrayMode.h 2012-09-19 22:36:44 UTC (rev 129053)
@@ -48,6 +48,7 @@
enum Mode {
Undecided, // Implies that we need predictions to decide. We will never get to the backend in this mode.
+ Unprofiled, // Implies that array profiling didn't see anything. But that could be because the operands didn't comply with basic type assumptions (base is cell, property is int). This either becomes Generic or ForceExit depending on value profiling.
ForceExit, // Implies that we have no idea how to execute this operation, so we should just give up.
Generic,
String,
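Review bot: The comment on `Unprofiled` says what the mode turns into but not that it must never survive refinement, unlike the `Undecided` line above it, which states "We will never get to the backend in this mode". Since DFGAbstractState.cpp now asserts exactly that, I would append it to the comment, e.g. `// ... Like Undecided, this must never reach the backend.`, and wrap the line, which is far longer than its neighbours. The enumerator is also inserted in the middle of `Mode`, so every later value shifts by one; that is harmless only if nothing stores or compares the numeric values, which cannot be checked from this hunk. Switches over `Array::Mode` in files this commit does not touch would need the new case as well.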
@@ -199,6 +200,7 @@
{
switch (arrayMode) {
case Array::Undecided:
+ case Array::Unprofiled:
case Array::ForceExit:
case Array::Generic:
case Array::Arguments:
@@ -231,6 +233,7 @@
{
switch (mode) {
case Array::Undecided:
+ case Array::Unprofiled:
case Array::ForceExit:
case Array::Generic:
return false;
@@ -243,6 +246,7 @@
{
switch (mode) {
case Array::Undecided:
+ case Array::Unprofiled:
case Array::ForceExit:
case Array::Generic:
case NON_ARRAY_ARRAY_STORAGE_MODES:
@@ -257,6 +261,7 @@
switch (mode) {
case ALL_EFFECTFUL_ARRAY_STORAGE_MODES:
case Array::Undecided:
+ case Array::Unprofiled:
case Array::ForceExit:
case Array::Generic:
return false;