Title: [143314] trunk/Source/_javascript_Core
Revision
143314
Author
[email protected]
Date
2013-02-19 02:41:39 -0800 (Tue, 19 Feb 2013)

Log Message

REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
https://bugs.webkit.org/show_bug.cgi?id=110184

Reviewed by Zoltan Herczeg.

32-bit backend was making all sorts of crazy assumptions, which happened to mostly
not break things prior to http://trac.webkit.org/changeset/143241. This brings the
32-bit backend's type speculation fully into compliance with what the 64-bit
backend does.

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
(JSC::DFG::SpeculativeJIT::compileValueToInt32):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (143313 => 143314)


--- trunk/Source/_javascript_Core/ChangeLog	2013-02-19 10:14:07 UTC (rev 143313)
+++ trunk/Source/_javascript_Core/ChangeLog	2013-02-19 10:41:39 UTC (rev 143314)
@@ -1,3 +1,24 @@
+2013-02-19  Filip Pizlo  <[email protected]>
+
+        REGRESSION(r143241): It made 27 layout tests crash on 32 bit platforms
+        https://bugs.webkit.org/show_bug.cgi?id=110184
+
+        Reviewed by Zoltan Herczeg.
+        
+        32-bit backend was making all sorts of crazy assumptions, which happened to mostly
+        not break things prior to http://trac.webkit.org/changeset/143241. This brings the
+        32-bit backend's type speculation fully into compliance with what the 64-bit
+        backend does.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::checkGeneratedTypeForToInt32):
+        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
+        (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
+        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
+        (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
+
 2013-02-18  Ilya Tikhonovsky  <[email protected]>
 
         Unreviewed build fix for Apple Windows. Second stage.

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (143313 => 143314)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2013-02-19 10:14:07 UTC (rev 143313)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2013-02-19 10:41:39 UTC (rev 143314)
@@ -2074,10 +2074,10 @@
     }
 
     switch (info.registerFormat()) {
-    case DataFormatBoolean: // This type never occurs.
     case DataFormatStorage:
         RELEASE_ASSERT_NOT_REACHED();
 
+    case DataFormatBoolean:
     case DataFormatCell:
         terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0);
         return GeneratedOperandTypeUnknown;
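Review bot: Dropping the `// This type never occurs.` annotation leaves no explanation of why `case DataFormatBoolean:` now sits with the bail-out path instead of under the `RELEASE_ASSERT_NOT_REACHED()` above it. A one-line comment on the relocated label would preserve that intent, e.g. `case DataFormatBoolean: // treated as a failed speculation (terminateSpeculativeExecution), not an impossibility`. Note also that `case DataFormatStorage:` still has no `break` and only avoids falling into this path because `RELEASE_ASSERT_NOT_REACHED()` does not return; a `// not reached` after it would make that explicit. The enclosing function starts outside the hunk.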
@@ -2249,7 +2249,7 @@
         return;
     }
     case GeneratedOperandTypeUnknown:
-        RELEASE_ASSERT_NOT_REACHED();
+        ASSERT(!m_compileOkay);
         break;
     }
 }
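Review bot: `ASSERT(!m_compileOkay)` in the `GeneratedOperandTypeUnknown` case compiles to nothing in release builds, so the case now silently drops out of the switch; whether that is safe rests on the caller having already terminated speculative execution (presumably what clears `m_compileOkay`), and that dependency is not stated anywhere in the hunk. A comment would carry the intent the replaced `RELEASE_ASSERT_NOT_REACHED()` used to express: `// checkGeneratedTypeForToInt32 already called terminateSpeculativeExecution; nothing to emit.` The enclosing function, compileValueToInt32 per the log, starts outside the hunk.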

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (143313 => 143314)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2013-02-19 10:14:07 UTC (rev 143313)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp	2013-02-19 10:41:39 UTC (rev 143314)
@@ -855,7 +855,12 @@
 
     switch (info.registerFormat()) {
     case DataFormatNone: {
-
+        if ((node->hasConstant() && !isInt32Constant(node)) || info.spillFormat() == DataFormatDouble) {
+            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
+            returnFormat = DataFormatInteger;
+            return allocate();
+        }
+        
         if (node->hasConstant()) {
             ASSERT(isInt32Constant(node));
             GPRReg gpr = allocate();
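Review bot: The blank line added between the new `if` block and `if (node->hasConstant())` carries only trailing spaces, and the same happens in the `fillSpeculateBoolean` hunk at line 1159; WebKit's style checker flags trailing whitespace, so both lines should be truly empty. Separately, the bail-out sequence `terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); returnFormat = DataFormatInteger; return allocate();` is written out here and again in the hunk at line 918, and its two-line variant recurs in the fillSpeculateDouble, fillSpeculateCell and fillSpeculateBoolean hunks; a small private helper would keep the bail path uniform, though its declaration would live in the header outside this change. The enclosing function, fillSpeculateIntInternal per the log, starts outside the hunk.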
@@ -913,9 +918,11 @@
     case DataFormatJSDouble:
     case DataFormatJSCell:
     case DataFormatJSBoolean:
+        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
+        returnFormat = DataFormatInteger;
+        return allocate();
+
     case DataFormatStorage:
-        RELEASE_ASSERT_NOT_REACHED();
-
     default:
         RELEASE_ASSERT_NOT_REACHED();
         return InvalidGPRReg;
@@ -959,8 +966,10 @@
                 m_fprs.retain(fpr, virtualRegister, SpillOrderConstant);
                 info.fillDouble(*m_stream, fpr);
                 return fpr;
-            } else
-                RELEASE_ASSERT_NOT_REACHED();
+            } else {
+                terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
+                return fprAllocate();
+            }
         } else {
             DataFormat spillFormat = info.spillFormat();
             ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInteger);
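Review bot: The `ASSERT((spillFormat & DataFormatJS) || spillFormat == DataFormatInteger)` that the spilled-value branch next to the new `else` leads into is debug-only, while the guard added in this file's first hunk treats `info.spillFormat() == DataFormatDouble` as something that can occur; if a double spill can reach `fillSpeculateDouble` as well, it is neither loaded nor rejected here in a release build. Either that spill format cannot occur on the 32-bit side, in which case the first hunk's check is dead and could say so, or this path needs a `DataFormatDouble` case alongside the others; please confirm against the spill code, which is outside the hunk. The constant branch's new bail-out (`terminateSpeculativeExecution(...); return fprAllocate();`) is consistent with the rest of the change. The enclosing function continues outside the hunk on both sides.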
@@ -1052,11 +1061,14 @@
 
     case DataFormatNone:
     case DataFormatStorage:
+        RELEASE_ASSERT_NOT_REACHED();
+
     case DataFormatCell:
     case DataFormatJSCell:
     case DataFormatBoolean:
     case DataFormatJSBoolean:
-        RELEASE_ASSERT_NOT_REACHED();
+        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
+        return fprAllocate();
 
     default:
         RELEASE_ASSERT_NOT_REACHED();
@@ -1078,11 +1090,14 @@
 
         if (node->hasConstant()) {
             JSValue jsValue = valueOfJSConstant(node);
-            ASSERT(jsValue.isCell());
             GPRReg gpr = allocate();
-            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
-            m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr);
-            info.fillCell(*m_stream, gpr);
+            if (jsValue.isCell()) {
+                m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+                m_jit.move(MacroAssembler::TrustedImmPtr(jsValue.asCell()), gpr);
+                info.fillCell(*m_stream, gpr);
+                return gpr;
+            }
+            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
             return gpr;
         }
 
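Review bot: `GPRReg gpr = allocate();` now runs before `jsValue.isCell()` is tested, so the bail-out branch reads as though the register were meant to hold the constant; a guard clause keeps the allocation next to the fill that uses it: `if (!jsValue.isCell()) { terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction); return allocate(); }` placed right after `JSValue jsValue = valueOfJSConstant(node);`, with the original retain/move/fillCell sequence following unconditionally. The same reshaping applies to the constant branch in the `fillSpeculateBoolean` hunk at line 1159. The enclosing function, fillSpeculateCell per the log, starts outside the hunk.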
@@ -1124,6 +1139,9 @@
     case DataFormatDouble:
     case DataFormatJSBoolean:
     case DataFormatBoolean:
+        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
+        return allocate();
+
     case DataFormatStorage:
         RELEASE_ASSERT_NOT_REACHED();
 
@@ -1141,22 +1159,24 @@
     SpeculatedType type = m_state.forNode(node).m_type;
     VirtualRegister virtualRegister = node->virtualRegister();
     GenerationInfo& info = m_generationInfo[virtualRegister];
-    if ((node->hasConstant() && !valueOfJSConstant(node).isBoolean())
-        || !(info.isJSBoolean() || info.isUnknownJS())) {
-        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
-        return allocate();
-    }
 
     switch (info.registerFormat()) {
     case DataFormatNone: {
-
+        if (info.spillFormat() == DataFormatInteger || info.spillFormat() == DataFormatDouble) {
+            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
+            return allocate();
+        }
+        
         if (node->hasConstant()) {
             JSValue jsValue = valueOfJSConstant(node);
-            ASSERT(jsValue.isBoolean());
             GPRReg gpr = allocate();
-            m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
-            m_jit.move(MacroAssembler::TrustedImm32(jsValue.asBoolean()), gpr);
-            info.fillBoolean(*m_stream, gpr);
+            if (jsValue.isBoolean()) {
+                m_gprs.retain(gpr, virtualRegister, SpillOrderConstant);
+                m_jit.move(MacroAssembler::TrustedImm32(jsValue.asBoolean()), gpr);
+                info.fillBoolean(*m_stream, gpr);
+                return gpr;
+            }
+            terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
             return gpr;
         }
 
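Review bot: The removed up-front guard rejected any operand whose generation info was neither `isJSBoolean()` nor `isUnknownJS()`, whereas the replacement inside `case DataFormatNone` only bails on `DataFormatInteger` and `DataFormatDouble` spills; a spilled cell, under whatever spill format the 32-bit spill code assigns it, now continues into the spilled-value path below the hunk, which must then perform the boolean tag check itself. If that path only checks the tag for unknown-JS values, the new guard should also cover the cell spill format; if it always checks, a short comment on the guard saying so would help, e.g. `// Only int32 and double spills cannot be boolean; every other spill is tag-checked below.` With the old guard gone, `type` at the top of the hunk may no longer be referenced on the new side of this function, which is worth checking for an unused-variable warning. The enclosing function, fillSpeculateBoolean, starts outside the hunk.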
@@ -1201,6 +1221,9 @@
     case DataFormatDouble:
     case DataFormatJSCell:
     case DataFormatCell:
+        terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0, direction);
+        return allocate();
+
     case DataFormatStorage:
         RELEASE_ASSERT_NOT_REACHED();
 