Title: [192949] trunk/Source/_javascript_Core
Revision
192949
Author
[email protected]
Date
2015-12-02 11:15:33 -0800 (Wed, 02 Dec 2015)

Log Message

Teach DFG that ArithSub can now clobber the heap (and other things).
https://bugs.webkit.org/show_bug.cgi?id=151733

Reviewed by Geoffrey Garen.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGClobberize.h:
(JSC::DFG::clobberize):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (192948 => 192949)


--- trunk/Source/_javascript_Core/ChangeLog	2015-12-02 19:13:02 UTC (rev 192948)
+++ trunk/Source/_javascript_Core/ChangeLog	2015-12-02 19:15:33 UTC (rev 192949)
@@ -1,3 +1,17 @@
+2015-12-02  Mark Lam  <[email protected]>
+
+        Teach DFG that ArithSub can now clobber the heap (and other things).
+        https://bugs.webkit.org/show_bug.cgi?id=151733
+
+        Reviewed by Geoffrey Garen.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGClobberize.h:
+        (JSC::DFG::clobberize):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+
 2015-12-02  Benjamin Poulain  <[email protected]>
 
         [JSC] Handle x86 partial register stalls in Air

Modified: trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (192948 => 192949)


--- trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2015-12-02 19:13:02 UTC (rev 192948)
+++ trunk/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h	2015-12-02 19:15:33 UTC (rev 192949)
@@ -528,7 +528,8 @@
                     forNode(node->child1()).m_type, forNode(node->child2()).m_type));
             break;
         case UntypedUse:
-            forNode(node).setType(m_graph, SpecHeapTop);
+            clobberWorld(node->origin.semantic, clobberLimit);
+            forNode(node).setType(m_graph, SpecBytecodeNumber);
             break;
         default:
             RELEASE_ASSERT_NOT_REACHED();
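Review bot: The new `clobberWorld` call in the `UntypedUse` arm has no comment saying why it is needed, and the same holds for the `read(World); write(Heap);` pair added for `ArithSub` in DFGClobberize.h. Both presumably model the fact that subtraction on untyped operands can run arbitrary script while converting them to numbers, and the two summaries have to agree because later phases use them to decide which checks may be dropped or hoisted. I would add above the call `// Untyped subtraction may invoke user code while converting operands; keep in sync with clobberize().` The ChangeLog lists no test file, so a regression test in which an operand's conversion has an observable side effect would be worth adding. The enclosing switch starts outside the hunk.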

Modified: trunk/Source/_javascript_Core/dfg/DFGClobberize.h (192948 => 192949)


--- trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2015-12-02 19:13:02 UTC (rev 192948)
+++ trunk/Source/_javascript_Core/dfg/DFGClobberize.h	2015-12-02 19:15:33 UTC (rev 192949)
@@ -247,7 +247,6 @@
     }
 
     case ArithAdd:
-    case ArithSub:
     case ArithNegate:
     case ArithMul:
     case ArithDiv:
@@ -257,6 +256,23 @@
         def(PureValue(node, node->arithMode()));
         return;
 
+    case ArithSub:
+        switch (node->binaryUseKind()) {
+        case Int32Use:
+#if USE(JSVALUE64)
+        case Int52RepUse:
+#endif
+        case DoubleRepUse:
+            def(PureValue(node, node->arithMode()));
+            return;
+        case UntypedUse:
+            read(World);
+            write(Heap);
+            return;
+        default:
+            DFG_CRASH(graph, node, "Bad use kind");
+        }
+
     case ArithRound:
         def(PureValue(node, static_cast<uintptr_t>(node->arithRoundingMode())));
         return;
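Review bot: The `default:` arm of the inner switch added under `case ArithSub:` ends with `DFG_CRASH(graph, node, "Bad use kind");` and no `return`, so control stays out of `case ArithRound:` only if that macro never returns. Its definition is not on this page; if it is declared noreturn the code is fine, but otherwise a fall-through would define a `PureValue` for a subtraction whose use kind was not recognised. Adding `return;` after the crash line, or a short comment such as `// DFG_CRASH does not return.`, would make the arm visibly terminal. The surrounding switch in `clobberize` starts and ends outside the hunk.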

Modified: trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp (192948 => 192949)


--- trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp	2015-12-02 19:13:02 UTC (rev 192948)
+++ trunk/Source/_javascript_Core/dfg/DFGPredictionPropagationPhase.cpp	2015-12-02 19:15:33 UTC (rev 192949)
@@ -269,8 +269,7 @@
             break;
         }
 
-        case ArithAdd:
-        case ArithSub: {
+        case ArithAdd: {
             SpeculatedType left = node->child1()->prediction();
             SpeculatedType right = node->child2()->prediction();
             
@@ -285,6 +284,25 @@
             break;
         }
             
+        case ArithSub: {
+            SpeculatedType left = node->child1()->prediction();
+            SpeculatedType right = node->child2()->prediction();
+
+            if (left && right) {
+                if (isFullNumberOrBooleanSpeculationExpectingDefined(left)
+                    && isFullNumberOrBooleanSpeculationExpectingDefined(right)) {
+                    if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
+                        changed |= mergePrediction(SpecInt32);
+                    else if (m_graph.addShouldSpeculateMachineInt(node))
+                        changed |= mergePrediction(SpecInt52);
+                    else
+                        changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
+                } else
+                    changed |= mergePrediction(SpecInt32 | SpecBytecodeDouble);
+            }
+            break;
+        }
+
         case ArithNegate:
             if (node->child1()->prediction()) {
                 if (m_graph.negateShouldSpeculateInt32(node, m_pass))
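Review bot: The fallback branch of the new `ArithSub` case spells the result as `SpecInt32 | SpecBytecodeDouble`, while the abstract interpreter in this same commit gives the untyped result as `SpecBytecodeNumber`. If those two name the same set (the definition is not on this page), writing `changed |= mergePrediction(SpecBytecodeNumber);` would make the agreement between prediction and abstract interpretation visible at a glance. The number-speculation branch also calls `addSpeculationMode` and `addShouldSpeculateMachineInt`, helpers named for addition. A one-line comment saying they are intentionally shared with `ArithAdd` would help, since the `ArithAdd` body is mostly outside the hunk.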