Title: [197370] trunk/Source/_javascript_Core
- Revision
- 197370
- Author
- keith_mil...@apple.com
- Date
- 2016-02-29 14:45:16 -0800 (Mon, 29 Feb 2016)
Log Message
OverridesHasInstance constant folding is wrong
https://bugs.webkit.org/show_bug.cgi?id=154833
Reviewed by Filip Pizlo.
The current implementation of OverridesHasInstance constant folding
is incorrect. Since it relies on OSR exit information it has been
moved to the StrengthReductionPhase. Normally, such an optimazation would be
put in FixupPhase, however, there are a number of cases where we don't
determine an edge of OverridesHasInstance is a constant until after fixup.
Performing the optimization during StrengthReductionPhase means we can defer
our decision until later.
In the future we should consider creating a version of this optimization
that does not depend on OSR exit information and move the optimization back
to ConstantFoldingPhase.
* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (197369 => 197370)
--- trunk/Source/_javascript_Core/ChangeLog 2016-02-29 22:41:06 UTC (rev 197369)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-02-29 22:45:16 UTC (rev 197370)
@@ -1,3 +1,27 @@
+2016-02-29 Keith Miller <keith_mil...@apple.com>
+
+ OverridesHasInstance constant folding is wrong
+ https://bugs.webkit.org/show_bug.cgi?id=154833
+
+ Reviewed by Filip Pizlo.
+
+ The current implementation of OverridesHasInstance constant folding
+ is incorrect. Since it relies on OSR exit information it has been
+ moved to the StrengthReductionPhase. Normally, such an optimazation would be
+ put in FixupPhase, however, there are a number of cases where we don't
+ determine an edge of OverridesHasInstance is a constant until after fixup.
+ Performing the optimization during StrengthReductionPhase means we can defer
+ our decision until later.
+
+ In the future we should consider creating a version of this optimization
+ that does not depend on OSR exit information and move the optimization back
+ to ConstantFoldingPhase.
+
+ * dfg/DFGConstantFoldingPhase.cpp:
+ (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
+ * dfg/DFGStrengthReductionPhase.cpp:
+ (JSC::DFG::StrengthReductionPhase::handleNode):
+
2016-02-28 Filip Pizlo <fpi...@apple.com>
B3 should have global store elimination
Modified: trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp (197369 => 197370)
--- trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2016-02-29 22:41:06 UTC (rev 197369)
+++ trunk/Source/_javascript_Core/dfg/DFGConstantFoldingPhase.cpp 2016-02-29 22:45:16 UTC (rev 197370)
@@ -553,24 +553,6 @@
break;
}
- case OverridesHasInstance: {
- if (!node->child2().node()->isCellConstant())
- break;
-
- if (node->child2().node()->asCell() != m_graph.globalObjectFor(node->origin.semantic)->functionProtoHasInstanceSymbolFunction()) {
- m_graph.convertToConstant(node, jsBoolean(true));
- changed = true;
-
- } else if (!m_graph.hasExitSite(node->origin.semantic, BadTypeInfoFlags)) {
- // We optimistically assume that we will not see a function that has a custom instanceof operation as they should be rare.
- m_insertionSet.insertNode(indexInBlock, SpecNone, CheckTypeInfoFlags, node->origin, OpInfo(ImplementsDefaultHasInstance), Edge(node->child1().node(), CellUse));
- m_graph.convertToConstant(node, jsBoolean(false));
- changed = true;
- }
-
- break;
- }
-
case Check: {
alreadyHandled = true;
m_interpreter.execute(indexInBlock);
Modified: trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp (197369 => 197370)
--- trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2016-02-29 22:41:06 UTC (rev 197369)
+++ trunk/Source/_javascript_Core/dfg/DFGStrengthReductionPhase.cpp 2016-02-29 22:45:16 UTC (rev 197370)
@@ -255,6 +255,26 @@
m_changed = true;
break;
}
+
+ // FIXME: we should probably do this in constant folding but this currently relies on an OSR exit rule.
+ // https://bugs.webkit.org/show_bug.cgi?id=154832
+ case OverridesHasInstance: {
+ if (!m_node->child2().node()->isCellConstant())
+ break;
+
+ if (m_node->child2().node()->asCell() != m_graph.globalObjectFor(m_node->origin.semantic)->functionProtoHasInstanceSymbolFunction()) {
+ m_graph.convertToConstant(m_node, jsBoolean(true));
+ m_changed = true;
+
+ } else if (!m_graph.hasExitSite(m_node->origin.semantic, BadTypeInfoFlags)) {
+ // We optimistically assume that we will not see a function that has a custom instanceof operation as they should be rare.
+ m_insertionSet.insertNode(m_nodeIndex, SpecNone, CheckTypeInfoFlags, m_node->origin, OpInfo(ImplementsDefaultHasInstance), Edge(m_node->child1().node(), CellUse));
+ m_graph.convertToConstant(m_node, jsBoolean(false));
+ m_changed = true;
+ }
+
+ break;
+ }
default:
break;
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
