Diff
Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog (198017 => 198018)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog 2016-03-11 14:37:34 UTC (rev 198017)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ChangeLog 2016-03-11 14:45:14 UTC (rev 198018)
@@ -1,3 +1,31 @@
+2016-03-07 Benjamin Poulain <[email protected]>
+
+ [JSC] Simplify the overflow check of ArithAbs
+ https://bugs.webkit.org/show_bug.cgi?id=155063
+
+ Reviewed by Geoffrey Garen.
+
+ The only integer that overflow abs(int32) is INT_MIN.
+ For some reason, our code testing for that case
+ was checking the top bit of the result specifically.
+
+ The code required a large immediate on x86 and an extra
+ register on ARM64.
+
+ This patch turns the overflow check into a branch on
+ the sign of the result.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * dfg/DFGSpeculativeJIT64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileArithAbs):
+ * jit/ThunkGenerators.cpp:
+ (JSC::absThunkGenerator):
+ * tests/stress/arith-abs-overflow.js: Added.
+ (opaqueAbs):
+
2016-03-07 Csaba Osztrogonác <[email protected]>
Fix the ARM build after r197687
Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (198017 => 198018)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-03-11 14:37:34 UTC (rev 198017)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-03-11 14:45:14 UTC (rev 198018)
@@ -2187,7 +2187,7 @@
m_jit.rshift32(result.gpr(), MacroAssembler::TrustedImm32(31), scratch.gpr());
m_jit.add32(scratch.gpr(), result.gpr());
m_jit.xor32(scratch.gpr(), result.gpr());
- speculationCheck(Overflow, JSValueRegs(), 0, m_jit.branch32(MacroAssembler::Equal, result.gpr(), MacroAssembler::TrustedImm32(1 << 31)));
+ speculationCheck(Overflow, JSValueRegs(), 0, m_jit.branchTest32(MacroAssembler::Signed, result.gpr()));
int32Result(result.gpr(), node);
break;
}
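Review bot: The new `branchTest32(MacroAssembler::Signed, result.gpr())` matches the old INT_MIN comparison only because the shift/add/xor sequence above it leaves a non-negative value for every input except INT_MIN, and nothing at the call site records that invariant. I would add a comment on the line before the check, for example `// After the abs sequence only INT_MIN is still negative, so a set sign bit means overflow.`, so that a later change to the sequence does not silently weaken the overflow guard. The same comment fits the matching checks in the DFGSpeculativeJIT64.cpp and ThunkGenerators.cpp hunks. Separately, the check here is emitted unconditionally, while the 64-bit hunk guards it with `shouldCheckOverflow(node->arithMode())`; if that difference is intentional it deserves a word as well. The enclosing case starts outside the hunk.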
Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (198017 => 198018)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-03-11 14:37:34 UTC (rev 198017)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp 2016-03-11 14:45:14 UTC (rev 198018)
@@ -2335,7 +2335,7 @@
m_jit.add32(scratch.gpr(), result.gpr());
m_jit.xor32(scratch.gpr(), result.gpr());
if (shouldCheckOverflow(node->arithMode()))
- speculationCheck(Overflow, JSValueRegs(), 0, m_jit.branch32(MacroAssembler::Equal, result.gpr(), MacroAssembler::TrustedImm32(1 << 31)));
+ speculationCheck(Overflow, JSValueRegs(), 0, m_jit.branchTest32(MacroAssembler::Signed, result.gpr()));
int32Result(result.gpr(), node);
break;
}
Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (198017 => 198018)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-03-11 14:37:34 UTC (rev 198017)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2016-03-11 14:45:14 UTC (rev 198018)
@@ -1774,7 +1774,7 @@
LValue result = m_out.bitXor(mask, m_out.add(mask, value));
if (shouldCheckOverflow(m_node->arithMode()))
- speculate(Overflow, noValue(), 0, m_out.equal(result, m_out.constInt32(1 << 31)));
+ speculate(Overflow, noValue(), 0, m_out.lessThan(result, m_out.int32Zero));
setInt32(result);
break;
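Review bot: `m_out.lessThan(result, m_out.int32Zero)` only catches the overflow if `lessThan` is a signed comparison, which the name suggests but the hunk does not show. With an unsigned compare the speculation would never fire and abs(INT_MIN) would reach `setInt32(result)` as a negative int32. A one-line comment above the `speculate` call would pin that down, e.g. `// Signed compare: abs() leaves only INT_MIN negative.`. The surrounding case begins and ends outside the hunk.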
Modified: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/jit/ThunkGenerators.cpp (198017 => 198018)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/jit/ThunkGenerators.cpp 2016-03-11 14:37:34 UTC (rev 198017)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/jit/ThunkGenerators.cpp 2016-03-11 14:45:14 UTC (rev 198018)
@@ -910,7 +910,7 @@
jit.rshift32(SpecializedThunkJIT::regT0, MacroAssembler::TrustedImm32(31), SpecializedThunkJIT::regT1);
jit.add32(SpecializedThunkJIT::regT1, SpecializedThunkJIT::regT0);
jit.xor32(SpecializedThunkJIT::regT1, SpecializedThunkJIT::regT0);
- jit.appendFailure(jit.branch32(MacroAssembler::Equal, SpecializedThunkJIT::regT0, MacroAssembler::TrustedImm32(1 << 31)));
+ jit.appendFailure(jit.branchTest32(MacroAssembler::Signed, SpecializedThunkJIT::regT0));
jit.returnInt32(SpecializedThunkJIT::regT0);
nonIntJump.link(&jit);
// Shame about the double int conversion here.
Added: releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/tests/stress/arith-abs-overflow.js (0 => 198018)
--- releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/tests/stress/arith-abs-overflow.js (rev 0)
+++ releases/WebKitGTK/webkit-2.12/Source/_javascript_Core/tests/stress/arith-abs-overflow.js 2016-03-11 14:45:14 UTC (rev 198018)
@@ -0,0 +1,22 @@
+function opaqueAbs(value)
+{
+ return Math.abs(value);
+}
+noInline(opaqueAbs);
+
+// Warmup.
+for (let i = 0; i < 1e4; ++i) {
+ var positiveResult = opaqueAbs(i);
+ if (positiveResult !== i)
+ throw "Incorrect positive result at i = " + i + " result = " + positiveResult;
+ var negativeResult = opaqueAbs(-i);
+ if (negativeResult !== i)
+ throw "Incorrect negative result at -i = " + -i + " result = " + negativeResult;
+}
+
+// Overflow.
+for (let i = 0; i < 1e4; ++i) {
+ var overflowResult = opaqueAbs(-2147483648);
+ if (overflowResult !== 2147483648)
+ throw "Incorrect overflow result at i = " + i + " result = " + overflowResult;
+}
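Review bot: The test covers only the checked path with the single value -2147483648, so it does not show that the new sign-based check stays quiet right next to the boundary or that the unchecked arith mode still produces the wrapped value. I would add a neighbour case such as `if (opaqueAbs(-2147483647) !== 2147483647) throw "Incorrect result for INT_MIN + 1";`, plus a second helper returning `Math.abs(value) | 0` that is expected to yield -2147483648 for the same input. Whether 1e4 iterations reach the FTL tier depends on the options the stress harness runs with, so a short comment naming the tiers the test is meant to reach would help readers.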