Changeset 230568 in webkit

Timestamp:

Apr 12, 2018 6:41:06 AM (6 years ago)

Author:

Kocsen Chung

Message:

Cherry-pick r230488. rdar://problem/39337455

DFG AI and clobberize should agree with each other
​https://bugs.webkit.org/show_bug.cgi?id=184440

Reviewed by Saam Barati.

JSTests:

Add tests for all of the bugs I fixed.

• stress/direct-arguments-out-of-bounds-change-structure.js: Added. (foo):
• stress/new-typed-array-cse-effects.js: Added. (foo):
• stress/scoped-arguments-out-of-bounds-change-structure.js: Added. (foo.theO): (foo):
• stress/string-from-char-code-change-structure-not-dead.js: Added. (foo): (i.valueOf): (weirdValue.valueOf):
• stress/string-from-char-code-change-structure.js: Added. (foo): (i.valueOf): (weirdValue.valueOf):

Source/JavaScriptCore:

One way to fix bugs involving underapproximation in AI or clobberize is to assert that they
agree with each other. That's what this patch does: it adds an assertion that AI's structure
state tracking must be equivalent to JSCell_structureID being clobbered.

One subtlety is that AI sometimes folds away structure clobbering using information that
clobberize doesn't have. So, we track this wuth special kinds of AI states (FoldedClobber and
ObservedTransitions).

This fixes a bunch of cases of AI missing clobberStructures/clobberWorld and one case of
clobberize missing a write(Heap).

This also makes some cases more precise in order to appease the assertion. Making things more
precise might make things faster, but I didn't measure it because that wasn't the goal.

• JavaScriptCore.xcodeproj/project.pbxproj:
• Sources.txt:
• dfg/DFGAbstractInterpreter.h:
• dfg/DFGAbstractInterpreterClobberState.cpp: Added. (WTF::printInternal):
• dfg/DFGAbstractInterpreterClobberState.h: Added. (JSC::DFG::mergeClobberStates):
• dfg/DFGAbstractInterpreterInlines.h: (JSC::DFG::AbstractInterpreter<AbstractStateType>::startExecuting): (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects): (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberWorld): (JSC::DFG::AbstractInterpreter<AbstractStateType>::clobberStructures): (JSC::DFG::AbstractInterpreter<AbstractStateType>::didFoldClobberStructures): (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransition): (JSC::DFG::AbstractInterpreter<AbstractStateType>::observeTransitions): (JSC::DFG::AbstractInterpreter<AbstractStateType>::setDidClobber): Deleted.
• dfg/DFGAtTailAbstractState.h: (JSC::DFG::AtTailAbstractState::setClobberState): (JSC::DFG::AtTailAbstractState::mergeClobberState): (JSC::DFG::AtTailAbstractState::setDidClobber): Deleted.
• dfg/DFGCFAPhase.cpp: (JSC::DFG::CFAPhase::performBlockCFA):
• dfg/DFGClobberSet.cpp: (JSC::DFG::writeSet):
• dfg/DFGClobberSet.h:
• dfg/DFGClobberize.h: (JSC::DFG::clobberize):
• dfg/DFGConstantFoldingPhase.cpp: (JSC::DFG::ConstantFoldingPhase::foldConstants):
• dfg/DFGInPlaceAbstractState.h: (JSC::DFG::InPlaceAbstractState::clobberState const): (JSC::DFG::InPlaceAbstractState::didClobberOrFolded const): (JSC::DFG::InPlaceAbstractState::didClobber const): (JSC::DFG::InPlaceAbstractState::setClobberState): (JSC::DFG::InPlaceAbstractState::mergeClobberState): (JSC::DFG::InPlaceAbstractState::setDidClobber): Deleted.

git-svn-id: ​https://svn.webkit.org/repository/webkit/trunk@230488 268f45cc-cd09-0410-ab3c-d52691b4dbfc

Location:

branches/safari-605-branch

Files:

• JSTests/stress/direct-arguments-out-of-bounds-change-structure.js (added)
• JSTests/stress/new-typed-array-cse-effects.js (added)
• JSTests/stress/scoped-arguments-out-of-bounds-change-structure.js (added)
• JSTests/stress/string-from-char-code-change-structure-not-dead.js (added)
• JSTests/stress/string-from-char-code-change-structure.js (added)
• Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (modified) (4 diffs)
• Source/JavaScriptCore/Sources.txt (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterClobberState.cpp (added)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterClobberState.h (added)
• Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (modified) (33 diffs)
• Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h (modified) (3 diffs)
• Source/JavaScriptCore/dfg/DFGCFAPhase.cpp (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGClobberSet.cpp (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGClobberSet.h (modified) (2 diffs)
• Source/JavaScriptCore/dfg/DFGClobberize.h (modified) (4 diffs)
• Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGFixupPhase.cpp (modified) (1 diff)
• Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h (modified) (5 diffs)
• Source/JavaScriptCore/dfg/DFGNodeType.h (modified) (1 diff)

branches/safari-605-branch/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj

@@ -343 +343 @@
                 0F5CF9841E9D537700C18692 /* AirLowerStackArgs.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5CF9831E9D537500C18692 /* AirLowerStackArgs.h */; };
                 0F5CF9891E9ED65200C18692 /* AirStackAllocation.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5CF9871E9ED64E00C18692 /* AirStackAllocation.h */; };
+                0F5E0FD8207C72730097F0DE /* DFGAbstractInterpreterClobberState.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5E0FD6207C72710097F0DE /* DFGAbstractInterpreterClobberState.h */; };
                 0F5EF91F16878F7D003E5C25 /* JITThunks.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5EF91C16878F78003E5C25 /* JITThunks.h */; settings = {ATTRIBUTES = (Private, ); }; };
                 0F5F08CF146C7633000472A9 /* UnconditionalFinalizer.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5F08CE146C762F000472A9 /* UnconditionalFinalizer.h */; settings = {ATTRIBUTES = (Private, ); }; };
@@ -2345 +2346 @@
                 0F5CF9871E9ED64E00C18692 /* AirStackAllocation.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = AirStackAllocation.h; path = b3/air/AirStackAllocation.h; sourceTree = "<group>"; };
                 0F5D085C1B8CF99D001143B4 /* DFGNodeOrigin.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGNodeOrigin.cpp; path = dfg/DFGNodeOrigin.cpp; sourceTree = "<group>"; };
+                0F5E0FD6207C72710097F0DE /* DFGAbstractInterpreterClobberState.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = DFGAbstractInterpreterClobberState.h; path = dfg/DFGAbstractInterpreterClobberState.h; sourceTree = "<group>"; };
+                0F5E0FD7207C72710097F0DE /* DFGAbstractInterpreterClobberState.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = DFGAbstractInterpreterClobberState.cpp; path = dfg/DFGAbstractInterpreterClobberState.cpp; sourceTree = "<group>"; };
                 0F5EF91B16878F78003E5C25 /* JITThunks.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITThunks.cpp; sourceTree = "<group>"; };
                 0F5EF91C16878F78003E5C25 /* JITThunks.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITThunks.h; sourceTree = "<group>"; };
@@ -7066 +7069 @@
                                 A77A423717A0BBFD00A8DB81 /* DFGAbstractHeap.h */,
                                 A704D8FE17A0BAA8006BA554 /* DFGAbstractInterpreter.h */,
+                                0F5E0FD7207C72710097F0DE /* DFGAbstractInterpreterClobberState.cpp */,
+                                0F5E0FD6207C72710097F0DE /* DFGAbstractInterpreterClobberState.h */,
                                 A704D8FF17A0BAA8006BA554 /* DFGAbstractInterpreterInlines.h */,
                                 0F55C19317276E4600CEABFD /* DFGAbstractValue.cpp */,
@@ -8160 +8165 @@
                                 8B3BF5E41E3D368B0076A87A /* AsyncGeneratorPrototype.lut.h in Headers */,
                                 8BC064961E1D845C00B2B8CA /* AsyncIteratorPrototype.h in Headers */,
+                                0F5E0FD8207C72730097F0DE /* DFGAbstractInterpreterClobberState.h in Headers */,
                                 6A38CFAA1E32B5AB0060206F /* AsyncStackTrace.h in Headers */,
                                 0F7CF9571DC125900098CC12 /* AtomicsObject.h in Headers */,

branches/safari-605-branch/Source/JavaScriptCore/Sources.txt

@@ -272 +272 @@
 
 dfg/DFGAbstractHeap.cpp
+dfg/DFGAbstractInterpreterClobberState.cpp
 dfg/DFGAbstractValue.cpp
 dfg/DFGAdaptiveInferredPropertyValueWatchpoint.cpp

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGAbstractInterpreter.h

@@ -151 +151 @@
 private:
     void clobberWorld(const CodeOrigin&, unsigned indexInBlock);
+    void didFoldClobberWorld();
     
     template<typename Functor>
@@ -156 +157 @@
     
     void clobberStructures(unsigned indexInBlock);
+    void didFoldClobberStructures();
+    
     void observeTransition(unsigned indexInBlock, RegisteredStructure from, RegisteredStructure to);
     void observeTransitions(unsigned indexInBlock, const TransitionVector&);
-    void setDidClobber();
     
     enum BooleanResult {

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -30 +30 @@
 #include "ArrayConstructor.h"
 #include "DFGAbstractInterpreter.h"
+#include "DFGAbstractInterpreterClobberState.h"
 #include "DOMJITGetterSetter.h"
 #include "DOMJITSignature.h"
@@ -97 +98 @@
     ASSERT(m_state.isValid());
     
-    m_state.setDidClobber(false);
+    m_state.setClobberState(AbstractInterpreterClobberState::NotClobbered);
 }
 
@@ -329 +330 @@
         // itself into a straight-line sequence of GetStack/PutStack.
         // https://bugs.webkit.org/show_bug.cgi?id=143071
-        clobberWorld(node->origin.semantic, clobberLimit);
+        switch (node->op()) {
+        case LoadVarargs:
+            clobberWorld(node->origin.semantic, clobberLimit);
+            break;
+        case ForwardVarargs:
+            break;
+        default:
+            DFG_CRASH(m_graph, node, "Bad opcode");
+            break;
+        }
         LoadVarargsData* data = node->loadVarargsData();
         m_state.variables().operand(data->count).setType(SpecInt32Only);
@@ -609 +619 @@
         JSValue operand = forNode(node->child1()).value();
         if (std::optional<double> number = operand.toNumberFromPrimitive()) {
+            switch (node->child1().useKind()) {
+            case Int32Use:
+            case KnownInt32Use:
+                break;
+            default:
+                didFoldClobberWorld();
+                break;
+            }
             uint32_t value = toUInt32(*number);
             setConstant(node, jsNumber(clz32(value)));
@@ -1016 +1034 @@
         JSValue operand = forNode(node->child1()).value();
         if (std::optional<double> number = operand.toNumberFromPrimitive()) {
+            if (node->child1().useKind() != DoubleRepUse)
+                didFoldClobberWorld();
+            
             double roundedValue = 0;
             if (node->op() == ArithRound)
@@ -1491 +1512 @@
     case CompareGreaterEq:
     case CompareEq: {
+        bool isClobbering = node->isBinaryUseKind(UntypedUse);
+        
+        if (isClobbering)
+            didFoldClobberWorld();
+        
         JSValue leftConst = forNode(node->child1()).value();
         JSValue rightConst = forNode(node->child2()).value();
@@ -1612 +1638 @@
         }
 
-        if (node->child1().useKind() == UntypedUse || node->child2().useKind() == UntypedUse)
+        if (isClobbering)
             clobberWorld(node->origin.semantic, clobberLimit);
         forNode(node).setType(SpecBoolean);
@@ -1699 +1725 @@
         
     case StringFromCharCode:
+        switch (node->child1().useKind()) {
+        case Int32Use:
+            break;
+        case UntypedUse:
+            clobberWorld(node->origin.semantic, clobberLimit);
+            break;
+        default:
+            DFG_CRASH(m_graph, node, "Bad use kind");
+            break;
+        }
         forNode(node).setType(m_graph, SpecString);
         break;
@@ -1759 +1795 @@
         case Array::DirectArguments:
         case Array::ScopedArguments:
+            if (node->arrayMode().isOutOfBounds())
+                clobberWorld(node->origin.semantic, clobberLimit);
             forNode(node).makeHeapTop();
             break;
@@ -2030 +2068 @@
         JSValue childConst = forNode(node->child1()).value();
         if (childConst && childConst.isNumber()) {
+            didFoldClobberWorld();
             setConstant(node, childConst);
             break;
@@ -2038 +2077 @@
         if (!(forNode(node->child1()).m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol))) {
             m_state.setFoundConstants(true);
+            didFoldClobberWorld();
             forNode(node) = forNode(node->child1());
             break;
@@ -2043 +2083 @@
         
         clobberWorld(node->origin.semantic, clobberLimit);
-        
         forNode(node).setType(m_graph, SpecHeapTop & ~SpecObject);
         break;
@@ -2051 +2090 @@
         JSValue childConst = forNode(node->child1()).value();
         if (childConst && childConst.isNumber()) {
+            didFoldClobberWorld();
             setConstant(node, childConst);
             break;
@@ -2059 +2099 @@
         if (!(forNode(node->child1()).m_type & ~SpecBytecodeNumber)) {
             m_state.setFoundConstants(true);
+            didFoldClobberWorld();
             forNode(node) = forNode(node->child1());
             break;
@@ -2102 +2143 @@
             if (2 <= radix && radix <= 36) {
                 m_state.setFoundConstants(true);
+                didFoldClobberWorld();
                 forNode(node).set(m_graph, m_graph.m_vm.stringStructure.get());
                 break;
@@ -2145 +2187 @@
 
     case Spread:
-        if (!m_graph.canDoFastSpread(node, forNode(node->child1())))
-            clobberWorld(node->origin.semantic, clobberLimit);
+        switch (node->child1()->op()) {
+        case PhantomNewArrayBuffer:
+        case PhantomCreateRest:
+            break;
+        default:
+            if (!m_graph.canDoFastSpread(node, forNode(node->child1())))
+                clobberWorld(node->origin.semantic, clobberLimit);
+            else
+                didFoldClobberWorld();
+            break;
+        }
 
         forNode(node).set(
@@ -2236 +2287 @@
         if (!(source.m_type & ~SpecObject)) {
             m_state.setFoundConstants(true);
+            if (node->op() == ToObject)
+                didFoldClobberWorld();
             destination = source;
             break;
@@ -2259 +2312 @@
     case PhantomNewArrayBuffer:
     case BottomValue:
-        m_state.setDidClobber(true); // Prevent constant folding.
         // This claims to return bottom.
         break;
@@ -2464 +2516 @@
     case GetById:
     case GetByIdFlush: {
-        if (!node->prediction()) {
-            m_state.setIsValid(false);
-            break;
-        }
-        
         AbstractValue& value = forNode(node->child1());
         if (value.m_structure.isFinite()
@@ -2488 +2535 @@
                 }
                 m_state.setFoundConstants(true);
+                didFoldClobberWorld();
                 forNode(node) = result;
                 break;
@@ -2627 +2675 @@
     case PutStructure:
         if (!forNode(node->child1()).m_structure.isClear()) {
-            if (forNode(node->child1()).m_structure.onlyStructure() == node->transition()->next)
+            if (forNode(node->child1()).m_structure.onlyStructure() == node->transition()->next) {
+                didFoldClobberStructures();
                 m_state.setFoundConstants(true);
-            else {
+            } else {
                 observeTransition(
                     clobberLimit, node->transition()->previous, node->transition()->next);
@@ -2642 +2691 @@
         // FIXME: We don't model the fact that the structureID is nuked, simply because currently
         // nobody would currently benefit from having that information. But it's a bug nonetheless.
+        if (node->op() == NukeStructureAndSetButterfly)
+            didFoldClobberStructures();
         forNode(node).clear(); // The result is not a JS value.
         break;
@@ -2741 +2792 @@
     case Arrayify: {
         if (node->arrayMode().alreadyChecked(m_graph, node, forNode(node->child1()))) {
+            didFoldClobberStructures();
             m_state.setFoundConstants(true);
             break;
@@ -2832 +2884 @@
 
             if (prototype && canFold) {
+                switch (node->child1().useKind()) {
+                case ArrayUse:
+                case FunctionUse:
+                case FinalObjectUse:
+                    break;
+                default:
+                    didFoldClobberWorld();
+                    break;
+                }
                 setConstant(node, *m_graph.freeze(prototype));
                 break;
@@ -2963 +3024 @@
         AbstractValue resultingValue;
         
+        if (node->multiPutByOffsetData().writesStructures())
+            didFoldClobberStructures();
+            
         for (unsigned i = node->multiPutByOffsetData().variants.size(); i--;) {
             const PutByIdVariant& variant = node->multiPutByOffsetData().variants[i];
@@ -3093 +3157 @@
                     m_state.setFoundConstants(true);
                 
+                didFoldClobberWorld();
                 observeTransitions(clobberLimit, transitions);
                 if (forNode(node->child1()).changeStructure(m_graph, newSet) == Contradiction)
@@ -3320 +3385 @@
                 && (radix.asNumber() == 0 || radix.asNumber() == 10)) {
                 m_state.setFoundConstants(true);
+                if (node->child1().useKind() == UntypedUse)
+                    didFoldClobberWorld();
                 forNode(node).setType(SpecInt32Only);
                 break;
@@ -3420 +3487 @@
 {
     clobberStructures(clobberLimit);
+}
+
+template<typename AbstractStateType>
+void AbstractInterpreter<AbstractStateType>::didFoldClobberWorld()
+{
+    didFoldClobberStructures();
 }
 
@@ -3455 +3528 @@
 {
     forAllValues(clobberLimit, AbstractValue::clobberStructuresFor);
-    setDidClobber();
+    m_state.mergeClobberState(AbstractInterpreterClobberState::ClobberedStructures);
+    m_state.setStructureClobberState(StructuresAreClobbered);
+}
+
+template<typename AbstractStateType>
+void AbstractInterpreter<AbstractStateType>::didFoldClobberStructures()
+{
+    m_state.mergeClobberState(AbstractInterpreterClobberState::FoldedClobber);
 }
 
@@ -3466 +3546 @@
     
     ASSERT(!from->dfgShouldWatch()); // We don't need to claim to be in a clobbered state because 'from' was never watchable (during the time we were compiling), hence no constants ever introduced into the DFG IR that ever had a watchable structure would ever have the same structure as from.
+    
+    m_state.mergeClobberState(AbstractInterpreterClobberState::ObservedTransitions);
 }
 
@@ -3472 +3554 @@
     unsigned clobberLimit, const TransitionVector& vector)
 {
+    if (vector.isEmpty())
+        return;
+    
     AbstractValue::TransitionsObserver transitionsObserver(vector);
     forAllValues(clobberLimit, transitionsObserver);
@@ -3480 +3565 @@
             ASSERT(!vector[i].previous->dfgShouldWatch());
     }
-}
-
-template<typename AbstractStateType>
-void AbstractInterpreter<AbstractStateType>::setDidClobber()
-{
-    m_state.setDidClobber(true);
-    m_state.setStructureClobberState(StructuresAreClobbered);
+
+    m_state.mergeClobberState(AbstractInterpreterClobberState::ObservedTransitions);
 }
 
@@ -3586 +3666 @@
     JSValue child = forNode(node->child1()).value();
     if (std::optional<double> number = child.toNumberFromPrimitive()) {
+        if (node->child1().useKind() != DoubleRepUse)
+            didFoldClobberWorld();
         setConstant(node, jsDoubleNumber(equivalentFunction(*number)));
         return;

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGAtTailAbstractState.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 #if ENABLE(DFG_JIT)
 
+#include "DFGAbstractInterpreterClobberState.h"
 #include "DFGAbstractValue.h"
 #include "DFGBasicBlock.h"
@@ -60 +61 @@
     StructureClobberState structureClobberState() const { return m_block->cfaStructureClobberStateAtTail; }
     
-    void setDidClobber(bool) { }
+    void setClobberState(AbstractInterpreterClobberState) { }
+    void mergeClobberState(AbstractInterpreterClobberState) { }
     void setStructureClobberState(StructureClobberState state) { RELEASE_ASSERT(state == m_block->cfaStructureClobberStateAtTail); }
     void setIsValid(bool isValid) { m_block->cfaDidFinish = isValid; }

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGCFAPhase.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2011, 2013-2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2011-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -30 +30 @@
 
 #include "DFGAbstractInterpreterInlines.h"
+#include "DFGClobberSet.h"
 #include "DFGGraph.h"
 #include "DFGInPlaceAbstractState.h"
@@ -164 +165 @@
         }
         for (unsigned i = 0; i < block->size(); ++i) {
+            Node* node = block->at(i);
             if (m_verbose) {
-                Node* node = block->at(i);
                 dataLogF("      %s @%u: ", Graph::opName(node->op()), node->index());
                 
@@ -180 +181 @@
                 break;
             }
+            
+            if (m_state.didClobberOrFolded() != writesOverlap(m_graph, node, JSCell_structureID))
+                DFG_CRASH(m_graph, node, toCString("AI-clobberize disagreement; AI says ", m_state.clobberState(), " while clobberize says ", writeSet(m_graph, node)).data());
         }
         if (m_verbose) {

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGClobberSet.cpp

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -159 +159 @@
 }
 
+ClobberSet writeSet(Graph& graph, Node* node)
+{
+    ClobberSet result;
+    addWrites(graph, node, result);
+    return result;
+}
+
 bool readsOverlap(Graph& graph, Node* node, ClobberSet& readSet)
 {

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGClobberSet.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -114 +114 @@
 void addReadsAndWrites(Graph&, Node*, ClobberSet& reads, ClobberSet& writes);
 
+ClobberSet writeSet(Graph&, Node*);
+
 bool readsOverlap(Graph&, Node*, ClobberSet&);
 bool writesOverlap(Graph&, Node*, ClobberSet&);

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGClobberize.h

@@ -954 +954 @@
             
         case Array::ArrayStorage:
+            if (node->arrayMode().isOutOfBounds()) {
+                read(World);
+                write(Heap);
+                return;
+            }
+            read(Butterfly_publicLength);
+            read(Butterfly_vectorLength);
+            read(ArrayStorageProperties);
+            write(ArrayStorageProperties);
+            if (node->arrayMode().mayStoreToHole())
+                write(Butterfly_publicLength);
+            return;
+
         case Array::SlowPutArrayStorage:
-            // Give up on life for now.
-            read(World);
-            write(Heap);
+            if (node->arrayMode().mayStoreToHole()) {
+                read(World);
+                write(Heap);
+                return;
+            }
+            read(Butterfly_publicLength);
+            read(Butterfly_vectorLength);
+            read(ArrayStorageProperties);
+            write(ArrayStorageProperties);
             return;
 
@@ -1301 +1320 @@
 
     case NewArrayWithSize:
-    case NewTypedArray:
         read(HeapObjectCount);
         write(HeapObjectCount);
         return;
+
+    case NewTypedArray:
+        switch (node->child1().useKind()) {
+        case Int32Use:
+            read(HeapObjectCount);
+            write(HeapObjectCount);
+            return;
+        case UntypedUse:
+            read(World);
+            write(Heap);
+            return;
+        default:
+            DFG_CRASH(graph, node, "Bad use kind");
+        }
+        break;
 
     case NewArrayWithSpread: {
@@ -1523 +1556 @@
         def(PureValue(node));
         return;
-        
+
     case CompareEq:
     case CompareLess:
@@ -1535 +1568 @@
         }
 
-        if (node->op() == CompareEq && node->isBinaryUseKind(ObjectUse)) {
-            def(PureValue(node));
-            return;
-        }
-        if (node->child1().useKind() == UntypedUse || node->child1().useKind() == ObjectUse
-            || node->child2().useKind() == UntypedUse || node->child2().useKind() == ObjectUse) {
+        if (node->isBinaryUseKind(UntypedUse)) {
             read(World);
             write(Heap);

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -762 +762 @@
             }
                 
+            case PhantomNewObject:
+            case PhantomNewFunction:
+            case PhantomNewGeneratorFunction:
+            case PhantomNewAsyncGeneratorFunction:
+            case PhantomNewAsyncFunction:
+            case PhantomCreateActivation:
+            case PhantomDirectArguments:
+            case PhantomClonedArguments:
+            case PhantomCreateRest:
+            case PhantomSpread:
+            case PhantomNewArrayWithSpread:
+            case PhantomNewArrayBuffer:
+            case BottomValue:
+                alreadyHandled = true;
+                break;
+
             default:
                 break;

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -686 +686 @@
             
         case StringFromCharCode:
-            if (node->child1()->shouldSpeculateInt32())
+            if (node->child1()->shouldSpeculateInt32()) {
                 fixEdge<Int32Use>(node->child1());
-            else
+                node->clearFlags(NodeMustGenerate);
+            } else
                 fixEdge<UntypedUse>(node->child1());
             break;

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGInPlaceAbstractState.h

@@ -1 +1 @@
 /*
- * Copyright (C) 2013, 2016 Apple Inc. All rights reserved.
+ * Copyright (C) 2013-2018 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28 +28 @@
 #if ENABLE(DFG_JIT)
 
+#include "DFGAbstractInterpreterClobberState.h"
 #include "DFGAbstractValue.h"
 #include "DFGBranchDirection.h"
@@ -91 +92 @@
     void reset();
     
+    AbstractInterpreterClobberState clobberState() const { return m_clobberState; }
+    
+    // Would have the last executed node clobbered things had we not found a way to fold it?
+    bool didClobberOrFolded() const { return clobberState() != AbstractInterpreterClobberState::NotClobbered; }
+    
     // Did the last executed node clobber the world?
-    bool didClobber() const { return m_didClobber; }
+    bool didClobber() const { return clobberState() == AbstractInterpreterClobberState::ClobberedStructures; }
     
     // Are structures currently clobbered?
@@ -115 +121 @@
     
     // Methods intended to be called from AbstractInterpreter.
-    void setDidClobber(bool didClobber) { m_didClobber = didClobber; }
+    void setClobberState(AbstractInterpreterClobberState state) { m_clobberState = state; }
+    void mergeClobberState(AbstractInterpreterClobberState state) { m_clobberState = mergeClobberStates(m_clobberState, state); }
     void setStructureClobberState(StructureClobberState value) { m_structureClobberState = value; }
     void setIsValid(bool isValid) { m_isValid = isValid; }
@@ -146 +153 @@
     
     bool m_isValid;
-    bool m_didClobber;
+    AbstractInterpreterClobberState m_clobberState;
     StructureClobberState m_structureClobberState;
     

branches/safari-605-branch/Source/JavaScriptCore/dfg/DFGNodeType.h

@@ -281 +281 @@
     macro(StringCharCodeAt, NodeResultInt32) \
     macro(StringCharAt, NodeResultJS) \
-    macro(StringFromCharCode, NodeResultJS) \
+    macro(StringFromCharCode, NodeResultJS | NodeMustGenerate) \
     \
     /* Nodes for comparison operations. */\