Changeset 195488 in webkit

Timestamp:

Jan 22, 2016 3:30:07 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

We should OSR exit with Int52Overflow when we fail to make an Int52 where we expect one.
​https://bugs.webkit.org/show_bug.cgi?id=153379

Reviewed by Filip Pizlo.

In DFG::Graph::addShouldSpeculateMachineInt(), we check
!hasExitSite(add, Int52Overflow) when determining whether it's ok to speculate
that an operand is of type Int52 or not. However, the Int52Rep code that
converts a double to Int52 will OSR exit with exit kind BadType instead.
This renders the hasExitSite() check in addShouldSpeculateMachineInt() useless.
This patch fixes this by changing Int52Rep to OSR exit with exit kind
Int52Overflow instead when it fails to convert a double to an Int52.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
(JSC::DFG::SpeculativeJIT::typeCheck):
(JSC::DFG::SpeculativeJIT::usedRegisters):

• dfg/DFGSpeculativeJIT.h:

(JSC::DFG::SpeculativeJIT::needsTypeCheck):
(JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::typeCheck):
(JSC::FTL::DFG::LowerDFGToLLVM::appendTypeCheck):
(JSC::FTL::DFG::LowerDFGToLLVM::doubleToStrictInt52):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (1 diff)
• dfg/DFGSpeculativeJIT.h (modified) (3 diffs)
• dfg/DFGSpeculativeJIT64.cpp (modified) (1 diff)
• ftl/FTLLowerDFGToLLVM.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-01-22  Mark Lam  <mark.lam@apple.com>
+
+        We should OSR exit with Int52Overflow when we fail to make an Int52 where we expect one.
+        https://bugs.webkit.org/show_bug.cgi?id=153379
+
+        Reviewed by Filip Pizlo.
+
+        In DFG::Graph::addShouldSpeculateMachineInt(), we check
+        !hasExitSite(add, Int52Overflow) when determining whether it's ok to speculate
+        that an operand is of type Int52 or not.  However, the Int52Rep code that
+        converts a double to Int52 will OSR exit with exit kind BadType instead.
+        This renders the hasExitSite() check in addShouldSpeculateMachineInt() useless.
+        This patch fixes this by changing Int52Rep to OSR exit with exit kind
+        Int52Overflow instead when it fails to convert a double to an Int52.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::terminateSpeculativeExecution):
+        (JSC::DFG::SpeculativeJIT::typeCheck):
+        (JSC::DFG::SpeculativeJIT::usedRegisters):
+        * dfg/DFGSpeculativeJIT.h:
+        (JSC::DFG::SpeculativeJIT::needsTypeCheck):
+        (JSC::DFG::SpeculativeJIT::speculateStringObjectForStructure):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::typeCheck):
+        (JSC::FTL::DFG::LowerDFGToLLVM::appendTypeCheck):
+        (JSC::FTL::DFG::LowerDFGToLLVM::doubleToStrictInt52):
+
 2016-01-22  Saam barati  <sbarati@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -299 +299 @@
 }
 
-void SpeculativeJIT::typeCheck(JSValueSource source, Edge edge, SpeculatedType typesPassedThrough, MacroAssembler::Jump jumpToFail)
+void SpeculativeJIT::typeCheck(JSValueSource source, Edge edge, SpeculatedType typesPassedThrough, MacroAssembler::Jump jumpToFail, ExitKind exitKind)
 {
     ASSERT(needsTypeCheck(edge, typesPassedThrough));
     m_interpreter.filter(edge, typesPassedThrough);
-    speculationCheck(BadType, source, edge.node(), jumpToFail);
+    speculationCheck(exitKind, source, edge.node(), jumpToFail);
 }
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h

@@ -2448 +2448 @@
     // Helpers for performing type checks on an edge stored in the given registers.
     bool needsTypeCheck(Edge edge, SpeculatedType typesPassedThrough) { return m_interpreter.needsTypeCheck(edge, typesPassedThrough); }
-    void typeCheck(JSValueSource, Edge, SpeculatedType typesPassedThrough, MacroAssembler::Jump jumpToFail);
+    void typeCheck(JSValueSource, Edge, SpeculatedType typesPassedThrough, MacroAssembler::Jump jumpToFail, ExitKind = BadType);
     
     void speculateCellTypeWithoutTypeFiltering(Edge, GPRReg cellGPR, JSType);
@@ -3380 +3380 @@
 }
 
-#define DFG_TYPE_CHECK(source, edge, typesPassedThrough, jumpToFail) do { \
+#define DFG_TYPE_CHECK_WITH_EXIT_KIND(exitKind, source, edge, typesPassedThrough, jumpToFail) do { \
         JSValueSource _dtc_source = (source);                           \
         Edge _dtc_edge = (edge);                                        \
@@ -3386 +3386 @@
         if (!needsTypeCheck(_dtc_edge, _dtc_typesPassedThrough))        \
             break;                                                      \
-        typeCheck(_dtc_source, _dtc_edge, _dtc_typesPassedThrough, (jumpToFail)); \
+        typeCheck(_dtc_source, _dtc_edge, _dtc_typesPassedThrough, (jumpToFail), exitKind); \
     } while (0)
 
+#define DFG_TYPE_CHECK(source, edge, typesPassedThrough, jumpToFail) \
+    DFG_TYPE_CHECK_WITH_EXIT_KIND(BadType, source, edge, typesPassedThrough, jumpToFail)
+
 } } // namespace JSC::DFG
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

@@ -2212 +2212 @@
             callOperation(operationConvertDoubleToInt52, resultGPR, valueFPR);
             
-            DFG_TYPE_CHECK(
+            DFG_TYPE_CHECK_WITH_EXIT_KIND(Int52Overflow,
                 JSValueRegs(), node->child1(), SpecInt52AsDouble,
                 m_jit.branch64(

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -110 +110 @@
 // Using this instead of typeCheck() helps to reduce the load on LLVM, by creating
 // significantly less dead code.
-#define FTL_TYPE_CHECK(lowValue, highValue, typesPassedThrough, failCondition) do { \
+#define FTL_TYPE_CHECK_WITH_EXIT_KIND(exitKind, lowValue, highValue, typesPassedThrough, failCondition) do { \
         FormattedValue _ftc_lowValue = (lowValue);                      \
         Edge _ftc_highValue = (highValue);                              \
@@ -116 +116 @@
         if (!m_interpreter.needsTypeCheck(_ftc_highValue, _ftc_typesPassedThrough)) \
             break;                                                      \
-        typeCheck(_ftc_lowValue, _ftc_highValue, _ftc_typesPassedThrough, (failCondition)); \
+        typeCheck(_ftc_lowValue, _ftc_highValue, _ftc_typesPassedThrough, (failCondition), exitKind); \
     } while (false)
+
+#define FTL_TYPE_CHECK(lowValue, highValue, typesPassedThrough, failCondition) \
+    FTL_TYPE_CHECK_WITH_EXIT_KIND(BadType, lowValue, highValue, typesPassedThrough, failCondition)
 
 class LowerDFGToLLVM {
@@ -8975 +8978 @@
     void typeCheck(
         FormattedValue lowValue, Edge highValue, SpeculatedType typesPassedThrough,
-        LValue failCondition)
-    {
-        appendTypeCheck(lowValue, highValue, typesPassedThrough, failCondition);
+        LValue failCondition, ExitKind exitKind = BadType)
+    {
+        appendTypeCheck(lowValue, highValue, typesPassedThrough, failCondition, exitKind);
     }
     
     void appendTypeCheck(
         FormattedValue lowValue, Edge highValue, SpeculatedType typesPassedThrough,
-        LValue failCondition)
+        LValue failCondition, ExitKind exitKind)
     {
         if (!m_interpreter.needsTypeCheck(highValue, typesPassedThrough))
             return;
         ASSERT(mayHaveTypeCheck(highValue.useKind()));
-        appendOSRExit(BadType, lowValue, highValue.node(), failCondition, m_origin);
+        appendOSRExit(exitKind, lowValue, highValue.node(), failCondition, m_origin);
         m_interpreter.filter(highValue, typesPassedThrough);
     }
@@ -9400 +9403 @@
         LValue possibleResult = m_out.call(
             m_out.int64, m_out.operation(operationConvertDoubleToInt52), value);
-        FTL_TYPE_CHECK(
+        FTL_TYPE_CHECK_WITH_EXIT_KIND(Int52Overflow,
             doubleValue(value), edge, SpecInt52AsDouble,
             m_out.equal(possibleResult, m_out.constInt64(JSValue::notInt52)));