Changeset 240998 in webkit
Timestamp:
Feb 5, 2019, 3:34:05 PM (6 years ago)
Author:
mark.lam@apple.com
Message:

Fix DFG's doesGC() for a few more nodes.
https://bugs.webkit.org/show_bug.cgi?id=194307
<rdar://problem/47832956>

Reviewed by Yusuke Suzuki.

Fix doesGC() for the following nodes:

NumberToStringWithValidRadixConstant:
    Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
    which can allocate a string.
    Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
    which can allocate a string.
    Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
    which can allocate a string.

RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
    memory for all kinds of objects.
RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
    RegExpObject::execInline() and RegExpObject::matchGlobal(). Both of
    these allocate memory for the match result.
RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
    calls RegExpObject's collectMatches(), which allocates an array amongst
    other objects.

StringFromCharCode:
    If the uint32 code to convert is greater than maxSingleCharacterString,
    we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
    which allocates a new string if the code is greater than maxSingleCharacterString.

Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
to use maxSingleCharacterString instead of a literal constant.

  • dfg/DFGDoesGC.cpp:
    (JSC::DFG::doesGC):
  • dfg/DFGSpeculativeJIT.cpp:
    (JSC::DFG::SpeculativeJIT::compileFromCharCode):
  • ftl/FTLLowerDFGToB3.cpp:
    (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):

Location:
trunk/Source/JavaScriptCore
Files:
4 edited

  • trunk/Source/JavaScriptCore/ChangeLog

    r240994 r240998  
     12019-02-05  Mark Lam  <mark.lam@apple.com>
     2
     3        Fix DFG's doesGC() for a few more nodes.
     4        https://bugs.webkit.org/show_bug.cgi?id=194307
     5        <rdar://problem/47832956>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        Fix doesGC() for the following nodes:
     10
     11            NumberToStringWithValidRadixConstant:
     12                Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
     13                which can allocate a string.
     14                Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
     15                which can allocate a string.
     16                Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
     17                which can allocate a string.
     18
     19            RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
     20                memory for all kinds of objects.
     21            RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
     22                RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
     23                these allocates memory for the match result.
     24            RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
     25                calls RegExpObject's collectMatches(), which allocates an array amongst
     26                other objects.
     27
     28            StringFromCharCode:
     29                If the uint32 code to convert is greater than maxSingleCharacterString,
     30                we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
     31                which allocates a new string if the code is greater than maxSingleCharacterString.
     32
     33        Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
     34        to use maxSingleCharacterString instead of a literal constant.
     35
     36        * dfg/DFGDoesGC.cpp:
     37        (JSC::DFG::doesGC):
     38        * dfg/DFGSpeculativeJIT.cpp:
     39        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
     40        * ftl/FTLLowerDFGToB3.cpp:
     41        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
     42
    1432019-02-05  Keith Rollin  <krollin@apple.com>
    244
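Review bot: Grammar nit in the new ChangeLog entry at line 23: "Both of these allocates memory" should read "Both of these allocate memory". The rest of the entry matches the code change, including the "greater than maxSingleCharacterString" wording for StringFromCharCode, which lines up with the `<=` test added in doesGC().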
  • trunk/Source/JavaScriptCore/dfg/DFGDoesGC.cpp

    r240991 r240998  
    122122    case AssertNotEmpty:
    123123    case CheckStringIdent:
    124     case RegExpExecNonGlobalOrSticky:
    125     case RegExpMatchFast:
    126     case RegExpMatchFastGlobal:
    127124    case CompareLess:
    128125    case CompareLessEq:
     
    151148    case TypeOf:
    152149    case LogicalNot:
    153     case NumberToStringWithValidRadixConstant:
    154150    case Jump:
    155151    case Branch:
     
    166162    case CPUIntrinsic:
    167163    case CheckTraps:
    168     case StringFromCharCode:
    169164    case NormalizeMapKey:
    170165    case GetMapBucket:
     
    302297    case LoadVarargs:
    303298    case NumberToStringWithRadix:
     299    case NumberToStringWithValidRadixConstant:
    304300    case PutById:
    305301    case PutByIdDirect:
     
    317313    case PutToArguments:
    318314    case RegExpExec:
     315    case RegExpExecNonGlobalOrSticky:
     316    case RegExpMatchFast:
     317    case RegExpMatchFastGlobal:
    319318    case RegExpTest:
    320319    case ResolveScope:
     
    418417        return true;
    419418
     419    case StringFromCharCode:
     420        // FIXME: Should we constant fold this case?
     421        // https://bugs.webkit.org/show_bug.cgi?id=194308
     422        if (node->child1()->isInt32Constant() && (node->child1()->asUInt32() <= maxSingleCharacterString))
     423            return false;
     424        return true;
     425
    420426    case LastNodeType:
    421427        RELEASE_ASSERT_NOT_REACHED();
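Review bot: The `return false` for a constant code at line 422 is only sound if codegen for such a constant never reaches operationStringFromCharCode(); the threshold here (`asUInt32() <= maxSingleCharacterString`) is stated the opposite way from the slow-path branches in compileFromCharCode() and compileStringFromCharCode() (`AboveOrEqual maxSingleCharacterString`), so a short comment tying this check to those branches would keep the two from drifting apart when one is edited. Worth noting in the same comment that `asUInt32()` on a negative Int32 constant yields a large unsigned value, which correctly fails the test and falls through to `return true`.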
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r240965 r240998  
    22832283
    22842284    JITCompiler::JumpList slowCases;
    2285     slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, TrustedImm32(0xff)));
     2285    slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, TrustedImm32(maxSingleCharacterString)));
    22862286    m_jit.move(TrustedImmPtr(m_jit.vm()->smallStrings.singleCharacterStrings()), smallStringsReg);
    22872287    m_jit.loadPtr(MacroAssembler::BaseIndex(smallStringsReg, propertyReg, MacroAssembler::ScalePtr, 0), scratchReg);
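Review bot: The branch at line 2285 still uses `AboveOrEqual`, so a code exactly equal to maxSingleCharacterString takes the slow path, while the new doesGC() case treats `<= maxSingleCharacterString` as non-allocating. That is consistent only because, as the ChangeLog states, jsSingleCharacterString() allocates solely for codes above maxSingleCharacterString; either change this to `Above` if singleCharacterStrings() is indexed up to and including maxSingleCharacterString, or add a comment explaining why the two thresholds differ by one. The same applies to the matching `aboveOrEqual` in the FTL change.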
  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r240965 r240998  
    67096709
    67106710        m_out.branch(
    6711             m_out.aboveOrEqual(value, m_out.constInt32(0xff)),
     6711            m_out.aboveOrEqual(value, m_out.constInt32(maxSingleCharacterString)),
    67126712            rarely(slowCase), usually(smallIntCase));
    67136713