Changeset 184288 in webkit
- Timestamp:
- May 13, 2015, 10:39:02 AM (10 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 7 edited
-
ChangeLog (modified) (1 diff)
-
dfg/DFGArgumentsEliminationPhase.cpp (modified) (2 diffs)
-
dfg/DFGMayExit.cpp (modified) (1 diff)
-
dfg/DFGObjectAllocationSinkingPhase.cpp (modified) (1 diff)
-
dfg/DFGSSAConversionPhase.cpp (modified) (2 diffs)
-
dfg/DFGUseKind.h (modified) (1 diff)
-
dfg/DFGVarargsForwardingPhase.cpp (modified) (1 diff)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r184287 r184288 1 2015-05-13 Filip Pizlo <fpizlo@apple.com> 2 3 REGRESSION(r184260): arguments elimination has stopped working because of Check(UntypedUse:) from SSAConversionPhase 4 https://bugs.webkit.org/show_bug.cgi?id=144951 5 6 Reviewed by Michael Saboff. 7 8 There were two issues here: 9 10 - In r184260 we expected a small number of possible use kinds in Check nodes, and 11 UntypedUse was not one of them. That seemed like a sensible assumption because we don't 12 create Check nodes unless it's to have a check. But, SSAConversionPhase was creating a 13 Check that could have UntypedUse. I fixed this. It's cleaner for SSAConversionPhase to 14 follow the same idiom as everyone else and not create tautological checks. 15 16 - It's clearly not very robust to assume that Checks will not be used tautologically. So, 17 this changes how we validate Checks in the escape analyses. We now use willHaveCheck, 18 which catches cases that AI would have already marked as unnecessary. It then also uses 19 a new helper called alreadyChecked(), which allows us to just ask if the check is 20 unnecessary for objects. That's a good fall-back in case AI hadn't run yet. 21 22 * dfg/DFGArgumentsEliminationPhase.cpp: 23 * dfg/DFGMayExit.cpp: 24 * dfg/DFGObjectAllocationSinkingPhase.cpp: 25 (JSC::DFG::ObjectAllocationSinkingPhase::handleNode): 26 * dfg/DFGSSAConversionPhase.cpp: 27 (JSC::DFG::SSAConversionPhase::run): 28 * dfg/DFGUseKind.h: 29 (JSC::DFG::alreadyChecked): 30 * dfg/DFGVarargsForwardingPhase.cpp: 31 32 k 1 33 2015-05-13 Yusuke Suzuki <utatane.tea@gmail.com> 2 34 -
trunk/Source/JavaScriptCore/dfg/DFGArgumentsEliminationPhase.cpp
r184260 r184288 64 64 DFG_ASSERT(m_graph, nullptr, m_graph.m_form == SSA); 65 65 66 if (verbose) { 67 dataLog("Graph before arguments elimination:\n"); 68 m_graph.dump(); 69 } 70 66 71 identifyCandidates(); 67 72 if (m_candidates.isEmpty()) … … 170 175 node, 171 176 [&] (Edge edge) { 172 switch (edge.useKind()) { 173 case CellUse: 174 case ObjectUse: 175 break; 176 177 default: 178 escape(edge); 179 break; 180 } 177 if (edge.willNotHaveCheck()) 178 return; 179 180 if (alreadyChecked(edge.useKind(), SpecObject)) 181 return; 182 183 escape(edge); 181 184 }); 182 185 break; -
trunk/Source/JavaScriptCore/dfg/DFGMayExit.cpp
r183401 r184288 52 52 53 53 switch (edge.useKind()) { 54 // These are shady because nodes that have these use kinds will typically exit for 55 // unrelated reasons. For example CompareEq doesn't usually exit, but if it uses ObjectUse 56 // then it will. 54 57 case ObjectUse: 55 58 case ObjectOrOtherUse: 59 m_result = true; 60 break; 61 62 // These are shady because they check the structure even if the type of the child node 63 // passes the StringObject type filter. 56 64 case StringObjectUse: 57 65 case StringOrStringObjectUse: 58 66 m_result = true; 59 67 break; 68 60 69 default: 61 70 break; -
trunk/Source/JavaScriptCore/dfg/DFGObjectAllocationSinkingPhase.cpp
r184260 r184288 842 842 node, 843 843 [&] (Edge edge) { 844 bool ok = true; 845 846 switch (edge.useKind()) { 847 case KnownCellUse: 848 case CellUse: 849 case ObjectUse: 850 // All of our allocations will pass this. 851 break; 852 853 case FunctionUse: 854 // Function allocations will pass this. 855 if (edge->op() != NewFunction) 856 ok = false; 857 break; 858 859 default: 860 ok = false; 861 break; 862 } 863 864 if (!ok) 865 escape(edge.node()); 844 if (edge.willNotHaveCheck()) 845 return; 846 847 if (alreadyChecked(edge.useKind(), SpecObject)) 848 return; 849 850 escape(edge.node()); 866 851 }); 867 852 break; -
trunk/Source/JavaScriptCore/dfg/DFGSSAConversionPhase.cpp
r183497 r184288 277 277 case SetLocal: { 278 278 VariableAccessData* variable = node->variableAccessData(); 279 Node* child = node->child1().node(); 279 280 280 281 if (!!(node->flags() & NodeIsFlushed)) { … … 283 284 variable->local(), variable->flushFormat())); 284 285 } else 285 node-> setOpAndDefaultFlags(Check);286 node->remove(); 286 287 287 288 if (verbose) 288 dataLog("Mapping: ", variable->local(), " -> ", node->child1().node(), "\n");289 valueForOperand.operand(variable->local()) = node->child1().node();289 dataLog("Mapping: ", variable->local(), " -> ", child, "\n"); 290 valueForOperand.operand(variable->local()) = child; 290 291 break; 291 292 } -
trunk/Source/JavaScriptCore/dfg/DFGUseKind.h
r176425 r184288 214 214 } 215 215 216 // Returns true if we've already guaranteed the type 217 inline bool alreadyChecked(UseKind kind, SpeculatedType type) 218 { 219 // If the check involves the structure then we need to know more than just the type to be sure 220 // that the check is done. 221 if (usesStructure(kind)) 222 return false; 223 224 return !(type & ~typeFilterFor(kind)); 225 } 226 216 227 inline UseKind useKindForResult(NodeFlags result) 217 228 { -
trunk/Source/JavaScriptCore/dfg/DFGVarargsForwardingPhase.cpp
r184260 r184288 110 110 node, 111 111 [&] (Edge edge) { 112 switch (edge.useKind()) {113 case CellUse:114 case ObjectUse:115 if (edge == candidate)116 lastUserIndex = nodeIndex;117 break;118 default:119 sawEscape = true;120 break;121 }112 if (edge == candidate) 113 lastUserIndex = nodeIndex; 114 115 if (edge.willNotHaveCheck()) 116 return; 117 118 if (alreadyChecked(edge.useKind(), SpecObject)) 119 return; 120 121 sawEscape = true; 122 122 }); 123 123 if (sawEscape) {
Note:
See TracChangeset
for help on using the changeset viewer.
