Changeset 185941 in webkit
- Timestamp:
- Jun 24, 2015, 9:06:08 PM (10 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 4 edited
-
ChangeLog (modified) (1 diff)
-
dfg/DFGFiltrationResult.h (modified) (2 diffs)
-
dfg/DFGSpeculativeJIT32_64.cpp (modified) (3 diffs)
-
dfg/DFGSpeculativeJIT64.cpp (modified) (4 diffs)
Legend:
- Unmodified
- Added
- Removed
-
trunk/Source/JavaScriptCore/ChangeLog
r185932 r185941 1 2015-06-24 Filip Pizlo <fpizlo@apple.com> 2 3 DFG::SpeculativeJIT shouldn't use filter==Contradiction when it meant isClear 4 https://bugs.webkit.org/show_bug.cgi?id=146291 5 rdar://problem/21435366 6 7 Reviewed by Michael Saboff. 8 9 The filter() method returns Contradiction only when a value *becomes* clear. This is 10 necessary for supporting the convention that non-JSValue nodes have a bottom proved 11 type. (We should fix that convention eventually, but for now let's just be consistent 12 about it.) 13 14 * dfg/DFGFiltrationResult.h: Document the issue. 15 * dfg/DFGSpeculativeJIT32_64.cpp: Work around the issue. 16 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 17 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 18 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 19 * dfg/DFGSpeculativeJIT64.cpp: Work around the issue. 20 (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal): 21 (JSC::DFG::SpeculativeJIT::fillSpeculateInt52): 22 (JSC::DFG::SpeculativeJIT::fillSpeculateCell): 23 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean): 24 1 25 2015-06-24 Michael Saboff <msaboff@apple.com> 2 26 -
trunk/Source/JavaScriptCore/dfg/DFGFiltrationResult.h
r164424 r185941 1 1 /* 2 * Copyright (C) 2013 Apple Inc. All rights reserved.2 * Copyright (C) 2013, 2015 Apple Inc. All rights reserved. 3 3 * 4 4 * Redistribution and use in source and binary forms, with or without … … 31 31 namespace JSC { namespace DFG { 32 32 33 // Tells you if an operation that filters type (i.e. does a type check/speculation) will always 34 // exit. Formally, this means that the proven type of a value prior to the filter was not 35 // bottom (i.e. not "clear" or "SpecEmpty") but becomes bottom as a result of executing the 36 // filter. 37 // 38 // Note that per this definition, a filter will not return Contradiction if the node's proven 39 // type was already bottom. This is necessary because we have this yucky convention of using 40 // a proven type of bottom for nodes that don't hold JS values, like Phi nodes in ThreadedCPS 41 // and storage nodes. 33 42 enum FiltrationResult { 43 // Means that this operation may not always exit. 34 44 FiltrationOK, 45 46 // Means taht this operation will always exit. 35 47 Contradiction 36 48 }; -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
r185930 r185941 845 845 ASSERT(edge.useKind() != KnownInt32Use || !(value.m_type & ~SpecInt32)); 846 846 847 if (m_interpreter.filter(value, SpecInt32) == Contradiction) { 847 m_interpreter.filter(value, SpecInt32); 848 if (value.isClear()) { 848 849 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 849 850 returnFormat = DataFormatInt32; … … 972 973 ASSERT((edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)); 973 974 974 if (m_interpreter.filter(value, SpecCell) == Contradiction) { 975 m_interpreter.filter(value, SpecCell); 976 if (value.isClear()) { 975 977 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 976 978 return allocate(); … … 1054 1056 SpeculatedType type = value.m_type; 1055 1057 1056 if (m_interpreter.filter(value, SpecBoolean) == Contradiction) { 1058 m_interpreter.filter(value, SpecBoolean); 1059 if (value.isClear()) { 1057 1060 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1058 1061 return allocate(); -
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
r185930 r185941 816 816 ASSERT(edge.useKind() != KnownInt32Use || !(value.m_type & ~SpecInt32)); 817 817 818 if (m_interpreter.filter(value, SpecInt32) == Contradiction) { 818 m_interpreter.filter(value, SpecInt32); 819 if (value.isClear()) { 819 820 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 820 821 returnFormat = DataFormatInt32; … … 957 958 AbstractValue& value = m_state.forNode(edge); 958 959 959 if (m_interpreter.filter(value, SpecMachineInt) == Contradiction) { 960 m_interpreter.filter(value, SpecMachineInt); 961 if (value.isClear()) { 960 962 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 961 963 return allocate(); … … 1092 1094 ASSERT((edge.useKind() != KnownCellUse && edge.useKind() != KnownStringUse) || !(value.m_type & ~SpecCell)); 1093 1095 1094 if (m_interpreter.filter(value, SpecCell) == Contradiction) { 1096 m_interpreter.filter(value, SpecCell); 1097 if (value.isClear()) { 1095 1098 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1096 1099 return allocate(); … … 1165 1168 SpeculatedType type = value.m_type; 1166 1169 1167 if (m_interpreter.filter(value, SpecBoolean) == Contradiction) { 1170 m_interpreter.filter(value, SpecBoolean); 1171 if (value.isClear()) { 1168 1172 terminateSpeculativeExecution(Uncountable, JSValueRegs(), 0); 1169 1173 return allocate();
Note:
See TracChangeset
for help on using the changeset viewer.
