Changeset 121243 in webkit


Ignore:
Timestamp:
Jun 26, 2012 2:22:45 AM (12 years ago)
Author:
fpizlo@apple.com
Message:

New fast/js/dfg-store-unexpected-value-into-argument-and-osr-exit.html fails on 32 bit
https://bugs.webkit.org/show_bug.cgi?id=89953

Reviewed by Zoltan Herczeg.

DFG 32-bit JIT was confused about the difference between a predicted type and a
proven type. This is easy to get confused about, since a local that is predicted int32
almost always means that the local must be an int32 since speculations are hoisted to
stores to locals. But that is less likely to be the case for arguments, where there is
an additional least-upper-bounding step: any store to an argument with a weird type
may force the argument to be any type.

This patch basically duplicates the functionality in DFGSpeculativeJIT64.cpp for
GetLocal: the decision of whether to load a local as an int32 (or as an array, or as
a boolean) is made based on the AbstractValue::m_type, which is a type proof, rather
than the VariableAccessData::prediction(), which is a predicted type.

  • dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r121218 r121243  
     12012-06-26  Filip Pizlo  <fpizlo@apple.com>
     2
     3        New fast/js/dfg-store-unexpected-value-into-argument-and-osr-exit.html fails on 32 bit
     4        https://bugs.webkit.org/show_bug.cgi?id=89953
     5
     6        Reviewed by Zoltan Herczeg.
     7       
     8        DFG 32-bit JIT was confused about the difference between a predicted type and a
     9        proven type. This is easy to get confused about, since a local that is predicted int32
     10        almost always means that the local must be an int32 since speculations are hoisted to
     11        stores to locals. But that is less likely to be the case for arguments, where there is
     12        an additional least-upper-bounding step: any store to an argument with a weird type
     13        may force the argument to be any type.
     14       
     15        This patch basically duplicates the functionality in DFGSpeculativeJIT64.cpp for
     16        GetLocal: the decision of whether to load a local as an int32 (or as an array, or as
     17        a boolean) is made based on the AbstractValue::m_type, which is a type proof, rather
     18        than the VariableAccessData::prediction(), which is a predicted type.
     19
     20        * dfg/DFGSpeculativeJIT32_64.cpp:
     21        (JSC::DFG::SpeculativeJIT::compile):
     22
    1232012-06-25  Filip Pizlo  <fpizlo@apple.com>
    224

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp

    r120989 r121243  
    18921892            }
    18931893       
    1894             if (isInt32Speculation(prediction)) {
     1894            if (isInt32Speculation(value.m_type)) {
    18951895                GPRTemporary result(this);
    18961896                m_jit.load32(JITCompiler::payloadFor(node.local()), result.gpr());
     
    19041904            }
    19051905
    1906             if (isArraySpeculation(prediction)) {
     1906            if (isArraySpeculation(value.m_type)) {
    19071907                GPRTemporary result(this);
    19081908                m_jit.load32(JITCompiler::payloadFor(node.local()), result.gpr());
     
    19161916            }
    19171917
    1918             if (isBooleanSpeculation(prediction)) {
     1918            if (isBooleanSpeculation(value.m_type)) {
    19191919                GPRTemporary result(this);
    19201920                m_jit.load32(JITCompiler::payloadFor(node.local()), result.gpr());
Note: See TracChangeset for help on using the changeset viewer.