Changeset 127516 in webkit
- Timestamp:
- Sep 4, 2012 3:34:03 PM (12 years ago)
- Location:
- trunk/Source/JavaScriptCore
- Files:
-
- 8 edited
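--- a/trunk/Source/JavaScriptCore/ChangeLog
+++ b/trunk/Source/JavaScriptCore/ChangeLog
@@ -1,2 +1,25 @@
+2012-09-04 Sheriff Bot <webkit.review.bot@gmail.com>
+
+Unreviewed, rolling out r127503.
+http://trac.webkit.org/changeset/127503
+https://bugs.webkit.org/show_bug.cgi?id=95788
+
+broke some tests (fast/js/dfg-negative-array-index, fast/js
+/dfg-put-by-val-setter-then-get-by-val) (Requested by thorton
+on #webkit).
+
+* bytecode/DFGExitProfile.h:
+(JSC::DFG::exitKindToString):
+* dfg/DFGAbstractState.cpp:
+(JSC::DFG::AbstractState::execute):
+* dfg/DFGOperations.cpp:
+* dfg/DFGOperations.h:
+* dfg/DFGSpeculativeJIT.h:
+(JSC::DFG::SpeculativeJIT::callOperation):
+* dfg/DFGSpeculativeJIT32_64.cpp:
+(JSC::DFG::SpeculativeJIT::compile):
+* dfg/DFGSpeculativeJIT64.cpp:
+(JSC::DFG::SpeculativeJIT::compile):
+
 2012-09-04 Benjamin Poulain <bpoulain@apple.com>
 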
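--- a/trunk/Source/JavaScriptCore/bytecode/DFGExitProfile.h
+++ b/trunk/Source/JavaScriptCore/bytecode/DFGExitProfile.h
@@ -59,6 +59,4 @@
 case NegativeZero:
 return "NegativeZero";
-case OutOfBounds:
-return "OutOfBounds";
 case InadequateCoverage:
 return "InadequateCoverage";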
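--- a/trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp
@@ -854,10 +854,8 @@
 break;
 case Array::JSArray:
+case Array::JSArrayOutOfBounds:
+// FIXME: We should have more conservative handling of the out-of-bounds
+// case.
 forNode(node.child2()).filter(SpecInt32);
-forNode(nodeIndex).makeTop();
-break;
-case Array::JSArrayOutOfBounds:
-forNode(node.child2()).filter(SpecInt32);
-clobberWorld(node.codeOrigin, indexInBlock);
 forNode(nodeIndex).makeTop();
 break;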
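Review bot: The merged `case Array::JSArray:` / `case Array::JSArrayOutOfBounds:` arm no longer calls `clobberWorld(node.codeOrigin, indexInBlock)`, and the FIXME that replaces it does not say why leaving it out is acceptable. As far as this changeset shows, that holds only because both back ends now OSR-exit on an out-of-bounds index or a hole instead of calling `operationGetByValArrayInt`, so the generic `get()` (which presumably can reach accessors or the prototype chain) is never run from compiled code. If a slow-path call is reintroduced in either SpeculativeJIT, this arm would under-approximate side effects. I would state that in the comment, e.g. `// FIXME: No clobberWorld() here because the JIT exits on out-of-bounds and holes rather than calling out; restore it if a slow path is added.` The enclosing switch in AbstractState::execute starts and ends outside the hunk.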
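--- a/trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGOperations.cpp
@@ -408,13 +408,4 @@
 Identifier ident(exec, property.toString(exec)->value(exec));
 return JSValue::encode(JSValue(base).get(exec, ident));
-}
-
-EncodedJSValue DFG_OPERATION operationGetByValArrayInt(ExecState* exec, JSArray* base, int32_t index)
-{
-JSGlobalData* globalData = &exec->globalData();
-NativeCallFrameTracer tracer(globalData, exec);
-
-// Use this since we know that the value is out of bounds.
-return JSValue::encode(JSValue(base).get(exec, index));
 }
 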
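--- a/trunk/Source/JavaScriptCore/dfg/DFGOperations.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGOperations.h
@@ -63,5 +63,4 @@
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_E)(ExecState*);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EA)(ExecState*, JSArray*);
-typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_EAZ)(ExecState*, JSArray*, int32_t);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_ECC)(ExecState*, JSCell*, JSCell*);
 typedef EncodedJSValue DFG_OPERATION (*J_DFGOperation_ECI)(ExecState*, JSCell*, Identifier*);
@@ -118,5 +117,4 @@
 EncodedJSValue DFG_OPERATION operationGetByVal(ExecState*, EncodedJSValue encodedBase, EncodedJSValue encodedProperty) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationGetByValCell(ExecState*, JSCell*, EncodedJSValue encodedProperty) WTF_INTERNAL;
-EncodedJSValue DFG_OPERATION operationGetByValArrayInt(ExecState*, JSArray*, int32_t) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationGetById(ExecState*, EncodedJSValue, Identifier*) WTF_INTERNAL;
 EncodedJSValue DFG_OPERATION operationGetByIdBuildList(ExecState*, EncodedJSValue, Identifier*) WTF_INTERNAL;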
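--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.h
@@ -1199,9 +1199,4 @@
 return appendCallWithExceptionCheckSetResult(operation, result);
 }
-JITCompiler::Call callOperation(J_DFGOperation_EAZ operation, GPRReg result, GPRReg arg1, GPRReg arg2)
-{
-m_jit.setupArgumentsWithExecState(arg1, arg2);
-return appendCallWithExceptionCheckSetResult(operation, result);
-}
 JITCompiler::Call callOperation(J_DFGOperation_ESt operation, GPRReg result, Structure* structure)
 {
@@ -1485,9 +1480,4 @@
 {
 m_jit.setupArgumentsWithExecState(arg1);
-return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
-}
-JITCompiler::Call callOperation(J_DFGOperation_EAZ operation, GPRReg resultTag, GPRReg resultPayload, GPRReg arg1, GPRReg arg2)
-{
-m_jit.setupArgumentsWithExecState(arg1, arg2);
 return appendCallWithExceptionCheckSetResult(operation, resultPayload, resultTag);
 }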
trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp
r127503 r127516 2555 2555 break; 2556 2556 } 2557 case Array::JSArray: { 2557 case Array::JSArray: 2558 case Array::JSArrayOutOfBounds: { 2558 2559 SpeculateStrictInt32Operand property(this, node.child2()); 2559 2560 StorageOperand storage(this, node.child3()); … … 2570 2571 GPRReg baseReg = base.gpr(); 2571 2572 // We've already speculated that it's some kind of array, at this point. 2572 speculationCheck( OutOfBounds, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));2573 speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset()))); 2573 2574 } 2574 2575 … … 2577 2578 2578 2579 m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTag.gpr()); 2579 speculationCheck( OutOfBounds, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::Equal, resultTag.gpr(), TrustedImm32(JSValue::EmptyValueTag)));2580 speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::Equal, resultTag.gpr(), TrustedImm32(JSValue::EmptyValueTag))); 2580 2581 m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayload.gpr()); 2581 2582 2582 2583 jsValueResult(resultTag.gpr(), resultPayload.gpr(), m_compileIndex); 2583 break;2584 }2585 case Array::JSArrayOutOfBounds: {2586 SpeculateCellOperand base(this, node.child1());2587 SpeculateStrictInt32Operand property(this, node.child2());2588 StorageOperand storage(this, node.child3());2589 GPRReg propertyReg = property.gpr();2590 GPRReg storageReg = storage.gpr();2591 2592 if (!m_compileOkay)2593 return;2594 2595 GPRTemporary resultTag(this);2596 
GPRTemporary resultPayload(this);2597 GPRReg resultTagReg = resultTag.gpr();2598 GPRReg resultPayloadReg = resultPayload.gpr();2599 2600 // Check that base is an array, and that property is contained within m_vector (< m_vectorLength).2601 // If we have predicted the base to be type array, we can skip the check.2602 GPRReg baseReg = base.gpr();2603 // We've already speculated that it's some kind of array, at this point.2604 JITCompiler::Jump outOfBounds = m_jit.branch32(2605 MacroAssembler::AboveOrEqual, propertyReg,2606 MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset()));2607 2608 m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.tag)), resultTagReg);2609 JITCompiler::Jump hole = m_jit.branch32(2610 MacroAssembler::Equal, resultTag.gpr(), TrustedImm32(JSValue::EmptyValueTag));2611 m_jit.load32(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight, OBJECT_OFFSETOF(ArrayStorage, m_vector[0]) + OBJECT_OFFSETOF(JSValue, u.asBits.payload)), resultPayloadReg);2612 2613 JITCompiler::JumpList slowCases;2614 slowCases.append(outOfBounds);2615 slowCases.append(hole);2616 addSlowPathGenerator(2617 slowPathCall(2618 slowCases, this, operationGetByValArrayInt,2619 JSValueRegs(resultTagReg, resultPayloadReg),2620 baseReg, propertyReg));2621 2622 jsValueResult(resultTagReg, resultPayloadReg, m_compileIndex);2623 2584 break; 2624 2585 } -
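Review bot: With `case Array::JSArrayOutOfBounds:` folded into the JSArray arm, a site that profiling already marked as reading out of bounds is compiled with the same two `speculationCheck(Uncountable, ...)` exits, so it will presumably leave optimized code on every such access; DFGSpeculativeJIT64.cpp has the same shape. The `Uncountable` kind also suggests these exits are not recorded in the exit profile, which would hide the cause from a later recompile, and that is worth confirming. A comment at the case label would make the interim state explicit, e.g. `// FIXME: JSArrayOutOfBounds is compiled like JSArray for now; out-of-bounds and hole accesses OSR-exit.` The enclosing switch in SpeculativeJIT::compile continues outside the hunk.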
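--- a/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
+++ b/trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp
@@ -2601,22 +2601,9 @@
 // at this point.
 
-MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset()));
-if (node.arrayMode() == Array::JSArray)
-speculationCheck(OutOfBounds, JSValueRegs(), NoNode, outOfBounds);
+speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, JSArray::vectorLengthOffset())));
 
 GPRTemporary result(this);
 m_jit.loadPtr(MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::ScalePtr, OBJECT_OFFSETOF(ArrayStorage, m_vector[0])), result.gpr());
-MacroAssembler::Jump hole = m_jit.branchTestPtr(MacroAssembler::Zero, result.gpr());
-if (node.arrayMode() == Array::JSArray)
-speculationCheck(OutOfBounds, JSValueRegs(), NoNode, hole);
-else {
-MacroAssembler::JumpList slowCases;
-slowCases.append(outOfBounds);
-slowCases.append(hole);
-addSlowPathGenerator(
-slowPathCall(
-slowCases, this, operationGetByValArrayInt,
-result.gpr(), baseReg, propertyReg));
-}
+speculationCheck(Uncountable, JSValueRegs(), NoNode, m_jit.branchTestPtr(MacroAssembler::Zero, result.gpr()));
 
 jsValueResult(result.gpr(), m_compileIndex);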
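Review bot: The inline bounds `speculationCheck` that guards the `loadPtr` from `m_vector` carries no comment saying that `MacroAssembler::AboveOrEqual` is the unsigned comparison, which is what keeps a negative int32 index from reaching the `BaseIndex` load. One of the tests named in the rollout message is `fast/js/dfg-negative-array-index`, so I would document that above the check, e.g. `// Unsigned compare: rejects negative indices as well as index >= m_vectorLength.` The same check appears in DFGSpeculativeJIT32_64.cpp. The enclosing case starts outside the hunk.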