Changeset 193793 in webkit

Timestamp:

Dec 8, 2015 4:12:48 PM (8 years ago)

Author:

mark.lam@apple.com

Message:

DFG and FTL should be resilient against cases where both snippet operands are constant.
​https://bugs.webkit.org/show_bug.cgi?id=152017

Reviewed by Michael Saboff.

The DFG front end may not always constant fold cases where both operands are
constant. As a result, the DFG and FTL back ends needs to be resilient against
this when using snippet generators since the generators do not support the case
where both operands are constant. The strategy for handling this 2 const operands
case is to treat at least one of them as a variable if both are constant.

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileValueAdd):

• Also remove the case for folding 2 constant operands. It is the front end's job to do so, not the back end here.

(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithMul):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
(JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGSpeculativeJIT.cpp (modified) (8 diffs)
• ftl/FTLLowerDFGToLLVM.cpp (modified) (2 diffs)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2015-12-08  Mark Lam  <mark.lam@apple.com>
+
+        DFG and FTL should be resilient against cases where both snippet operands are constant.
+        https://bugs.webkit.org/show_bug.cgi?id=152017
+
+        Reviewed by Michael Saboff.
+
+        The DFG front end may not always constant fold cases where both operands are
+        constant.  As a result, the DFG and FTL back ends needs to be resilient against
+        this when using snippet generators since the generators do not support the case
+        where both operands are constant.  The strategy for handling this 2 const operands
+        case is to treat at least one of them as a variable if both are constant. 
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileValueAdd):
+        - Also remove the case for folding 2 constant operands.  It is the front end's
+          job to do so, not the back end here.
+
+        (JSC::DFG::SpeculativeJIT::compileArithSub):
+        (JSC::DFG::SpeculativeJIT::compileArithMul):
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileValueAdd):
+        (JSC::FTL::DFG::LowerDFGToLLVM::compileArithMul):
+
 2015-12-08  Mark Lam  <mark.lam@apple.com>
 

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

@@ -2789 +2789 @@
 void SpeculativeJIT::compileValueAdd(Node* node)
 {
-    if (isKnownNotNumber(node->child1().node()) || isKnownNotNumber(node->child2().node())) {
-        JSValueOperand left(this, node->child1());
-        JSValueOperand right(this, node->child2());
+    Edge& leftChild = node->child1();
+    Edge& rightChild = node->child2();
+
+    if (isKnownNotNumber(leftChild.node()) || isKnownNotNumber(rightChild.node())) {
+        JSValueOperand left(this, leftChild);
+        JSValueOperand right(this, rightChild);
         JSValueRegs leftRegs = left.jsValueRegs();
         JSValueRegs rightRegs = right.jsValueRegs();
@@ -2806 +2809 @@
         m_jit.exceptionCheck();
     
-        jsValueResult(resultRegs, node);
-        return;
-    }
-
-    bool leftIsConstInt32 = node->child1()->isInt32Constant();
-    bool rightIsConstInt32 = node->child2()->isInt32Constant();
-
-    // The DFG does not always fold the sum of 2 constant int operands together.
-    if (leftIsConstInt32 && rightIsConstInt32) {
-#if USE(JSVALUE64)
-        GPRTemporary result(this);
-        JSValueRegs resultRegs = JSValueRegs(result.gpr());
-#else
-        GPRTemporary resultTag(this);
-        GPRTemporary resultPayload(this);
-        JSValueRegs resultRegs = JSValueRegs(resultPayload.gpr(), resultTag.gpr());
-#endif
-        int64_t leftConst = node->child1()->asInt32();
-        int64_t rightConst = node->child2()->asInt32();
-        int64_t resultConst = leftConst + rightConst;
-        m_jit.moveValue(JSValue(resultConst), resultRegs);
         jsValueResult(resultRegs, node);
         return;
@@ -2857 +2839 @@
 #endif
 
-    SnippetOperand leftOperand(m_state.forNode(node->child1()).resultType());
-    SnippetOperand rightOperand(m_state.forNode(node->child2()).resultType());
-
-    if (leftIsConstInt32)
-        leftOperand.setConstInt32(node->child1()->asInt32());
-    if (rightIsConstInt32)
-        rightOperand.setConstInt32(node->child2()->asInt32());
+    SnippetOperand leftOperand(m_state.forNode(leftChild).resultType());
+    SnippetOperand rightOperand(m_state.forNode(rightChild).resultType());
+
+    // The snippet generator does not support both operands being constant. If the left
+    // operand is already const, we'll ignore the right operand's constness.
+    if (leftChild->isInt32Constant())
+        leftOperand.setConstInt32(leftChild->asInt32());
+    else if (rightChild->isInt32Constant())
+        rightOperand.setConstInt32(rightChild->asInt32());
 
     ASSERT(!leftOperand.isConst() || !rightOperand.isConst());
 
     if (!leftOperand.isConst()) {
-        left = JSValueOperand(this, node->child1());
+        left = JSValueOperand(this, leftChild);
         leftRegs = left->jsValueRegs();
     }
     if (!rightOperand.isConst()) {
-        right = JSValueOperand(this, node->child2());
+        right = JSValueOperand(this, rightChild);
         rightRegs = right->jsValueRegs();
     }
@@ -2887 +2871 @@
     silentSpillAllRegisters(resultRegs);
 
-    if (leftIsConstInt32) {
+    if (leftOperand.isConst()) {
         leftRegs = resultRegs;
-        int64_t leftConst = node->child1()->asInt32();
-        m_jit.moveValue(JSValue(leftConst), leftRegs);
-    } else if (rightIsConstInt32) {
+        m_jit.moveValue(leftChild->asJSValue(), leftRegs);
+    } else if (rightOperand.isConst()) {
         rightRegs = resultRegs;
-        int64_t rightConst = node->child2()->asInt32();
-        m_jit.moveValue(JSValue(rightConst), rightRegs);
+        m_jit.moveValue(rightChild->asJSValue(), rightRegs);
     }
 
@@ -3210 +3192 @@
 
     case UntypedUse: {
-        JSValueOperand left(this, node->child1());
-        JSValueOperand right(this, node->child2());
+        Edge& leftChild = node->child1();
+        Edge& rightChild = node->child2();
+
+        JSValueOperand left(this, leftChild);
+        JSValueOperand right(this, rightChild);
 
         JSValueRegs leftRegs = left.jsValueRegs();
@@ -3236 +3221 @@
 #endif
 
-        SnippetOperand leftOperand(m_state.forNode(node->child1()).resultType());
-        SnippetOperand rightOperand(m_state.forNode(node->child2()).resultType());
+        SnippetOperand leftOperand(m_state.forNode(leftChild).resultType());
+        SnippetOperand rightOperand(m_state.forNode(rightChild).resultType());
 
         JITSubGenerator gen(leftOperand, rightOperand, resultRegs, leftRegs, rightRegs,
@@ -3502 +3487 @@
         SnippetOperand rightOperand(m_state.forNode(rightChild).resultType());
 
+        // The snippet generator does not support both operands being constant. If the left
+        // operand is already const, we'll ignore the right operand's constness.
         if (leftChild->isInt32Constant())
             leftOperand.setConstInt32(leftChild->asInt32());
-        if (rightChild->isInt32Constant())
+        else if (rightChild->isInt32Constant())
             rightOperand.setConstInt32(rightChild->asInt32());
 
-        RELEASE_ASSERT(!leftOperand.isConst() || !rightOperand.isConst());
+        ASSERT(!leftOperand.isConst() || !rightOperand.isConst());
 
         if (!leftOperand.isPositiveConstInt32()) {
@@ -3532 +3519 @@
             int64_t leftConst = leftOperand.asConstInt32();
             m_jit.moveValue(JSValue(leftConst), leftRegs);
-        }
-        if (rightOperand.isPositiveConstInt32()) {
+        } else if (rightOperand.isPositiveConstInt32()) {
             rightRegs = resultRegs;
             int64_t rightConst = rightOperand.asConstInt32();

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

@@ -1528 +1528 @@
         SnippetOperand rightOperand(abstractValue(rightChild).resultType());
 
-        // The DFG does not always fold the sum of 2 constant int operands together.
         // Because the snippet does not support both operands being constant, if the left
         // operand is already a constant, we'll just pretend the right operand is not.
         if (leftChild->isInt32Constant())
             leftOperand.setConstInt32(leftChild->asInt32());
-        if (!leftOperand.isConst() && rightChild->isInt32Constant())
+        else if (rightChild->isInt32Constant())
             rightOperand.setConstInt32(rightChild->asInt32());
 
@@ -1853 +1852 @@
             SnippetOperand rightOperand(abstractValue(rightChild).resultType());
 
+            // Because the snippet does not support both operands being constant, if the left
+            // operand is already a constant, we'll just pretend the right operand is not.
             if (leftChild->isInt32Constant())
                 leftOperand.setConstInt32(leftChild->asInt32());
-            if (rightChild->isInt32Constant())
+            else if (rightChild->isInt32Constant())
                 rightOperand.setConstInt32(rightChild->asInt32());