Changeset 195938 in webkit

Timestamp:

Jan 31, 2016 3:05:10 PM (8 years ago)

Author:

Yusuke Suzuki

Message:

Should not predict OtherObj for ToThis with primitive types under strict mode
​https://bugs.webkit.org/show_bug.cgi?id=153544

Reviewed by Filip Pizlo.

Currently, ToThis predicates OtherObj for primitive values.
But it's not true in strict mode.
In strict mode, ToThis does nothing on primitive values.

In this patch, we

1. fix prediction. Handles primitive types in strict mode. And we also handles StringObject.
2. convert it to Identity if the argument should be predicted as primitive types.

This optimization is important to implement Primitive.prototype.methods[1].
Otherwise, we always got BadType OSR exits.

[1]: ​https://bugs.webkit.org/show_bug.cgi?id=143889

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupToThis):

• dfg/DFGPredictionPropagationPhase.cpp:

(JSC::DFG::PredictionPropagationPhase::propagate):

• tests/stress/to-this-boolean.js: Added.

(Boolean.prototype.negate):
(Boolean.prototype.negate2):

• tests/stress/to-this-double.js: Added.

(Number.prototype.negate):

• tests/stress/to-this-int32.js: Added.

(Number.prototype.negate):

• tests/stress/to-this-int52.js: Added.

(Number.prototype.negate):

• tests/stress/to-this-number.js: Added.

(Number.prototype.negate):

• tests/stress/to-this-string.js: Added.

(String.prototype.prefix):
(String.prototype.first):
(String.prototype.second):

• tests/stress/to-this-symbol.js: Added.

(Symbol.prototype.identity):
(Symbol.prototype.identity2):

Location:

trunk/Source/JavaScriptCore

Files:

• ChangeLog (modified) (1 diff)
• dfg/DFGAbstractInterpreterInlines.h (modified) (1 diff)
• dfg/DFGConstantFoldingPhase.cpp (modified) (1 diff)
• dfg/DFGFixupPhase.cpp (modified) (2 diffs)
• dfg/DFGPredictionPropagationPhase.cpp (modified) (1 diff)
• tests/stress/to-this-boolean.js (added)
• tests/stress/to-this-double.js (added)
• tests/stress/to-this-int32.js (added)
• tests/stress/to-this-int52.js (added)
• tests/stress/to-this-number.js (added)
• tests/stress/to-this-string.js (added)
• tests/stress/to-this-symbol.js (added)

trunk/Source/JavaScriptCore/ChangeLog

@@ +1 @@
+2016-01-31  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Should not predict OtherObj for ToThis with primitive types under strict mode
+        https://bugs.webkit.org/show_bug.cgi?id=153544
+
+        Reviewed by Filip Pizlo.
+
+        Currently, ToThis predicates OtherObj for primitive values.
+        But it's not true in strict mode.
+        In strict mode, ToThis does nothing on primitive values.
+
+        In this patch, we
+
+        1. fix prediction. Handles primitive types in strict mode. And we also handles StringObject.
+        2. convert it to Identity if the argument should be predicted as primitive types.
+
+        This optimization is important to implement Primitive.prototype.methods[1].
+        Otherwise, we always got BadType OSR exits.
+
+        [1]: https://bugs.webkit.org/show_bug.cgi?id=143889
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants):
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        (JSC::DFG::FixupPhase::fixupToThis):
+        * dfg/DFGPredictionPropagationPhase.cpp:
+        (JSC::DFG::PredictionPropagationPhase::propagate):
+        * tests/stress/to-this-boolean.js: Added.
+        (Boolean.prototype.negate):
+        (Boolean.prototype.negate2):
+        * tests/stress/to-this-double.js: Added.
+        (Number.prototype.negate):
+        * tests/stress/to-this-int32.js: Added.
+        (Number.prototype.negate):
+        * tests/stress/to-this-int52.js: Added.
+        (Number.prototype.negate):
+        * tests/stress/to-this-number.js: Added.
+        (Number.prototype.negate):
+        * tests/stress/to-this-string.js: Added.
+        (String.prototype.prefix):
+        (String.prototype.first):
+        (String.prototype.second):
+        * tests/stress/to-this-symbol.js: Added.
+        (Symbol.prototype.identity):
+        (Symbol.prototype.identity2):
+
 2016-01-31  Guillaume Emont  <guijemont@igalia.com>
 

trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

@@ -1692 +1692 @@
         AbstractValue& source = forNode(node->child1());
         AbstractValue& destination = forNode(node);
-            
-        if (m_graph.executableFor(node->origin.semantic)->isStrictMode())
+
+        if (source.m_type == SpecStringObject) {
+            m_state.setFoundConstants(true);
+            destination = source;
+            break;
+        }
+
+        if (m_graph.executableFor(node->origin.semantic)->isStrictMode()) {
+            if (!(source.m_type & ~(SpecFullNumber | SpecBoolean | SpecString | SpecSymbol))) {
+                m_state.setFoundConstants(true);
+                destination = source;
+                break;
+            }
             destination.makeHeapTop();
-        else {
+        } else {
             destination = source;
             destination.merge(SpecObject);

trunk/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp

@@ -553 +553 @@
                 break;
             }
-                
+
             case Check: {
                 alreadyHandled = true;

trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

@@ -1004 +1004 @@
             
         case ToThis: {
-            ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
-
-            if (node->child1()->shouldSpeculateOther()) {
-                if (ecmaMode == StrictMode) {
-                    fixEdge<OtherUse>(node->child1());
-                    node->convertToIdentity();
-                    break;
-                }
-
-                m_insertionSet.insertNode(
-                    m_indexInBlock, SpecNone, Check, node->origin,
-                    Edge(node->child1().node(), OtherUse));
-                observeUseKindOnNode<OtherUse>(node->child1().node());
-                m_graph.convertToConstant(
-                    node, m_graph.globalThisObjectFor(node->origin.semantic));
-                break;
-            }
-            
-            if (isFinalObjectSpeculation(node->child1()->prediction())) {
-                fixEdge<FinalObjectUse>(node->child1());
-                node->convertToIdentity();
-                break;
-            }
-            
+            fixupToThis(node);
             break;
         }
@@ -1593 +1570 @@
         }
     }
+
+    void fixupToThis(Node* node)
+    {
+        ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
+
+        if (ecmaMode == StrictMode) {
+            if (node->child1()->shouldSpeculateBoolean()) {
+                fixEdge<BooleanUse>(node->child1());
+                node->convertToIdentity();
+                return;
+            }
+
+            if (node->child1()->shouldSpeculateInt32()) {
+                fixEdge<Int32Use>(node->child1());
+                node->convertToIdentity();
+                return;
+            }
+
+            if (enableInt52() && node->child1()->shouldSpeculateMachineInt()) {
+                fixEdge<Int52RepUse>(node->child1());
+                node->convertToIdentity();
+                node->setResult(NodeResultInt52);
+                return;
+            }
+
+            if (node->child1()->shouldSpeculateNumber()) {
+                fixEdge<DoubleRepUse>(node->child1());
+                node->convertToIdentity();
+                node->setResult(NodeResultDouble);
+                return;
+            }
+
+            if (node->child1()->shouldSpeculateSymbol()) {
+                fixEdge<SymbolUse>(node->child1());
+                node->convertToIdentity();
+                return;
+            }
+
+            if (node->child1()->shouldSpeculateStringIdent()) {
+                fixEdge<StringIdentUse>(node->child1());
+                node->convertToIdentity();
+                return;
+            }
+
+            if (node->child1()->shouldSpeculateString()) {
+                fixEdge<StringUse>(node->child1());
+                node->convertToIdentity();
+                return;
+            }
+        }
+
+        if (node->child1()->shouldSpeculateOther()) {
+            if (ecmaMode == StrictMode) {
+                fixEdge<OtherUse>(node->child1());
+                node->convertToIdentity();
+                return;
+            }
+
+            m_insertionSet.insertNode(
+                m_indexInBlock, SpecNone, Check, node->origin,
+                Edge(node->child1().node(), OtherUse));
+            observeUseKindOnNode<OtherUse>(node->child1().node());
+            m_graph.convertToConstant(
+                node, m_graph.globalThisObjectFor(node->origin.semantic));
+            return;
+        }
+
+        if (node->child1()->shouldSpeculateStringObject()) {
+            fixEdge<StringObjectUse>(node->child1());
+            node->convertToIdentity();
+            return;
+        }
+
+        if (isFinalObjectSpeculation(node->child1()->prediction())) {
+            fixEdge<FinalObjectUse>(node->child1());
+            node->convertToIdentity();
+            return;
+        }
+    }
     
     void fixupToPrimitive(Node* node)

trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

@@ -490 +490 @@
 
         case ToThis: {
+            // ToThis in methods for primitive types should speculate primitive types in strict mode.
+            ECMAMode ecmaMode = m_graph.executableFor(node->origin.semantic)->isStrictMode() ? StrictMode : NotStrictMode;
+            if (ecmaMode == StrictMode) {
+                if (node->child1()->shouldSpeculateBoolean()) {
+                    changed |= mergePrediction(SpecBoolean);
+                    break;
+                }
+
+                if (node->child1()->shouldSpeculateInt32()) {
+                    changed |= mergePrediction(SpecInt32);
+                    break;
+                }
+
+                if (enableInt52() && node->child1()->shouldSpeculateMachineInt()) {
+                    changed |= mergePrediction(SpecMachineInt);
+                    break;
+                }
+
+                if (node->child1()->shouldSpeculateNumber()) {
+                    changed |= mergePrediction(SpecMachineInt);
+                    break;
+                }
+
+                if (node->child1()->shouldSpeculateSymbol()) {
+                    changed |= mergePrediction(SpecSymbol);
+                    break;
+                }
+
+                if (node->child1()->shouldSpeculateStringIdent()) {
+                    changed |= mergePrediction(SpecStringIdent);
+                    break;
+                }
+
+                if (node->child1()->shouldSpeculateString()) {
+                    changed |= mergePrediction(SpecString);
+                    break;
+                }
+            } else {
+                if (node->child1()->shouldSpeculateString()) {
+                    changed |= mergePrediction(SpecStringObject);
+                    break;
+                }
+            }
+
             SpeculatedType prediction = node->child1()->prediction();
             if (prediction) {
                 if (prediction & ~SpecObject) {
-                    prediction &= SpecObject;
-                    prediction = mergeSpeculations(prediction, SpecObjectOther);
+                    // Wrapper objects are created only in sloppy mode.
+                    if (ecmaMode != StrictMode) {
+                        prediction &= SpecObject;
+                        prediction = mergeSpeculations(prediction, SpecObjectOther);
+                    }
                 }
                 changed |= mergePrediction(prediction);