Changeset 214240 in webkit


Ignore:
Timestamp:
Mar 21, 2017 6:55:00 PM (7 years ago)
Author:
mark.lam@apple.com
Message:

The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
https://bugs.webkit.org/show_bug.cgi?id=169933
<rdar://problem/31105125>

Reviewed by Filip Pizlo and Geoffrey Garen.

Also fixed the bit-rotted RangeKey::dump() function.

  • dfg/DFGIntegerCheckCombiningPhase.cpp:

(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):

Location:
trunk/Source/JavaScriptCore
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ChangeLog

    r214220 r214240  
     12017-03-21  Mark Lam  <mark.lam@apple.com>
     2
     3        The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
     4        https://bugs.webkit.org/show_bug.cgi?id=169933
     5        <rdar://problem/31105125>
     6
     7        Reviewed by Filip Pizlo and Geoffrey Garen.
     8
     9        Also fixed the bit-rotted RangeKey::dump() function.
     10
     11        * dfg/DFGIntegerCheckCombiningPhase.cpp:
     12        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
     13
    1142017-03-21  Csaba Osztrogonác  <ossy@webkit.org>
    215

  • trunk/Source/JavaScriptCore/dfg/DFGIntegerCheckCombiningPhase.cpp

    r210023 r214240  
    11/*
    2  * Copyright (C) 2014 Apple Inc. All rights reserved.
     2 * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    106106            break;
    107107        }
    108         out.print(m_source, ", ", m_key, ")");
     108        if (m_source)
     109            out.print(m_source);
     110        else
     111            out.print("null");
     112        out.print(", ");
     113        if (m_key)
     114            out.print(m_key);
     115        else
     116            out.print("null");
     117        out.print(")");
    109118    }
    110119   
     
    250259                   
    251260                    if (!data.m_key.m_source) {
    252                         minNode = 0;
     261                        // data.m_key.m_source being null means that we're comparing against int32 constants (see rangeKeyAndAddend()).
     262                        // Since CheckInBounds does an unsigned comparison, if the minBound >= 0, it is also covered by the
     263                        // maxBound comparison. However, if minBound < 0, then CheckInBounds should always fail its speculation check.
     264                        // We'll force an OSR exit in that case.
     265                        minNode = nullptr;
     266                        if (range.m_minBound < 0)
     267                            m_insertionSet.insertNode(nodeIndex, SpecNone, ForceOSRExit, node->origin);
    253268                        maxNode = m_insertionSet.insertConstant(
    254269                            nodeIndex, maxOrigin, jsNumber(range.m_maxBound));
Note: See TracChangeset for help on using the changeset viewer.