Changeset 244079 in webkit


Ignore:
Timestamp:
Apr 9, 2019 9:06:48 AM (5 years ago)
Author:
sbarati@apple.com
Message:

Clean up Int52 code and some bugs in it
https://bugs.webkit.org/show_bug.cgi?id=196639
<rdar://problem/49515757>

Reviewed by Yusuke Suzuki.

JSTests:

  • stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.

Source/JavaScriptCore:

This patch fixes bugs in our Int52 code. The primary change in this patch is
adopting a segregated type lattice for Int52. Previously, for Int52 values,
we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
that the is outside of the int32 range.

However, this got confusing because we reused SpecInt32Only both for JSValue
representations and Int52 representations. This actually lead to some bugs.

  1. It's possible that roundtripping through Int52 representation would say

it produces the wrong type. For example, consider this program and how we
used to annotate types in AI:
a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
b: Int52Rep(@a) => m_type is SpecInt52Only
c: ValueRep(@b) => m_type is SpecAnyIntAsDouble

In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
However, the execution semantics are such that it'd actually produce a boxed
Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
mean an int value in either int32 or int52 range.

  1. AsbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it

accepted Int52 values. It was wrong in two different ways:
a: If the AbstractValue's type was SpecInt52Only, and the incoming value
was a boxed double, but represented a value in int32 range, the incoming
value would incorrectly validate as being acceptable. However, we should
have rejected this value.
b: If the AbstractValue's type was SpecInt32Only, and the incoming value
was an Int32 boxed in a double, this would not validate, even though
it should have validated.

Solving 2 was easiest if we segregated out the Int52 type into its own
lattice. This patch makes a new Int52 lattice, which is composed of
SpecInt32AsInt52 and SpecNonInt32AsInt52.

The conversion rules are now really simple.

Int52 rep => JSValue rep
SpecInt32AsInt52 => SpecInt32Only
SpecNonInt32AsInt52 => SpecAnyIntAsDouble

JSValue rep => Int52 rep
SpecInt32Only => SpecInt32AsInt52
SpecAnyIntAsDouble => SpecInt52Any

With these rules, the program in (1) will now correctly report that @c
returns SpecInt32Only | SpecAnyIntAsDouble.

  • bytecode/SpeculatedType.cpp:

(JSC::dumpSpeculation):
(JSC::speculationToAbbreviatedString):
(JSC::int52AwareSpeculationFromValue):
(JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
(JSC::speculationFromString):

  • bytecode/SpeculatedType.h:

(JSC::isInt32SpeculationForArithmetic):
(JSC::isInt32OrBooleanSpeculationForArithmetic):
(JSC::isAnyInt52Speculation):
(JSC::isIntAnyFormat):
(JSC::isInt52Speculation): Deleted.
(JSC::isAnyIntSpeculation): Deleted.

  • dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

  • dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::fixTypeForRepresentation):
(JSC::DFG::AbstractValue::checkConsistency const):

  • dfg/DFGAbstractValue.h:

(JSC::DFG::AbstractValue::isInt52Any const):
(JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupArithMul):
(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixupGetPrototypeOf):
(JSC::DFG::FixupPhase::fixupToThis):
(JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
(JSC::DFG::FixupPhase::observeUseKindOnNode):
(JSC::DFG::FixupPhase::fixIntConvertingEdge):
(JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
(JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
(JSC::DFG::FixupPhase::fixupChecksInBlock):

  • dfg/DFGGraph.h:

(JSC::DFG::Graph::addShouldSpeculateInt52):
(JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
(JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
(JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
(JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
(JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.

  • dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateInt52):
(JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.

  • dfg/DFGPredictionPropagationPhase.cpp:
  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
(JSC::DFG::SpeculativeJIT::compileArithAdd):
(JSC::DFG::SpeculativeJIT::compileArithSub):
(JSC::DFG::SpeculativeJIT::compileArithNegate):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
(JSC::DFG::SpeculativeJIT::fillSpeculateInt52):

  • dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):

  • dfg/DFGVariableAccessData.cpp:

(JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
(JSC::DFG::VariableAccessData::couldRepresentInt52Impl):

  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
(JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
(JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):

Location:
trunk
Files:
1 added
16 edited

Legend:

Unmodified
Added
Removed
  • trunk/JSTests/ChangeLog

    r244069 r244079  
     12019-04-09  Saam barati  <sbarati@apple.com>
     2
     3        Clean up Int52 code and some bugs in it
     4        https://bugs.webkit.org/show_bug.cgi?id=196639
     5        <rdar://problem/49515757>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        * stress/spec-any-int-as-double-produces-any-int52-from-int52-rep.js: Added.
     10
    1112019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
    212
  • trunk/Source/JavaScriptCore/ChangeLog

    r244069 r244079  
     12019-04-09  Saam barati  <sbarati@apple.com>
     2
     3        Clean up Int52 code and some bugs in it
     4        https://bugs.webkit.org/show_bug.cgi?id=196639
     5        <rdar://problem/49515757>
     6
     7        Reviewed by Yusuke Suzuki.
     8
     9        This patch fixes bugs in our Int52 code. The primary change in this patch is
     10        adopting a segregated type lattice for Int52. Previously, for Int52 values,
     11        we represented them with SpecInt32Only and SpecInt52Only. For an Int52,
     12        SpecInt32Only meant that the value is in int32 range. And SpecInt52Only meant
     13        that the is outside of the int32 range.
     14       
     15        However, this got confusing because we reused SpecInt32Only both for JSValue
     16        representations and Int52 representations. This actually lead to some bugs.
     17       
     18        1. It's possible that roundtripping through Int52 representation would say
     19        it produces the wrong type. For example, consider this program and how we
     20        used to annotate types in AI:
     21        a: JSConstant(10.0) => m_type is SpecAnyIntAsDouble
     22        b: Int52Rep(@a) => m_type is SpecInt52Only
     23        c: ValueRep(@b) => m_type is SpecAnyIntAsDouble
     24       
     25        In AI, for the above program, we'd say that @c produces SpecAnyIntAsDouble.
     26        However, the execution semantics are such that it'd actually produce a boxed
     27        Int32. This patch fixes the bug where we'd say that Int52Rep over SpecAnyIntAsDouble
     28        would produce SpecInt52Only. This is clearly wrong, as SpecAnyIntAsDouble can
     29        mean an int value in either int32 or int52 range.
     30       
     31        2. AsbstractValue::validateTypeAcceptingBoxedInt52 was wrong in how it
     32        accepted Int52 values. It was wrong in two different ways:
     33        a: If the AbstractValue's type was SpecInt52Only, and the incoming value
     34        was a boxed double, but represented a value in int32 range, the incoming
     35        value would incorrectly validate as being acceptable. However, we should
     36        have rejected this value.
     37        b: If the AbstractValue's type was SpecInt32Only, and the incoming value
     38        was an Int32 boxed in a double, this would not validate, even though
     39        it should have validated.
     40       
     41        Solving 2 was easiest if we segregated out the Int52 type into its own
     42        lattice. This patch makes a new Int52 lattice, which is composed of
     43        SpecInt32AsInt52 and SpecNonInt32AsInt52.
     44       
     45        The conversion rules are now really simple.
     46       
     47        Int52 rep => JSValue rep
     48        SpecInt32AsInt52 => SpecInt32Only
     49        SpecNonInt32AsInt52 => SpecAnyIntAsDouble
     50       
     51        JSValue rep => Int52 rep
     52        SpecInt32Only => SpecInt32AsInt52
     53        SpecAnyIntAsDouble => SpecInt52Any
     54       
     55        With these rules, the program in (1) will now correctly report that @c
     56        returns SpecInt32Only | SpecAnyIntAsDouble.
     57
     58        * bytecode/SpeculatedType.cpp:
     59        (JSC::dumpSpeculation):
     60        (JSC::speculationToAbbreviatedString):
     61        (JSC::int52AwareSpeculationFromValue):
     62        (JSC::leastUpperBoundOfStrictlyEquivalentSpeculations):
     63        (JSC::speculationFromString):
     64        * bytecode/SpeculatedType.h:
     65        (JSC::isInt32SpeculationForArithmetic):
     66        (JSC::isInt32OrBooleanSpeculationForArithmetic):
     67        (JSC::isAnyInt52Speculation):
     68        (JSC::isIntAnyFormat):
     69        (JSC::isInt52Speculation): Deleted.
     70        (JSC::isAnyIntSpeculation): Deleted.
     71        * dfg/DFGAbstractInterpreterInlines.h:
     72        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
     73        * dfg/DFGAbstractValue.cpp:
     74        (JSC::DFG::AbstractValue::fixTypeForRepresentation):
     75        (JSC::DFG::AbstractValue::checkConsistency const):
     76        * dfg/DFGAbstractValue.h:
     77        (JSC::DFG::AbstractValue::isInt52Any const):
     78        (JSC::DFG::AbstractValue::validateTypeAcceptingBoxedInt52 const):
     79        * dfg/DFGFixupPhase.cpp:
     80        (JSC::DFG::FixupPhase::fixupArithMul):
     81        (JSC::DFG::FixupPhase::fixupNode):
     82        (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
     83        (JSC::DFG::FixupPhase::fixupToThis):
     84        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
     85        (JSC::DFG::FixupPhase::observeUseKindOnNode):
     86        (JSC::DFG::FixupPhase::fixIntConvertingEdge):
     87        (JSC::DFG::FixupPhase::attemptToMakeIntegerAdd):
     88        (JSC::DFG::FixupPhase::fixupCompareStrictEqAndSameValue):
     89        (JSC::DFG::FixupPhase::fixupChecksInBlock):
     90        * dfg/DFGGraph.h:
     91        (JSC::DFG::Graph::addShouldSpeculateInt52):
     92        (JSC::DFG::Graph::binaryArithShouldSpeculateInt52):
     93        (JSC::DFG::Graph::unaryArithShouldSpeculateInt52):
     94        (JSC::DFG::Graph::addShouldSpeculateAnyInt): Deleted.
     95        (JSC::DFG::Graph::binaryArithShouldSpeculateAnyInt): Deleted.
     96        (JSC::DFG::Graph::unaryArithShouldSpeculateAnyInt): Deleted.
     97        * dfg/DFGNode.h:
     98        (JSC::DFG::Node::shouldSpeculateInt52):
     99        (JSC::DFG::Node::shouldSpeculateAnyInt): Deleted.
     100        * dfg/DFGPredictionPropagationPhase.cpp:
     101        * dfg/DFGSpeculativeJIT.cpp:
     102        (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
     103        (JSC::DFG::SpeculativeJIT::compileArithAdd):
     104        (JSC::DFG::SpeculativeJIT::compileArithSub):
     105        (JSC::DFG::SpeculativeJIT::compileArithNegate):
     106        * dfg/DFGSpeculativeJIT64.cpp:
     107        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
     108        (JSC::DFG::SpeculativeJIT::fillSpeculateInt52):
     109        * dfg/DFGUseKind.h:
     110        (JSC::DFG::typeFilterFor):
     111        * dfg/DFGVariableAccessData.cpp:
     112        (JSC::DFG::VariableAccessData::makePredictionForDoubleFormat):
     113        (JSC::DFG::VariableAccessData::couldRepresentInt52Impl):
     114        * ftl/FTLLowerDFGToB3.cpp:
     115        (JSC::FTL::DFG::LowerDFGToB3::compileArithAddOrSub):
     116        (JSC::FTL::DFG::LowerDFGToB3::compileArithNegate):
     117        (JSC::FTL::DFG::LowerDFGToB3::setIntTypedArrayLoadResult):
     118
    11192019-04-09  Tadeu Zagallo  <tzagallo@apple.com>
    2120
  • trunk/Source/JavaScriptCore/bytecode/SpeculatedType.cpp

    r243277 r244079  
    250250    }
    251251   
    252     if (value & SpecInt52Only)
    253         strOut.print("Int52");
     252    if (value & SpecInt32AsInt52)
     253        strOut.print("Int32AsInt52");
     254
     255    if (value & SpecNonInt32AsInt52)
     256        strOut.print("NonInt32AsInt52");
    254257       
    255258    if ((value & SpecBytecodeDouble) == SpecBytecodeDouble)
     
    344347    if (isAnyIntAsDoubleSpeculation(prediction))
    345348        return "<AnyIntAsDouble>";
    346     if (isInt52Speculation(prediction))
    347         return "<Int52>";
    348     if (isAnyIntSpeculation(prediction))
    349         return "<AnyInt>";
     349    if (prediction == SpecNonInt32AsInt52)
     350        return "<NonInt32AsInt52>";
     351    if (prediction == SpecInt32AsInt52)
     352        return "<Int32AsInt52>";
     353    if (isAnyInt52Speculation(prediction))
     354        return "<Int52Any>";
    350355    if (isDoubleSpeculation(prediction))
    351356        return "<Double>";
     
    509514    ASSERT(value.isUndefinedOrNull());
    510515    return SpecOther;
     516}
     517
     518SpeculatedType int52AwareSpeculationFromValue(JSValue value)
     519{
     520    if (!value.isAnyInt())
     521        return speculationFromValue(value);
     522
     523    int64_t intValue = value.asAnyInt();
     524    bool isI32 = static_cast<int64_t>(static_cast<int32_t>(intValue)) == intValue;
     525    if (isI32)
     526        return SpecInt32AsInt52;
     527    return SpecNonInt32AsInt52;
    511528}
    512529
     
    579596{
    580597    // SpecNonIntAsDouble includes negative zero (-0.0), which can be equal to 0 and 0.0 in the context of == and ===.
    581     if (type & (SpecAnyInt | SpecAnyIntAsDouble | SpecNonIntAsDouble))
    582         type |= (SpecAnyInt | SpecAnyIntAsDouble | SpecNonIntAsDouble);
     598    if (type & (SpecIntAnyFormat | SpecNonIntAsDouble))
     599        type |= (SpecIntAnyFormat | SpecNonIntAsDouble);
    583600
    584601    if (type & SpecString)
     
    804821    if (!strncmp(speculation, "SpecInt32Only", strlen("SpecInt32Only")))
    805822        return SpecInt32Only;
    806     if (!strncmp(speculation, "SpecInt52Only", strlen("SpecInt52Only")))
    807         return SpecInt52Only;
    808     if (!strncmp(speculation, "SpecAnyInt", strlen("SpecAnyInt")))
    809         return SpecAnyInt;
     823    if (!strncmp(speculation, "SpecInt32AsInt52", strlen("SpecInt32AsInt52")))
     824        return SpecInt32AsInt52;
     825    if (!strncmp(speculation, "SpecNonInt32AsInt52", strlen("SpecNonInt32AsInt52")))
     826        return SpecNonInt32AsInt52;
     827    if (!strncmp(speculation, "SpecInt52Any", strlen("SpecInt52Any")))
     828        return SpecInt52Any;
     829    if (!strncmp(speculation, "SpecIntAnyFormat", strlen("SpecIntAnyFormat")))
     830        return SpecIntAnyFormat;
    810831    if (!strncmp(speculation, "SpecAnyIntAsDouble", strlen("SpecAnyIntAsDouble")))
    811832        return SpecAnyIntAsDouble;
  • trunk/Source/JavaScriptCore/bytecode/SpeculatedType.h

    r243278 r244079  
    7474static const SpeculatedType SpecNonBoolInt32                      = 1ull << 29; // It's definitely an Int32 with value other than 0 or 1.
    7575static const SpeculatedType SpecInt32Only                         = SpecBoolInt32 | SpecNonBoolInt32; // It's definitely an Int32.
    76 static const SpeculatedType SpecInt52Only                         = 1ull << 30; // It's definitely an Int52 and we intend it to unbox it. It's also definitely not an Int32.
    77 static const SpeculatedType SpecAnyInt                            = SpecInt32Only | SpecInt52Only; // It's something that we can do machine int arithmetic on.
    78 static const SpeculatedType SpecAnyIntAsDouble                    = 1ull << 31; // It's definitely an Int52 and it's inside a double.
    79 static const SpeculatedType SpecNonIntAsDouble                    = 1ull << 32; // It's definitely not an Int52 but it's a real number and it's a double.
     76
     77static const SpeculatedType SpecInt32AsInt52                      = 1ull << 30; // It's an Int52 and it can fit in an int32.
     78static const SpeculatedType SpecNonInt32AsInt52                   = 1ull << 31; // It's an Int52 and it can't fit in an int32.
     79static const SpeculatedType SpecInt52Any                          = SpecInt32AsInt52 | SpecNonInt32AsInt52; // It's any kind of Int52.
     80
     81static const SpeculatedType SpecAnyIntAsDouble                    = 1ull << 32; // It's definitely an Int52 and it's inside a double.
     82static const SpeculatedType SpecNonIntAsDouble                    = 1ull << 33; // It's definitely not an Int52 but it's a real number and it's a double.
    8083static const SpeculatedType SpecDoubleReal                        = SpecNonIntAsDouble | SpecAnyIntAsDouble; // It's definitely a non-NaN double.
    81 static const SpeculatedType SpecDoublePureNaN                     = 1ull << 33; // It's definitely a NaN that is safe to tag (i.e. pure).
    82 static const SpeculatedType SpecDoubleImpureNaN                   = 1ull << 34; // It's definitely a NaN that is unsafe to tag (i.e. impure).
     84static const SpeculatedType SpecDoublePureNaN                     = 1ull << 34; // It's definitely a NaN that is safe to tag (i.e. pure).
     85static const SpeculatedType SpecDoubleImpureNaN                   = 1ull << 35; // It's definitely a NaN that is unsafe to tag (i.e. impure).
    8386static const SpeculatedType SpecDoubleNaN                         = SpecDoublePureNaN | SpecDoubleImpureNaN; // It's definitely some kind of NaN.
    8487static const SpeculatedType SpecBytecodeDouble                    = SpecDoubleReal | SpecDoublePureNaN; // It's either a non-NaN or a NaN double, but it's definitely not impure NaN.
    8588static const SpeculatedType SpecFullDouble                        = SpecDoubleReal | SpecDoubleNaN; // It's either a non-NaN or a NaN double.
    8689static const SpeculatedType SpecBytecodeRealNumber                = SpecInt32Only | SpecDoubleReal; // It's either an Int32 or a DoubleReal.
    87 static const SpeculatedType SpecFullRealNumber                    = SpecAnyInt | SpecDoubleReal; // It's either an Int32 or a DoubleReal, or a Int52.
     90static const SpeculatedType SpecFullRealNumber                    = SpecInt32Only | SpecInt52Any | SpecDoubleReal; // It's either an Int32 or a DoubleReal, or an Int52.
    8891static const SpeculatedType SpecBytecodeNumber                    = SpecInt32Only | SpecBytecodeDouble; // It's either an Int32 or a Double, and the Double cannot be an impure NaN.
    89 static const SpeculatedType SpecFullNumber                        = SpecAnyInt | SpecFullDouble; // It's either an Int32, Int52, or a Double, and the Double can be impure NaN.
    90 static const SpeculatedType SpecBoolean                           = 1ull << 35; // It's definitely a Boolean.
    91 static const SpeculatedType SpecOther                             = 1ull << 36; // It's definitely either Null or Undefined.
     92static const SpeculatedType SpecIntAnyFormat                      = SpecInt52Any | SpecInt32Only | SpecAnyIntAsDouble;
     93
     94static const SpeculatedType SpecFullNumber                        = SpecIntAnyFormat | SpecFullDouble; // It's either an Int32, Int52, or a Double, and the Double can be impure NaN.
     95static const SpeculatedType SpecBoolean                           = 1ull << 36; // It's definitely a Boolean.
     96static const SpeculatedType SpecOther                             = 1ull << 37; // It's definitely either Null or Undefined.
    9297static const SpeculatedType SpecMisc                              = SpecBoolean | SpecOther; // It's definitely either a boolean, Null, or Undefined.
    93 static const SpeculatedType SpecEmpty                             = 1ull << 37; // It's definitely an empty value marker.
    94 static const SpeculatedType SpecBigInt                            = 1ull << 38; // It's definitely a BigInt.
    95 static const SpeculatedType SpecDataViewObject                    = 1ull << 39; // It's definitely a JSDataView.
     98static const SpeculatedType SpecEmpty                             = 1ull << 38; // It's definitely an empty value marker.
     99static const SpeculatedType SpecBigInt                            = 1ull << 39; // It's definitely a BigInt.
     100static const SpeculatedType SpecDataViewObject                    = 1ull << 40; // It's definitely a JSDataView.
    96101static const SpeculatedType SpecPrimitive                         = SpecString | SpecSymbol | SpecBytecodeNumber | SpecMisc | SpecBigInt; // It's any non-Object JSValue.
    97102static const SpeculatedType SpecObject                            = SpecFinalObject | SpecArray | SpecFunction | SpecTypedArrayView | SpecDirectArguments | SpecScopedArguments | SpecStringObject | SpecRegExpObject | SpecMapObject | SpecSetObject | SpecWeakMapObject | SpecWeakSetObject | SpecProxyObject | SpecDerivedArray | SpecObjectOther | SpecDataViewObject; // Bitmask used for testing for any kind of object prediction.
     
    338343inline bool isInt32SpeculationForArithmetic(SpeculatedType value)
    339344{
    340     return !(value & (SpecFullDouble | SpecInt52Only));
     345    return !(value & (SpecFullDouble | SpecInt52Any));
    341346}
    342347
    343348inline bool isInt32OrBooleanSpeculationForArithmetic(SpeculatedType value)
    344349{
    345     return !(value & (SpecFullDouble | SpecInt52Only));
     350    return !(value & (SpecFullDouble | SpecInt52Any));
    346351}
    347352
     
    351356}
    352357
    353 inline bool isInt52Speculation(SpeculatedType value)
    354 {
    355     return value == SpecInt52Only;
    356 }
    357 
    358 inline bool isAnyIntSpeculation(SpeculatedType value)
    359 {
    360     return !!value && (value & SpecAnyInt) == value;
     358inline bool isAnyInt52Speculation(SpeculatedType value)
     359{
     360    return !!value && (value & SpecInt52Any) == value;
     361}
     362
     363inline bool isIntAnyFormat(SpeculatedType value)
     364{
     365    return !!value && (value & SpecIntAnyFormat) == value;
    361366}
    362367
     
    484489SpeculatedType speculationFromCell(JSCell*);
    485490JS_EXPORT_PRIVATE SpeculatedType speculationFromValue(JSValue);
     491// If it's an anyInt(), it'll return speculated types from the Int52 lattice.
     492// Otherwise, it'll return types from the JSValue lattice.
     493JS_EXPORT_PRIVATE SpeculatedType int52AwareSpeculationFromValue(JSValue);
    486494SpeculatedType speculationFromJSType(JSType);
    487495
  • trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h

    r244067 r244079  
    482482                    break;
    483483                }
    484                 setNonCellTypeForNode(node, SpecAnyInt);
     484                setNonCellTypeForNode(node, SpecInt52Any);
    485485                break;
    486486            }
     
    608608            break;
    609609        }
    610        
    611         setNonCellTypeForNode(node, SpecAnyInt);
     610
     611        setTypeForNode(node, forNode(node->child1()).m_type);
     612        forNode(node).fixTypeForRepresentation(m_graph, node);
    612613        break;
    613614    }
     
    668669                }
    669670            }
    670             setNonCellTypeForNode(node, SpecAnyInt);
     671            setNonCellTypeForNode(node, SpecInt52Any);
    671672            break;
    672673        case DoubleRepUse:
     
    768769                }
    769770            }
    770             setNonCellTypeForNode(node, SpecAnyInt);
     771            setNonCellTypeForNode(node, SpecInt52Any);
    771772            break;
    772773        case DoubleRepUse:
     
    831832                }
    832833            }
    833             setNonCellTypeForNode(node, SpecAnyInt);
     834            setNonCellTypeForNode(node, SpecInt52Any);
    834835            break;
    835836        case DoubleRepUse:
     
    891892                }
    892893            }
    893             setNonCellTypeForNode(node, SpecAnyInt);
     894            setNonCellTypeForNode(node, SpecInt52Any);
    894895            break;
    895896        case DoubleRepUse:
     
    21312132            if (node->shouldSpeculateInt32())
    21322133                setNonCellTypeForNode(node, SpecInt32Only);
    2133             else if (enableInt52() && node->shouldSpeculateAnyInt())
    2134                 setNonCellTypeForNode(node, SpecAnyInt);
     2134            else if (node->shouldSpeculateInt52())
     2135                setNonCellTypeForNode(node, SpecInt52Any);
    21352136            else
    21362137                setNonCellTypeForNode(node, SpecAnyIntAsDouble);
     
    38763877                setNonCellTypeForNode(node, SpecInt32Only);
    38773878            else
    3878                 setNonCellTypeForNode(node, SpecAnyInt);
     3879                setNonCellTypeForNode(node, SpecInt52Any);
    38793880        }
    38803881        break;
  • trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.cpp

    r242990 r244079  
    135135                m_value = jsDoubleNumber(m_value.asNumber());
    136136        }
    137         if (m_type & SpecAnyInt) {
    138             m_type &= ~SpecAnyInt;
     137        if (m_type & SpecIntAnyFormat) {
     138            m_type &= ~SpecIntAnyFormat;
    139139            m_type |= SpecAnyIntAsDouble;
    140140        }
     
    143143    } else if (representation == NodeResultInt52) {
    144144        if (m_type & SpecAnyIntAsDouble) {
     145            // AnyIntAsDouble can produce i32 or i52. SpecAnyIntAsDouble doesn't bound the magnitude of the value.
    145146            m_type &= ~SpecAnyIntAsDouble;
    146             m_type |= SpecInt52Only;
    147         }
    148         if (m_type & ~SpecAnyInt)
    149             DFG_CRASH(graph, node, toCString("Abstract value ", *this, " for int52 node has type outside SpecAnyInt.\n").data());
     147            m_type |= SpecInt52Any;
     148        }
     149
     150        if (m_type & SpecInt32Only) {
     151            m_type &= ~SpecInt32Only;
     152            m_type |= SpecInt32AsInt52;
     153        }
     154
     155        if (m_type & ~SpecInt52Any)
     156            DFG_CRASH(graph, node, toCString("Abstract value ", *this, " for int52 node has type outside SpecInt52Any.\n").data());
     157
     158        if (m_value) {
     159            DFG_ASSERT(graph, node, m_value.isAnyInt());
     160            m_type = int52AwareSpeculationFromValue(m_value);
     161        }
    150162    } else {
    151         if (m_type & SpecInt52Only) {
    152             m_type &= ~SpecInt52Only;
     163        if (m_type & SpecInt32AsInt52) {
     164            m_type &= ~SpecInt32AsInt52;
     165            m_type |= SpecInt32Only;
     166        }
     167        if (m_type & SpecNonInt32AsInt52) {
     168            m_type &= ~SpecNonInt32AsInt52;
    153169            m_type |= SpecAnyIntAsDouble;
    154170        }
     
    416432{
    417433    if (!(m_type & SpecCell)) {
    418         ASSERT(m_structure.isClear());
    419         ASSERT(!m_arrayModes);
     434        RELEASE_ASSERT(m_structure.isClear());
     435        RELEASE_ASSERT(!m_arrayModes);
    420436    }
    421437   
    422438    if (isClear())
    423         ASSERT(!m_value);
    424    
    425     if (!!m_value) {
    426         SpeculatedType type = m_type;
    427         // This relaxes the assertion below a bit, since we don't know the representation of the
    428         // node.
    429         if (type & SpecInt52Only)
    430             type |= SpecAnyIntAsDouble;
    431         ASSERT(mergeSpeculations(type, speculationFromValue(m_value)) == type);
    432     }
    433    
     439        RELEASE_ASSERT(!m_value);
     440   
     441    if (m_type & SpecInt52Any) {
     442        if (m_type != SpecFullTop)
     443            RELEASE_ASSERT(isAnyInt52Speculation(m_type));
     444    }
     445
     446    if (!!m_value)
     447        RELEASE_ASSERT(validateTypeAcceptingBoxedInt52(m_value));
     448
    434449    // Note that it's possible for a prediction like (Final, []). This really means that
    435450    // the value is bottom and that any code that uses the value is unreachable. But
     
    442457    m_structure.assertIsRegistered(graph);
    443458}
    444 #endif
     459#endif // !ASSERT_DISABLED
    445460
    446461ResultType AbstractValue::resultType() const
  • trunk/Source/JavaScriptCore/dfg/DFGAbstractValue.h

    r243278 r244079  
    202202        return !m_value && m_type;
    203203    }
     204
     205    bool isInt52Any() const
     206    {
     207        return !(m_type & ~SpecInt52Any);
     208    }
    204209   
    205210    JSValue value() const
     
    507512    bool validateTypeAcceptingBoxedInt52(JSValue value) const
    508513    {
    509         if (isHeapTop())
     514        if (isBytecodeTop())
    510515            return true;
    511516       
    512         // Constant folding always represents Int52's in a double (i.e. AnyIntAsDouble).
    513         // So speculationFromValue(value) for an Int52 value will return AnyIntAsDouble,
    514         // and that's fine - the type validates just fine.
    515         SpeculatedType type = m_type;
    516         if (type & SpecInt52Only)
    517             type |= SpecAnyIntAsDouble;
    518        
    519         if (mergeSpeculations(type, speculationFromValue(value)) != type)
     517        if (m_type & SpecInt52Any) {
     518            ASSERT(!(m_type & ~SpecInt52Any));
     519
     520            if (mergeSpeculations(m_type, int52AwareSpeculationFromValue(value)) != m_type)
     521                return false;
     522            return true;
     523        }
     524
     525        if (mergeSpeculations(m_type, speculationFromValue(value)) != m_type)
    520526            return false;
    521        
    522         if (value.isEmpty()) {
    523             ASSERT(m_type & SpecEmpty);
    524             return true;
    525         }
    526527       
    527528        return true;
  • trunk/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

    r244067 r244079  
    127127            return;
    128128        }
    129         if (m_graph.binaryArithShouldSpeculateAnyInt(node, FixupPass)) {
     129        if (m_graph.binaryArithShouldSpeculateInt52(node, FixupPass)) {
    130130            fixEdge<Int52RepUse>(leftChild);
    131131            fixEdge<Int52RepUse>(rightChild);
     
    327327            }
    328328           
    329             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
     329            if (m_graph.unaryArithShouldSpeculateInt52(node, FixupPass)) {
    330330                node->setOp(ArithNegate);
    331331                fixEdge<Int52RepUse>(node->child1());
     
    451451                break;
    452452            }
    453             if (m_graph.unaryArithShouldSpeculateAnyInt(node, FixupPass)) {
     453            if (m_graph.unaryArithShouldSpeculateInt52(node, FixupPass)) {
    454454                fixEdge<Int52RepUse>(node->child1());
    455455                if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
     
    682682                break;
    683683            }
    684             if (enableInt52()
    685                 && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
     684            if (Node::shouldSpeculateInt52(node->child1().node(), node->child2().node())) {
    686685                fixEdge<Int52RepUse>(node->child1());
    687686                fixEdge<Int52RepUse>(node->child2());
     
    937936                if (node->shouldSpeculateInt32())
    938937                    break;
    939                 if (node->shouldSpeculateAnyInt() && enableInt52())
     938                if (node->shouldSpeculateInt52())
    940939                    node->setResult(NodeResultInt52);
    941940                else
     
    10161015                if (child3->shouldSpeculateInt32())
    10171016                    fixIntOrBooleanEdge(child3);
    1018                 else if (child3->shouldSpeculateAnyInt())
     1017                else if (child3->shouldSpeculateInt52())
    10191018                    fixEdge<Int52RepUse>(child3);
    10201019                else
     
    10611060                // conversions.
    10621061                if (!child->shouldSpeculateInt32()
    1063                     && !child->shouldSpeculateAnyInt()
     1062                    && !child->shouldSpeculateInt52()
    10641063                    && !(child->shouldSpeculateNumberOrBoolean() && m_graph.m_plan.isFTL()))
    10651064                    badNews = true;
     
    10821081                if (child->shouldSpeculateInt32())
    10831082                    fixIntOrBooleanEdge(child);
    1084                 else if (child->shouldSpeculateAnyInt())
     1083                else if (child->shouldSpeculateInt52())
    10851084                    fixEdge<Int52RepUse>(child);
    10861085                else {
     
    10961095            if (node->arrayMode().type() == Array::Uint32Array) {
    10971096                // NOTE: This means basically always doing Int52.
    1098                 if (node->shouldSpeculateAnyInt() && enableInt52())
     1097                if (node->shouldSpeculateInt52())
    10991098                    node->setResult(NodeResultInt52);
    11001099                else
     
    15201519                        }
    15211520
    1522                         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
     1521                        if (node->child1()->shouldSpeculateInt52()) {
    15231522                            insertCheck<Int52RepUse>(node->child1().node());
    15241523                            m_graph.convertToConstant(node, m_graph.freeze(globalObject->numberProtoToStringFunction()));
     
    21812180            if (node->child1()->shouldSpeculateInt32())
    21822181                fixEdge<Int32Use>(node->child1());
    2183             else if (enableInt52() && node->child1()->shouldSpeculateAnyInt())
     2182            else if (node->child1()->shouldSpeculateInt52())
    21842183                fixEdge<Int52RepUse>(node->child1());
    21852184            else
     
    26152614                return;
    26162615            }
    2617             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
     2616            if (node->child1()->shouldSpeculateInt52()) {
    26182617                insertCheck<Int52RepUse>(node->child1().node());
    26192618                m_graph.convertToConstant(node, m_graph.freeze(m_graph.globalObjectFor(node->origin.semantic)->numberPrototype()));
     
    26712670            }
    26722671
    2673             if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
     2672            if (node->child1()->shouldSpeculateInt52()) {
    26742673                fixEdge<Int52RepUse>(node->child1());
    26752674                node->convertToIdentity();
     
    29052904        }
    29062905
    2907         if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
     2906        if (node->child1()->shouldSpeculateInt52()) {
    29082907            fixEdge<Int52RepUse>(node->child1());
    29092908            node->clearFlags(NodeMustGenerate);
     
    32263225            break;
    32273226        case Int52RepUse:
    3228             if (isAnyIntSpeculation(variable->prediction()))
     3227            if (isAnyInt52Speculation(variable->prediction()))
    32293228                m_profitabilityChanged |= variable->mergeIsProfitableToUnbox(true);
    32303229            break;
     
    33173316       
    33183317        UseKind useKind;
    3319         if (node->shouldSpeculateAnyInt())
     3318        if (node->shouldSpeculateInt52())
    33203319            useKind = Int52RepUse;
    33213320        else if (node->shouldSpeculateNumber())
     
    34143413        }
    34153414       
    3416         if (m_graph.addShouldSpeculateAnyInt(node)) {
     3415        if (m_graph.addShouldSpeculateInt52(node)) {
    34173416            fixEdge<Int52RepUse>(node->child1());
    34183417            fixEdge<Int52RepUse>(node->child2());
     
    37333732            return;
    37343733        }
    3735         if (enableInt52()
    3736             && Node::shouldSpeculateAnyInt(node->child1().node(), node->child2().node())) {
     3734        if (Node::shouldSpeculateInt52(node->child1().node(), node->child2().node())) {
    37373735            fixEdge<Int52RepUse>(node->child1());
    37383736            fixEdge<Int52RepUse>(node->child2());
     
    39743972                        if (edge->isAnyIntConstant()) {
    39753973                            result = m_insertionSet.insertNode(
    3976                                 indexForChecks, SpecAnyInt, Int52Constant, originForChecks,
     3974                                indexForChecks, SpecInt52Any, Int52Constant, originForChecks,
    39773975                                OpInfo(edge->constant()));
    39783976                        } else if (edge->hasDoubleResult()) {
    39793977                            result = m_insertionSet.insertNode(
    3980                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
     3978                                indexForChecks, SpecInt52Any, Int52Rep, originForChecks,
    39813979                                Edge(edge.node(), DoubleRepAnyIntUse));
    39823980                        } else if (edge->shouldSpeculateInt32ForArithmetic()) {
     
    39863984                        } else {
    39873985                            result = m_insertionSet.insertNode(
    3988                                 indexForChecks, SpecAnyInt, Int52Rep, originForChecks,
     3986                                indexForChecks, SpecInt52Any, Int52Rep, originForChecks,
    39893987                                Edge(edge.node(), AnyIntUse));
    39903988                        }
  • trunk/Source/JavaScriptCore/dfg/DFGGraph.h

    r243232 r244079  
    285285    }
    286286   
    287     bool addShouldSpeculateAnyInt(Node* add)
     287    bool addShouldSpeculateInt52(Node* add)
    288288    {
    289289        if (!enableInt52())
     
    296296            return false;
    297297
    298         if (Node::shouldSpeculateAnyInt(left, right))
     298        if (Node::shouldSpeculateInt52(left, right))
    299299            return true;
    300300
    301         auto shouldSpeculateAnyIntForAdd = [](Node* node) {
    302             auto isAnyIntSpeculationForAdd = [](SpeculatedType value) {
    303                 return !!value && (value & (SpecAnyInt | SpecAnyIntAsDouble)) == value;
    304             };
    305 
     301        auto shouldSpeculateInt52ForAdd = [] (Node* node) {
    306302            // When DoubleConstant node appears, it means that users explicitly write a constant in their code with double form instead of integer form (1.0 instead of 1).
    307303            // In that case, we should honor this decision: using it as integer is not appropriate.
    308304            if (node->op() == DoubleConstant)
    309305                return false;
    310             return isAnyIntSpeculationForAdd(node->prediction());
     306            return isIntAnyFormat(node->prediction());
    311307        };
    312308
    313         // Allow AnyInt ArithAdd only when the one side of the binary operation should be speculated AnyInt. It is a bit conservative
     309        // Allow Int52 ArithAdd only when the one side of the binary operation should be speculated Int52. It is a bit conservative
    314310        // decision. This is because Double to Int52 conversion is not so cheap. Frequent back-and-forth conversions between Double and Int52
    315311        // rather hurt the performance. If the one side of the operation is already Int52, the cost for constructing ArithAdd becomes
    316312        // cheap since only one Double to Int52 conversion could be required.
    317313        // This recovers some regression in assorted tests while keeping kraken crypto improvements.
    318         if (!left->shouldSpeculateAnyInt() && !right->shouldSpeculateAnyInt())
     314        if (!left->shouldSpeculateInt52() && !right->shouldSpeculateInt52())
    319315            return false;
    320316
     
    330326            return false;
    331327
    332         return shouldSpeculateAnyIntForAdd(left) && shouldSpeculateAnyIntForAdd(right);
     328        return shouldSpeculateInt52ForAdd(left) && shouldSpeculateInt52ForAdd(right);
    333329    }
    334330   
     
    342338    }
    343339   
    344     bool binaryArithShouldSpeculateAnyInt(Node* node, PredictionPass pass)
     340    bool binaryArithShouldSpeculateInt52(Node* node, PredictionPass pass)
    345341    {
    346342        if (!enableInt52())
     
    350346        Node* right = node->child2().node();
    351347
    352         return Node::shouldSpeculateAnyInt(left, right)
     348        return Node::shouldSpeculateInt52(left, right)
    353349            && node->canSpeculateInt52(pass)
    354350            && !hasExitSite(node, Int52Overflow);
     
    361357    }
    362358   
    363     bool unaryArithShouldSpeculateAnyInt(Node* node, PredictionPass pass)
     359    bool unaryArithShouldSpeculateInt52(Node* node, PredictionPass pass)
    364360    {
    365361        if (!enableInt52())
    366362            return false;
    367         return node->child1()->shouldSpeculateAnyInt()
     363        return node->child1()->shouldSpeculateInt52()
    368364            && node->canSpeculateInt52(pass)
    369365            && !hasExitSite(node, Int52Overflow);
  • trunk/Source/JavaScriptCore/dfg/DFGNode.h

    r243448 r244079  
    23472347    }
    23482348   
    2349     bool shouldSpeculateAnyInt()
    2350     {
    2351         return isAnyIntSpeculation(prediction());
     2349    bool shouldSpeculateInt52()
     2350    {
     2351        return enableInt52() && isAnyInt52Speculation(prediction());
    23522352    }
    23532353   
     
    26102610    }
    26112611   
    2612     static bool shouldSpeculateAnyInt(Node* op1, Node* op2)
    2613     {
    2614         return op1->shouldSpeculateAnyInt() && op2->shouldSpeculateAnyInt();
     2612    static bool shouldSpeculateInt52(Node* op1, Node* op2)
     2613    {
     2614        return enableInt52() && op1->shouldSpeculateInt52() && op2->shouldSpeculateInt52();
    26152615    }
    26162616   
  • trunk/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp

    r244067 r244079  
    157157            VariableAccessData* variable = node->variableAccessData();
    158158            SpeculatedType prediction = variable->prediction();
    159             if (!variable->couldRepresentInt52() && (prediction & SpecInt52Only))
    160                 prediction = (prediction | SpecAnyIntAsDouble) & ~SpecInt52Only;
     159            if (!variable->couldRepresentInt52() && (prediction & SpecNonInt32AsInt52))
     160                prediction = (prediction | SpecAnyIntAsDouble) & ~SpecNonInt32AsInt52;
    161161            if (prediction)
    162162                changed |= mergePrediction(prediction);
     
    174174                changed |= mergePrediction(SpecInt32Only);
    175175            else if (enableInt52())
    176                 changed |= mergePrediction(SpecAnyInt);
     176                changed |= mergePrediction(SpecInt52Any);
    177177            else
    178178                changed |= mergePrediction(SpecBytecodeNumber);
     
    189189                    if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
    190190                        changed |= mergePrediction(SpecInt32Only);
    191                     else if (m_graph.addShouldSpeculateAnyInt(node))
    192                         changed |= mergePrediction(SpecInt52Only);
     191                    else if (m_graph.addShouldSpeculateInt52(node))
     192                        changed |= mergePrediction(SpecInt52Any);
    193193                    else
    194194                        changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
     
    218218                if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
    219219                    changed |= mergePrediction(SpecInt32Only);
    220                 else if (m_graph.addShouldSpeculateAnyInt(node))
    221                     changed |= mergePrediction(SpecInt52Only);
     220                else if (m_graph.addShouldSpeculateInt52(node))
     221                    changed |= mergePrediction(SpecInt52Any);
    222222                else if (isFullNumberOrBooleanSpeculation(left) && isFullNumberOrBooleanSpeculation(right))
    223223                    changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
     
    239239                    if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
    240240                        changed |= mergePrediction(SpecInt32Only);
    241                     else if (m_graph.addShouldSpeculateAnyInt(node))
    242                         changed |= mergePrediction(SpecInt52Only);
     241                    else if (m_graph.addShouldSpeculateInt52(node))
     242                        changed |= mergePrediction(SpecInt52Any);
    243243                    else
    244244                        changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
     
    260260                    if (m_graph.addSpeculationMode(node, m_pass) != DontSpeculateInt32)
    261261                        changed |= mergePrediction(SpecInt32Only);
    262                     else if (m_graph.addShouldSpeculateAnyInt(node))
    263                         changed |= mergePrediction(SpecInt52Only);
     262                    else if (m_graph.addShouldSpeculateInt52(node))
     263                        changed |= mergePrediction(SpecInt52Any);
    264264                    else
    265265                        changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
     
    284284                if (isInt32OrBooleanSpeculation(prediction) && node->canSpeculateInt32(m_pass))
    285285                    changed |= mergePrediction(SpecInt32Only);
    286                 else if (m_graph.unaryArithShouldSpeculateAnyInt(node, m_pass))
    287                     changed |= mergePrediction(SpecInt52Only);
     286                else if (m_graph.unaryArithShouldSpeculateInt52(node, m_pass))
     287                    changed |= mergePrediction(SpecInt52Any);
    288288                else if (isBytecodeNumberSpeculation(prediction))
    289289                    changed |= mergePrediction(speculatedDoubleTypeForPrediction(node->child1()->prediction()));
     
    327327                    if (m_graph.binaryArithShouldSpeculateInt32(node, m_pass))
    328328                        changed |= mergePrediction(SpecInt32Only);
    329                     else if (m_graph.binaryArithShouldSpeculateAnyInt(node, m_pass))
    330                         changed |= mergePrediction(SpecInt52Only);
     329                    else if (m_graph.binaryArithShouldSpeculateInt52(node, m_pass))
     330                        changed |= mergePrediction(SpecInt52Any);
    331331                    else
    332332                        changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
     
    428428                    changed |= mergePrediction(SpecInt32Only);
    429429                else if (enableInt52())
    430                     changed |= mergePrediction(SpecAnyInt);
     430                    changed |= mergePrediction(SpecInt52Any);
    431431                else
    432432                    changed |= mergePrediction(SpecInt32Only | SpecAnyIntAsDouble);
     
    460460                }
    461461
    462                 if (enableInt52() && node->child1()->shouldSpeculateAnyInt()) {
    463                     changed |= mergePrediction(SpecAnyInt);
     462                if (node->child1()->shouldSpeculateInt52()) {
     463                    changed |= mergePrediction(SpecInt52Any);
    464464                    break;
    465465                }
     
    568568                && isFullNumberSpeculation(right)
    569569                && !m_graph.addShouldSpeculateInt32(node, m_pass)
    570                 && !m_graph.addShouldSpeculateAnyInt(node))
     570                && !m_graph.addShouldSpeculateInt52(node))
    571571                ballot = VoteDouble;
    572572            else
     
    588588                && isFullNumberSpeculation(right)
    589589                && !m_graph.binaryArithShouldSpeculateInt32(node, m_pass)
    590                 && !m_graph.binaryArithShouldSpeculateAnyInt(node, m_pass))
     590                && !m_graph.binaryArithShouldSpeculateInt52(node, m_pass))
    591591                ballot = VoteDouble;
    592592            else
     
    644644                node->variableAccessData()->vote(VoteDouble, weight);
    645645            else if (!isFullNumberSpeculation(prediction)
    646                 || isInt32Speculation(prediction) || isAnyIntSpeculation(prediction))
     646                || isInt32Speculation(prediction) || isAnyInt52Speculation(prediction))
    647647                node->variableAccessData()->vote(VoteValue, weight);
    648648            break;
     
    735735        switch (m_currentNode->op()) {
    736736        case JSConstant: {
    737             SpeculatedType type = speculationFromValue(m_currentNode->asJSValue());
    738             if (type == SpecAnyIntAsDouble && enableInt52())
    739                 type = SpecInt52Only;
    740             setPrediction(type);
     737            setPrediction(speculationFromValue(m_currentNode->asJSValue()));
    741738            break;
    742739        }
     
    10491046        case FiatInt52: {
    10501047            RELEASE_ASSERT(enableInt52());
    1051             setPrediction(SpecAnyInt);
     1048            setPrediction(SpecInt52Any);
    10521049            break;
    10531050        }
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r244067 r244079  
    29202920   
    29212921#if USE(JSVALUE64)
    2922     if (node->shouldSpeculateAnyInt()) {
     2922    if (node->shouldSpeculateInt52()) {
     2923        ASSERT(enableInt52());
    29232924        m_jit.zeroExtend32ToPtr(resultReg, resultReg);
    29242925        strictInt52Result(resultReg, node);
     
    43274328        // Will we need an overflow check? If we can prove that neither input can be
    43284329        // Int52 then the overflow check will not be necessary.
    4329         if (!m_state.forNode(node->child1()).couldBeType(SpecInt52Only)
    4330             && !m_state.forNode(node->child2()).couldBeType(SpecInt52Only)) {
     4330        if (!m_state.forNode(node->child1()).couldBeType(SpecNonInt32AsInt52)
     4331            && !m_state.forNode(node->child2()).couldBeType(SpecNonInt32AsInt52)) {
    43314332            SpeculateWhicheverInt52Operand op1(this, node->child1());
    43324333            SpeculateWhicheverInt52Operand op2(this, node->child2(), op1);
     
    45134514        // Will we need an overflow check? If we can prove that neither input can be
    45144515        // Int52 then the overflow check will not be necessary.
    4515         if (!m_state.forNode(node->child1()).couldBeType(SpecInt52Only)
    4516             && !m_state.forNode(node->child2()).couldBeType(SpecInt52Only)) {
     4516        if (!m_state.forNode(node->child1()).couldBeType(SpecNonInt32AsInt52)
     4517            && !m_state.forNode(node->child2()).couldBeType(SpecNonInt32AsInt52)) {
    45174518            SpeculateWhicheverInt52Operand op1(this, node->child1());
    45184519            SpeculateWhicheverInt52Operand op2(this, node->child2(), op1);
     
    45974598        ASSERT(shouldCheckOverflow(node->arithMode()));
    45984599       
    4599         if (!m_state.forNode(node->child1()).couldBeType(SpecInt52Only)) {
     4600        if (!m_state.forNode(node->child1()).couldBeType(SpecNonInt32AsInt52)) {
    46004601            SpeculateWhicheverInt52Operand op1(this, node->child1());
    46014602            GPRTemporary result(this);
  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp

    r244067 r244079  
    943943
    944944    case DataFormatJS: {
    945         DFG_ASSERT(m_jit.graph(), m_currentNode, !(type & SpecInt52Only));
     945        DFG_ASSERT(m_jit.graph(), m_currentNode, !(type & SpecInt52Any));
    946946        // Check the value is an integer.
    947947        GPRReg gpr = info.gpr();
     
    10281028    AbstractValue& value = m_state.forNode(edge);
    10291029
    1030     m_interpreter.filter(value, SpecAnyInt);
     1030    m_interpreter.filter(value, SpecInt52Any);
    10311031    if (value.isClear()) {
    10321032        if (mayHaveTypeCheck(edge.useKind()))
  • trunk/Source/JavaScriptCore/dfg/DFGUseKind.h

    r240114 r244079  
    103103        return SpecInt32Only;
    104104    case Int52RepUse:
    105         return SpecAnyInt;
     105        return SpecInt52Any;
    106106    case AnyIntUse:
    107107        return SpecInt32Only | SpecAnyIntAsDouble;
  • trunk/Source/JavaScriptCore/dfg/DFGVariableAccessData.cpp

    r200034 r244079  
    157157    if (type & ~SpecBytecodeNumber)
    158158        type |= SpecDoublePureNaN;
    159     if (type & SpecAnyInt)
     159    if (type & (SpecInt32Only | SpecInt52Any))
    160160        type |= SpecAnyIntAsDouble;
    161161    return checkAndSet(m_prediction, type);
     
    181181   
    182182    // The argument-aware prediction -- which merges all of an (inlined or machine)
    183     // argument's variable access datas' predictions -- must possibly be AnyInt.
    184     return !(argumentAwarePrediction() & ~SpecAnyInt);
     183    // argument's variable access datas' predictions -- must possibly be Int52Any.
     184    return isAnyInt52Speculation(argumentAwarePrediction());
    185185}
    186186
  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r244067 r244079  
    23272327           
    23282328        case Int52RepUse: {
    2329             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)
    2330                 && !abstractValue(m_node->child2()).couldBeType(SpecInt52Only)) {
     2329            if (!abstractValue(m_node->child1()).couldBeType(SpecNonInt32AsInt52)
     2330                && !abstractValue(m_node->child2()).couldBeType(SpecNonInt32AsInt52)) {
    23312331                Int52Kind kind;
    23322332                LValue left = lowWhicheverInt52(m_node->child1(), kind);
     
    30243024           
    30253025        case Int52RepUse: {
    3026             if (!abstractValue(m_node->child1()).couldBeType(SpecInt52Only)) {
     3026            if (!abstractValue(m_node->child1()).couldBeType(SpecNonInt32AsInt52)) {
    30273027                Int52Kind kind;
    30283028                LValue value = lowWhicheverInt52(m_node->child1(), kind);
     
    1463814638        }
    1463914639       
    14640         if (m_node->shouldSpeculateAnyInt()) {
     14640        if (m_node->shouldSpeculateInt52()) {
    1464114641            setStrictInt52(m_out.zeroExt(result, Int64));
    1464214642            return;
Note: See TracChangeset for help on using the changeset viewer.