Context Navigation

← Previous Change
Next Change →

DFGSpeculativeJIT.cpp

Timestamp:

Dec 19, 2011, 12:22:31 PM (13 years ago)

Author:

Message:

Unreviewed, rolling out r103250.
http://trac.webkit.org/changeset/103250
https://bugs.webkit.org/show_bug.cgi?id=74877

it still breaks codegen (Requested by olliej on #webkit).

Patch by Sheriff Bot <[email protected]> on 2011-12-19

dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::parseBlock):

dfg/DFGNode.h:
dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::propagateArithNodeFlags):
(JSC::DFG::Propagator::fixupNode):
(JSC::DFG::Propagator::byValIsPure):
(JSC::DFG::Propagator::clobbersWorld):
(JSC::DFG::Propagator::getByValLoadElimination):
(JSC::DFG::Propagator::checkStructureLoadElimination):
(JSC::DFG::Propagator::getByOffsetLoadElimination):
(JSC::DFG::Propagator::getPropertyStorageLoadElimination):
(JSC::DFG::Propagator::getIndexedPropertyStorageLoadElimination):
(JSC::DFG::Propagator::performNodeCSE):

dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compilePutByValForByteArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):
(JSC::DFG::SpeculativeJIT::compilePutByValForFloatTypedArray):

dfg/DFGSpeculativeJIT.h:
dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

File:

: 1 edited

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp (modified) (6 diffs)

Legend:

: Unmodified
: Added
: Removed

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

-              r103250
+              r103255
+}
+void SpeculativeJIT::compilePutByValForByteArray(Node& node)
+{
+    NodeIndex baseIndex = m_jit.graph().m_varArgChildren[node.firstChild()];
+    NodeIndex propertyIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
+    NodeIndex valueIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
+    NodeIndex storageIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
+    if (!isByteArrayPrediction(m_state.forNode(baseIndex).m_type)) {
+        SpeculateCellOperand base(this, baseIndex);
+        speculationCheck(BadType, JSValueSource::unboxedCell(base.gpr()), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base.gpr(), JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSByteArray::s_info)));
+    }
+void SpeculativeJIT::compilePutByValForByteArray(GPRReg base, GPRReg property, Node& node)
+{
+    NodeIndex baseIndex = node.child1();
+    NodeIndex valueIndex = node.child3();
+    if (!isByteArrayPrediction(m_state.forNode(baseIndex).m_type))
+        speculationCheck(BadType, JSValueSource::unboxedCell(base), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(&JSByteArray::s_info)));
     GPRTemporary value;
     GPRReg valueGPR;
 …
         valueGPR = gpr;
+    }
+    StorageOperand storage(this, storageIndex);
+    SpeculateIntegerOperand property(this, propertyIndex);
+    ASSERT_UNUSED(valueGPR, valueGPR != property);
+    ASSERT(valueGPR != base);
+    GPRTemporary storage(this);
     GPRReg storageReg = storage.gpr();
+    MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property.gpr(), MacroAssembler::Address(storageReg, ByteArray::offsetOfSize()));
+    m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, property.gpr(), MacroAssembler::TimesOne, ByteArray::offsetOfData()));
+    ASSERT(valueGPR != storageReg);
+    m_jit.loadPtr(MacroAssembler::Address(base, JSByteArray::offsetOfStorage()), storageReg);
+    MacroAssembler::Jump outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property, MacroAssembler::Address(storageReg, ByteArray::offsetOfSize()));
+    m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesOne, ByteArray::offsetOfData()));
     outOfBounds.link(&m_jit);
     noResult(m_compileIndex);
 …
+}
+void SpeculativeJIT::compilePutByValForIntTypedArray(const TypedArrayDescriptor& descriptor, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements, TypedArraySignedness signedness)
+{
+    NodeIndex baseIndex = m_jit.graph().m_varArgChildren[node.firstChild()];
+    NodeIndex propertyIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
+    NodeIndex valueIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
+    NodeIndex storageIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
+    if (speculationRequirements != NoTypedArrayTypeSpecCheck) {
+        SpeculateCellOperand base(this, baseIndex);
+        speculationCheck(BadType, JSValueSource::unboxedCell(base.gpr()), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base.gpr()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
+    }
+    StorageOperand storage(this, storageIndex);
+    GPRReg storageReg = storage.gpr();
+    SpeculateIntegerOperand property(this, propertyIndex);
+    GPRReg propertyReg = property.gpr();
+    MacroAssembler::Jump outOfBounds;
+    if (speculationRequirements != NoTypedArrayTypeSpecCheck || speculationRequirements != NoTypedArraySpecCheck) {
+        SpeculateCellOperand base(this, baseIndex);
+        if (speculationRequirements != NoTypedArrayTypeSpecCheck)
+            speculationCheck(BadType, JSValueSource::unboxedCell(base.gpr()), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base.gpr(), JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
+        if (speculationRequirements != NoTypedArraySpecCheck)
+            outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(base.gpr(), descriptor.m_lengthOffset));
+    }
+void SpeculativeJIT::compilePutByValForIntTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements, TypedArraySignedness signedness)
+{
+    NodeIndex baseIndex = node.child1();
+    NodeIndex valueIndex = node.child3();
+    if (speculationRequirements != NoTypedArrayTypeSpecCheck)
+        speculationCheck(BadType, JSValueSource::unboxedCell(base), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
     GPRTemporary value;
     GPRReg valueGPR;
 …
         valueGPR = gpr;
+    }
+    ASSERT_UNUSED(valueGPR, valueGPR != property);
+    ASSERT(valueGPR != base);
+    GPRTemporary storage(this);
+    GPRReg storageReg = storage.gpr();
+    ASSERT(valueGPR != storageReg);
+    m_jit.loadPtr(MacroAssembler::Address(base, descriptor.m_storageOffset), storageReg);
+    MacroAssembler::Jump outOfBounds;
+    if (speculationRequirements != NoTypedArraySpecCheck)
+        outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property, MacroAssembler::Address(base, descriptor.m_lengthOffset));
     switch (elementSize) {
     case 1:
         m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesOne));
+        m_jit.store8(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesOne));
         break;
     case 2:
         m_jit.store16(value.gpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesTwo));
+        m_jit.store16(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesTwo));
         break;
     case 4:
         m_jit.store32(value.gpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesFour));
+        m_jit.store32(value.gpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesFour));
         break;
     default:
 …
+}
+void SpeculativeJIT::compilePutByValForFloatTypedArray(const TypedArrayDescriptor& descriptor, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements)
+{
+    NodeIndex baseIndex = m_jit.graph().m_varArgChildren[node.firstChild()];
+    NodeIndex propertyIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 1];
+    NodeIndex valueIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 2];
+    NodeIndex storageIndex = m_jit.graph().m_varArgChildren[node.firstChild() + 3];
+void SpeculativeJIT::compilePutByValForFloatTypedArray(const TypedArrayDescriptor& descriptor, GPRReg base, GPRReg property, Node& node, size_t elementSize, TypedArraySpeculationRequirements speculationRequirements)
+{
+    NodeIndex baseIndex = node.child1();
+    NodeIndex valueIndex = node.child3();
     SpeculateDoubleOperand valueOp(this, valueIndex);
+    SpeculateStrictInt32Operand property(this, propertyIndex);
+    StorageOperand storage(this, storageIndex);
+    if (speculationRequirements != NoTypedArrayTypeSpecCheck)
+        speculationCheck(BadType, JSValueSource::unboxedCell(base), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base, JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
+    GPRTemporary result(this);
+    GPRTemporary storage(this);
     GPRReg storageReg = storage.gpr();
     GPRReg propertyReg = property.gpr();
+    m_jit.loadPtr(MacroAssembler::Address(base, descriptor.m_storageOffset), storageReg);
     MacroAssembler::Jump outOfBounds;
+    if (speculationRequirements != NoTypedArrayTypeSpecCheck || speculationRequirements != NoTypedArraySpecCheck) {
+        SpeculateCellOperand base(this, baseIndex);
+        if (speculationRequirements != NoTypedArrayTypeSpecCheck)
+            speculationCheck(BadType, JSValueSource::unboxedCell(base.gpr()), baseIndex, m_jit.branchPtr(MacroAssembler::NotEqual, MacroAssembler::Address(base.gpr(), JSCell::classInfoOffset()), MacroAssembler::TrustedImmPtr(descriptor.m_classInfo)));
+        if (speculationRequirements != NoTypedArraySpecCheck)
+            outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(base.gpr(), descriptor.m_lengthOffset));
+    }
+    if (speculationRequirements != NoTypedArraySpecCheck)
+        outOfBounds = m_jit.branch32(MacroAssembler::AboveOrEqual, property, MacroAssembler::Address(base, descriptor.m_lengthOffset));
     switch (elementSize) {
 …
         m_jit.moveDouble(valueOp.fpr(), scratch.fpr());
         m_jit.convertDoubleToFloat(valueOp.fpr(), scratch.fpr());
         m_jit.storeFloat(scratch.fpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesFour));
+        m_jit.storeFloat(scratch.fpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesFour));
         break;
+    }
     case 8:
         m_jit.storeDouble(valueOp.fpr(), MacroAssembler::BaseIndex(storageReg, propertyReg, MacroAssembler::TimesEight));
+        m_jit.storeDouble(valueOp.fpr(), MacroAssembler::BaseIndex(storageReg, property, MacroAssembler::TimesEight));
         break;
     default:

Note: See TracChangeset for help on using the changeset viewer.

Context Navigation

Changeset 103255 in webkit for trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

Legend:

trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

Download in other formats: