Changeset 103604 in webkit for trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

Timestamp:

Dec 22, 2011, 9:47:17 PM (13 years ago)

Author:

[email protected]

Message:

DFG should not speculate array even when predictions say that the base is not an array
​https://bugs.webkit.org/show_bug.cgi?id=75160
<rdar://problem/10622646>
<rdar://problem/10622649>

Reviewed by Oliver Hunt.

Added the ability to call slow path when the base is known to not be an array.
Also rationalized the logic for deciding when the index is not an int, and
cleaned up the logic for deciding when to speculate typed array.

Neutral for the most part, with odd speed-ups and slow-downs. The slow-downs can
likely be mitigated by having the notion of a polymorphic array access, where we
try, but don't speculate, to access the array one way before either trying some
other ways or calling slow path.

• bytecode/PredictedType.h:

(JSC::isActionableMutableArrayPrediction):
(JSC::isActionableArrayPrediction):

• dfg/DFGAbstractState.cpp:

(JSC::DFG::AbstractState::execute):

• dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateInt8Array):
(JSC::DFG::Node::shouldSpeculateInt16Array):
(JSC::DFG::Node::shouldSpeculateInt32Array):
(JSC::DFG::Node::shouldSpeculateUint8Array):
(JSC::DFG::Node::shouldSpeculateUint16Array):
(JSC::DFG::Node::shouldSpeculateUint32Array):
(JSC::DFG::Node::shouldSpeculateFloat32Array):
(JSC::DFG::Node::shouldSpeculateFloat64Array):

• dfg/DFGPropagator.cpp:

(JSC::DFG::Propagator::byValIsPure):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):

• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

File:

• trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/dfg/DFGAbstractState.cpp

@@ -403 +403 @@
             
     case GetByVal: {
-        PredictedType indexPrediction = m_graph[node.child2()].prediction();
-        if (!(indexPrediction & PredictInt32) && indexPrediction) {
+        if (!node.prediction() || !m_graph[node.child1()].prediction() || !m_graph[node.child2()].prediction()) {
+            m_isValid = false;
+            break;
+        }
+        if (!isActionableArrayPrediction(m_graph[node.child1()].prediction()) || !m_graph[node.child2()].shouldSpeculateInteger()) {
             clobberStructures(nodeIndex);
             forNode(nodeIndex).makeTop();
@@ -470 +473 @@
             break;
         }
+        ASSERT(m_graph[node.child1()].shouldSpeculateArray());
         forNode(node.child1()).filter(PredictArray);
         forNode(node.child2()).filter(PredictInt32);
@@ -478 +482 @@
     case PutByVal:
     case PutByValAlias: {
-        PredictedType indexPrediction = m_graph[node.child2()].prediction();
-        if (!(indexPrediction & PredictInt32) && indexPrediction) {
+        if (!m_graph[node.child1()].prediction() || !m_graph[node.child2()].prediction()) {
+            m_isValid = false;
+            break;
+        }
+        if (!m_graph[node.child2()].shouldSpeculateInteger() || !isActionableMutableArrayPrediction(m_graph[node.child1()].prediction())) {
+            ASSERT(node.op == PutByVal);
             clobberStructures(nodeIndex);
             forNode(nodeIndex).makeTop();
@@ -539 +547 @@
             break;
         }
-            
+        ASSERT(m_graph[node.child1()].shouldSpeculateArray());
         forNode(node.child1()).filter(PredictArray);
         forNode(node.child2()).filter(PredictInt32);