Changeset 103637 in webkit for trunk/Source/JavaScriptCore/assembler

Timestamp:

Dec 23, 2011, 1:08:12 PM (13 years ago)

Author:

[email protected]

Message:

DFG loads from signed 8-bit and 16-bit typed arrays are broken
​https://bugs.webkit.org/show_bug.cgi?id=75163

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

Added 8-bit and 16-bit signed loads. Because doing so on ARM is less trivial, I'm
currently disabling Int8Array and Int16Array optimizations on ARM.

• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::load8Signed):
(JSC::MacroAssemblerX86Common::load16Signed):

• assembler/X86Assembler.h:

(JSC::X86Assembler::movswl_mr):
(JSC::X86Assembler::movsbl_mr):

• bytecode/PredictedType.h:

(JSC::isActionableMutableArrayPrediction):

• dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateInt8Array):
(JSC::DFG::Node::shouldSpeculateInt16Array):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):

LayoutTests:

Reviewed by Geoffrey Garen.

Fixed some minor goofs in the previously comitted typed array tests, and added
new ones to cover this bug.

• fast/js/dfg-int16array-expected.txt: Added.
• fast/js/dfg-int16array.html: Added.
• fast/js/dfg-int8array-expected.txt: Added.
• fast/js/dfg-int8array.html: Added.
• fast/js/script-tests/dfg-float32array.js:

(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):

• fast/js/script-tests/dfg-int16array.js: Added.

(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):

• fast/js/script-tests/dfg-int32array.js:

(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):

• fast/js/script-tests/dfg-int8array.js: Added.

(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):

Location:

trunk/Source/JavaScriptCore/assembler

Files:

• MacroAssemblerX86Common.h (modified) (2 diffs)
• X86Assembler.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

@@ -487 +487 @@
     }
     
+    void load8Signed(BaseIndex address, RegisterID dest)
+    {
+        m_assembler.movsbl_mr(address.offset, address.base, address.index, address.scale, dest);
+    }
+
+    void load8Signed(ImplicitAddress address, RegisterID dest)
+    {
+        m_assembler.movsbl_mr(address.offset, address.base, dest);
+    }
+    
     void load16(BaseIndex address, RegisterID dest)
     {
@@ -495 +505 @@
     {
         m_assembler.movzwl_mr(address.offset, address.base, dest);
+    }
+
+    void load16Signed(BaseIndex address, RegisterID dest)
+    {
+        m_assembler.movswl_mr(address.offset, address.base, address.index, address.scale, dest);
+    }
+    
+    void load16Signed(Address address, RegisterID dest)
+    {
+        m_assembler.movswl_mr(address.offset, address.base, dest);
     }
 

trunk/Source/JavaScriptCore/assembler/X86Assembler.h

@@ -187 +187 @@
         OP2_IMUL_GvEv       = 0xAF,
         OP2_MOVZX_GvEb      = 0xB6,
+        OP2_MOVSX_GvEb      = 0xBE,
         OP2_MOVZX_GvEw      = 0xB7,
+        OP2_MOVSX_GvEw      = 0xBF,
         OP2_PEXTRW_GdUdIb   = 0xC5,
         OP2_PSLLQ_UdqIb     = 0x73,
@@ -1225 +1227 @@
     }
 
+    void movswl_mr(int offset, RegisterID base, RegisterID dst)
+    {
+        m_formatter.twoByteOp(OP2_MOVSX_GvEw, dst, base, offset);
+    }
+
+    void movswl_mr(int offset, RegisterID base, RegisterID index, int scale, RegisterID dst)
+    {
+        m_formatter.twoByteOp(OP2_MOVSX_GvEw, dst, base, index, scale, offset);
+    }
+
     void movzbl_mr(int offset, RegisterID base, RegisterID dst)
     {
@@ -1233 +1245 @@
     {
         m_formatter.twoByteOp(OP2_MOVZX_GvEb, dst, base, index, scale, offset);
+    }
+
+    void movsbl_mr(int offset, RegisterID base, RegisterID dst)
+    {
+        m_formatter.twoByteOp(OP2_MOVSX_GvEb, dst, base, offset);
+    }
+    
+    void movsbl_mr(int offset, RegisterID base, RegisterID index, int scale, RegisterID dst)
+    {
+        m_formatter.twoByteOp(OP2_MOVSX_GvEb, dst, base, index, scale, offset);
     }