Changeset 103637 in webkit for trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

Timestamp:

Dec 23, 2011, 1:08:12 PM (14 years ago)

Author:

[email protected]

Message:

DFG loads from signed 8-bit and 16-bit typed arrays are broken
​https://bugs.webkit.org/show_bug.cgi?id=75163

Source/JavaScriptCore:

Reviewed by Geoffrey Garen.

Added 8-bit and 16-bit signed loads. Because doing so on ARM is less trivial, I'm
currently disabling Int8Array and Int16Array optimizations on ARM.

• assembler/MacroAssemblerX86Common.h:

(JSC::MacroAssemblerX86Common::load8Signed):
(JSC::MacroAssemblerX86Common::load16Signed):

• assembler/X86Assembler.h:

(JSC::X86Assembler::movswl_mr):
(JSC::X86Assembler::movsbl_mr):

• bytecode/PredictedType.h:

(JSC::isActionableMutableArrayPrediction):

• dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateInt8Array):
(JSC::DFG::Node::shouldSpeculateInt16Array):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):

LayoutTests:

Reviewed by Geoffrey Garen.

Fixed some minor goofs in the previously comitted typed array tests, and added
new ones to cover this bug.

• fast/js/dfg-int16array-expected.txt: Added.
• fast/js/dfg-int16array.html: Added.
• fast/js/dfg-int8array-expected.txt: Added.
• fast/js/dfg-int8array.html: Added.
• fast/js/script-tests/dfg-float32array.js:

(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):

• fast/js/script-tests/dfg-int16array.js: Added.

(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):

• fast/js/script-tests/dfg-int32array.js:

(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):

• fast/js/script-tests/dfg-int8array.js: Added.

(getter1):
(setter1):
(getter2):
(setter2):
(getter3):
(setter3):
(getter4):
(setter4):
(getters.getter1.a):
(.a):
(setters.setter1.a):
(safeGetter):
(safeSetter):

File:

• trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h (modified) (2 diffs)

trunk/Source/JavaScriptCore/assembler/MacroAssemblerX86Common.h

@@ -487 +487 @@
     }
     
+    void load8Signed(BaseIndex address, RegisterID dest)
+    {
+        m_assembler.movsbl_mr(address.offset, address.base, address.index, address.scale, dest);
+    }
+
+    void load8Signed(ImplicitAddress address, RegisterID dest)
+    {
+        m_assembler.movsbl_mr(address.offset, address.base, dest);
+    }
+    
     void load16(BaseIndex address, RegisterID dest)
     {
@@ -495 +505 @@
     {
         m_assembler.movzwl_mr(address.offset, address.base, dest);
+    }
+
+    void load16Signed(BaseIndex address, RegisterID dest)
+    {
+        m_assembler.movswl_mr(address.offset, address.base, address.index, address.scale, dest);
+    }
+    
+    void load16Signed(Address address, RegisterID dest)
+    {
+        m_assembler.movswl_mr(address.offset, address.base, dest);
     }