Timestamp:
Jun 26, 2012, 6:34:01 PM (13 years ago)
Author:
[email protected]
Message:

DFG PutByValAlias is too aggressive
https://bugs.webkit.org/show_bug.cgi?id=90026
<rdar://problem/11751830>

Source/JavaScriptCore:

Reviewed by Gavin Barraclough.

For CSE on normal arrays, we now treat PutByVal as impure. This does not appear to affect
performance by much.

For CSE on typed arrays, we fix PutByValAlias by making GetByVal speculate that the access
is within bounds. This also has the effect of making our out-of-bounds handling consistent
with WebCore.

  • dfg/DFGCSEPhase.cpp:

(JSC::DFG::CSEPhase::performNodeCSE):

  • dfg/DFGGraph.h:

(JSC::DFG::Graph::byValIsPure):
(JSC::DFG::Graph::clobbersWorld):

  • dfg/DFGNodeType.h:

(DFG):

  • dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
(JSC::DFG::SpeculativeJIT::compileGetByValOnFloatTypedArray):

LayoutTests:

Reviewed by Gavin Barraclough.

  • fast/js/dfg-put-by-val-setter-then-get-by-val-expected.txt: Added.
  • fast/js/dfg-put-by-val-setter-then-get-by-val.html: Added.
  • fast/js/dfg-uint8clampedarray-out-of-bounds-put-by-val-alias-expected.txt: Added.
  • fast/js/dfg-uint8clampedarray-out-of-bounds-put-by-val-alias.html: Added.
  • fast/js/script-tests/dfg-put-by-val-setter-then-get-by-val.js: Added.

(foo):
(for):

  • fast/js/script-tests/dfg-uint8clampedarray-out-of-bounds-put-by-val-alias.js: Added.

(foo):

File:
1 edited

  • trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp

    r121215 r121307  
    20012001    }
    20022002
    2003     MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(baseReg, descriptor.m_lengthOffset));
    2004     m_jit.xorPtr(resultReg, resultReg);
    2005     MacroAssembler::Jump outOfBounds = m_jit.jump();
    2006     inBounds.link(&m_jit);
     2003    speculationCheck(
     2004        Uncountable, JSValueRegs(), NoNode,
     2005        m_jit.branch32(
     2006            MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, descriptor.m_lengthOffset)));
    20072007    switch (elementSize) {
    20082008    case 1:
     
    20242024        ASSERT_NOT_REACHED();
    20252025    }
    2026     outOfBounds.link(&m_jit);
    20272026    if (elementSize < 4 || signedness == SignedTypedArray) {
    20282027        integerResult(resultReg, m_compileIndex);
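Review bot: with the `outOfBounds.link` at line 2026 and the `xorPtr(resultReg, resultReg)` zeroing gone, `resultReg` is written only inside the `switch (elementSize)`; if the `ASSERT_NOT_REACHED()` default at line 2024 is ever reached in a release build (where it is a no-op), `integerResult` at line 2027 publishes whatever the register happened to hold. Either keep an unconditional initialization before the switch or make the default arm a hard trap.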
     
    21632162    FPRReg resultReg = result.fpr();
    21642163    ASSERT(speculationRequirements != NoTypedArraySpecCheck);
    2165     MacroAssembler::Jump inBounds = m_jit.branch32(MacroAssembler::Below, propertyReg, MacroAssembler::Address(baseReg, descriptor.m_lengthOffset));
    2166     static const double zero = 0;
    2167     m_jit.loadDouble(&zero, resultReg);
    2168     MacroAssembler::Jump outOfBounds = m_jit.jump();
    2169     inBounds.link(&m_jit);
     2164    speculationCheck(
     2165        Uncountable, JSValueRegs(), NoNode,
     2166        m_jit.branch32(
     2167            MacroAssembler::AboveOrEqual, propertyReg, MacroAssembler::Address(baseReg, descriptor.m_lengthOffset)));
    21702168    switch (elementSize) {
    21712169    case 4:
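Review bot: lines 2164-2167 repeat the four-line speculationCheck from `compileGetByValOnIntTypedArray` verbatim; pull it into a small helper (for example `speculateInBounds(baseReg, propertyReg, descriptor)`) so the integer and float paths cannot drift apart. The `ASSERT(speculationRequirements != NoTypedArraySpecCheck)` at line 2163 now sits next to a bounds speculation that is emitted unconditionally, so a comment clarifying which checks `speculationRequirements` still governs would help.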
     
    21842182        ASSERT_NOT_REACHED();
    21852183    }
    2186     outOfBounds.link(&m_jit);
    21872184    doubleResult(resultReg, m_compileIndex);
    21882185}
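Review bot: this hunk changes the out-of-bounds result of the float typed-array load from 0.0 to an OSR exit, but the layout tests listed in the ChangeLog (`dfg-uint8clampedarray-out-of-bounds-put-by-val-alias`) only exercise an integer typed array. Add a Float32Array/Float64Array variant of the out-of-bounds store-then-load test so the `compileGetByValOnFloatTypedArray` path at lines 2164-2167 is covered too.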