Timestamp:
Aug 6, 2013, 9:04:50 PM (12 years ago)
Author:
[email protected]
Message:

DFG FixupPhase should insert Int32ToDouble nodes for number uses in NewArray, and SpeculativeJIT 64-bit should not try to coerce integer constants to double constants
https://bugs.webkit.org/show_bug.cgi?id=119528

Reviewed by Geoffrey Garen.

Source/JavaScriptCore:

Either of the two fixes would solve the crash I saw. Basically, for best performance, we want the DFG register allocator to track double uses and non-double
uses of a node separately, and we accomplish this by inserting Int32ToDouble nodes in the FixupPhase. But even if FixupPhase fails to do this, we still want
the DFG register allocator to do the right thing: if it encounters a double use of an integer, it should perform a conversion and preserve the original
format of the value (namely, that it was an integer). For constants, the best format to preserve is None, so that future integer uses rematerialize the int
from scratch. This only affects the 64-bit backend; the 32-bit backend was already doing the right thing.

This also fixes some more debug dumping code, and adds some stronger assertions for integer arrays.

  • bytecode/CodeBlock.cpp:

(JSC::CodeBlock::finalizeUnconditionally):

  • dfg/DFGDriver.cpp:

(JSC::DFG::compile):

  • dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):

  • dfg/DFGGraph.cpp:

(JSC::DFG::Graph::dump):

  • dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateDouble):

  • runtime/JSObject.h:

(JSC::JSObject::getIndexQuickly):
(JSC::JSObject::tryGetIndexQuickly):

LayoutTests:

  • fast/js/dfg-new-array-double-const-then-int-const.html: Added.
  • fast/js/dfg-new-array-double-const-then-int-const-expected.txt: Added.
  • fast/js/jsc-test-list:
  • fast/js/script-tests/dfg-new-array-double-const-then-int-const.js: Added.

(bar):
(foo):

File:
1 edited

  • trunk/Source/JavaScriptCore/bytecode/CodeBlock.cpp

    r153671 r153778  
    22072207                if ((!origin || Heap::isMarked(origin)) && Heap::isMarked(from))
    22082208                    continue;
    2209                 dataLog("    Transition under ", JSValue(origin), ", ", JSValue(from), " -> ", JSValue(to), ".\n");
     2209                dataLog("    Transition under ", RawPointer(origin), ", ", RawPointer(from), " -> ", RawPointer(to), ".\n");
    22102210            }
    22112211            for (unsigned i = 0; i < dfgCommon->weakReferences.size(); ++i) {
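Review bot: The new dataLog at 2209 has no comment saying why it prints RawPointer instead of JSValue, and the reason is not obvious from the call itself. The guard at 2207 shows this line is reached only when origin or from failed the Heap::isMarked check, so these cells may already be dead and a dumper that looks inside the cell would read freed memory. A one-line comment above the dataLog saying that only addresses may be printed here would keep a later cleanup from switching back to JSValue(...).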
     
    22132213                if (Heap::isMarked(weak))
    22142214                    continue;
    2215                 dataLog("    Weak reference ", JSValue(weak), ".\n");
     2215                dataLog("    Weak reference ", RawPointer(weak), ".\n");
    22162216            }
    22172217        }
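Review bot: The dataLog at 2215 now writes a raw heap address for a cell that just failed Heap::isMarked(weak), and the condition that enables this logging is outside the hunk. Please confirm it is emitted only under a debug or verbose option, since cell addresses in ordinary log output disclose heap layout. If the line can be reached in release builds, gate it or drop the pointer from the message.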