Changeset 163418 in webkit for trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp

Timestamp:

Feb 4, 2014, 5:03:21 PM (11 years ago)

Author:

[email protected]

Message:

DFG PutByVal on typed arrays should detect OutOfBounds sooner
​https://bugs.webkit.org/show_bug.cgi?id=128162

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Just wire the m_outOfBounds flag in ArrayProfile into the OutOfBounds speculation in
DFG::ArrayMode for typed arrays.

Also make it possible to have tests for convergence.

Also turn one of the LayoutTests/js/dfg- tests into a stress test because it
was relying on a specific number of recompiles. Stress tests instead take
the approach of just running for a while. That's more robust.

• bytecode/CodeBlock.h:
• dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::fromObserved):
(JSC::DFG::ArrayMode::refine):

• dfg/DFGArrayMode.h:

(JSC::DFG::ArrayMode::withSpeculationFromProfile):
(JSC::DFG::ArrayMode::withProfile):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compilePutByVal):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

• jsc.cpp:

(GlobalObject::finishCreation):
(functionReoptimizationRetryCount):

• runtime/TestRunnerUtils.cpp:

(JSC::getExecutableForFunction):
(JSC::getSomeBaselineCodeBlockForFunction):
(JSC::numberOfDFGCompiles):
(JSC::setNeverInline):

• runtime/TestRunnerUtils.h:
• tests/stress/float32-repeat-out-of-bounds.js: Added.

(foo):

• tests/stress/int8-repeat-out-of-bounds.js: Added.

(foo):

• tests/stress/string-out-of-bounds-negative-proto-value.js: Added.

(foo):

Tools:

Reviewed by Mark Hahnenberg.

Add a defautNoEagerRun, which is intended to be used for convergence tests.

• Scripts/run-jsc-stress-tests:

LayoutTests:

Reviewed by Mark Hahnenberg.

dfg-string-out-of-blahblah was moved to JSC/tests/stress.

dfg-convert-this-dom-window was using dfgShouldBe() incorrectly and this got revealed
by my TestRunnerUtils refactoring.

• js/dfg-string-out-of-bounds-negative-proto-value-expected.txt: Removed.
• js/dfg-string-out-of-bounds-negative-proto-value.html: Removed.
• js/script-tests/dfg-convert-this-dom-window.js:
• js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js: Removed.

File:

• trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.cpp

@@ -50 +50 @@
         if (action == Array::Write && !profile->mayInterceptIndexedAccesses(locker))
             return ArrayMode(Array::Undecided, nonArray, Array::OutOfBounds, Array::Convert);
-        return ArrayMode(Array::SelectUsingPredictions, nonArray);
+        return ArrayMode(Array::SelectUsingPredictions, nonArray).withSpeculationFromProfile(locker, profile, makeSafe);
 
     case asArrayModes(ArrayWithUndecided):
@@ -60 +60 @@
         if (action == Array::Write && !profile->mayInterceptIndexedAccesses(locker))
             return ArrayMode(Array::Undecided, Array::PossiblyArray, Array::OutOfBounds, Array::Convert);
-        return ArrayMode(Array::SelectUsingPredictions);
+        return ArrayMode(Array::SelectUsingPredictions).withSpeculationFromProfile(locker, profile, makeSafe);
 
     case asArrayModes(NonArrayWithInt32):
@@ -101 +101 @@
     default:
         if ((observed & asArrayModes(NonArray)) && profile->mayInterceptIndexedAccesses(locker))
-            return ArrayMode(Array::SelectUsingPredictions);
+            return ArrayMode(Array::SelectUsingPredictions).withSpeculationFromProfile(locker, profile, makeSafe);
         
         Array::Type type;
@@ -200 +200 @@
         
         ArrayMode result;
-        if (graph.hasExitSite(codeOrigin, OutOfBounds))
+        if (graph.hasExitSite(codeOrigin, OutOfBounds) || !isInBounds())
             result = withSpeculation(Array::OutOfBounds);
         else
-            result = *this;
+            result = withSpeculation(Array::InBounds);
         
         if (isInt8ArraySpeculation(base))