Changeset 163418 in webkit for trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h

Timestamp:

Feb 4, 2014, 5:03:21 PM (11 years ago)

Author:

[email protected]

Message:

DFG PutByVal on typed arrays should detect OutOfBounds sooner
​https://bugs.webkit.org/show_bug.cgi?id=128162

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Just wire the m_outOfBounds flag in ArrayProfile into the OutOfBounds speculation in
DFG::ArrayMode for typed arrays.

Also make it possible to have tests for convergence.

Also turn one of the LayoutTests/js/dfg- tests into a stress test because it
was relying on a specific number of recompiles. Stress tests instead take
the approach of just running for a while. That's more robust.

• bytecode/CodeBlock.h:
• dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::fromObserved):
(JSC::DFG::ArrayMode::refine):

• dfg/DFGArrayMode.h:

(JSC::DFG::ArrayMode::withSpeculationFromProfile):
(JSC::DFG::ArrayMode::withProfile):

• ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compilePutByVal):

• jit/JITPropertyAccess.cpp:

(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

• jsc.cpp:

(GlobalObject::finishCreation):
(functionReoptimizationRetryCount):

• runtime/TestRunnerUtils.cpp:

(JSC::getExecutableForFunction):
(JSC::getSomeBaselineCodeBlockForFunction):
(JSC::numberOfDFGCompiles):
(JSC::setNeverInline):

• runtime/TestRunnerUtils.h:
• tests/stress/float32-repeat-out-of-bounds.js: Added.

(foo):

• tests/stress/int8-repeat-out-of-bounds.js: Added.

(foo):

• tests/stress/string-out-of-bounds-negative-proto-value.js: Added.

(foo):

Tools:

Reviewed by Mark Hahnenberg.

Add a defautNoEagerRun, which is intended to be used for convergence tests.

• Scripts/run-jsc-stress-tests:

LayoutTests:

Reviewed by Mark Hahnenberg.

dfg-string-out-of-blahblah was moved to JSC/tests/stress.

dfg-convert-this-dom-window was using dfgShouldBe() incorrectly and this got revealed
by my TestRunnerUtils refactoring.

• js/dfg-string-out-of-bounds-negative-proto-value-expected.txt: Removed.
• js/dfg-string-out-of-bounds-negative-proto-value.html: Removed.
• js/script-tests/dfg-convert-this-dom-window.js:
• js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js: Removed.

File:

• trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h (modified) (3 diffs)

trunk/Source/JavaScriptCore/dfg/DFGArrayMode.h

@@ -174 +174 @@
     }
     
-    ArrayMode withProfile(const ConcurrentJITLocker& locker, ArrayProfile* profile, bool makeSafe) const
+    ArrayMode withArrayClass(Array::Class arrayClass) const
+    {
+        return ArrayMode(type(), arrayClass, speculation(), conversion());
+    }
+    
+    ArrayMode withSpeculationFromProfile(const ConcurrentJITLocker& locker, ArrayProfile* profile, bool makeSafe) const
     {
         Array::Speculation mySpeculation;
-        Array::Class myArrayClass;
-        
+
         if (makeSafe)
             mySpeculation = Array::OutOfBounds;
@@ -185 +189 @@
         else
             mySpeculation = Array::InBounds;
+        
+        return withSpeculation(mySpeculation);
+    }
+    
+    ArrayMode withProfile(const ConcurrentJITLocker& locker, ArrayProfile* profile, bool makeSafe) const
+    {
+        Array::Class myArrayClass;
         
         if (isJSArray()) {
@@ -194 +205 @@
             myArrayClass = arrayClass();
         
-        return ArrayMode(type(), myArrayClass, mySpeculation, conversion());
+        return withArrayClass(myArrayClass).withSpeculationFromProfile(locker, profile, makeSafe);
     }