Timestamp:
Feb 4, 2014, 5:03:21 PM (11 years ago)
Author:
[email protected]
Message:

DFG PutByVal on typed arrays should detect OutOfBounds sooner
https://bugs.webkit.org/show_bug.cgi?id=128162

Source/JavaScriptCore:

Reviewed by Mark Hahnenberg.

Just wire the m_outOfBounds flag in ArrayProfile into the OutOfBounds speculation in
DFG::ArrayMode for typed arrays.

Also make it possible to have tests for convergence.

Also turn one of the LayoutTests/js/dfg- tests into a stress test because it
was relying on a specific number of recompiles. Stress tests instead take
the approach of just running for a while. That's more robust.

  • bytecode/CodeBlock.h:
  • dfg/DFGArrayMode.cpp:

(JSC::DFG::ArrayMode::fromObserved):
(JSC::DFG::ArrayMode::refine):

  • dfg/DFGArrayMode.h:

(JSC::DFG::ArrayMode::withSpeculationFromProfile):
(JSC::DFG::ArrayMode::withProfile):

  • ftl/FTLLowerDFGToLLVM.cpp:

(JSC::FTL::LowerDFGToLLVM::compilePutByVal):

  • jit/JITPropertyAccess.cpp:

(JSC::JIT::emitIntTypedArrayPutByVal):
(JSC::JIT::emitFloatTypedArrayPutByVal):

  • jsc.cpp:

(GlobalObject::finishCreation):
(functionReoptimizationRetryCount):

  • runtime/TestRunnerUtils.cpp:

(JSC::getExecutableForFunction):
(JSC::getSomeBaselineCodeBlockForFunction):
(JSC::numberOfDFGCompiles):
(JSC::setNeverInline):

  • runtime/TestRunnerUtils.h:
  • tests/stress/float32-repeat-out-of-bounds.js: Added.

(foo):

  • tests/stress/int8-repeat-out-of-bounds.js: Added.

(foo):

  • tests/stress/string-out-of-bounds-negative-proto-value.js: Added.

(foo):

Tools:

Reviewed by Mark Hahnenberg.

Add a defaultNoEagerRun, which is intended to be used for convergence tests.

  • Scripts/run-jsc-stress-tests:

LayoutTests:

Reviewed by Mark Hahnenberg.

dfg-string-out-of-blahblah was moved to JSC/tests/stress.

dfg-convert-this-dom-window was using dfgShouldBe() incorrectly and this got revealed
by my TestRunnerUtils refactoring.

  • js/dfg-string-out-of-bounds-negative-proto-value-expected.txt: Removed.
  • js/dfg-string-out-of-bounds-negative-proto-value.html: Removed.
  • js/script-tests/dfg-convert-this-dom-window.js:
  • js/script-tests/dfg-string-out-of-bounds-negative-proto-value.js: Removed.
File:
1 edited

  • trunk/Source/JavaScriptCore/runtime/TestRunnerUtils.cpp

    r156240 r163418  
    11/*
    2  * Copyright (C) 2013 Apple Inc. All rights reserved.
     2 * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
    33 *
    44 * Redistribution and use in source and binary forms, with or without
     
    3232namespace JSC {
    3333
    34 static FunctionExecutable* getExecutable(JSValue theFunctionValue)
     34FunctionExecutable* getExecutableForFunction(JSValue theFunctionValue)
    3535{
    3636    JSFunction* theFunction = jsDynamicCast<JSFunction*>(theFunctionValue);
     
    4141        theFunction->executable());
    4242    return executable;
     43}
     44
     45CodeBlock* getSomeBaselineCodeBlockForFunction(JSValue theFunctionValue)
     46{
     47    FunctionExecutable* executable = getExecutableForFunction(theFunctionValue);
     48    if (!executable)
     49        return 0;
     50   
     51    CodeBlock* baselineCodeBlock = executable->baselineCodeBlockFor(CodeForCall);
     52   
     53    if (!baselineCodeBlock)
     54        baselineCodeBlock = executable->baselineCodeBlockFor(CodeForConstruct);
     55   
     56    return baselineCodeBlock;
    4357}
    4458
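Review bot: getSomeBaselineCodeBlockForFunction (new lines 45-57) has an undocumented contract: it prefers the CodeForCall baseline block, falls back to CodeForConstruct only when that one is missing, and returns 0 both for a value that is not a function and for a function that has no baseline code yet. Since this function and getExecutableForFunction are no longer static, a short comment stating which block is chosen and that a null result is expected would help callers, each of which has to null-check the pointer before dereferencing it.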
     
    5266    pretendToHaveManyCompiles = true;
    5367#endif
    54    
    55     if (FunctionExecutable* executable = getExecutable(theFunctionValue)) {
    56         CodeBlock* baselineCodeBlock = executable->baselineCodeBlockFor(CodeForCall);
    57        
    58         if (!baselineCodeBlock)
    59             baselineCodeBlock = executable->baselineCodeBlockFor(CodeForConstruct);
    60        
    61         if (!baselineCodeBlock)
    62             return jsNumber(0);
    6368
     69    if (CodeBlock* baselineCodeBlock = getSomeBaselineCodeBlockForFunction(theFunctionValue)) {
    6470        if (pretendToHaveManyCompiles)
    6571            return jsNumber(1000000.0);
     
    6773    }
    6874   
    69     return jsUndefined();
     75    return jsNumber(0);
    7076}
    7177
    7278JSValue setNeverInline(JSValue theFunctionValue)
    7379{
    74     if (FunctionExecutable* executable = getExecutable(theFunctionValue))
     80    if (FunctionExecutable* executable = getExecutableForFunction(theFunctionValue))
    7581        executable->setNeverInline(true);
    7682   
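Review bot: the fall-through return at new line 75 changes from jsUndefined() to jsNumber(0), so a caller can no longer tell "the argument was not a function" apart from "the function has no baseline code block", which the removed lines 61-62 reported as 0 on its own. If that merge is intended, it deserves a sentence in the ChangeLog or the header, because any test that compared the result against undefined to detect a bad argument now sees a number; otherwise keep jsUndefined() for the non-function case and return jsNumber(0) only when the executable exists.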