Changeset 218137 in webkit for trunk/Source/JavaScriptCore/assembler/CPU.h

Timestamp:

Jun 12, 2017, 2:01:52 PM (8 years ago)

Author:

[email protected]

Message:

We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
​https://bugs.webkit.org/show_bug.cgi?id=172957
<rdar://problem/32602704>

Reviewed by Filip Pizlo.

JSTests:

• stress/spec-empty-flows-through-cell-checks.js: Added.

(A):
(B):
(i.catch):

Source/JavaScriptCore:

Consider this program:
`
block#1:
n: GetClosureVar(..., |this|) this will load empty JSValue()
SetLocal(Cell:@n, locFoo) Cell check succeeds because JSValue() looks like a cell
Branch(#2, #3)

Block#3:
x: GetLocal(locFoo)
y: CheckNotEmpty(@x)
`

If we claim that a cell check filters out the empty value, we will
incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.

On 64 bit platforms:

• Cell use kind *now allows* the empty value to pass through.
• CellOrOther use kind *now allows* for the empty value to pass through
• NotCell use kind *no longer allows* the empty value to pass through.

• assembler/CPU.h:

(JSC::isARMv7IDIVSupported):
(JSC::isARM64):
(JSC::isX86):
(JSC::isX86_64):
(JSC::is64Bit):
(JSC::is32Bit):
(JSC::isMIPS):
Make these functions constexpr so we can use them in static variable assignment.

• bytecode/SpeculatedType.h:
• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
(JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
(JSC::DFG::SpeculativeJIT::speculateCell):
(JSC::DFG::SpeculativeJIT::speculateCellOrOther):
(JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
(JSC::DFG::SpeculativeJIT::speculateString):
(JSC::DFG::SpeculativeJIT::speculateStringOrOther):
(JSC::DFG::SpeculativeJIT::speculateSymbol):
(JSC::DFG::SpeculativeJIT::speculateNotCell):

• dfg/DFGSpeculativeJIT32_64.cpp:
• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::fillSpeculateCell):
(JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
(JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
(JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):

• dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
(JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
(JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
(JSC::FTL::DFG::LowerDFGToB3::boolify):
(JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
(JSC::FTL::DFG::LowerDFGToB3::lowCell):
(JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
(JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
(JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
(JSC::FTL::DFG::LowerDFGToB3::isNotCell):
(JSC::FTL::DFG::LowerDFGToB3::isCell):
(JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
(JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
(JSC::FTL::DFG::LowerDFGToB3::speculateString):
(JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
(JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):

File:

• trunk/Source/JavaScriptCore/assembler/CPU.h (modified) (6 diffs)

trunk/Source/JavaScriptCore/assembler/CPU.h

@@ -30 +30 @@
 namespace JSC {
 
-inline bool isARMv7IDIVSupported()
+constexpr bool isARMv7IDIVSupported()
 {
 #if HAVE(ARM_IDIV_INSTRUCTIONS)
@@ -39 +39 @@
 }
 
-inline bool isARM64()
+constexpr bool isARM64()
 {
 #if CPU(ARM64)
@@ -48 +48 @@
 }
 
-inline bool isX86()
+constexpr bool isX86()
 {
 #if CPU(X86_64) || CPU(X86)
@@ -57 +57 @@
 }
 
-inline bool isX86_64()
+constexpr bool isX86_64()
 {
 #if CPU(X86_64)
@@ -66 +66 @@
 }
 
-inline bool is64Bit()
+constexpr bool is64Bit()
 {
 #if USE(JSVALUE64)
@@ -75 +75 @@
 }
 
-inline bool is32Bit()
+constexpr bool is32Bit()
 {
     return !is64Bit();
 }
 
-inline bool isMIPS()
+constexpr bool isMIPS()
 {
 #if CPU(MIPS)