Changeset 261147 in webkit for trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

Timestamp:

May 4, 2020, 10:05:27 PM (5 years ago)

Author:

[email protected]

Message:

[JSC] DFG NotCellUse is used without considering about BigInt32
​https://bugs.webkit.org/show_bug.cgi?id=211395

Reviewed by Saam Barati.

JSTests:

• stress/non-cell-nor-bigint-should-be-emitted-for-to-number-target-if-bigint-appears.js: Added.

(shouldThrow):
(test):
(i.shouldThrow):

• stress/non-cell-nor-bigint-should-reject-bigint.js: Added.

(shouldBe):
(test):

• stress/should-not-emit-double-rep-for-bigint.js: Added.

(foo):

• stress/urshift-value-to-int32-should-reject-bigint.js: Added.

(shouldThrow):
(test):
(i.shouldThrow):

Source/JavaScriptCore:

When we see CompareXXX(BigInt32, Double), we are emitting CompareXXX(DoubleRep(BigInt:NotCellUse), Double). But this has two problems.

1. We should emit CompareXXX(UntypedUse, UntypedUse) in this case.
2. DoubleRep(NotCellUse) does not support converting BigInt32 to double. Since DoubleRep's semantics is for ToNumber, it should not accept BigInt32 since it should throw an error. However, DoubleRep currently assumes that NotCellUse value can be converted to double without any errors.

To keep DoubleRep's semantics ToNumber, we replace NotCellUse with NotCellNorBigIntUse, which rejects BigInt32. This patch also uses NotCellNorBigIntUse
for ValueToInt32 because of the same reason.

For CompareXXX and CompareEq nodes, we can optimize it if we introduce new DoubleRepAcceptingBigInt32 DFG node which can convert BigInt32 to Double, since
CompareXXX and CompareEq are not requiring toNumber semantics. This should be done in a separate bug ​https://bugs.webkit.org/show_bug.cgi?id=211407.

• bytecode/SpeculatedType.h:

(JSC::isNotCellNorBigIntSpeculation):

• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::fixIntConvertingEdge):
(JSC::DFG::FixupPhase::fixupChecksInBlock):

• dfg/DFGNode.h:

(JSC::DFG::Node::shouldSpeculateNotCellNorBigInt):

• dfg/DFGSafeToExecute.h:

(JSC::DFG::SafeToExecuteEdge::operator()):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::compileValueToInt32):
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
(JSC::DFG::SpeculativeJIT::speculateNotCellNorBigInt):
(JSC::DFG::SpeculativeJIT::speculate):

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGUseKind.cpp:

(WTF::printInternal):

• dfg/DFGUseKind.h:

(JSC::DFG::typeFilterFor):
(JSC::DFG::checkMayCrashIfInputIsEmpty):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
(JSC::FTL::DFG::LowerDFGToB3::compileValueToInt32):
(JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellNorBigIntToInt32):
(JSC::FTL::DFG::LowerDFGToB3::speculate):
(JSC::FTL::DFG::LowerDFGToB3::speculateNotCellNorBigInt):
(JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32): Deleted.

File:

• trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp (modified) (1 diff)

trunk/Source/JavaScriptCore/ftl/FTLCapabilities.cpp

@@ -501 +501 @@
                 case DerivedArrayUse:
                 case NotCellUse:
+                case NotCellNorBigIntUse:
                 case OtherUse:
                 case KnownOtherUse: