Changeset 262252 in webkit for trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

Timestamp:

May 28, 2020, 11:38:48 AM (5 years ago)

Author:

[email protected]

Message:

for-of should check the iterable is a JSArray for FastArray in DFG iterator_open
​https://bugs.webkit.org/show_bug.cgi?id=212383

Reviewed by Saam Barati.

JSTests:

• stress/check-sub-class.js:
• stress/for-of-iterator-open-fast-array-should-check-js-type.js: Added.

(foo):

Source/JavaScriptCore:

This patch fixes an issue where we didn't check that the iterable operand to
iterator_open was a JSArray when lowering the FastArray only variant of the bytecode to the DFG.
This meant we would OSR exit at the iterator_next's lowering then assertion failure in the
checkpoint OSR exit helper. To make this work, this patch extends (and renames from CheckSubClass)
CheckJSCast to use the same JSType information that we use for the jsCast function. In order to
get the JSType range from a ClassInfo* the macro that autogenerates MethodTable now also fills
a Optional<JSTypeRange> into the ClassInfo as well.

Lastly, speculationFromClassInfo was misused by AI. This patch
renames it to speculationFromClassInfoInheritance to better
reflect how AI was using it. The only other user of
speculationFromClassInfo was speculationFromStructure. Any case
where speculationFromClassInfoInteritance would differ from what a
Structure would tell you has been hoisted to
speculationFromStructure.

• assembler/testmasm.cpp:

(JSC::testBranchIfType):
(JSC::testBranchIfNotType):

• bytecode/SpeculatedType.cpp:

(JSC::speculationFromClassInfoInheritance):
(JSC::speculationFromStructure):
(JSC::speculationFromClassInfo): Deleted.

• bytecode/SpeculatedType.h:
• dfg/DFGAbstractInterpreterInlines.h:

(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

• dfg/DFGAbstractValue.cpp:

(JSC::DFG::AbstractValue::filterClassInfo):

• dfg/DFGByteCodeParser.cpp:

(JSC::DFG::ByteCodeParser::handleDOMJITGetter):
(JSC::DFG::ByteCodeParser::parseBlock):

• dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

• dfg/DFGConstantFoldingPhase.cpp:

(JSC::DFG::ConstantFoldingPhase::foldConstants):

• dfg/DFGDoesGC.cpp:

(JSC::DFG::doesGC):

• dfg/DFGFixupPhase.cpp:

(JSC::DFG::FixupPhase::fixupNode):
(JSC::DFG::FixupPhase::attemptToMakeCallDOM):
(JSC::DFG::FixupPhase::fixupCheckJSCast):
(JSC::DFG::FixupPhase::fixupCheckSubClass): Deleted.

• dfg/DFGNode.h:

(JSC::DFG::Node::hasClassInfo const):

• dfg/DFGNodeType.h:
• dfg/DFGPredictionPropagationPhase.cpp:
• dfg/DFGSafeToExecute.h:

(JSC::DFG::safeToExecute):

• dfg/DFGSpeculativeJIT.cpp:

(JSC::DFG::SpeculativeJIT::checkArray):
(JSC::DFG::SpeculativeJIT::compileCheckJSCast):
(JSC::DFG::SpeculativeJIT::compileCheckSubClass): Deleted.

• dfg/DFGSpeculativeJIT.h:
• dfg/DFGSpeculativeJIT32_64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• dfg/DFGSpeculativeJIT64.cpp:

(JSC::DFG::SpeculativeJIT::compile):

• ftl/FTLCapabilities.cpp:

(JSC::FTL::canCompile):

• ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileNode):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckJSCast):
(JSC::FTL::DFG::LowerDFGToB3::isCellWithType):
(JSC::FTL::DFG::LowerDFGToB3::isTypedArrayView):
(JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass): Deleted.

• jit/AssemblyHelpers.h:

(JSC::AssemblyHelpers::branchIfType):
(JSC::AssemblyHelpers::branchIfNotType):

• runtime/ClassInfo.h:
• runtime/JSCast.h:

(JSC::JSTypeRange::contains const):
(JSC::JSCastingHelpers::inheritsJSTypeImpl):

• runtime/JSFunction.cpp:

(JSC::JSFunction::assertTypeInfoFlagInvariants):

• tools/JSDollarVM.cpp:

(JSC::functionCreateDOMJITCheckJSCastObject):
(JSC::JSDollarVM::finishCreation):
(JSC::functionCreateDOMJITCheckSubClassObject): Deleted.

Source/WebCore:

Update various InheritsTraits specializations to contain a typeRange member.
Also, change the inherits function to use inheritsJSTypeImpl like the JSC
variants.

• bindings/js/JSDocumentCustom.h:

(JSC::JSCastingHelpers::InheritsTraits<WebCore::JSDocument>::inherits):

• bindings/js/JSElementCustom.h:

(JSC::JSCastingHelpers::InheritsTraits<WebCore::JSElement>::inherits):

• bindings/js/JSEventCustom.h:

(JSC::JSCastingHelpers::InheritsTraits<WebCore::JSEvent>::inherits):

• bindings/js/JSNodeCustom.h:

(JSC::JSCastingHelpers::InheritsTraits<WebCore::JSNode>::inherits):

• bindings/scripts/CodeGeneratorJS.pm:

(GenerateHeader):

Source/WTF:

Optional should be able to copy/move constructor itself as long as <T> is
trivially copyable. This lets us copy Optionals into const globals without
global constructors.

• wtf/Optional.h:

(WTF::Optional::Optional):
(WTF::Optional::NOEXCEPT_):

File:

• trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp (modified) (4 diffs)

trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

@@ -1590 +1590 @@
             compileNumberToStringWithValidRadixConstant();
             break;
-        case CheckSubClass:
-            compileCheckSubClass();
+        case CheckJSCast:
+            compileCheckJSCast();
             break;
         case CallDOM:
@@ -13940 +13940 @@
     }
 
-    void compileCheckSubClass()
+    void compileCheckJSCast()
     {
         LValue cell = lowCell(m_node->child1());
 
         const ClassInfo* classInfo = m_node->classInfo();
+
+        if (classInfo->inheritsJSTypeRange) {
+            LValue hasType = isCellWithType(cell, classInfo->inheritsJSTypeRange.value(), speculationFromClassInfoInheritance(classInfo));
+            speculate(BadType, jsValueValue(cell), m_node->child1().node(), m_out.bitNot(hasType));
+            return;
+        }
+
         if (!classInfo->checkSubClassSnippet) {
             LBasicBlock loop = m_out.newBlock();
@@ -17709 +17716 @@
     }
 
-    LValue isCellWithType(LValue cell, JSType queriedType, Optional<SpeculatedType> speculatedTypeForQuery, SpeculatedType type = SpecFullTop)
+    LValue isCellWithType(LValue cell, JSTypeRange queriedTypeRange, Optional<SpeculatedType> speculatedTypeForQuery, SpeculatedType type = SpecFullTop)
     {
         if (speculatedTypeForQuery) {
@@ -17715 +17722 @@
                 return proven;
         }
-        return m_out.equal(
+        if (queriedTypeRange.first == queriedTypeRange.last) {
+            return m_out.equal(
+                m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType),
+                m_out.constInt32(queriedTypeRange.first));
+        }
+
+        ASSERT(queriedTypeRange.last > queriedTypeRange.first);
+        LValue first = m_out.sub(
             m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType),
-            m_out.constInt32(queriedType));
+            m_out.constInt32(queriedTypeRange.first));
+        return m_out.belowOrEqual(first, m_out.constInt32(queriedTypeRange.last - queriedTypeRange.first));
+    }
+
+    LValue isCellWithType(LValue cell, JSType queriedType, Optional<SpeculatedType> speculatedTypeForQuery, SpeculatedType type = SpecFullTop)
+    {
+        return isCellWithType(cell, JSTypeRange { queriedType, queriedType }, speculatedTypeForQuery, type);
     }
 
     LValue isTypedArrayView(LValue cell, SpeculatedType type = SpecFullTop)
     {
-        if (LValue proven = isProvenValue(type & SpecCell, SpecTypedArrayView))
-            return proven;
-        LValue jsType = m_out.sub(
-            m_out.load8ZeroExt32(cell, m_heaps.JSCell_typeInfoType),
-            m_out.constInt32(FirstTypedArrayType));
-        return m_out.below(
-            jsType,
-            m_out.constInt32(NumberOfTypedArrayTypesExcludingDataView));
+        return isCellWithType(cell, JSTypeRange { static_cast<JSType>(FirstTypedArrayType), static_cast<JSType>(LastTypedArrayTypeExcludingDataView) }, SpecTypedArrayView, type);
     }