Ignore:
Timestamp:
Jun 2, 2020, 9:55:15 AM (5 years ago)
Author:
[email protected]
Message:

MultiDeleteByOffset should not always def
https://bugs.webkit.org/show_bug.cgi?id=212621
<rdar://problem/63824182>

Reviewed by Yusuke Suzuki.

JSTests:

  • stress/multi-del-by-offset-doesnt-always-def-osr-entry.js: Added.

(foo):

  • stress/multi-del-by-offset-doesnt-always-def.js: Added.

(foo):
(let.p.set undefined):

Source/JavaScriptCore:

Clobberize used to claim that MultiDeleteByOffset always defd a value.
That's an incorrect modeling of MultiDeleteByOffset though, since it might
have delete misses in its variant list. This would lead us to incorrectly
CSE when we shouldn't. This patch fixes this by saying MultiDeleteByOffset
only defs when all its cases write out a value (are hits).

  • dfg/DFGClobberize.h:

(JSC::DFG::clobberize):

  • dfg/DFGNode.cpp:

(JSC::DFG::MultiDeleteByOffsetData::allVariantsStoreEmpty const):

  • dfg/DFGNode.h:
  • ftl/FTLLowerDFGToB3.cpp:

(JSC::FTL::DFG::LowerDFGToB3::compileMultiDeleteByOffset):

File:
1 edited

Legend:

Unmodified
Added
Removed

  • trunk/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp

    r262338 r262425  
    84728472            m_out.appendTo(blocks[block], block + 1 < blocks.size() ? blocks[block + 1] : exit);
    84738473
    8474             if (variant.newStructure()) {
    8475                 LValue storage;
    8476 
    8477                 if (isInlineOffset(variant.offset()))
    8478                     storage = base;
    8479                 else
    8480                     storage = m_out.loadPtr(base, m_heaps.JSObject_butterfly);
    8481 
    8482                 storeProperty(m_out.int64Zero, storage, data.identifierNumber, variant.offset());
    8483 
    8484                 ASSERT(variant.oldStructure()->indexingType() == variant.newStructure()->indexingType());
    8485                 ASSERT(variant.oldStructure()->typeInfo().inlineTypeFlags() == variant.newStructure()->typeInfo().inlineTypeFlags());
    8486                 ASSERT(variant.oldStructure()->typeInfo().type() == variant.newStructure()->typeInfo().type());
    8487                 m_out.store32(
    8488                     weakStructureID(m_graph.registerStructure(variant.newStructure())), base, m_heaps.JSCell_structureID);
    8489             }
     8474            LValue storage;
     8475
     8476            if (isInlineOffset(variant.offset()))
     8477                storage = base;
     8478            else
     8479                storage = m_out.loadPtr(base, m_heaps.JSObject_butterfly);
     8480
     8481            storeProperty(m_out.int64Zero, storage, data.identifierNumber, variant.offset());
     8482
     8483            ASSERT(variant.oldStructure()->indexingType() == variant.newStructure()->indexingType());
     8484            ASSERT(variant.oldStructure()->typeInfo().inlineTypeFlags() == variant.newStructure()->typeInfo().inlineTypeFlags());
     8485            ASSERT(variant.oldStructure()->typeInfo().type() == variant.newStructure()->typeInfo().type());
     8486            m_out.store32(
     8487                weakStructureID(m_graph.registerStructure(variant.newStructure())), base, m_heaps.JSCell_structureID);
    84908488
    84918489            results.append(m_out.anchor(variant.result() ? m_out.booleanTrue : m_out.booleanFalse));
Note: See TracChangeset for help on using the changeset viewer.