Modified: trunk/JSTests/ChangeLog (261833 => 261834)
--- trunk/JSTests/ChangeLog 2020-05-18 22:22:02 UTC (rev 261833)
+++ trunk/JSTests/ChangeLog 2020-05-18 22:26:32 UTC (rev 261834)
@@ -1,3 +1,13 @@
+2020-05-18 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] BigInt peephole compare should speculate appropriately
+ https://bugs.webkit.org/show_bug.cgi?id=212037
+ <rdar://problem/63346966>
+
+ Reviewed by Saam Barati.
+
+ * stress/bigint-compare-peephole-branch.js: Added.
+
2020-05-18 Keith Miller <keith_mil...@apple.com>
OSR loop entry to iterator_next generic needs to CheckNotEmpty on m_next
Added: trunk/JSTests/stress/bigint-compare-peephole-branch.js (0 => 261834)
--- trunk/JSTests/stress/bigint-compare-peephole-branch.js (rev 0)
+++ trunk/JSTests/stress/bigint-compare-peephole-branch.js 2020-05-18 22:26:32 UTC (rev 261834)
@@ -0,0 +1,6 @@
+//@ runDefault("--useConcurrentJIT=0")
+
+for (let i=0; i < 10000; i++) {
+ for (let j=0n; j < 2n**31n;)
+ break;
+}
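Review bot: The new test has no comment saying what it guards, and because the inner loop at `for (let j=0n; j < 2n**31n;)` breaks on its first pass, a reader cannot tell that the only purpose is to get the `j < 2n**31n` compare-and-branch compiled with BigInt operands. A header line such as `// Regression test for bug 212037: a BigInt relational compare fused with a branch must emit its operand type checks.` would make that explicit. Only `<` is exercised; the patched helper takes the condition as a parameter, so the other relational operators presumably share the path, and `<=`, `>` and `>=` variants would be cheap to add. The test has no assertion and passes by running to completion, so it presumably only detects a regression on builds where a missed speculation faults or trips an assert, which is worth stating in the comment.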
Modified: trunk/Source/_javascript_Core/ChangeLog (261833 => 261834)
--- trunk/Source/_javascript_Core/ChangeLog 2020-05-18 22:22:02 UTC (rev 261833)
+++ trunk/Source/_javascript_Core/ChangeLog 2020-05-18 22:26:32 UTC (rev 261834)
@@ -1,3 +1,20 @@
+2020-05-18 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] BigInt peephole compare should speculate appropriately
+ https://bugs.webkit.org/show_bug.cgi?id=212037
+ <rdar://problem/63346966>
+
+ Reviewed by Saam Barati.
+
+ SpeculativeJIT::nonSpeculativePeepholeBranch missed BigInt speculation. This patch renames it
+ to SpeculativeJIT::genericJSValuePeepholeBranch and adds speculation checks appropriately.
+
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
+ (JSC::DFG::SpeculativeJIT::genericJSValuePeepholeBranch):
+ (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch): Deleted.
+ * dfg/DFGSpeculativeJIT.h:
+
2020-05-18 Keith Miller <keith_mil...@apple.com>
OSR loop entry to iterator_next generic needs to CheckNotEmpty on m_next
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (261833 => 261834)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2020-05-18 22:22:02 UTC (rev 261833)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2020-05-18 22:26:32 UTC (rev 261834)
@@ -1868,11 +1868,11 @@
else if (!needsTypeCheck(node->child2(), SpecOther))
nonSpeculativePeepholeBranchNullOrUndefined(node->child1(), branchNode);
else {
- nonSpeculativePeepholeBranch(node, branchNode, condition, operation);
+ genericJSValuePeepholeBranch(node, branchNode, condition, operation);
return true;
}
} else {
- nonSpeculativePeepholeBranch(node, branchNode, condition, operation);
+ genericJSValuePeepholeBranch(node, branchNode, condition, operation);
return true;
}
@@ -14403,7 +14403,7 @@
unblessedBooleanResult(resultGPR, node, UseChildrenCalledExplicitly);
}
-void SpeculativeJIT::nonSpeculativePeepholeBranch(Node* node, Node* branchNode, MacroAssembler::RelationalCondition cond, S_JITOperation_GJJ helperFunction)
+void SpeculativeJIT::genericJSValuePeepholeBranch(Node* node, Node* branchNode, MacroAssembler::RelationalCondition cond, S_JITOperation_GJJ helperFunction)
{
BasicBlock* taken = branchNode->branchData()->taken.block;
BasicBlock* notTaken = branchNode->branchData()->notTaken.block;
@@ -14420,8 +14420,11 @@
notTaken = tmp;
}
- JSValueOperand arg1(this, node->child1());
- JSValueOperand arg2(this, node->child2());
+ JSValueOperand arg1(this, node->child1(), ManualOperandSpeculation);
+ JSValueOperand arg2(this, node->child2(), ManualOperandSpeculation);
+ speculate(node, node->child1());
+ speculate(node, node->child2());
+
JSValueRegs arg1Regs = arg1.jsValueRegs();
JSValueRegs arg2Regs = arg2.jsValueRegs();
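Review bot: The switch to `ManualOperandSpeculation` plus the two explicit `speculate(node, ...)` calls is the whole fix, yet nothing in the code says why they are needed, and an unexplained pair of calls like this is easy for a later cleanup to remove as redundant. A type check missing from JIT-compiled code lets the generated path run on a value whose type the compiler has already assumed, so the invariant deserves a comment above the operands, for example `// The child edges may carry a speculated use kind (e.g. BigInt); JSValueOperand does not emit that check itself, so speculate each child explicitly before the registers are used.` The new name mirrors `genericJSValueNonPeepholeCompare`, declared next to it in DFGSpeculativeJIT.h; that function presumably follows the same pattern, but its body is not in this diff, so that is worth confirming. The body of `genericJSValuePeepholeBranch` starts before and continues after this hunk.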
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (261833 => 261834)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2020-05-18 22:22:02 UTC (rev 261833)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2020-05-18 22:26:32 UTC (rev 261834)
@@ -742,7 +742,7 @@
void nonSpeculativeNonPeepholeCompareNullOrUndefined(Edge operand);
void nonSpeculativePeepholeBranchNullOrUndefined(Edge operand, Node* branchNode);
- void nonSpeculativePeepholeBranch(Node*, Node* branchNode, MacroAssembler::RelationalCondition, S_JITOperation_GJJ helperFunction);
+ void genericJSValuePeepholeBranch(Node*, Node* branchNode, MacroAssembler::RelationalCondition, S_JITOperation_GJJ helperFunction);
void genericJSValueNonPeepholeCompare(Node*, MacroAssembler::RelationalCondition, S_JITOperation_GJJ helperFunction);
void nonSpeculativePeepholeStrictEq(Node*, Node* branchNode, bool invert = false);