Title: [283938] trunk
Revision
283938
Author
sbar...@apple.com
Date
2021-10-11 14:45:29 -0700 (Mon, 11 Oct 2021)

Log Message

Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
https://bugs.webkit.org/show_bug.cgi?id=231465
<rdar://83876470>

Reviewed by Yusuke Suzuki.

JSTests:

* stress/dont-branch-around-regalloc-enumerator-get-by-val.js: Added.
(foo):

Source/_javascript_Core:

* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
(JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
* dfg/DFGSpeculativeJIT.h:
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):


Modified: trunk/JSTests/ChangeLog (283937 => 283938)


--- trunk/JSTests/ChangeLog	2021-10-11 21:21:13 UTC (rev 283937)
+++ trunk/JSTests/ChangeLog	2021-10-11 21:45:29 UTC (rev 283938)
@@ -1,3 +1,14 @@
+2021-10-11  Saam Barati  <sbar...@apple.com>
+
+        Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
+        https://bugs.webkit.org/show_bug.cgi?id=231465
+        <rdar://83876470>
+
+        Reviewed by Yusuke Suzuki.
+
+        * stress/dont-branch-around-regalloc-enumerator-get-by-val.js: Added.
+        (foo):
+
 2021-10-09  Yusuke Suzuki  <ysuz...@apple.com>
 
         [JSC] Refine RegExp#compile based on regexp-legacy-features proposal

Added: trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js (0 => 283938)


--- trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js	                        (rev 0)
+++ trunk/JSTests/stress/dont-branch-around-regalloc-enumerator-get-by-val.js	2021-10-11 21:45:29 UTC (rev 283938)
@@ -0,0 +1,10 @@
+function foo(o) {
+    for (let p in o) {
+        o[p];
+    }
+}
+
+for (let i=0; i<10000; i++) {
+    foo(new Uint32Array());
+    foo({o:undefined});
+}
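Review bot: The new stress test has no header saying what it regresses, so a reader sees only a loop over `foo` with two unrelated argument shapes. A first line such as `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=231465: compiling the enumerator get-by-val with both a Uint32Array and a plain object as base must not allocate a register on only one side of a branch.` would tie it to the fix. Note that `new Uint32Array()` is empty, so the for-in body never runs with a typed-array base; presumably the typed-array case only needs to be compiled, not executed, to trip the bug, and saying so in the comment would stop a future edit from "simplifying" that argument away.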

Modified: trunk/Source/_javascript_Core/ChangeLog (283937 => 283938)


--- trunk/Source/_javascript_Core/ChangeLog	2021-10-11 21:21:13 UTC (rev 283937)
+++ trunk/Source/_javascript_Core/ChangeLog	2021-10-11 21:45:29 UTC (rev 283938)
@@ -1,3 +1,20 @@
+2021-10-11  Saam Barati  <sbar...@apple.com>
+
+        Don't branch around register allocation in DFG enumerator get by val and pass in the right LValue type to strictInt52ToJSValue
+        https://bugs.webkit.org/show_bug.cgi?id=231465
+        <rdar://83876470>
+
+        Reviewed by Yusuke Suzuki.
+
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::setIntTypedArrayLoadResult):
+        (JSC::DFG::SpeculativeJIT::compileGetByValOnIntTypedArray):
+        * dfg/DFGSpeculativeJIT.h:
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):
+
 2021-10-11  Geza Lore  <gl...@igalia.com>
 
         [JSC][ARMv7] Make LLInt CSR save/restore order match the JITs

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (283937 => 283938)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-10-11 21:21:13 UTC (rev 283937)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2021-10-11 21:45:29 UTC (rev 283938)
@@ -3325,19 +3325,20 @@
     }
 }
 
-void SpeculativeJIT::setIntTypedArrayLoadResult(Node* node, JSValueRegs resultRegs, TypedArrayType type, bool canSpeculate, bool shouldBox)
+void SpeculativeJIT::setIntTypedArrayLoadResult(Node* node, JSValueRegs resultRegs, TypedArrayType type, bool canSpeculate, bool shouldBox, FPRReg resultFPR)
 {
     bool isUInt32 = elementSize(type) == 4 && !isSigned(type);
+    if (isUInt32)
+        ASSERT(resultFPR != InvalidFPRReg);
     GPRReg resultReg = resultRegs.payloadGPR();
 
     if (shouldBox) {
         if (isUInt32) {
-            FPRTemporary fresult(this);
-            m_jit.convertInt32ToDouble(resultReg, fresult.fpr());
+            m_jit.convertInt32ToDouble(resultReg, resultFPR);
             JITCompiler::Jump positive = m_jit.branch32(MacroAssembler::GreaterThanOrEqual, resultReg, TrustedImm32(0));
-            m_jit.addDouble(JITCompiler::AbsoluteAddress(&AssemblyHelpers::twoToThe32), fresult.fpr());
+            m_jit.addDouble(JITCompiler::AbsoluteAddress(&AssemblyHelpers::twoToThe32), resultFPR);
             positive.link(&m_jit);
-            m_jit.boxDouble(fresult.fpr(), resultRegs);
+            m_jit.boxDouble(resultFPR, resultRegs);
         } else
             m_jit.boxInt32(resultRegs.payloadGPR(), resultRegs);
         jsValueResult(resultRegs, node);
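Review bot: The new `resultFPR` parameter carries an unstated contract — the caller must have allocated it before any control flow was emitted, and only the UInt32 case uses it — but the added lines express this only as a conditional ASSERT. A comment above it would record the why: `// UInt32 loads need an FPR. The caller allocates it up front so that no FPRTemporary is created after a branch has been emitted, which would split register allocation across control flow.` Collapsing the check to `ASSERT(!isUInt32 || resultFPR != InvalidFPRReg);` also reads as a single precondition rather than an `if` around an assertion. The unboxed tail of the function in the next hunk relies on the same contract; the middle of the function is outside this view.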
@@ -3365,12 +3366,11 @@
     }
 #endif
     
-    FPRTemporary fresult(this);
-    m_jit.convertInt32ToDouble(resultReg, fresult.fpr());
+    m_jit.convertInt32ToDouble(resultReg, resultFPR);
     JITCompiler::Jump positive = m_jit.branch32(MacroAssembler::GreaterThanOrEqual, resultReg, TrustedImm32(0));
-    m_jit.addDouble(JITCompiler::AbsoluteAddress(&AssemblyHelpers::twoToThe32), fresult.fpr());
+    m_jit.addDouble(JITCompiler::AbsoluteAddress(&AssemblyHelpers::twoToThe32), resultFPR);
     positive.link(&m_jit);
-    doubleResult(fresult.fpr(), node);
+    doubleResult(resultFPR, node);
 }
 
 void SpeculativeJIT::compileGetByValOnIntTypedArray(Node* node, TypedArrayType type, const ScopedLambda<std::tuple<JSValueRegs, DataFormat>(DataFormat preferredFormat)>& prefix)
@@ -3385,6 +3385,13 @@
     GPRReg propertyReg = property.gpr();
     GPRReg storageReg = storage.gpr();
 
+    std::optional<FPRTemporary> fprTemp;
+    FPRReg resultFPR = InvalidFPRReg;
+    if (elementSize(type) == 4 && !isSigned(type)) {
+        fprTemp.emplace(this);
+        resultFPR = fprTemp->fpr();
+    }
+
     JSValueRegs resultRegs;
     DataFormat format;
     std::tie(resultRegs, format) = prefix(DataFormatInt32);
@@ -3393,7 +3400,7 @@
     emitTypedArrayBoundsCheck(node, baseReg, propertyReg);
     loadFromIntTypedArray(storageReg, propertyReg, resultRegs.payloadGPR(), type);
     constexpr bool canSpeculate = true;
-    setIntTypedArrayLoadResult(node, resultRegs, type, canSpeculate, shouldBox);
+    setIntTypedArrayLoadResult(node, resultRegs, type, canSpeculate, shouldBox, resultFPR);
 }
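Review bot: The predicate `elementSize(type) == 4 && !isSigned(type)` that gates the FPR allocation on the added lines is now written three times — here, as `isUInt32` inside setIntTypedArrayLoadResult, and again in the EnumeratorGetByVal case added in DFGSpeculativeJIT64.cpp — and the sites must stay in agreement or the callee's ASSERT fires (in release, an invalid FPR would be used). A small helper next to setIntTypedArrayLoadResult, e.g. `static bool isUInt32Load(TypedArrayType type) { return elementSize(type) == 4 && !isSigned(type); }`, used at all three sites would make that coupling explicit. A one-line comment on the allocation, `// Allocate the FPR before any code for this node is emitted, so the temporary is not created on only one path.`, would also explain why it precedes the `prefix(DataFormatInt32)` call rather than sitting next to its use.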
 
 bool SpeculativeJIT::getIntTypedArrayStoreOperand(

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (283937 => 283938)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2021-10-11 21:21:13 UTC (rev 283937)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h	2021-10-11 21:45:29 UTC (rev 283938)
@@ -1469,7 +1469,7 @@
 #endif
         Edge valueUse);
     void loadFromIntTypedArray(GPRReg storageReg, GPRReg propertyReg, GPRReg resultReg, TypedArrayType);
-    void setIntTypedArrayLoadResult(Node*, JSValueRegs resultRegs, TypedArrayType, bool canSpeculate, bool shouldBox);
+    void setIntTypedArrayLoadResult(Node*, JSValueRegs resultRegs, TypedArrayType, bool canSpeculate, bool shouldBox, FPRReg);
     template <typename ClassType> void compileNewFunctionCommon(GPRReg, RegisteredStructure, GPRReg, GPRReg, GPRReg, MacroAssembler::JumpList&, size_t, FunctionExecutable*);
     void compileNewFunction(Node*);
     void compileSetFunctionName(Node*);
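Review bot: The added `FPRReg` parameter in the declaration is unnamed, while its siblings `resultRegs`, `canSpeculate` and `shouldBox` are named, so the header gives no hint of what the register is for or that `InvalidFPRReg` is an accepted value. Naming it to match the definition, `bool shouldBox, FPRReg resultFPR);`, keeps the declaration self-describing; a trailing `// InvalidFPRReg unless the element type is UInt32` would document the sentinel at the API surface.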

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (283937 => 283938)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2021-10-11 21:21:13 UTC (rev 283937)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2021-10-11 21:45:29 UTC (rev 283938)
@@ -3671,6 +3671,12 @@
         GPRReg oldValueGPR = oldValue.gpr();
         resultGPR = result.gpr();
         GPRReg newValueGPR = newValue.gpr();
+        std::optional<FPRTemporary> fprTemp;
+        FPRReg resultFPR = InvalidFPRReg;
+        if (elementSize(type) == 4 && !isSigned(type)) {
+            fprTemp.emplace(this);
+            resultFPR = fprTemp->fpr();
+        }
         
         // FIXME: It shouldn't be necessary to nop-pad between register allocation and a jump label.
         // https://bugs.webkit.org/show_bug.cgi?id=170974
@@ -3774,7 +3780,7 @@
         }
         constexpr bool canSpeculate = false;
         constexpr bool shouldBox = false;
-        setIntTypedArrayLoadResult(node, JSValueRegs(resultGPR), type, canSpeculate, shouldBox);
+        setIntTypedArrayLoadResult(node, JSValueRegs(resultGPR), type, canSpeculate, shouldBox, resultFPR);
         break;
     }
         

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (283937 => 283938)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-10-11 21:21:13 UTC (rev 283937)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2021-10-11 21:45:29 UTC (rev 283938)
@@ -13658,7 +13658,7 @@
             if (elementSize(type) < 4 || isSigned(type))
                 genericResult = boxInt32(genericResult);
             else
-                genericResult = strictInt52ToJSValue(genericResult);
+                genericResult = strictInt52ToJSValue(m_out.zeroExt(genericResult, Int64));
         } else if (genericResult->type() == Double)
             genericResult = boxDouble(genericResult);
 