Title: [199894] trunk/Source/_javascript_Core
Revision
199894
Author
commit-qu...@webkit.org
Date
2016-04-22 12:27:57 -0700 (Fri, 22 Apr 2016)

Log Message

[JSC] Integer Multiply of a number by itself does not need negative zero support
https://bugs.webkit.org/show_bug.cgi?id=156895

Patch by Benjamin Poulain <bpoul...@apple.com> on 2016-04-22
Reviewed by Saam Barati.

You cannot produce negative zero by squaring an integer.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithMul):
Minor codegen fixes:
-Use the right form of multiply for ARM.
-Use sign-extended 32-bit immediates; those are the ones with fast forms
 in the MacroAssembler.

Modified Paths

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (199893 => 199894)


--- trunk/Source/_javascript_Core/ChangeLog	2016-04-22 19:25:40 UTC (rev 199893)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-04-22 19:27:57 UTC (rev 199894)
@@ -1,3 +1,21 @@
+2016-04-22  Benjamin Poulain  <bpoul...@apple.com>
+
+        [JSC] Integer Multiply of a number by itself does not need negative zero support
+        https://bugs.webkit.org/show_bug.cgi?id=156895
+
+        Reviewed by Saam Barati.
+
+        You cannot produce negative zero by squaring an integer.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileArithMul):
+        Minor codegen fixes:
+        -Use the right form of multiply for ARM.
+        -Use a sign-extended 32bit immediates, that's the one with fast forms
+         in the MacroAssembler.
+
 2016-04-21  Darin Adler  <da...@apple.com>
 
         Follow-on to the build fix.

Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.h (199893 => 199894)


--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.h	2016-04-22 19:25:40 UTC (rev 199893)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.h	2016-04-22 19:27:57 UTC (rev 199894)
@@ -322,6 +322,11 @@
         m_assembler.smull(dest, dataTempRegister, dest, src);
     }
 
+    void mul32(RegisterID left, RegisterID right, RegisterID dest)
+    {
+        m_assembler.smull(dest, dataTempRegister, left, right);
+    }
+
     void mul32(TrustedImm32 imm, RegisterID src, RegisterID dest)
     {
         move(imm, dataTempRegister);
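Review bot: The new three-register `mul32` overwrites `dataTempRegister` with the high half of the product, and nothing at the definition says so. SMULL also requires its two destination registers to differ, so `dest` must never be `dataTempRegister`, although either source may be. I would add `// Clobbers dataTempRegister (high 32 bits of the product); dest must not be dataTempRegister.` above the `smull` call, or make `ASSERT(dest != dataTempRegister);` the first line of the body. The hunk ends inside the following `mul32(TrustedImm32, ...)` overload, which is not reviewed here.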

Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (199893 => 199894)


--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2016-04-22 19:25:40 UTC (rev 199893)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp	2016-04-22 19:27:57 UTC (rev 199894)
@@ -248,7 +248,8 @@
                 fixIntOrBooleanEdge(rightChild);
                 if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
                     node->setArithMode(Arith::Unchecked);
-                else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+                else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
+                    || leftChild.node() == rightChild.node())
                     node->setArithMode(Arith::CheckOverflow);
                 else
                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);
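Review bot: The `leftChild.node() == rightChild.node()` test at both `setArithMode(Arith::CheckOverflow)` sites (here and in the Int52 branch of the next hunk) removes a NegativeZero speculation check, but the justification is recorded only in the ChangeLog. A dropped speculation check is hard to audit later, so I would put the argument next to the condition: `// x * x is never -0: the product is zero only when x is zero, and 0 * 0 is +0.` Since the same two-line condition now appears twice, a small local helper would keep the two sites from drifting apart. No test is visible in this diff; a regression test that squares 0, a negative value and a value whose square overflows, in both the Int32 and Int52 paths, would pin the behaviour. Both enclosing blocks start and end outside the hunks.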
@@ -257,7 +258,8 @@
             if (m_graph.binaryArithShouldSpeculateMachineInt(node, FixupPass)) {
                 fixEdge<Int52RepUse>(leftChild);
                 fixEdge<Int52RepUse>(rightChild);
-                if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+                if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
+                    || leftChild.node() == rightChild.node())
                     node->setArithMode(Arith::CheckOverflow);
                 else
                     node->setArithMode(Arith::CheckOverflowAndNegativeZero);

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (199893 => 199894)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2016-04-22 19:25:40 UTC (rev 199893)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2016-04-22 19:27:57 UTC (rev 199894)
@@ -3964,10 +3964,9 @@
         // We can perform truncated multiplications if we get to this point, because if the
         // fixup phase could not prove that it would be safe, it would have turned us into
         // a double multiplication.
-        if (!shouldCheckOverflow(node->arithMode())) {
-            m_jit.move(reg1, result.gpr());
-            m_jit.mul32(reg2, result.gpr());
-        } else {
+        if (!shouldCheckOverflow(node->arithMode()))
+            m_jit.mul32(reg1, reg2, result.gpr());
+        else {
             speculationCheck(
                 Overflow, JSValueRegs(), 0,
                 m_jit.branchMul32(MacroAssembler::Overflow, reg1, reg2, result.gpr()));
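Review bot: The unchecked path now relies on every backend providing a three-register `mul32(left, right, dest)` that stays correct when `dest` aliases a source; whether `result.gpr()` can alias `reg1` or `reg2` is decided outside this hunk. The ARMv7 overload added in this commit reads both sources in a single instruction, so it appears safe there, but the other backends are not part of this diff and should be confirmed. A one-line comment such as `// mul32(left, right, dest) must tolerate dest aliasing either source.` would record the requirement. The `else` block continues past the end of the hunk.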
@@ -4031,10 +4030,10 @@
                 MacroAssembler::NonZero, resultGPR);
             speculationCheck(
                 NegativeZero, JSValueRegs(), 0,
-                m_jit.branch64(MacroAssembler::LessThan, op1GPR, TrustedImm64(0)));
+                m_jit.branch64(MacroAssembler::LessThan, op1GPR, TrustedImm32(0)));
             speculationCheck(
                 NegativeZero, JSValueRegs(), 0,
-                m_jit.branch64(MacroAssembler::LessThan, op2GPR, TrustedImm64(0)));
+                m_jit.branch64(MacroAssembler::LessThan, op2GPR, TrustedImm32(0)));
             resultNonZero.link(&m_jit);
         }
         
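Review bot: `branch64(..., TrustedImm32(0))` compares a 64-bit register against a 32-bit immediate, which matches the old `TrustedImm64(0)` only because the immediate is sign-extended (as the log message states) and the value is zero. A short comment on the first call, e.g. `// TrustedImm32 is sign-extended to 64 bits by branch64; identical to TrustedImm64(0) here.`, would stop a later edit from substituting a constant where zero- versus sign-extension matters. The same applies to the `op2GPR` check a few lines below. The enclosing block starts outside the hunk.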