Diff
Modified: branches/safari-610.1.12-branch/JSTests/ChangeLog (261349 => 261350)
--- branches/safari-610.1.12-branch/JSTests/ChangeLog 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/JSTests/ChangeLog 2020-05-07 23:50:36 UTC (rev 261350)
@@ -1,3 +1,99 @@
+2020-05-07 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r261147. rdar://problem/62995512
+
+ [JSC] DFG NotCellUse is used without considering about BigInt32
+ https://bugs.webkit.org/show_bug.cgi?id=211395
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/non-cell-nor-bigint-should-be-emitted-for-to-number-target-if-bigint-appears.js: Added.
+ (shouldThrow):
+ (test):
+ (i.shouldThrow):
+ * stress/non-cell-nor-bigint-should-reject-bigint.js: Added.
+ (shouldBe):
+ (test):
+ * stress/should-not-emit-double-rep-for-bigint.js: Added.
+ (foo):
+ * stress/urshift-value-to-int32-should-reject-bigint.js: Added.
+ (shouldThrow):
+ (test):
+ (i.shouldThrow):
+
+ Source/_javascript_Core:
+
+ When we see CompareXXX(BigInt32, Double), we are emitting CompareXXX(DoubleRep(BigInt:NotCellUse), Double). But this has two problems.
+
+ 1. We should emit CompareXXX(UntypedUse, UntypedUse) in this case.
+ 2. DoubleRep(NotCellUse) does not support converting BigInt32 to double. Since DoubleRep's semantics is for ToNumber, it should not
+ accept BigInt32 since it should throw an error. However, DoubleRep currently assumes that NotCellUse value can be converted to double
+ without any errors.
+
+ To keep DoubleRep's semantics ToNumber, we replace NotCellUse with NotCellNorBigIntUse, which rejects BigInt32. This patch also uses NotCellNorBigIntUse
+ for ValueToInt32 because of the same reason.
+
+ For CompareXXX and CompareEq nodes, we can optimize it if we introduce new DoubleRepAcceptingBigInt32 DFG node which can convert BigInt32 to Double, since
+ CompareXXX and CompareEq are not requiring toNumber semantics. This should be done in a separate bug https://bugs.webkit.org/show_bug.cgi?id=211407.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isNotCellNorBigIntSpeculation):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixIntConvertingEdge):
+ (JSC::DFG::FixupPhase::fixupChecksInBlock):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::shouldSpeculateNotCellNorBigInt):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ (JSC::DFG::SpeculativeJIT::speculateNotCellNorBigInt):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::checkMayCrashIfInputIsEmpty):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
+ (JSC::FTL::DFG::LowerDFGToB3::compileValueToInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellNorBigIntToInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateNotCellNorBigInt):
+ (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32): Deleted.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@261147 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-05-04 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] DFG NotCellUse is used without considering about BigInt32
+ https://bugs.webkit.org/show_bug.cgi?id=211395
+
+ Reviewed by Saam Barati.
+
+ * stress/non-cell-nor-bigint-should-be-emitted-for-to-number-target-if-bigint-appears.js: Added.
+ (shouldThrow):
+ (test):
+ (i.shouldThrow):
+ * stress/non-cell-nor-bigint-should-reject-bigint.js: Added.
+ (shouldBe):
+ (test):
+ * stress/should-not-emit-double-rep-for-bigint.js: Added.
+ (foo):
+ * stress/urshift-value-to-int32-should-reject-bigint.js: Added.
+ (shouldThrow):
+ (test):
+ (i.shouldThrow):
+
2020-05-01 Yusuke Suzuki <ysuz...@apple.com>
Fix stress/big-int-negate-jit.js
Added: branches/safari-610.1.12-branch/JSTests/stress/non-cell-nor-bigint-should-be-emitted-for-to-number-target-if-bigint-appears.js (0 => 261350)
--- branches/safari-610.1.12-branch/JSTests/stress/non-cell-nor-bigint-should-be-emitted-for-to-number-target-if-bigint-appears.js (rev 0)
+++ branches/safari-610.1.12-branch/JSTests/stress/non-cell-nor-bigint-should-be-emitted-for-to-number-target-if-bigint-appears.js 2020-05-07 23:50:36 UTC (rev 261350)
@@ -0,0 +1,42 @@
+function shouldThrow(func, errorMessage) {
+ var errorThrown = false;
+ var error = null;
+ try {
+ func();
+ } catch (e) {
+ errorThrown = true;
+ error = e;
+ }
+ if (!errorThrown)
+ throw new Error('not thrown');
+ if (String(error) !== errorMessage)
+ throw new Error(`bad error: ${String(error)}`);
+}
+
+function shouldBe(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+function test(value) {
+ return Math.abs(value);
+}
+noInline(test);
+
+for (var i = 0; i < 1e4; ++i) {
+ shouldBe(test(null), 0);
+ shouldBe(test(false), 0);
+ shouldBe(test(0.5), 0.5);
+}
+
+for (var i = 0; i < 1e2; ++i) {
+ shouldThrow(() => {
+ test(2n);
+ }, `TypeError: Conversion from 'BigInt' to 'number' is not allowed.`);
+ shouldThrow(() => {
+ test(0xf00000n);
+ }, `TypeError: Conversion from 'BigInt' to 'number' is not allowed.`);
+ shouldThrow(() => {
+ test(0xffffffffffffffffffffffffffn);
+ }, `TypeError: Conversion from 'BigInt' to 'number' is not allowed.`);
+}
Added: branches/safari-610.1.12-branch/JSTests/stress/non-cell-nor-bigint-should-reject-bigint.js (0 => 261350)
--- branches/safari-610.1.12-branch/JSTests/stress/non-cell-nor-bigint-should-reject-bigint.js (rev 0)
+++ branches/safari-610.1.12-branch/JSTests/stress/non-cell-nor-bigint-should-reject-bigint.js 2020-05-07 23:50:36 UTC (rev 261350)
@@ -0,0 +1,19 @@
+function shouldBe(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+function test(a, b) {
+ return a < b;
+}
+noInline(test);
+
+for (var i = 0; i < 1e4; ++i) {
+ shouldBe(test(null, 0.2), true);
+ shouldBe(test(0.5, 0.2), false);
+ shouldBe(test(0.5, undefined), false);
+}
+
+shouldBe(test(1, 2), true);
+for (var i = 0; i < 1e3; ++i)
+ shouldBe(test(1n, 2), true);
Added: branches/safari-610.1.12-branch/JSTests/stress/should-not-emit-double-rep-for-bigint.js (0 => 261350)
--- branches/safari-610.1.12-branch/JSTests/stress/should-not-emit-double-rep-for-bigint.js (rev 0)
+++ branches/safari-610.1.12-branch/JSTests/stress/should-not-emit-double-rep-for-bigint.js 2020-05-07 23:50:36 UTC (rev 261350)
@@ -0,0 +1,10 @@
+//@ runDefault("--validateAbstractInterpreterState=1")
+
+function foo(x) {
+ if (x > 0n)
+ return
+}
+
+for (let i = 0; i < 10000000; i++) {
+ foo(1);
+}
Added: branches/safari-610.1.12-branch/JSTests/stress/urshift-value-to-int32-should-reject-bigint.js (0 => 261350)
--- branches/safari-610.1.12-branch/JSTests/stress/urshift-value-to-int32-should-reject-bigint.js (rev 0)
+++ branches/safari-610.1.12-branch/JSTests/stress/urshift-value-to-int32-should-reject-bigint.js 2020-05-07 23:50:36 UTC (rev 261350)
@@ -0,0 +1,42 @@
+function shouldThrow(func, errorMessage) {
+ var errorThrown = false;
+ var error = null;
+ try {
+ func();
+ } catch (e) {
+ errorThrown = true;
+ error = e;
+ }
+ if (!errorThrown)
+ throw new Error('not thrown');
+ if (String(error) !== errorMessage)
+ throw new Error(`bad error: ${String(error)}`);
+}
+
+function shouldBe(actual, expected) {
+ if (actual !== expected)
+ throw new Error('bad value: ' + actual);
+}
+
+function test(value) {
+ return value >>> 3;
+}
+noInline(test);
+
+for (var i = 0; i < 1e4; ++i) {
+ shouldBe(test(null), 0);
+ shouldBe(test(false), 0);
+ shouldBe(test(10000000), 1250000);
+}
+
+for (var i = 0; i < 1e2; ++i) {
+ shouldThrow(() => {
+ test(2n);
+ }, `TypeError: BigInt does not support >>> operator`);
+ shouldThrow(() => {
+ test(0xf00000n);
+ }, `TypeError: BigInt does not support >>> operator`);
+ shouldThrow(() => {
+ test(0xffffffffffffffffffffffffffn);
+ }, `TypeError: BigInt does not support >>> operator`);
+}
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/ChangeLog (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/ChangeLog 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/ChangeLog 2020-05-07 23:50:36 UTC (rev 261350)
@@ -1,3 +1,131 @@
+2020-05-07 Alan Coon <alanc...@apple.com>
+
+ Cherry-pick r261147. rdar://problem/62995512
+
+ [JSC] DFG NotCellUse is used without considering about BigInt32
+ https://bugs.webkit.org/show_bug.cgi?id=211395
+
+ Reviewed by Saam Barati.
+
+ JSTests:
+
+ * stress/non-cell-nor-bigint-should-be-emitted-for-to-number-target-if-bigint-appears.js: Added.
+ (shouldThrow):
+ (test):
+ (i.shouldThrow):
+ * stress/non-cell-nor-bigint-should-reject-bigint.js: Added.
+ (shouldBe):
+ (test):
+ * stress/should-not-emit-double-rep-for-bigint.js: Added.
+ (foo):
+ * stress/urshift-value-to-int32-should-reject-bigint.js: Added.
+ (shouldThrow):
+ (test):
+ (i.shouldThrow):
+
+ Source/_javascript_Core:
+
+ When we see CompareXXX(BigInt32, Double), we are emitting CompareXXX(DoubleRep(BigInt:NotCellUse), Double). But this has two problems.
+
+ 1. We should emit CompareXXX(UntypedUse, UntypedUse) in this case.
+ 2. DoubleRep(NotCellUse) does not support converting BigInt32 to double. Since DoubleRep's semantics is for ToNumber, it should not
+ accept BigInt32 since it should throw an error. However, DoubleRep currently assumes that NotCellUse value can be converted to double
+ without any errors.
+
+ To keep DoubleRep's semantics ToNumber, we replace NotCellUse with NotCellNorBigIntUse, which rejects BigInt32. This patch also uses NotCellNorBigIntUse
+ for ValueToInt32 because of the same reason.
+
+ For CompareXXX and CompareEq nodes, we can optimize it if we introduce new DoubleRepAcceptingBigInt32 DFG node which can convert BigInt32 to Double, since
+ CompareXXX and CompareEq are not requiring toNumber semantics. This should be done in a separate bug https://bugs.webkit.org/show_bug.cgi?id=211407.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isNotCellNorBigIntSpeculation):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixIntConvertingEdge):
+ (JSC::DFG::FixupPhase::fixupChecksInBlock):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::shouldSpeculateNotCellNorBigInt):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ (JSC::DFG::SpeculativeJIT::speculateNotCellNorBigInt):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::checkMayCrashIfInputIsEmpty):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
+ (JSC::FTL::DFG::LowerDFGToB3::compileValueToInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellNorBigIntToInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateNotCellNorBigInt):
+ (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32): Deleted.
+
+ git-svn-id: https://svn.webkit.org/repository/webkit/trunk@261147 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+ 2020-05-04 Yusuke Suzuki <ysuz...@apple.com>
+
+ [JSC] DFG NotCellUse is used without considering about BigInt32
+ https://bugs.webkit.org/show_bug.cgi?id=211395
+
+ Reviewed by Saam Barati.
+
+ When we see CompareXXX(BigInt32, Double), we are emitting CompareXXX(DoubleRep(BigInt:NotCellUse), Double). But this has two problems.
+
+ 1. We should emit CompareXXX(UntypedUse, UntypedUse) in this case.
+ 2. DoubleRep(NotCellUse) does not support converting BigInt32 to double. Since DoubleRep's semantics is for ToNumber, it should not
+ accept BigInt32 since it should throw an error. However, DoubleRep currently assumes that NotCellUse value can be converted to double
+ without any errors.
+
+ To keep DoubleRep's semantics ToNumber, we replace NotCellUse with NotCellNorBigIntUse, which rejects BigInt32. This patch also uses NotCellNorBigIntUse
+ for ValueToInt32 because of the same reason.
+
+ For CompareXXX and CompareEq nodes, we can optimize it if we introduce new DoubleRepAcceptingBigInt32 DFG node which can convert BigInt32 to Double, since
+ CompareXXX and CompareEq are not requiring toNumber semantics. This should be done in a separate bug https://bugs.webkit.org/show_bug.cgi?id=211407.
+
+ * bytecode/SpeculatedType.h:
+ (JSC::isNotCellNorBigIntSpeculation):
+ * dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ (JSC::DFG::FixupPhase::fixIntConvertingEdge):
+ (JSC::DFG::FixupPhase::fixupChecksInBlock):
+ * dfg/DFGNode.h:
+ (JSC::DFG::Node::shouldSpeculateNotCellNorBigInt):
+ * dfg/DFGSafeToExecute.h:
+ (JSC::DFG::SafeToExecuteEdge::operator()):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileValueToInt32):
+ (JSC::DFG::SpeculativeJIT::compileDoubleRep):
+ (JSC::DFG::SpeculativeJIT::speculateNotCellNorBigInt):
+ (JSC::DFG::SpeculativeJIT::speculate):
+ * dfg/DFGSpeculativeJIT.h:
+ * dfg/DFGUseKind.cpp:
+ (WTF::printInternal):
+ * dfg/DFGUseKind.h:
+ (JSC::DFG::typeFilterFor):
+ (JSC::DFG::checkMayCrashIfInputIsEmpty):
+ * ftl/FTLCapabilities.cpp:
+ (JSC::FTL::canCompile):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
+ (JSC::FTL::DFG::LowerDFGToB3::compileValueToInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellNorBigIntToInt32):
+ (JSC::FTL::DFG::LowerDFGToB3::speculate):
+ (JSC::FTL::DFG::LowerDFGToB3::speculateNotCellNorBigInt):
+ (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32): Deleted.
+
2020-05-02 Mark Lam <mark....@apple.com>
Gardening: rolling out r261050 and r261051.
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/bytecode/SpeculatedType.h (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/bytecode/SpeculatedType.h 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/bytecode/SpeculatedType.h 2020-05-07 23:50:36 UTC (rev 261350)
@@ -152,6 +152,11 @@
return !(value & SpecCellCheck) && value;
}
+inline bool isNotCellNorBigIntSpeculation(SpeculatedType value)
+{
+ return !(value & (SpecCellCheck | SpecBigInt)) && value;
+}
+
inline bool isObjectSpeculation(SpeculatedType value)
{
return !!(value & SpecObject) && !(value & ~SpecObject);
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGAbstractInterpreterInlines.h 2020-05-07 23:50:36 UTC (rev 261350)
@@ -709,7 +709,7 @@
SpeculatedType type = forNode(node->child1()).m_type;
switch (node->child1().useKind()) {
- case NotCellUse: {
+ case NotCellNorBigIntUse: {
if (type & SpecOther) {
type &= ~SpecOther;
type |= SpecDoublePureNaN | SpecBoolInt32; // Null becomes zero, undefined becomes NaN.
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2020-05-07 23:50:36 UTC (rev 261350)
@@ -429,7 +429,7 @@
}
case ArithClz32: {
- if (node->child1()->shouldSpeculateNotCell()) {
+ if (node->child1()->shouldSpeculateNotCellNorBigInt()) {
fixIntConvertingEdge(node->child1());
node->clearFlags(NodeMustGenerate);
} else
@@ -476,7 +476,7 @@
node->clearFlags(NodeMustGenerate);
break;
}
- if (node->child1()->shouldSpeculateNotCell()) {
+ if (node->child1()->shouldSpeculateNotCellNorBigInt()) {
node->setOp(ArithNegate);
fixDoubleOrBooleanEdge(node->child1());
node->setResult(NodeResultDouble);
@@ -741,7 +741,7 @@
break;
}
- if (node->child1()->shouldSpeculateNotCell()) {
+ if (node->child1()->shouldSpeculateNotCellNorBigInt()) {
fixDoubleOrBooleanEdge(node->child1());
node->clearFlags(NodeMustGenerate);
} else
@@ -800,7 +800,7 @@
node->convertToIdentity();
break;
}
- if (node->child1()->shouldSpeculateNotCell()) {
+ if (node->child1()->shouldSpeculateNotCellNorBigInt()) {
fixDoubleOrBooleanEdge(node->child1());
if (isInt32OrBooleanSpeculation(node->getHeapPrediction()) && m_graph.roundShouldSpeculateInt32(node, FixupPass)) {
@@ -823,7 +823,7 @@
case ArithSqrt:
case ArithUnary: {
Edge& child1 = node->child1();
- if (child1->shouldSpeculateNotCell()) {
+ if (child1->shouldSpeculateNotCellNorBigInt()) {
fixDoubleOrBooleanEdge(child1);
node->clearFlags(NodeMustGenerate);
} else
@@ -910,9 +910,12 @@
fixDoubleOrBooleanEdge(node->child1());
fixDoubleOrBooleanEdge(node->child2());
}
+
+ // FIXME: We can convert BigInt32 to Double in Compare nodes since they do not require ToNumber semantics.
+ // https://bugs.webkit.org/show_bug.cgi?id=211407
if (node->op() != CompareEq
- && node->child1()->shouldSpeculateNotCell()
- && node->child2()->shouldSpeculateNotCell()) {
+ && node->child1()->shouldSpeculateNotCellNorBigInt()
+ && node->child2()->shouldSpeculateNotCellNorBigInt()) {
if (node->child1()->shouldSpeculateNumberOrBoolean())
fixDoubleOrBooleanEdge(node->child1());
else
@@ -3690,7 +3693,7 @@
else if (node->shouldSpeculateNumber())
useKind = DoubleRepUse;
else
- useKind = NotCellUse;
+ useKind = NotCellNorBigIntUse;
Node* newNode = m_insertionSet.insertNode(
m_indexInBlock, SpecInt32Only, ValueToInt32, m_currentNode->origin,
Edge(node, useKind));
@@ -4341,7 +4344,7 @@
else if (edge->shouldSpeculateNumber())
useKind = NumberUse;
else
- useKind = NotCellUse;
+ useKind = NotCellNorBigIntUse;
result = m_insertionSet.insertNode(
indexForChecks, SpecBytecodeDouble, DoubleRep, originForChecks,
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGNode.h (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGNode.h 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGNode.h 2020-05-07 23:50:36 UTC (rev 261350)
@@ -2765,6 +2765,11 @@
{
return isNotCellSpeculation(prediction());
}
+
+ bool shouldSpeculateNotCellNorBigInt()
+ {
+ return isNotCellNorBigIntSpeculation(prediction());
+ }
bool shouldSpeculateUntypedForArithmetic()
{
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGSafeToExecute.h (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGSafeToExecute.h 2020-05-07 23:50:36 UTC (rev 261350)
@@ -87,6 +87,7 @@
case NotStringVarUse:
case NotSymbolUse:
case NotCellUse:
+ case NotCellNorBigIntUse:
case OtherUse:
case MiscUse:
case AnyIntUse:
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2020-05-07 23:50:36 UTC (rev 261350)
@@ -2383,7 +2383,7 @@
}
case NumberUse:
- case NotCellUse: {
+ case NotCellNorBigIntUse: {
switch (checkGeneratedTypeForToInt32(node->child1().node())) {
case GeneratedOperandInteger: {
SpeculateInt32Operand op1(this, node->child1(), ManualOperandSpeculation);
@@ -2414,6 +2414,10 @@
DFG_TYPE_CHECK(
JSValueRegs(gpr), node->child1(), ~SpecCellCheck, m_jit.branchIfCell(JSValueRegs(gpr)));
+#if USE(BIGINT32)
+ DFG_TYPE_CHECK(
+ JSValueRegs(gpr), node->child1(), ~SpecCellCheck & ~SpecBigInt, m_jit.branchIfBigInt32(JSValueRegs(gpr), resultGpr));
+#endif
// It's not a cell: so true turns into 1 and all else turns into 0.
m_jit.compare64(JITCompiler::Equal, gpr, TrustedImm32(JSValue::ValueTrue), resultGpr);
@@ -2609,7 +2613,7 @@
return;
}
- case NotCellUse:
+ case NotCellNorBigIntUse:
case NumberUse: {
SpeculatedType possibleTypes = m_state.forNode(node->child1()).m_type;
if (isInt32Speculation(possibleTypes)) {
@@ -2633,7 +2637,7 @@
JITCompiler::Jump isInteger = m_jit.branchIfInt32(op1GPR);
- if (node->child1().useKind() == NotCellUse) {
+ if (node->child1().useKind() == NotCellNorBigIntUse) {
JITCompiler::Jump isNumber = m_jit.branchIfNumber(op1GPR);
JITCompiler::Jump isUndefined = m_jit.branchIfUndefined(op1GPR);
@@ -2643,7 +2647,7 @@
JITCompiler::Jump isNull = m_jit.branchIfNull(op1GPR);
done.append(isNull);
- DFG_TYPE_CHECK(JSValueRegs(op1GPR), node->child1(), ~SpecCellCheck,
+ DFG_TYPE_CHECK(JSValueRegs(op1GPR), node->child1(), ~SpecCellCheck & ~SpecBigInt,
m_jit.branchTest64(JITCompiler::Zero, op1GPR, TrustedImm32(JSValue::BoolTag)));
JITCompiler::Jump isFalse = m_jit.branch64(JITCompiler::Equal, op1GPR, TrustedImm64(JSValue::ValueFalse));
@@ -2681,7 +2685,7 @@
JITCompiler::Jump isInteger = m_jit.branchIfInt32(op1TagGPR);
- if (node->child1().useKind() == NotCellUse) {
+ if (node->child1().useKind() == NotCellNorBigIntUse) {
JITCompiler::Jump isNumber = m_jit.branch32(JITCompiler::Below, op1TagGPR, JITCompiler::TrustedImm32(JSValue::LowestTag + 1));
JITCompiler::Jump isUndefined = m_jit.branchIfUndefined(op1TagGPR);
@@ -10833,6 +10837,25 @@
speculateNotCell(edge, operand.jsValueRegs());
}
+void SpeculativeJIT::speculateNotCellNorBigInt(Edge edge)
+{
+#if USE(BIGINT32)
+ if (!needsTypeCheck(edge, ~SpecCellCheck & ~SpecBigInt))
+ return;
+
+ JSValueOperand operand(this, edge, ManualOperandSpeculation);
+ GPRTemporary temp(this);
+
+ JSValueRegs regs = operand.jsValueRegs();
+ GPRReg tempGPR = temp.gpr();
+
+ DFG_TYPE_CHECK(regs, edge, ~SpecCellCheck, m_jit.branchIfCell(regs));
+ DFG_TYPE_CHECK(regs, edge, ~SpecCellCheck & ~SpecBigInt, m_jit.branchIfBigInt32(regs, tempGPR));
+#else
+ speculateNotCell(edge);
+#endif
+}
+
void SpeculativeJIT::speculateOther(Edge edge, JSValueRegs regs, GPRReg tempGPR)
{
DFG_TYPE_CHECK(regs, edge, SpecOther, m_jit.branchIfNotOther(regs, tempGPR));
@@ -11012,6 +11035,9 @@
case NotCellUse:
speculateNotCell(edge);
break;
+ case NotCellNorBigIntUse:
+ speculateNotCellNorBigInt(edge);
+ break;
case OtherUse:
speculateOther(edge);
break;
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.h 2020-05-07 23:50:36 UTC (rev 261350)
@@ -1639,6 +1639,7 @@
void speculateHeapBigInt(Edge);
void speculateNotCell(Edge, JSValueRegs);
void speculateNotCell(Edge);
+ void speculateNotCellNorBigInt(Edge);
void speculateOther(Edge, JSValueRegs, GPRReg temp);
void speculateOther(Edge, JSValueRegs);
void speculateOther(Edge);
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGUseKind.cpp (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGUseKind.cpp 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGUseKind.cpp 2020-05-07 23:50:36 UTC (rev 261350)
@@ -169,6 +169,9 @@
case NotCellUse:
out.print("NotCell");
return;
+ case NotCellNorBigIntUse:
+ out.print("NotCellNorBigInt");
+ return;
case KnownOtherUse:
out.print("KnownOther");
return;
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGUseKind.h (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGUseKind.h 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/dfg/DFGUseKind.h 2020-05-07 23:50:36 UTC (rev 261350)
@@ -80,6 +80,7 @@
NotStringVarUse,
NotSymbolUse,
NotCellUse,
+ NotCellNorBigIntUse,
KnownOtherUse,
OtherUse,
MiscUse,
@@ -184,6 +185,8 @@
return ~SpecSymbol;
case NotCellUse:
return ~SpecCellCheck;
+ case NotCellNorBigIntUse:
+ return ~SpecCellCheck & ~SpecBigInt;
case KnownOtherUse:
case OtherUse:
return SpecOther;
@@ -301,6 +304,7 @@
case OtherUse:
case MiscUse:
case NotCellUse:
+ case NotCellNorBigIntUse:
return false;
default:
return true;
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/ftl/FTLCapabilities.cpp (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/ftl/FTLCapabilities.cpp 2020-05-07 23:50:36 UTC (rev 261350)
@@ -500,6 +500,7 @@
case ProxyObjectUse:
case DerivedArrayUse:
case NotCellUse:
+ case NotCellNorBigIntUse:
case OtherUse:
case KnownOtherUse:
case MiscUse:
Modified: branches/safari-610.1.12-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (261349 => 261350)
--- branches/safari-610.1.12-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2020-05-07 23:50:31 UTC (rev 261349)
+++ branches/safari-610.1.12-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2020-05-07 23:50:36 UTC (rev 261350)
@@ -1754,9 +1754,9 @@
return;
}
- case NotCellUse:
+ case NotCellNorBigIntUse:
case NumberUse: {
- bool shouldConvertNonNumber = m_node->child1().useKind() == NotCellUse;
+ bool shouldConvertNonNumber = m_node->child1().useKind() == NotCellNorBigIntUse;
LValue value = lowJSValue(m_node->child1(), ManualOperandSpeculation);
@@ -1819,7 +1819,7 @@
m_out.appendTo(convertBooleanFalseCase, continuation);
LValue valueIsNotBooleanFalse = m_out.notEqual(value, m_out.constInt64(JSValue::ValueFalse));
- FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), ~SpecCellCheck, valueIsNotBooleanFalse);
+ FTL_TYPE_CHECK(jsValueValue(value), m_node->child1(), ~SpecCellCheck & ~SpecBigInt, valueIsNotBooleanFalse);
ValueFromBlock convertedFalse = m_out.anchor(m_out.constDouble(0));
m_out.jump(continuation);
@@ -1914,7 +1914,7 @@
break;
case NumberUse:
- case NotCellUse: {
+ case NotCellNorBigIntUse: {
LoweredNodeValue value = m_int32Values.get(m_node->child1().node());
if (isValid(value)) {
setInt32(value.value());
@@ -1923,7 +1923,7 @@
value = m_jsValueValues.get(m_node->child1().node());
if (isValid(value)) {
- setInt32(numberOrNotCellToInt32(m_node->child1(), value.value()));
+ setInt32(numberOrNotCellNorBigIntToInt32(m_node->child1(), value.value()));
break;
}
@@ -1930,7 +1930,7 @@
// We'll basically just get here for constants. But it's good to have this
// catch-all since we often add new representations into the mix.
setInt32(
- numberOrNotCellToInt32(
+ numberOrNotCellNorBigIntToInt32(
m_node->child1(),
lowJSValue(m_node->child1(), ManualOperandSpeculation)));
break;
@@ -13165,13 +13165,13 @@
m_out.appendTo(continuation, lastNext);
}
- LValue numberOrNotCellToInt32(Edge edge, LValue value)
+ LValue numberOrNotCellNorBigIntToInt32(Edge edge, LValue value)
{
LBasicBlock intCase = m_out.newBlock();
LBasicBlock notIntCase = m_out.newBlock();
LBasicBlock doubleCase = 0;
LBasicBlock notNumberCase = 0;
- if (edge.useKind() == NotCellUse) {
+ if (edge.useKind() == NotCellNorBigIntUse) {
doubleCase = m_out.newBlock();
notNumberCase = m_out.newBlock();
}
@@ -13202,6 +13202,9 @@
m_out.appendTo(notNumberCase, continuation);
FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecCellCheck, isCell(value));
+#if USE(BIGINT32)
+ FTL_TYPE_CHECK(jsValueValue(value), edge, ~SpecCellCheck & ~SpecBigInt, isBigInt32(value));
+#endif
LValue specialResult = m_out.select(
m_out.equal(value, m_out.constInt64(JSValue::encode(jsBoolean(true)))),
@@ -17563,6 +17566,9 @@
case NotCellUse:
speculateNotCell(edge);
break;
+ case NotCellNorBigIntUse:
+ speculateNotCellNorBigInt(edge);
+ break;
case OtherUse:
speculateOther(edge);
break;
@@ -17595,6 +17601,18 @@
return;
lowNotCell(edge);
}
+
+ void speculateNotCellNorBigInt(Edge edge)
+ {
+#if USE(BIGINT32)
+ if (!m_interpreter.needsTypeCheck(edge))
+ return;
+ LValue nonCell = lowNotCell(edge);
+ FTL_TYPE_CHECK(jsValueValue(nonCell), edge, ~SpecCellCheck & ~SpecBigInt, isBigInt32(nonCell));
+#else
+ speculateNotCell(edge);
+#endif
+ }
void speculateCellOrOther(Edge edge)
{
