[webkit-changes] [200990] trunk/Source/JavaScriptCore

[commit-queue]

Title: [200990] trunk/Source/_javascript_Core

Revision

200990

Author

commit-qu...@webkit.org

Date

2016-05-16 20:28:46 -0700 (Mon, 16 May 2016)

Log Message

[JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
https://bugs.webkit.org/show_bug.cgi?id=157700

Patch by Benjamin Poulain <bpoul...@apple.com> on 2016-05-16
Reviewed by Michael Saboff.

In general, fillSpeculateInt32() originate from SpeculateInt32
and the user does not care about the tag.

This is particularily obvious on Sunspider's math-spectral-norm.js.
In that test, registers are frequently spilled because of x86's DIV.

When they are re-filled, they were always tagged.
Since the loops are small, all the tagging adds up.

* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):

Modified Paths

• trunk/Source/_javascript_Core/ChangeLog
• trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp

Diff

Modified: trunk/Source/_javascript_Core/ChangeLog (200989 => 200990)

--- trunk/Source/_javascript_Core/ChangeLog	2016-05-17 02:34:14 UTC (rev 200989)
+++ trunk/Source/_javascript_Core/ChangeLog	2016-05-17 03:28:46 UTC (rev 200990)
@@ -1,3 +1,22 @@
+2016-05-16  Benjamin Poulain  <bpoul...@apple.com>
+
+        [JSC][DFG] Fill spilled Int32 as Int32 instead of JSInt32
+        https://bugs.webkit.org/show_bug.cgi?id=157700
+
+        Reviewed by Michael Saboff.
+
+        In general, fillSpeculateInt32() originate from SpeculateInt32
+        and the user does not care about the tag.
+
+        This is particularily obvious on Sunspider's math-spectral-norm.js.
+        In that test, registers are frequently spilled because of x86's DIV.
+
+        When they are re-filled, they were always tagged.
+        Since the loops are small, all the tagging adds up.
+
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::fillSpeculateInt32Internal):
+
 2016-05-16  Saam barati  <sbar...@apple.com>
 
         Unreviewed Cloop build fix.

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp (200989 => 200990)

--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2016-05-17 02:34:14 UTC (rev 200989)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT64.cpp	2016-05-17 03:28:46 UTC (rev 200990)
@@ -942,11 +942,13 @@
             }
             if (spillFormat == DataFormatInt32) {
                 m_jit.load32(JITCompiler::addressFor(virtualRegister), gpr);
-                m_jit.or64(GPRInfo::tagTypeNumberRegister, gpr);
-            } else
+                info.fillInt32(*m_stream, gpr);
+                returnFormat = DataFormatInt32;
+            } else {
                 m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);
-            info.fillJSValue(*m_stream, gpr, DataFormatJSInt32);
-            returnFormat = DataFormatJSInt32;
+                info.fillJSValue(*m_stream, gpr, DataFormatJSInt32);
+                returnFormat = DataFormatJSInt32;
+            }
             return gpr;
         }
         m_jit.load64(JITCompiler::addressFor(virtualRegister), gpr);

_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes