Title: [214240] trunk/Source/_javascript_Core
- Revision
- 214240
- Author
- mark....@apple.com
- Date
- 2017-03-21 18:55:00 -0700 (Tue, 21 Mar 2017)
Log Message
The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
https://bugs.webkit.org/show_bug.cgi?id=169933
<rdar://problem/31105125>
Reviewed by Filip Pizlo and Geoffrey Garen.
Also fixed the bit-rotted RangeKey::dump() function.
* dfg/DFGIntegerCheckCombiningPhase.cpp:
(JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (214239 => 214240)
--- trunk/Source/_javascript_Core/ChangeLog 2017-03-22 01:44:21 UTC (rev 214239)
+++ trunk/Source/_javascript_Core/ChangeLog 2017-03-22 01:55:00 UTC (rev 214240)
@@ -1,3 +1,16 @@
+2017-03-21 Mark Lam <mark....@apple.com>
+
+ The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
+ https://bugs.webkit.org/show_bug.cgi?id=169933
+ <rdar://problem/31105125>
+
+ Reviewed by Filip Pizlo and Geoffrey Garen.
+
+ Also fixed the bit-rotted RangeKey::dump() function.
+
+ * dfg/DFGIntegerCheckCombiningPhase.cpp:
+ (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
+
2017-03-21 Csaba Osztrogonác <o...@webkit.org>
[ARM] Add missing MacroAssembler functions after r214187
Modified: trunk/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp (214239 => 214240)
--- trunk/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp 2017-03-22 01:44:21 UTC (rev 214239)
+++ trunk/Source/_javascript_Core/dfg/DFGIntegerCheckCombiningPhase.cpp 2017-03-22 01:55:00 UTC (rev 214240)
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2014 Apple Inc. All rights reserved.
+ * Copyright (C) 2014-2017 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -105,7 +105,16 @@
out.print("ArrayBounds(");
break;
}
- out.print(m_source, ", ", m_key, ")");
+ if (m_source)
+ out.print(m_source);
+ else
+ out.print("null");
+ out.print(", ");
+ if (m_key)
+ out.print(m_key);
+ else
+ out.print("null");
+ out.print(")");
}
RangeKind m_kind;
@@ -249,7 +258,13 @@
Node* maxNode;
if (!data.m_key.m_source) {
- minNode = 0;
+ // data.m_key.m_source being null means that we're comparing against int32 constants (see rangeKeyAndAddend()).
+ // Since CheckInBounds does an unsigned comparison, if the minBound >= 0, it is also covered by the
+ // maxBound comparison. However, if minBound < 0, then CheckInBounds should always fail its speculation check.
+ // We'll force an OSR exit in that case.
+ minNode = nullptr;
+ if (range.m_minBound < 0)
+ m_insertionSet.insertNode(nodeIndex, SpecNone, ForceOSRExit, node->origin);
maxNode = m_insertionSet.insertConstant(
nodeIndex, maxOrigin, jsNumber(range.m_maxBound));
} else {
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes
