Title: [240998] trunk/Source/_javascript_Core
Revision
240998
Author
[email protected]
Date
2019-02-05 15:34:05 -0800 (Tue, 05 Feb 2019)

Log Message

Fix DFG's doesGC() for a few more nodes.
https://bugs.webkit.org/show_bug.cgi?id=194307
<rdar://problem/47832956>

Reviewed by Yusuke Suzuki.

Fix doesGC() for the following nodes:

    NumberToStringWithValidRadixConstant:
        Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
        which can allocate a string.
        Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
        which can allocate a string.
        Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
        which can allocate a string.

    RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
        memory for all kinds of objects.
    RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
        RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
        these allocate memory for the match result.
    RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
        calls RegExpObject's collectMatches(), which allocates an array amongst
        other objects.

    StringFromCharCode:
        If the uint32 code to convert is greater than maxSingleCharacterString,
        we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
        which allocates a new string if the code is greater than maxSingleCharacterString.

Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
to use maxSingleCharacterString instead of a literal constant.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileFromCharCode):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):

Modified: trunk/Source/_javascript_Core/ChangeLog (240997 => 240998)


--- trunk/Source/_javascript_Core/ChangeLog	2019-02-05 23:33:05 UTC (rev 240997)
+++ trunk/Source/_javascript_Core/ChangeLog	2019-02-05 23:34:05 UTC (rev 240998)
@@ -1,3 +1,45 @@
+2019-02-05  Mark Lam  <[email protected]>
+
+        Fix DFG's doesGC() for a few more nodes.
+        https://bugs.webkit.org/show_bug.cgi?id=194307
+        <rdar://problem/47832956>
+
+        Reviewed by Yusuke Suzuki.
+
+        Fix doesGC() for the following nodes:
+
+            NumberToStringWithValidRadixConstant:
+                Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
+                which can allocate a string.
+                Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
+                which can allocate a string.
+                Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
+                which can allocate a string.
+
+            RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
+                memory for all kinds of objects.
+            RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
+                RegExpObject::execInline() and RegExpObject::matchGlobal().  Both of
+                these allocates memory for the match result.
+            RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
+                calls RegExpObject's collectMatches(), which allocates an array amongst
+                other objects.
+
+            StringFromCharCode:
+                If the uint32 code to convert is greater than maxSingleCharacterString,
+                we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
+                which allocates a new string if the code is greater than maxSingleCharacterString.
+
+        Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
+        to use maxSingleCharacterString instead of a literal constant.
+
+        * dfg/DFGDoesGC.cpp:
+        (JSC::DFG::doesGC):
+        * dfg/DFGSpeculativeJIT.cpp:
+        (JSC::DFG::SpeculativeJIT::compileFromCharCode):
+        * ftl/FTLLowerDFGToB3.cpp:
+        (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
+
 2019-02-05  Keith Rollin  <[email protected]>
 
         Enable the automatic checking and regenerations of .xcfilelists during builds

Modified: trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp (240997 => 240998)


--- trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2019-02-05 23:33:05 UTC (rev 240997)
+++ trunk/Source/_javascript_Core/dfg/DFGDoesGC.cpp	2019-02-05 23:34:05 UTC (rev 240998)
@@ -121,9 +121,6 @@
     case CheckNotEmpty:
     case AssertNotEmpty:
     case CheckStringIdent:
-    case RegExpExecNonGlobalOrSticky:
-    case RegExpMatchFast:
-    case RegExpMatchFastGlobal:
     case CompareLess:
     case CompareLessEq:
     case CompareGreater:
@@ -150,7 +147,6 @@
     case IsTypedArrayView:
     case TypeOf:
     case LogicalNot:
-    case NumberToStringWithValidRadixConstant:
     case Jump:
     case Branch:
     case Switch:
@@ -165,7 +161,6 @@
     case ForceOSRExit:
     case CPUIntrinsic:
     case CheckTraps:
-    case StringFromCharCode:
     case NormalizeMapKey:
     case GetMapBucket:
     case GetMapBucketHead:
@@ -301,6 +296,7 @@
     case InstanceOfCustom:
     case LoadVarargs:
     case NumberToStringWithRadix:
+    case NumberToStringWithValidRadixConstant:
     case PutById:
     case PutByIdDirect:
     case PutByIdFlush:
@@ -316,6 +312,9 @@
     case PutStack:
     case PutToArguments:
     case RegExpExec:
+    case RegExpExecNonGlobalOrSticky:
+    case RegExpMatchFast:
+    case RegExpMatchFastGlobal:
     case RegExpTest:
     case ResolveScope:
     case ResolveScopeForHoistingFuncDeclInEval:
@@ -417,6 +416,13 @@
             return false;
         return true;
 
+    case StringFromCharCode:
+        // FIXME: Should we constant fold this case?
+        // https://bugs.webkit.org/show_bug.cgi?id=194308
+        if (node->child1()->isInt32Constant() && (node->child1()->asUInt32() <= maxSingleCharacterString))
+            return false;
+        return true;
+
     case LastNodeType:
         RELEASE_ASSERT_NOT_REACHED();
         return true;
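Review bot: The new StringFromCharCode case in doesGC() treats a constant code equal to maxSingleCharacterString as non-allocating (`<= maxSingleCharacterString`), while the fast-path guards this commit rewrites in DFGSpeculativeJIT.cpp (`branch32(AboveOrEqual, propertyReg, TrustedImm32(maxSingleCharacterString))`) and FTLLowerDFGToB3.cpp (`aboveOrEqual(value, constInt32(maxSingleCharacterString))`) send that same value to the slow path. If jsSingleCharacterString() does not allocate for codes up to and including maxSingleCharacterString, as the ChangeLog states, the two thresholds are only inconsistent rather than wrong, but the boundary deserves a comment so a later change to either side cannot make doesGC() under-report, e.g. `// Codes <= maxSingleCharacterString are served from the small-strings table and do not allocate; note the JIT fast path in compileFromCharCode() uses a strict bound.` Alternatively the two JIT branches could use Above so all three sites agree on the same inclusive bound. The enclosing doesGC() switch starts and ends outside this hunk.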

Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (240997 => 240998)


--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2019-02-05 23:33:05 UTC (rev 240997)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp	2019-02-05 23:34:05 UTC (rev 240998)
@@ -2282,7 +2282,7 @@
     GPRReg smallStringsReg = smallStrings.gpr();
 
     JITCompiler::JumpList slowCases;
-    slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, TrustedImm32(0xff)));
+    slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, TrustedImm32(maxSingleCharacterString)));
     m_jit.move(TrustedImmPtr(m_jit.vm()->smallStrings.singleCharacterStrings()), smallStringsReg);
     m_jit.loadPtr(MacroAssembler::BaseIndex(smallStringsReg, propertyReg, MacroAssembler::ScalePtr, 0), scratchReg);
 

Modified: trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (240997 => 240998)


--- trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2019-02-05 23:33:05 UTC (rev 240997)
+++ trunk/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp	2019-02-05 23:34:05 UTC (rev 240998)
@@ -6708,7 +6708,7 @@
         LBasicBlock continuation = m_out.newBlock();
 
         m_out.branch(
-            m_out.aboveOrEqual(value, m_out.constInt32(0xff)),
+            m_out.aboveOrEqual(value, m_out.constInt32(maxSingleCharacterString)),
             rarely(slowCase), usually(smallIntCase));
 
         LBasicBlock lastNext = m_out.appendTo(smallIntCase, slowCase);