Title: [241036] branches/safari-607-branch
- Revision: 241036
- Author: mark....@apple.com
- Date: 2019-02-06 11:40:29 -0800 (Wed, 06 Feb 2019)
Log Message
Cherry-pick r240998. rdar://problem/47843417

2019-02-05 Mark Lam <mark....@apple.com>

Fix DFG's doesGC() for a few more nodes.
https://bugs.webkit.org/show_bug.cgi?id=194307
<rdar://problem/47832956>

Reviewed by Yusuke Suzuki.

Fix doesGC() for the following nodes:

NumberToStringWithValidRadixConstant:
    Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
    which can allocate a string.
    Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
    which can allocate a string.
    Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
    which can allocate a string.

RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
    memory for all kinds of objects.
RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
    RegExpObject::execInline() and RegExpObject::matchGlobal(). Both of
    these allocate memory for the match result.
RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
    calls RegExpObject's collectMatches(), which allocates an array amongst
    other objects.

StringFromCharCode:
    If the uint32 code to convert is greater than maxSingleCharacterString,
    we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
    which allocates a new string if the code is greater than maxSingleCharacterString.

Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
to use maxSingleCharacterString instead of a literal constant.

* dfg/DFGDoesGC.cpp:
(JSC::DFG::doesGC):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileFromCharCode):
* ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
Modified Paths
Property Changed
Diff
Index: branches/safari-607-branch
===================================================================
--- branches/safari-607-branch 2019-02-06 19:33:43 UTC (rev 241035)
+++ branches/safari-607-branch 2019-02-06 19:40:29 UTC (rev 241036)
Property changes: branches/safari-607-branch
Modified: svn:mergeinfo
-/trunk:53455,239940,240329,240335,240616,240917,240991
\ No newline at end of property
+/trunk:53455,239940,240329,240335,240616,240917,240991,240998
\ No newline at end of property
Modified: branches/safari-607-branch/Source/_javascript_Core/ChangeLog (241035 => 241036)
--- branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-02-06 19:33:43 UTC (rev 241035)
+++ branches/safari-607-branch/Source/_javascript_Core/ChangeLog 2019-02-06 19:40:29 UTC (rev 241036)
@@ -1,5 +1,51 @@
2019-02-06 Mark Lam <mark....@apple.com>
+ Cherry-pick r240998. rdar://problem/47843417
+
+ 2019-02-05 Mark Lam <mark....@apple.com>
+
+ Fix DFG's doesGC() for a few more nodes.
+ https://bugs.webkit.org/show_bug.cgi?id=194307
+ <rdar://problem/47832956>
+
+ Reviewed by Yusuke Suzuki.
+
+ Fix doesGC() for the following nodes:
+
+ NumberToStringWithValidRadixConstant:
+ Calls operationInt32ToStringWithValidRadix(), which calls int32ToString(),
+ which can allocate a string.
+ Calls operationInt52ToStringWithValidRadix(), which calls int52ToString(),
+ which can allocate a string.
+ Calls operationDoubleToStringWithValidRadix(), which calls numberToString(),
+ which can allocate a string.
+
+ RegExpExecNonGlobalOrSticky: calls createRegExpMatchesArray() which allocates
+ memory for all kinds of objects.
+ RegExpMatchFast: calls operationRegExpMatchFastString(), which calls
+ RegExpObject::execInline() and RegExpObject::matchGlobal(). Both of
+ these allocates memory for the match result.
+ RegExpMatchFastGlobal: calls operationRegExpMatchFastGlobalString(), which
+ calls RegExpObject's collectMatches(), which allocates an array amongst
+ other objects.
+
+ StringFromCharCode:
+ If the uint32 code to convert is greater than maxSingleCharacterString,
+ we'll call operationStringFromCharCode(), which calls jsSingleCharacterString(),
+ which allocates a new string if the code is greater than maxSingleCharacterString.
+
+ Also fix SpeculativeJIT::compileFromCharCode() and FTL's compileStringFromCharCode()
+ to use maxSingleCharacterString instead of a literal constant.
+
+ * dfg/DFGDoesGC.cpp:
+ (JSC::DFG::doesGC):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileFromCharCode):
+ * ftl/FTLLowerDFGToB3.cpp:
+ (JSC::FTL::DFG::LowerDFGToB3::compileStringFromCharCode):
+
+2019-02-06 Mark Lam <mark....@apple.com>
+
Cherry-pick r240991. rdar://problem/47855123
2019-02-05 Mark Lam <mark....@apple.com>
Modified: branches/safari-607-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp (241035 => 241036)
--- branches/safari-607-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-02-06 19:33:43 UTC (rev 241035)
+++ branches/safari-607-branch/Source/_javascript_Core/dfg/DFGDoesGC.cpp 2019-02-06 19:40:29 UTC (rev 241036)
@@ -128,9 +128,6 @@
case CheckNotEmpty:
case AssertNotEmpty:
case CheckStringIdent:
- case RegExpExecNonGlobalOrSticky:
- case RegExpMatchFast:
- case RegExpMatchFastGlobal:
case CompareLess:
case CompareLessEq:
case CompareGreater:
@@ -156,7 +153,6 @@
case IsTypedArrayView:
case TypeOf:
case LogicalNot:
- case NumberToStringWithValidRadixConstant:
case Jump:
case Branch:
case Switch:
@@ -171,7 +167,6 @@
case ForceOSRExit:
case CPUIntrinsic:
case CheckTraps:
- case StringFromCharCode:
case NormalizeMapKey:
case GetMapBucket:
case GetMapBucketHead:
@@ -307,6 +302,7 @@
case InstanceOfCustom:
case LoadVarargs:
case NumberToStringWithRadix:
+ case NumberToStringWithValidRadixConstant:
case PutById:
case PutByIdDirect:
case PutByIdFlush:
@@ -322,6 +318,9 @@
case PutStack:
case PutToArguments:
case RegExpExec:
+ case RegExpExecNonGlobalOrSticky:
+ case RegExpMatchFast:
+ case RegExpMatchFastGlobal:
case RegExpTest:
case ResolveScope:
case ResolveScopeForHoistingFuncDeclInEval:
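Review bot: The three RegExp cases added after `case RegExpExec:` arrive without a regression test; the only files this revision touches are the ChangeLog, DFGDoesGC.cpp, DFGSpeculativeJIT.cpp and FTLLowerDFGToB3.cpp. The ChangeLog names the allocating call behind each node (createRegExpMatchesArray(), RegExpObject::execInline() / matchGlobal(), collectMatches()), so a test that drives RegExpExecNonGlobalOrSticky, RegExpMatchFast and RegExpMatchFastGlobal under GC stress would catch a future misclassification in this hand-maintained list. A one-line comment beside each case pointing at its allocating operation would also help whoever next audits doesGC().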
@@ -416,6 +415,13 @@
return false;
return true;
+ case StringFromCharCode:
+ // FIXME: Should we constant fold this case?
+ // https://bugs.webkit.org/show_bug.cgi?id=194308
+ if (node->child1()->isInt32Constant() && (node->child1()->asUInt32() <= maxSingleCharacterString))
+ return false;
+ return true;
+
case LastNodeType:
RELEASE_ASSERT_NOT_REACHED();
return true;
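Review bot: The boundary in `node->child1()->asUInt32() <= maxSingleCharacterString` does not match the JIT paths in this same revision, which branch to the slow case on `AboveOrEqual ... maxSingleCharacterString`. A constant equal to maxSingleCharacterString is therefore reported as non-allocating here while the generated code still calls operationStringFromCharCode(). That is only safe because, per the ChangeLog, jsSingleCharacterString() allocates solely when the code is greater than maxSingleCharacterString. Either align the comparisons or add a comment stating that the slow path does not allocate at exactly that value, so a later change to the slow path does not silently invalidate this answer. It would also be worth a short note that a negative Int32 constant becomes a large value under asUInt32() and so falls through to `return true`, which is the conservative result.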
Modified: branches/safari-607-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (241035 => 241036)
--- branches/safari-607-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-02-06 19:33:43 UTC (rev 241035)
+++ branches/safari-607-branch/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2019-02-06 19:40:29 UTC (rev 241036)
@@ -2282,7 +2282,7 @@
GPRReg smallStringsReg = smallStrings.gpr();
JITCompiler::JumpList slowCases;
- slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, TrustedImm32(0xff)));
+ slowCases.append(m_jit.branch32(MacroAssembler::AboveOrEqual, propertyReg, TrustedImm32(maxSingleCharacterString)));
m_jit.move(TrustedImmPtr(m_jit.vm()->smallStrings.singleCharacterStrings()), smallStringsReg);
m_jit.loadPtr(MacroAssembler::BaseIndex(smallStringsReg, propertyReg, MacroAssembler::ScalePtr, 0), scratchReg);
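Review bot: The replacement of `TrustedImm32(0xff)` with `TrustedImm32(maxSingleCharacterString)` changes the bound that guards the `BaseIndex(smallStringsReg, propertyReg, ...)` load on the following line, yet the diff shows neither the value nor the type of maxSingleCharacterString. The ChangeLog describes this as swapping a literal for the named constant, so behaviour is presumably unchanged, but please confirm the constant equals 0xff and fits a 32-bit immediate, ideally with a static_assert tying it to the size of the singleCharacterStrings() table so the fast-path index can never exceed the table.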
Modified: branches/safari-607-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp (241035 => 241036)
--- branches/safari-607-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-02-06 19:33:43 UTC (rev 241035)
+++ branches/safari-607-branch/Source/_javascript_Core/ftl/FTLLowerDFGToB3.cpp 2019-02-06 19:40:29 UTC (rev 241036)
@@ -6704,7 +6704,7 @@
LBasicBlock continuation = m_out.newBlock();
m_out.branch(
- m_out.aboveOrEqual(value, m_out.constInt32(0xff)),
+ m_out.aboveOrEqual(value, m_out.constInt32(maxSingleCharacterString)),
rarely(slowCase), usually(smallIntCase));
LBasicBlock lastNext = m_out.appendTo(smallIntCase, slowCase);
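Review bot: With `m_out.aboveOrEqual(value, m_out.constInt32(maxSingleCharacterString))` this bound now lives in three places (doesGC(), SpeculativeJIT::compileFromCharCode() and here) and the three must agree for doesGC() to stay truthful. Consider a single shared predicate or at least a comment in each site cross-referencing the other two, so that a change to the fast-path range in one tier is not made without updating the GC classification.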