- Revision
- 199894
- Author
- commit-qu...@webkit.org
- Date
- 2016-04-22 12:27:57 -0700 (Fri, 22 Apr 2016)
Log Message
[JSC] Integer Multiply of a number by itself does not need negative zero support
https://bugs.webkit.org/show_bug.cgi?id=156895
Patch by Benjamin Poulain <bpoul...@apple.com> on 2016-04-22
Reviewed by Saam Barati.
You cannot produce negative zero by squaring an integer.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithMul):
Minor codegen fixes:
-Use the right form of multiply for ARM.
-Use a sign-extended 32bit immediates, that's the one with fast forms
in the MacroAssembler.
Modified Paths
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (199893 => 199894)
--- trunk/Source/_javascript_Core/ChangeLog 2016-04-22 19:25:40 UTC (rev 199893)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-04-22 19:27:57 UTC (rev 199894)
@@ -1,3 +1,21 @@
+2016-04-22 Benjamin Poulain <bpoul...@apple.com>
+
+ [JSC] Integer Multiply of a number by itself does not need negative zero support
+ https://bugs.webkit.org/show_bug.cgi?id=156895
+
+ Reviewed by Saam Barati.
+
+ You cannot produce negative zero by squaring an integer.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArithMul):
+ Minor codegen fixes:
+ -Use the right form of multiply for ARM.
+ -Use a sign-extended 32bit immediates, that's the one with fast forms
+ in the MacroAssembler.
+
2016-04-21 Darin Adler <da...@apple.com>
Follow-on to the build fix.
Modified: trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.h (199893 => 199894)
--- trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.h 2016-04-22 19:25:40 UTC (rev 199893)
+++ trunk/Source/_javascript_Core/assembler/MacroAssemblerARMv7.h 2016-04-22 19:27:57 UTC (rev 199894)
@@ -322,6 +322,11 @@
m_assembler.smull(dest, dataTempRegister, dest, src);
}
+ void mul32(RegisterID left, RegisterID right, RegisterID dest)
+ {
+ m_assembler.smull(dest, dataTempRegister, left, right);
+ }
+
void mul32(TrustedImm32 imm, RegisterID src, RegisterID dest)
{
move(imm, dataTempRegister);
Modified: trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp (199893 => 199894)
--- trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2016-04-22 19:25:40 UTC (rev 199893)
+++ trunk/Source/_javascript_Core/dfg/DFGFixupPhase.cpp 2016-04-22 19:27:57 UTC (rev 199894)
@@ -248,7 +248,8 @@
fixIntOrBooleanEdge(rightChild);
if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
node->setArithMode(Arith::Unchecked);
- else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+ else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
+ || leftChild.node() == rightChild.node())
node->setArithMode(Arith::CheckOverflow);
else
node->setArithMode(Arith::CheckOverflowAndNegativeZero);
@@ -257,7 +258,8 @@
if (m_graph.binaryArithShouldSpeculateMachineInt(node, FixupPass)) {
fixEdge<Int52RepUse>(leftChild);
fixEdge<Int52RepUse>(rightChild);
- if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+ if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
+ || leftChild.node() == rightChild.node())
node->setArithMode(Arith::CheckOverflow);
else
node->setArithMode(Arith::CheckOverflowAndNegativeZero);
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp (199893 => 199894)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-04-22 19:25:40 UTC (rev 199893)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT.cpp 2016-04-22 19:27:57 UTC (rev 199894)
@@ -3964,10 +3964,9 @@
// We can perform truncated multiplications if we get to this point, because if the
// fixup phase could not prove that it would be safe, it would have turned us into
// a double multiplication.
- if (!shouldCheckOverflow(node->arithMode())) {
- m_jit.move(reg1, result.gpr());
- m_jit.mul32(reg2, result.gpr());
- } else {
+ if (!shouldCheckOverflow(node->arithMode()))
+ m_jit.mul32(reg1, reg2, result.gpr());
+ else {
speculationCheck(
Overflow, JSValueRegs(), 0,
m_jit.branchMul32(MacroAssembler::Overflow, reg1, reg2, result.gpr()));
@@ -4031,10 +4030,10 @@
MacroAssembler::NonZero, resultGPR);
speculationCheck(
NegativeZero, JSValueRegs(), 0,
- m_jit.branch64(MacroAssembler::LessThan, op1GPR, TrustedImm64(0)));
+ m_jit.branch64(MacroAssembler::LessThan, op1GPR, TrustedImm32(0)));
speculationCheck(
NegativeZero, JSValueRegs(), 0,
- m_jit.branch64(MacroAssembler::LessThan, op2GPR, TrustedImm64(0)));
+ m_jit.branch64(MacroAssembler::LessThan, op2GPR, TrustedImm32(0)));
resultNonZero.link(&m_jit);
}