[JSC] Add undefined->double conversion to DoubleRep
author     benjamin@webkit.org <benjamin@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
           Thu, 28 May 2015 01:30:58 +0000 (01:30 +0000)
committer  benjamin@webkit.org <benjamin@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
           Thu, 28 May 2015 01:30:58 +0000 (01:30 +0000)
commit     14951b5e970e720f313352621a0dbeb0b78d6da5
tree       e4e9e022cbb3b8627fe382bd9c6a51d432090fb3
parent     8c8f35b25eff2a81d4784d6e541cdaad274cbe27
[JSC] Add undefined->double conversion to DoubleRep
https://bugs.webkit.org/show_bug.cgi?id=145293

Patch by Benjamin Poulain <bpoulain@apple.com> on 2015-05-27
Reviewed by Filip Pizlo.

Source/JavaScriptCore:

This patch adds undefined to double conversion to the DoubleRep
node for the cases where we speculate "undefined" as part of the types
processed.

The use case is doing math with accidental out-of-bounds access. For example,
something like:
    for (var i = 0; i <= length; ++i)
        output += array[i];

would cause us to OSR exit every time i === length.

When hitting one of those cases, we would already speculate double math,
but the DoubleRep node was unable to convert the undefined and would exit.

With this patch the use kind NotCellUse covers this conversion for DoubleRep.
I have been quite conservative so in general we will not find "undefined"
until a few recompiles but being optimistic seems better since this is a corner case.

This patch is an 80% progression on WebXPRT's DNA Sequencing test.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::injectTypeConversionsForEdge):
* dfg/DFGNode.h:
(JSC::DFG::Node::sawUndefined):
* dfg/DFGPredictionPropagationPhase.cpp:
(JSC::DFG::PredictionPropagationPhase::propagate):
* dfg/DFGSafeToExecute.h:
(JSC::DFG::SafeToExecuteEdge::operator()):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileDoubleRep):
* dfg/DFGUseKind.cpp:
(WTF::printInternal):
* dfg/DFGUseKind.h:
(JSC::DFG::typeFilterFor):
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileDoubleRep):
(JSC::FTL::LowerDFGToLLVM::jsValueToDouble):
* tests/stress/double-rep-with-undefined.js: Added.
(addArgsNumberAndUndefined):
(addArgsInt32AndUndefined):
(testFallbackWithDouble):
(addArgsDoubleAndUndefined):
(testFallbackWithObject.):
(testFallbackWithObject):
(addArgsOnlyUndefined):
(testFallbackWithString):

LayoutTests:

* js/regress/math-with-out-of-bounds-array-values-expected.txt: Added.
* js/regress/math-with-out-of-bounds-array-values.html: Added.
* js/regress/script-tests/math-with-out-of-bounds-array-values.js: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@184933 268f45cc-cd09-0410-ab3c-d52691b4dbfc
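
The following is an added worked example, not code from the WebKit patch or its stress tests. It pins down the semantics the DoubleRep node has to reproduce once NotCellUse admits undefined: a non-cell JSValue (undefined, null, a boolean, an int32 or a double, as opposed to a heap-allocated object or string) converted to a double must give exactly what ECMAScript ToNumber gives, i.e. what unary `+` produces. If the JIT's conversion disagreed with the interpreter for any of these inputs, the optimized loop would compute a different sum than the baseline tiers. The function names (`nonCellToDouble`, `sumWithOffByOne`, `checkAllTiers`) are illustrative and not JSC identifiers.

```javascript
// Added example (not part of the WebKit patch): reference semantics for the
// non-cell -> double conversion described in the commit message.
// "Cell" is used in the JSC sense: a value that lives on the JS heap.

function isCell(v) {
  // Objects, functions, strings and symbols are heap cells; undefined, null,
  // booleans and numbers are encoded directly in the JSValue.
  return v !== null && (typeof v === "object" || typeof v === "function" ||
                        typeof v === "string" || typeof v === "symbol");
}

// ToNumber restricted to the non-cell cases that NotCellUse covers.
// Cells are rejected rather than converted, because converting an object
// may run user code (valueOf/toString) and is not a pure double conversion.
function nonCellToDouble(v) {
  if (isCell(v)) throw new TypeError("cell value needs a full ToNumber");
  if (v === undefined) return NaN;     // the case this patch adds
  if (v === null) return 0;            // null converts to +0, not NaN
  if (typeof v === "boolean") return v ? 1 : 0;
  return v;                            // int32 or double: already a number
}

// The loop from the commit message: "i <= length" reads one element past the
// end, so the final iteration adds undefined and the sum becomes NaN.
function sumWithOffByOne(array) {
  var output = 0;
  for (var i = 0; i <= array.length; ++i)
    output += array[i];
  return output;
}

// Same loop with the conversion made explicit, for comparison.
function sumWithExplicitConversion(array) {
  var output = 0;
  for (var i = 0; i <= array.length; ++i)
    output += nonCellToDouble(array[i]);
  return output;
}

// Compare the reference conversion with what unary + (ToNumber) gives for
// every non-cell input. Object.is is used so that NaN and -0 compare exactly.
function agreesWithToNumber() {
  var inputs = [undefined, null, true, false, 0, -0, 1, 0x7fffffff, 1.5, NaN, Infinity];
  for (var i = 0; i < inputs.length; ++i) {
    if (!Object.is(+inputs[i], nonCellToDouble(inputs[i]))) return false;
  }
  return true;
}

// Run the loop many times so that, in a real engine, it reaches the
// optimizing tiers; the result must be NaN at every tier, and both
// formulations must agree. Returns true when that holds for all iterations.
function checkAllTiers(iterations) {
  var samples = [[1, 2, 3], [1.5, 2.5], [0x7fffffff, 1]]; // constructed inputs
  var consistent = true;
  for (var n = 0; n < iterations; ++n) {
    for (var s = 0; s < samples.length; ++s) {
      var a = sumWithOffByOne(samples[s]);
      var b = sumWithExplicitConversion(samples[s]);
      // NaN !== NaN, so test through Number.isNaN instead of ===
      if (!(Number.isNaN(a) && Number.isNaN(b))) consistent = false;
    }
  }
  return consistent;
}
```

`checkAllTiers` is the shape of check a regression test for a speculative JIT needs: the same function evaluated cold and hot, with the assertion on the value rather than on the absence of an OSR exit, since a silently wrong double is worse than a slow exit.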
13 files changed:
LayoutTests/ChangeLog
LayoutTests/js/regress/math-with-out-of-bounds-array-values-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/math-with-out-of-bounds-array-values.html [new file with mode: 0644]
LayoutTests/js/regress/script-tests/math-with-out-of-bounds-array-values.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp
Source/JavaScriptCore/tests/stress/double-rep-with-non-cell.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/double-rep-with-null.js [new file with mode: 0644]
Source/JavaScriptCore/tests/stress/double-rep-with-undefined.js [new file with mode: 0644]