https://bugs.webkit.org/show_bug.cgi?id=156895
Patch by Benjamin Poulain <bpoulain@apple.com> on 2016-04-22
Reviewed by Saam Barati.
You cannot produce negative zero by squaring an integer.
* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):
* dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compileArithMul):
Minor codegen fixes:
-Use the right form of multiply for ARM.
-Use a sign-extended 32bit immediates, that's the one with fast forms
in the MacroAssembler.
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@199894
268f45cc-cd09-0410-ab3c-
d52691b4dbfc
+2016-04-22 Benjamin Poulain <bpoulain@apple.com>
+
+ [JSC] Integer Multiply of a number by itself does not need negative zero support
+ https://bugs.webkit.org/show_bug.cgi?id=156895
+
+ Reviewed by Saam Barati.
+
+ You cannot produce negative zero by squaring an integer.
+
+ * dfg/DFGFixupPhase.cpp:
+ (JSC::DFG::FixupPhase::fixupNode):
+ * dfg/DFGSpeculativeJIT.cpp:
+ (JSC::DFG::SpeculativeJIT::compileArithMul):
+ Minor codegen fixes:
+ -Use the right form of multiply for ARM.
+ -Use a sign-extended 32bit immediates, that's the one with fast forms
+ in the MacroAssembler.
+
2016-04-21 Darin Adler <darin@apple.com>
Follow-on to the build fix.
m_assembler.smull(dest, dataTempRegister, dest, src);
}
+ void mul32(RegisterID left, RegisterID right, RegisterID dest)
+ {
+ m_assembler.smull(dest, dataTempRegister, left, right);
+ }
+
void mul32(TrustedImm32 imm, RegisterID src, RegisterID dest)
{
move(imm, dataTempRegister);
fixIntOrBooleanEdge(rightChild);
if (bytecodeCanTruncateInteger(node->arithNodeFlags()))
node->setArithMode(Arith::Unchecked);
- else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+ else if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
+ || leftChild.node() == rightChild.node())
node->setArithMode(Arith::CheckOverflow);
else
node->setArithMode(Arith::CheckOverflowAndNegativeZero);
if (m_graph.binaryArithShouldSpeculateMachineInt(node, FixupPass)) {
fixEdge<Int52RepUse>(leftChild);
fixEdge<Int52RepUse>(rightChild);
- if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags()))
+ if (bytecodeCanIgnoreNegativeZero(node->arithNodeFlags())
+ || leftChild.node() == rightChild.node())
node->setArithMode(Arith::CheckOverflow);
else
node->setArithMode(Arith::CheckOverflowAndNegativeZero);
// We can perform truncated multiplications if we get to this point, because if the
// fixup phase could not prove that it would be safe, it would have turned us into
// a double multiplication.
- if (!shouldCheckOverflow(node->arithMode())) {
- m_jit.move(reg1, result.gpr());
- m_jit.mul32(reg2, result.gpr());
- } else {
+ if (!shouldCheckOverflow(node->arithMode()))
+ m_jit.mul32(reg1, reg2, result.gpr());
+ else {
speculationCheck(
Overflow, JSValueRegs(), 0,
m_jit.branchMul32(MacroAssembler::Overflow, reg1, reg2, result.gpr()));
MacroAssembler::NonZero, resultGPR);
speculationCheck(
NegativeZero, JSValueRegs(), 0,
- m_jit.branch64(MacroAssembler::LessThan, op1GPR, TrustedImm64(0)));
+ m_jit.branch64(MacroAssembler::LessThan, op1GPR, TrustedImm32(0)));
speculationCheck(
NegativeZero, JSValueRegs(), 0,
- m_jit.branch64(MacroAssembler::LessThan, op2GPR, TrustedImm64(0)));
+ m_jit.branch64(MacroAssembler::LessThan, op2GPR, TrustedImm32(0)));
resultNonZero.link(&m_jit);
}
git://git.webkit.org / WebKit-https.git / commitdiff