FTL should support hole/OOB array accesses
authorfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 6 Dec 2013 22:05:10 +0000 (22:05 +0000)
committerfpizlo@apple.com <fpizlo@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Fri, 6 Dec 2013 22:05:10 +0000 (22:05 +0000)
https://bugs.webkit.org/show_bug.cgi?id=118077

Reviewed by Oliver Hunt and Mark Hahnenberg.

Source/JavaScriptCore:

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::baseIndex):

LayoutTests:

* js/regress/double-get-by-val-out-of-bounds-expected.txt: Added.
* js/regress/double-get-by-val-out-of-bounds.html: Added.
* js/regress/get-by-val-out-of-bounds-expected.txt: Added.
* js/regress/get-by-val-out-of-bounds.html: Added.
* js/regress/script-tests/double-get-by-val-out-of-bounds.js: Added.
(foo):
* js/regress/script-tests/get-by-val-out-of-bounds.js: Added.
(foo):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@160246 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/js/regress/double-get-by-val-out-of-bounds-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/double-get-by-val-out-of-bounds.html [new file with mode: 0644]
LayoutTests/js/regress/get-by-val-out-of-bounds-expected.txt [new file with mode: 0644]
LayoutTests/js/regress/get-by-val-out-of-bounds.html [new file with mode: 0644]
LayoutTests/js/regress/script-tests/double-get-by-val-out-of-bounds.js [new file with mode: 0644]
LayoutTests/js/regress/script-tests/get-by-val-out-of-bounds.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/ftl/FTLCapabilities.cpp
Source/JavaScriptCore/ftl/FTLIntrinsicRepository.h
Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp

index 2d13955..4179575 100644 (file)
@@ -1,3 +1,19 @@
+2013-12-06  Filip Pizlo  <fpizlo@apple.com>
+
+        FTL should support hole/OOB array accesses
+        https://bugs.webkit.org/show_bug.cgi?id=118077
+
+        Reviewed by Oliver Hunt and Mark Hahnenberg.
+
+        * js/regress/double-get-by-val-out-of-bounds-expected.txt: Added.
+        * js/regress/double-get-by-val-out-of-bounds.html: Added.
+        * js/regress/get-by-val-out-of-bounds-expected.txt: Added.
+        * js/regress/get-by-val-out-of-bounds.html: Added.
+        * js/regress/script-tests/double-get-by-val-out-of-bounds.js: Added.
+        (foo):
+        * js/regress/script-tests/get-by-val-out-of-bounds.js: Added.
+        (foo):
+
 2013-12-06  Rob Buis  <rob.buis@samsung.com>
 
         [CSS Shapes] ShapeOutsideInfo needs to use the parent's writing mode when calculating offsets
diff --git a/LayoutTests/js/regress/double-get-by-val-out-of-bounds-expected.txt b/LayoutTests/js/regress/double-get-by-val-out-of-bounds-expected.txt
new file mode 100644 (file)
index 0000000..f161628
--- /dev/null
@@ -0,0 +1,10 @@
+JSRegress/double-get-by-val-out-of-bounds
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/js/regress/double-get-by-val-out-of-bounds.html b/LayoutTests/js/regress/double-get-by-val-out-of-bounds.html
new file mode 100644 (file)
index 0000000..cda25af
--- /dev/null
@@ -0,0 +1,12 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="resources/regress-pre.js"></script>
+<script src="script-tests/double-get-by-val-out-of-bounds.js"></script>
+<script src="resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/js/regress/get-by-val-out-of-bounds-expected.txt b/LayoutTests/js/regress/get-by-val-out-of-bounds-expected.txt
new file mode 100644 (file)
index 0000000..d474de7
--- /dev/null
@@ -0,0 +1,10 @@
+JSRegress/get-by-val-out-of-bounds
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS no exception thrown
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
diff --git a/LayoutTests/js/regress/get-by-val-out-of-bounds.html b/LayoutTests/js/regress/get-by-val-out-of-bounds.html
new file mode 100644 (file)
index 0000000..bee25f4
--- /dev/null
@@ -0,0 +1,12 @@
+<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
+<html>
+<head>
+<script src="../../resources/js-test-pre.js"></script>
+</head>
+<body>
+<script src="resources/regress-pre.js"></script>
+<script src="script-tests/get-by-val-out-of-bounds.js"></script>
+<script src="resources/regress-post.js"></script>
+<script src="../../resources/js-test-post.js"></script>
+</body>
+</html>
diff --git a/LayoutTests/js/regress/script-tests/double-get-by-val-out-of-bounds.js b/LayoutTests/js/regress/script-tests/double-get-by-val-out-of-bounds.js
new file mode 100644 (file)
index 0000000..48b0c42
--- /dev/null
@@ -0,0 +1,11 @@
+function foo(a) {
+    return a[1];
+}
+
+noInline(foo);
+
+for (var i = 0; i < 100000; ++i) {
+    var result = foo([42.5]);
+    if (result !== void 0)
+        throw "Error: bad value: " + result;
+}
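Review bot: This regression test only exercises the out-of-bounds branch of the new lowering (index 1 on a one-element array), so the hole path the commit title also claims — an in-bounds slot that holds no value — is never hit; in the FTL code on this page that is the branch taken when the fast load yields zero or NaN rather than when the index is past publicLength. The same gap is in script-tests/get-by-val-out-of-bounds.js (the hunk ending at L160). A second loop that calls `foo` on a holey literal, e.g. `var result = foo([,1]);` with `[,1.5]` for the double variant, and still expects `void 0`, would presumably cover it; whether the DFG picks the same array mode for such a literal is something to confirm when adding the case.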
diff --git a/LayoutTests/js/regress/script-tests/get-by-val-out-of-bounds.js b/LayoutTests/js/regress/script-tests/get-by-val-out-of-bounds.js
new file mode 100644 (file)
index 0000000..db055b4
--- /dev/null
@@ -0,0 +1,11 @@
+function foo(a) {
+    return a[1];
+}
+
+noInline(foo);
+
+for (var i = 0; i < 100000; ++i) {
+    var result = foo([42]);
+    if (result !== void 0)
+        throw "Error: bad value: " + result;
+}
index 6f73bf5..67d37d0 100644 (file)
@@ -1,3 +1,17 @@
+2013-12-06  Filip Pizlo  <fpizlo@apple.com>
+
+        FTL should support hole/OOB array accesses
+        https://bugs.webkit.org/show_bug.cgi?id=118077
+
+        Reviewed by Oliver Hunt and Mark Hahnenberg.
+
+        * ftl/FTLCapabilities.cpp:
+        (JSC::FTL::canCompile):
+        * ftl/FTLIntrinsicRepository.h:
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
+        (JSC::FTL::LowerDFGToLLVM::baseIndex):
+
 2013-12-06  Michael Saboff  <msaboff@apple.com>
 
         Split sizing of VarArgs frames from loading arguments for the frame
index 0a51b43..e6a8c2c 100644 (file)
@@ -158,13 +158,6 @@ inline CapabilityLevel canCompile(Node* node)
                 return CanCompileAndOSREnter;
             return CannotCompile;
         }
-        switch (node->arrayMode().speculation()) {
-        case Array::SaneChain:
-        case Array::InBounds:
-            break;
-        default:
-            return CannotCompile;
-        }
         break;
     case PutByVal:
     case PutByValAlias:
index cbc3c22..af4c013 100644 (file)
@@ -54,6 +54,7 @@ namespace JSC { namespace FTL {
     macro(C_JITOperation_ESt, functionType(intPtr, intPtr, intPtr)) \
     macro(I_JITOperation_EJss, functionType(intPtr, intPtr, intPtr)) \
     macro(J_JITOperation_E, functionType(int64, intPtr)) \
+    macro(J_JITOperation_EAZ, functionType(int64, intPtr, intPtr, int32)) \
     macro(J_JITOperation_EJssZ, functionType(int64, intPtr, intPtr, int32)) \
     macro(J_JITOperation_ESsiJI, functionType(int64, intPtr, intPtr, int64, intPtr)) \
     macro(Jss_JITOperation_EZ, functionType(intPtr, intPtr, int32)) \
index 4af3929..5365e1d 100644 (file)
@@ -1482,25 +1482,45 @@ private:
             LValue index = lowInt32(m_node->child2());
             LValue storage = lowStorage(m_node->child3());
             
+            IndexedAbstractHeap& heap = m_node->arrayMode().type() == Array::Int32 ?
+                m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties;
+            
             if (m_node->arrayMode().isInBounds()) {
                 speculate(
                     OutOfBounds, noValue(), 0,
                     m_out.aboveOrEqual(
                         index, m_out.load32(storage, m_heaps.Butterfly_publicLength)));
                 
-                LValue result = m_out.load64(m_out.baseIndex(
-                    m_node->arrayMode().type() == Array::Int32 ?
-                        m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties,
-                    storage, m_out.zeroExt(index, m_out.intPtr),
-                    m_state.forNode(m_node->child2()).m_value));
+                LValue result = m_out.load64(baseIndex(heap, storage, index, m_node->child2()));
                 speculate(LoadFromHole, noValue(), 0, m_out.isZero64(result));
                 setJSValue(result);
                 return;
             }
             
-            // FIXME: Implement hole/OOB loads in the FTL.
-            // https://bugs.webkit.org/show_bug.cgi?id=118077
-            RELEASE_ASSERT_NOT_REACHED();
+            LValue base = lowCell(m_node->child1());
+            
+            LBasicBlock fastCase = FTL_NEW_BLOCK(m_out, ("GetByVal int/contiguous fast case"));
+            LBasicBlock slowCase = FTL_NEW_BLOCK(m_out, ("GetByVal int/contiguous slow case"));
+            LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("GetByVal int/contiguous continuation"));
+            
+            m_out.branch(
+                m_out.aboveOrEqual(
+                    index, m_out.load32(storage, m_heaps.Butterfly_publicLength)),
+                slowCase, fastCase);
+            
+            LBasicBlock lastNext = m_out.appendTo(fastCase, slowCase);
+            
+            ValueFromBlock fastResult = m_out.anchor(
+                m_out.load64(baseIndex(heap, storage, index, m_node->child2())));
+            m_out.branch(m_out.isZero64(fastResult.value()), slowCase, continuation);
+            
+            m_out.appendTo(slowCase, continuation);
+            ValueFromBlock slowResult = m_out.anchor(
+                vmCall(m_out.operation(operationGetByValArrayInt), m_callFrame, base, index));
+            m_out.jump(continuation);
+            
+            m_out.appendTo(continuation, lastNext);
+            setJSValue(m_out.phi(m_out.int64, fastResult, slowResult));
             return;
         }
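Review bot: The two edges into `slowCase` — the unsigned `aboveOrEqual(index, publicLength)` branch and the `isZero64(fastResult.value())` branch — carry no comment, and a reader has to look back at the in-bounds path's `LoadFromHole` speculation to learn that a zero slot means a hole. Suggest above the first `m_out.branch`: `// Out-of-bounds (unsigned compare, so negative indices go here too) and holes (zero slots, cf. LoadFromHole above) both fall to the generic operation.` The unsigned compare is also what makes the fast load safe: a negative int32 index compares as a large unsigned value and is diverted before `baseIndex` zero-extends it, so that pairing deserves stating rather than leaving it implicit. The double variant in the hunk ending at L317 has the same undocumented structure with NaN in place of zero. compileGetByVal begins before this hunk and its remaining cases continue after it.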
             
@@ -1508,16 +1528,16 @@ private:
             LValue index = lowInt32(m_node->child2());
             LValue storage = lowStorage(m_node->child3());
             
+            IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties;
+            
             if (m_node->arrayMode().isInBounds()) {
                 speculate(
                     OutOfBounds, noValue(), 0,
                     m_out.aboveOrEqual(
                         index, m_out.load32(storage, m_heaps.Butterfly_publicLength)));
                 
-                LValue result = m_out.loadDouble(m_out.baseIndex(
-                    m_heaps.indexedDoubleProperties,
-                    storage, m_out.zeroExt(index, m_out.intPtr),
-                    m_state.forNode(m_node->child2()).m_value));
+                LValue result = m_out.loadDouble(
+                    baseIndex(heap, storage, index, m_node->child2()));
                 
                 if (!m_node->arrayMode().isSaneChain()) {
                     speculate(
@@ -1528,9 +1548,35 @@ private:
                 break;
             }
             
-            // FIXME: Implement hole/OOB loads in the FTL.
-            // https://bugs.webkit.org/show_bug.cgi?id=118077
-            RELEASE_ASSERT_NOT_REACHED();
+            LValue base = lowCell(m_node->child1());
+            
+            LBasicBlock inBounds = FTL_NEW_BLOCK(m_out, ("GetByVal double in bounds"));
+            LBasicBlock boxPath = FTL_NEW_BLOCK(m_out, ("GetByVal double boxing"));
+            LBasicBlock slowCase = FTL_NEW_BLOCK(m_out, ("GetByVal double slow case"));
+            LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("GetByVal double continuation"));
+            
+            m_out.branch(
+                m_out.aboveOrEqual(
+                    index, m_out.load32(storage, m_heaps.Butterfly_publicLength)),
+                slowCase, inBounds);
+            
+            LBasicBlock lastNext = m_out.appendTo(inBounds, boxPath);
+            LValue doubleValue = m_out.loadDouble(
+                baseIndex(heap, storage, index, m_node->child2()));
+            m_out.branch(
+                m_out.doubleNotEqualOrUnordered(doubleValue, doubleValue), slowCase, boxPath);
+            
+            m_out.appendTo(boxPath, slowCase);
+            ValueFromBlock fastResult = m_out.anchor(boxDouble(doubleValue));
+            m_out.jump(continuation);
+            
+            m_out.appendTo(slowCase, continuation);
+            ValueFromBlock slowResult = m_out.anchor(
+                vmCall(m_out.operation(operationGetByValArrayInt), m_callFrame, base, index));
+            m_out.jump(continuation);
+            
+            m_out.appendTo(continuation, lastNext);
+            setJSValue(m_out.phi(m_out.int64, fastResult, slowResult));
             return;
         }
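Review bot: `m_out.doubleNotEqualOrUnordered(doubleValue, doubleValue)` is a NaN self-test with nothing saying so; suggest `// NaN in double storage is a hole: like an index >= publicLength, it is resolved by the generic operation.` Note that this check is applied regardless of `isSaneChain()`, whereas the in-bounds path at the top of the hunk only speculates when the chain is not sane, so a sane-chain hole read on this path always pays the `operationGetByValArrayInt` call where the in-bounds lowering presumably does something cheaper; correct as written, but worth a comment or a follow-up so the asymmetry is not read as an oversight. compileGetByVal begins before this hunk and continues after it.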
             
@@ -2715,6 +2761,13 @@ private:
         info.m_isInvalidationPoint = true;
     }
     
+    TypedPointer baseIndex(IndexedAbstractHeap& heap, LValue storage, LValue index, Edge edge)
+    {
+        return m_out.baseIndex(
+            heap, storage, m_out.zeroExt(index, m_out.intPtr),
+            m_state.forNode(edge).m_value);
+    }
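Review bot: The new `baseIndex` helper has no comment, and the one property callers depend on is invisible at the call sites: it zero-extends the 32-bit index, which matches the callers' unsigned bounds checks (`aboveOrEqual` against publicLength), so a negative index that passed as a huge unsigned value never reaches a load; sign-extending here would silently break that pairing. Suggest a header comment: `// Address of storage[index] within heap. index is zero-extended to pointer width to match the unsigned bounds checks at the call sites; the edge's abstract value is forwarded so m_out.baseIndex can exploit what is known about the index (presumably constant folding; confirm against LOutput).` What `m_out.baseIndex` does with `m_state.forNode(edge).m_value` is not visible on this page, hence the hedge in the proposed text.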
+    
     LValue allocateCell(LValue allocator, LValue structure, LBasicBlock slowPath)
     {
         LBasicBlock success = FTL_NEW_BLOCK(m_out, ("object allocation success"));