[DFG] Should not fixup AnyIntUse in 32_64
authorutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 21 Aug 2016 19:45:50 +0000 (19:45 +0000)
committerutatane.tea@gmail.com <utatane.tea@gmail.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sun, 21 Aug 2016 19:45:50 +0000 (19:45 +0000)
https://bugs.webkit.org/show_bug.cgi?id=161029

Reviewed by Saam Barati.

JSTests:

* typeProfiler/int52-dfg.js: Added.
(test):
* typeProfiler/number-filter-dfg.js: Added.
(test):

Source/JavaScriptCore:

The DFG fixup phase uses AnyIntUse even in the 32-bit DFG. This patch removes this incorrect filtering.
If the 32-bit DFG sees TypeAnyInt, it should fall back to the NumberUse case.

And this patch also fixes the case that the type set only contains TypeNumber. Previously,
we used NumberUse edge filtering. But it misses AnyInt logging: While the NumberUse filter
passes both TypeAnyInt and TypeNumber, the type set only logged TypeNumber.

* dfg/DFGFixupPhase.cpp:
(JSC::DFG::FixupPhase::fixupNode):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@204697 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JSTests/ChangeLog
JSTests/typeProfiler/int52-dfg.js [new file with mode: 0644]
JSTests/typeProfiler/number-filter-dfg.js [new file with mode: 0644]
Source/JavaScriptCore/ChangeLog
Source/JavaScriptCore/dfg/DFGFixupPhase.cpp

index 0f962b4..9f81f9f 100644 (file)
@@ -1,3 +1,15 @@
+2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DFG] Should not fixup AnyIntUse in 32_64
+        https://bugs.webkit.org/show_bug.cgi?id=161029
+
+        Reviewed by Saam Barati.
+
+        * typeProfiler/int52-dfg.js: Added.
+        (test):
+        * typeProfiler/number-filter-dfg.js: Added.
+        (test):
+
 2016-08-19  Benjamin Poulain  <bpoulain@apple.com>
 
         [JSC] ArithSqrt should work with any argument type
diff --git a/JSTests/typeProfiler/int52-dfg.js b/JSTests/typeProfiler/int52-dfg.js
new file mode 100644 (file)
index 0000000..004fa4b
--- /dev/null
@@ -0,0 +1,15 @@
+load("./driver/driver.js");
+
+function test()
+{
+    var ok = 0;
+    for (var i = 0; i < 1e4; ++i) {
+        ok += 0xfffffffff;  // Int52
+    }
+    return ok;
+}
+test();
+
+var types = findTypeForExpression(test, "ok += 0x");
+assert(types.instructionTypeSet.primitiveTypeNames.length === 1, "Primitive type names should one candidate.");
+assert(types.instructionTypeSet.primitiveTypeNames.indexOf(T.Integer) !== -1, "Primitive type names should contain 'Integer'");
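Review bot: `test()` is called once and never marked `noInline`, so whether the `ok += 0xfffffffff` site is ever compiled by the DFG depends on the 1e4-iteration loop being tiered up on loop entry, which nothing in this file checks. If the function stays in a lower tier, the two asserts presumably still pass and the fixup change is not exercised. Consider the shape used in number-filter-dfg.js, `noInline(test);` plus a warm-up loop of calls (with a shorter inner loop to keep the run time down), before `findTypeForExpression`. The first assert message would also read better as `"Primitive type names should have one candidate."`.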
diff --git a/JSTests/typeProfiler/number-filter-dfg.js b/JSTests/typeProfiler/number-filter-dfg.js
new file mode 100644 (file)
index 0000000..671503c
--- /dev/null
@@ -0,0 +1,16 @@
+load("./driver/driver.js");
+
+function test(value)
+{
+    var ok = 0.5;
+    ok += value;
+    return ok;
+}
+noInline(test);
+for (var i = 0; i < 1e4; ++i)
+    test(1.2);
+test(0.5);
+var types = findTypeForExpression(test, "ok += value");
+assert(types.instructionTypeSet.primitiveTypeNames.length === 2, "Primitive type names should two candidates.");
+assert(types.instructionTypeSet.primitiveTypeNames.indexOf(T.Integer) !== -1, "Primitive type names should contain 'Integer'");
+assert(types.instructionTypeSet.primitiveTypeNames.indexOf(T.Number) !== -1, "Primitive type names should contain 'Number'");
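Review bot: The single `test(0.5)` call after the warm-up loop carries the whole test, and nothing says why. It is the only call whose result (`0.5 + 0.5`) is integer-valued, and it arrives after the site has logged only non-integer numbers. A one-line comment above it would keep a later cleanup from dropping or reordering it, for example `// 0.5 + 0.5 === 1: an integer-valued result seen after warm-up must still be logged.` The message on the length assert would read better as `"Primitive type names should have two candidates."`.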
index 8c48dc7..5014959 100644 (file)
@@ -1,3 +1,20 @@
+2016-08-21  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        [DFG] Should not fixup AnyIntUse in 32_64
+        https://bugs.webkit.org/show_bug.cgi?id=161029
+
+        Reviewed by Saam Barati.
+
+        DFG fixup phase uses AnyIntUse even in 32bit DFG. This patch removes this incorrect filtering.
+        If the 32bit DFG see the TypeAnyInt, it should fallback to the NumberUse case.
+
+        And this patch also fixes the case that the type set only contains TypeNumber. Previously,
+        we used NumberUse edge filtering. But it misses AnyInt logging: While the NumberUse filter
+        passes both TypeAnyInt and TypeNumber, the type set only logged TypeNumber.
+
+        * dfg/DFGFixupPhase.cpp:
+        (JSC::DFG::FixupPhase::fixupNode):
+
 2016-08-20  Brian Burg  <bburg@apple.com>
 
         Remote Inspector: some methods don't need to be marked virtual anymore
index 3bb156b..948a57e 100644 (file)
@@ -1459,12 +1459,23 @@ private:
             RefPtr<TypeSet> typeSet = node->typeLocation()->m_instructionTypeSet;
             RuntimeTypeMask seenTypes = typeSet->seenTypes();
             if (typeSet->doesTypeConformTo(TypeAnyInt)) {
-                if (node->child1()->shouldSpeculateInt32())
+                if (node->child1()->shouldSpeculateInt32()) {
                     fixEdge<Int32Use>(node->child1());
-                else
+                    node->remove();
+                    break;
+                }
+
+                if (enableInt52()) {
                     fixEdge<AnyIntUse>(node->child1());
-                node->remove();
-            } else if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt)) {
+                    node->remove();
+                    break;
+                }
+
+                // Must not perform fixEdge<NumberUse> here since the type set only includes TypeAnyInt. Double values should be logged.
+            }
+
+            if (typeSet->doesTypeConformTo(TypeNumber | TypeAnyInt) && ((seenTypes & TypeNumber) && (seenTypes & TypeAnyInt))) {
+                // NumberUse can pass TypeNumber and TypeAnyInt. Thus, this node removal is allowed only if both TypeNumber and TypeAnyInt are logged in the type set.
                 fixEdge<NumberUse>(node->child1());
                 node->remove();
             } else if (typeSet->doesTypeConformTo(TypeString)) {
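Review bot: The two added `break;` statements inside the `TypeAnyInt` block leave an enclosing case that starts and ends outside this hunk, so it is easy to miss that control deliberately falls out of the block and continues to the `NumberUse` test. Anything placed after the if/else-if chain would also be skipped on those two paths. Folding the guards into the chain keeps a single exit and, as far as the visible lines show, the same behaviour: `if (typeSet->doesTypeConformTo(TypeAnyInt) && node->child1()->shouldSpeculateInt32())`, then `else if (typeSet->doesTypeConformTo(TypeAnyInt) && enableInt52())`, with the `NumberUse` condition as the next `else if`. That also keeps the `enableInt52()` guard on the same line as the decision to use `AnyIntUse`, which is the check this commit exists to add. The comment now sitting before the closing brace would move above the `NumberUse` branch and should say that when `enableInt52()` is false and only TypeAnyInt has been logged, the node is kept so that later double values are still recorded.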