Title: [95233] trunk/Source/JavaScriptCore
Revision: 95233
Author: fpi...@apple.com
Date: 2011-09-15 14:53:48 -0700 (Thu, 15 Sep 2011)

Log Message

DFG speculative JIT sometimes asserts that a value is not a number
even when it doesn't know anything about the number
https://bugs.webkit.org/show_bug.cgi?id=68189

Reviewed by Oliver Hunt.

* dfg/DFGGenerationInfo.h:
(JSC::DFG::GenerationInfo::isUnknownJS):
* dfg/DFGJITCodeGenerator.cpp:
(JSC::DFG::JITCodeGenerator::isKnownNotNumber):

Modified Paths

Diff

Modified: trunk/Source/JavaScriptCore/ChangeLog (95232 => 95233)


--- trunk/Source/_javascript_Core/ChangeLog	2011-09-15 21:49:17 UTC (rev 95232)
+++ trunk/Source/_javascript_Core/ChangeLog	2011-09-15 21:53:48 UTC (rev 95233)
@@ -1,5 +1,18 @@
 2011-09-15  Filip Pizlo  <fpi...@apple.com>
 
+        DFG speculative JIT sometimes asserts that a value is not a number
+        even when it doesn't know anything about the number
+        https://bugs.webkit.org/show_bug.cgi?id=68189
+
+        Reviewed by Oliver Hunt.
+
+        * dfg/DFGGenerationInfo.h:
+        (JSC::DFG::GenerationInfo::isUnknownJS):
+        * dfg/DFGJITCodeGenerator.cpp:
+        (JSC::DFG::JITCodeGenerator::isKnownNotNumber):
+
+2011-09-15  Filip Pizlo  <fpi...@apple.com>
+
         All of the functionality in the non-speculative JIT should be
         available to the speculative JIT via helper methods
         https://bugs.webkit.org/show_bug.cgi?id=68186
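
Review bot: the new ChangeLog entry lists isUnknownJS and isKnownNotNumber with nothing after the colons, so the log does not say what changed or why. Add a short description under each, for example that isKnownNotNumber no longer treats values whose format is DataFormatNone or DataFormatJS as known non-numbers. The summary line also says "about the number" where the value being tested seems to be meant.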

Modified: trunk/Source/JavaScriptCore/dfg/DFGGenerationInfo.h (95232 => 95233)


--- trunk/Source/_javascript_Core/dfg/DFGGenerationInfo.h	2011-09-15 21:49:17 UTC (rev 95232)
+++ trunk/Source/_javascript_Core/dfg/DFGGenerationInfo.h	2011-09-15 21:53:48 UTC (rev 95233)
@@ -259,6 +259,12 @@
     {
         return isJSFormat(DataFormatJSBoolean);
     }
+    
+    bool isUnknownJS()
+    {
+        return registerFormat() == DataFormatNone || registerFormat() == DataFormatJS
+            || spillFormat() == DataFormatNone || spillFormat() == DataFormatJS;
+    }
 
     // Get the machine resister currently holding the value.
     GPRReg gpr() { ASSERT(m_registerFormat && m_registerFormat != DataFormatDouble); return u.gpr; }
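
Review bot: in isUnknownJS() the four comparisons are joined with ||, so the function returns true as soon as either registerFormat() or spillFormat() is DataFormatNone or DataFormatJS, regardless of what the other one says. If a value that lives only in a register reports DataFormatNone as its spill format (or the reverse), it is classified as unknown even when the other format is specific, for example DataFormatJSBoolean. That errs on the safe side for a caller such as isKnownNotNumber(), but it can make the predicate true far more often than the name suggests. Consider testing only the format that is currently valid, and add a one-line comment stating what "unknown" is meant to cover. The added blank line before the method also carries trailing whitespace.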

Modified: trunk/Source/JavaScriptCore/dfg/DFGJITCodeGenerator.cpp (95232 => 95233)


--- trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-09-15 21:49:17 UTC (rev 95232)
+++ trunk/Source/_javascript_Core/dfg/DFGJITCodeGenerator.cpp	2011-09-15 21:53:48 UTC (rev 95233)
@@ -414,7 +414,7 @@
     VirtualRegister virtualRegister = node.virtualRegister();
     GenerationInfo& info = m_generationInfo[virtualRegister];
     
-    return (!info.isJSDouble() && !info.isJSInteger())
+    return (!info.isJSDouble() && !info.isJSInteger() && !info.isUnknownJS())
         || (node.isConstant() && !isNumberConstant(nodeIndex));
 }
 
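
Review bot: isKnownNotNumber() still decides by exclusion in its first clause: after this change it is true for any format that is not double, not integer and not unknown, so a DataFormat value added later would silently count as a proven non-number. Because the result is used as a guarantee about the value's type, a positive test that names the formats known to be non-numeric (DataFormatJSBoolean is one visible in DFGGenerationInfo.h) would fail closed instead. The commit touches only ChangeLog, DFGGenerationInfo.h and DFGJITCodeGenerator.cpp; a regression test for bug 68189 would keep the incorrect assertion from returning.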