Title: [204176] trunk/Source/JavaScriptCore
- Revision: 204176
- Author: [email protected]
- Date: 2016-08-05 10:08:22 -0700 (Fri, 05 Aug 2016)
Log Message
Fix 32-bit OverridesHasInstance in the DFG.
https://bugs.webkit.org/show_bug.cgi?id=160600
Reviewed by Mark Lam.
In https://trac.webkit.org/changeset/204140, we fixed an issue where the DFG might
do the wrong thing if it proved that the Symbol.hasInstance value for a constructor
was a constant late in compilation. That fix was omitted from the 32-bit version,
causing the new test to fail.
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
Diff
Modified: trunk/Source/_javascript_Core/ChangeLog (204175 => 204176)
--- trunk/Source/_javascript_Core/ChangeLog 2016-08-05 16:57:34 UTC (rev 204175)
+++ trunk/Source/_javascript_Core/ChangeLog 2016-08-05 17:08:22 UTC (rev 204176)
@@ -1,3 +1,18 @@
+2016-08-05 Keith Miller <[email protected]>
+
+ Fix 32-bit OverridesHasInstance in the DFG.
+ https://bugs.webkit.org/show_bug.cgi?id=160600
+
+ Reviewed by Mark Lam.
+
+ In https://trac.webkit.org/changeset/204140, we fixed an issue where the DFG might
+ do the wrong thing if it proved that the Symbol.hasInstance value for a constructor
+ was a constant late in compilation. That fix was ommited from the 32-bit version,
+ causing the new test to fail.
+
+ * dfg/DFGSpeculativeJIT32_64.cpp:
+ (JSC::DFG::SpeculativeJIT::compile):
+
2016-08-04 Saam Barati <[email protected]>
Restore CodeBlock jettison code to jettison when a CodeBlock has been alive for a long time
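Review bot: In the added ChangeLog entry, "ommited" should be "omitted", and "the new test" is never named. Naming the failing test in the entry would let someone reading the log on a 32-bit regression find it without having to open changeset 204140.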
Modified: trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp (204175 => 204176)
--- trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-08-05 16:57:34 UTC (rev 204175)
+++ trunk/Source/_javascript_Core/dfg/DFGSpeculativeJIT32_64.cpp 2016-08-05 17:08:22 UTC (rev 204176)
@@ -4636,13 +4636,10 @@
GPRReg baseGPR = base.gpr();
GPRReg resultGPR = result.gpr();
- // If we have proven that the constructor's Symbol.hasInstance will always be the one on
- // Function.prototype[Symbol.hasInstance] then we don't need a runtime check here. We don't worry
- // about the case where the constructor's Symbol.hasInstance is a constant but is not the default
- // one as fixup should have converted this check to true.
- ASSERT(!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction == hasInstanceValueNode->asCell());
- if (!hasInstanceValueNode->isCellConstant()) {
-
+ // It would be great if constant folding handled automatically the case where we knew the hasInstance function
+ // was a constant. Unfortunately, the folding rule for OverridesHasInstance is in the strength reduction phase
+ // since it relies on OSR information. https://bugs.webkit.org/show_bug.cgi?id=154832
+ if (!hasInstanceValueNode->isCellConstant() || defaultHasInstanceFunction != hasInstanceValueNode->asCell()) {
JSValueRegs hasInstanceValueRegs = hasInstanceValue.jsValueRegs();
hasInstanceValueNotCell = m_jit.branchIfNotCell(hasInstanceValueRegs);
notDefaulthasInstanceValue = m_jit.branchPtr(MacroAssembler::NotEqual, hasInstanceValueRegs.payloadGPR(), TrustedImmPtr(defaultHasInstanceFunction));
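Review bot: The replacement comment above the new `if` explains why constant folding does not cover this case, but it no longer states what the condition means: the runtime check is skipped only when hasInstanceValueNode is a cell constant equal to defaultHasInstanceFunction. The removed comment and ASSERT were the only place that said so, and a sentence restoring it would help. Separately, for the case the old ASSERT excluded (a cell constant that is not the default), the block still emits branchIfNotCell and a branchPtr NotEqual against defaultHasInstanceFunction even though both outcomes are known at compile time. That is correct, but worth a note in the comment that the redundant checks are accepted here until the folding rule tracked in bug 154832 handles it.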