<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[162299] branches/jsCStack/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/162299">162299</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2014-01-19 17:26:24 -0800 (Sun, 19 Jan 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>FTL should ascribe range meta-data when loading array.length
https://bugs.webkit.org/show_bug.cgi?id=126543

Not yet reviewed.
        
The main thing this accomplishes is we now have Output::load32NonNegative() which is
a 32-bit integer load that promises that the value is not negative. We then use that
for all length loads.
        
But underneath that, we have the notion of ValueRange, which is a simplified
encapsulation of LLVM &quot;range&quot; metadata.
        
I considered making the range meta-data part of AbstractHeap. It would make sense
there. But considering that we just use this for basically one thing (the length), it
feels like conflating this with the AbstractHeap would result in some
overengineering. We should revisit this if we ever have other ranges.

* JavaScriptCore.xcodeproj/project.pbxproj:
* ftl/FTLCommonValues.cpp:
(JSC::FTL::CommonValues::CommonValues):
* ftl/FTLCommonValues.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
(JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
(JSC::FTL::LowerDFGToLLVM::compileSwitch):
(JSC::FTL::LowerDFGToLLVM::typedArrayLength):
(JSC::FTL::LowerDFGToLLVM::boolify):
(JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
* ftl/FTLOutput.h:
(JSC::FTL::Output::ascribeRange):
(JSC::FTL::Output::nonNegative32):
(JSC::FTL::Output::load32NonNegative):
* ftl/FTLValueRange.cpp: Added.
(JSC::FTL::ValueRange::decorateInstruction):
* ftl/FTLValueRange.h: Added.
(JSC::FTL::ValueRange::ValueRange):
(JSC::FTL::ValueRange::begin):
(JSC::FTL::ValueRange::end):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#branchesjsCStackSourceJavaScriptCoreChangeLog">branches/jsCStack/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj">branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLCommonValuescpp">branches/jsCStack/Source/JavaScriptCore/ftl/FTLCommonValues.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLCommonValuesh">branches/jsCStack/Source/JavaScriptCore/ftl/FTLCommonValues.h</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp">branches/jsCStack/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLOutputh">branches/jsCStack/Source/JavaScriptCore/ftl/FTLOutput.h</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLValueRangecpp">branches/jsCStack/Source/JavaScriptCore/ftl/FTLValueRange.cpp</a></li>
<li><a href="#branchesjsCStackSourceJavaScriptCoreftlFTLValueRangeh">branches/jsCStack/Source/JavaScriptCore/ftl/FTLValueRange.h</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="branchesjsCStackSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ChangeLog (162298 => 162299)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ChangeLog        2014-01-20 01:18:13 UTC (rev 162298)
+++ branches/jsCStack/Source/JavaScriptCore/ChangeLog        2014-01-20 01:26:24 UTC (rev 162299)
</span><span class="lines">@@ -1,3 +1,46 @@
</span><ins>+2014-01-19  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        FTL should ascribe range meta-data when loading array.length
+        https://bugs.webkit.org/show_bug.cgi?id=126543
+
+        Not yet reviewed.
+        
+        The main thing this accomplishes is we now have Output::load32NonNegative() which is
+        a 32-bit integer load that promises that the value is not negative. We then use that
+        for all length loads.
+        
+        But underneath that, we have the notion of ValueRange, which is a simplified
+        encapsulation of LLVM &quot;range&quot; metadata.
+        
+        I considered making the range meta-data part of AbstractHeap. It would make sense
+        there. But considering that we just use this for basically one thing (the length), it
+        feels like conflating this with the AbstractHeap would result in some
+        overengineering. We should revisit this if we ever have other ranges.
+
+        * JavaScriptCore.xcodeproj/project.pbxproj:
+        * ftl/FTLCommonValues.cpp:
+        (JSC::FTL::CommonValues::CommonValues):
+        * ftl/FTLCommonValues.h:
+        * ftl/FTLLowerDFGToLLVM.cpp:
+        (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
+        (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
+        (JSC::FTL::LowerDFGToLLVM::compileStringCharAt):
+        (JSC::FTL::LowerDFGToLLVM::compileStringCharCodeAt):
+        (JSC::FTL::LowerDFGToLLVM::compileSwitch):
+        (JSC::FTL::LowerDFGToLLVM::typedArrayLength):
+        (JSC::FTL::LowerDFGToLLVM::boolify):
+        (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
+        * ftl/FTLOutput.h:
+        (JSC::FTL::Output::ascribeRange):
+        (JSC::FTL::Output::nonNegative32):
+        (JSC::FTL::Output::load32NonNegative):
+        * ftl/FTLValueRange.cpp: Added.
+        (JSC::FTL::ValueRange::decorateInstruction):
+        * ftl/FTLValueRange.h: Added.
+        (JSC::FTL::ValueRange::ValueRange):
+        (JSC::FTL::ValueRange::begin):
+        (JSC::FTL::ValueRange::end):
+
</ins><span class="cx"> 2014-01-16  Mark Lam  &lt;mark.lam@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Fix 32-bit C loop LLINT.
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreJavaScriptCorexcodeprojprojectpbxproj"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj (162298 => 162299)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2014-01-20 01:18:13 UTC (rev 162298)
+++ branches/jsCStack/Source/JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj        2014-01-20 01:26:24 UTC (rev 162299)
</span><span class="lines">@@ -252,6 +252,8 @@
</span><span class="cx">                 0F56A1D515001CF4002992B1 /* ExecutionCounter.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F56A1D415001CF2002992B1 /* ExecutionCounter.cpp */; };
</span><span class="cx">                 0F572D4F16879FDD00E57FBD /* ThunkGenerator.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F572D4D16879FDB00E57FBD /* ThunkGenerator.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0F5A52D017ADD717008ECB2D /* CopyToken.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5A52CF17ADD717008ECB2D /* CopyToken.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><ins>+                0F5A6283188C98D40072C9DF /* FTLValueRange.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F5A6281188C98D40072C9DF /* FTLValueRange.cpp */; };
+                0F5A6284188C98D40072C9DF /* FTLValueRange.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5A6282188C98D40072C9DF /* FTLValueRange.h */; settings = {ATTRIBUTES = (Private, ); }; };
</ins><span class="cx">                 0F5EF91E16878F7A003E5C25 /* JITThunks.cpp in Sources */ = {isa = PBXBuildFile; fileRef = 0F5EF91B16878F78003E5C25 /* JITThunks.cpp */; };
</span><span class="cx">                 0F5EF91F16878F7D003E5C25 /* JITThunks.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5EF91C16878F78003E5C25 /* JITThunks.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="cx">                 0F5F08CF146C7633000472A9 /* UnconditionalFinalizer.h in Headers */ = {isa = PBXBuildFile; fileRef = 0F5F08CE146C762F000472A9 /* UnconditionalFinalizer.h */; settings = {ATTRIBUTES = (Private, ); }; };
</span><span class="lines">@@ -1588,6 +1590,8 @@
</span><span class="cx">                 0F56A1D415001CF2002992B1 /* ExecutionCounter.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ExecutionCounter.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F572D4D16879FDB00E57FBD /* ThunkGenerator.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ThunkGenerator.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F5A52CF17ADD717008ECB2D /* CopyToken.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = CopyToken.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><ins>+                0F5A6281188C98D40072C9DF /* FTLValueRange.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; name = FTLValueRange.cpp; path = ftl/FTLValueRange.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
+                0F5A6282188C98D40072C9DF /* FTLValueRange.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; name = FTLValueRange.h; path = ftl/FTLValueRange.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</ins><span class="cx">                 0F5EF91B16878F78003E5C25 /* JITThunks.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = JITThunks.cpp; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F5EF91C16878F78003E5C25 /* JITThunks.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = JITThunks.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="cx">                 0F5F08CE146C762F000472A9 /* UnconditionalFinalizer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = UnconditionalFinalizer.h; sourceTree = &quot;&lt;group&gt;&quot;; };
</span><span class="lines">@@ -2949,6 +2953,8 @@
</span><span class="cx">                                 0F235BCD17178E1C00690C7F /* FTLValueFormat.cpp */,
</span><span class="cx">                                 0F235BCE17178E1C00690C7F /* FTLValueFormat.h */,
</span><span class="cx">                                 0FDB2CC8173DA51E007B3C1B /* FTLValueFromBlock.h */,
</span><ins>+                                0F5A6281188C98D40072C9DF /* FTLValueRange.cpp */,
+                                0F5A6282188C98D40072C9DF /* FTLValueRange.h */,
</ins><span class="cx">                         );
</span><span class="cx">                         name = ftl;
</span><span class="cx">                         sourceTree = &quot;&lt;group&gt;&quot;;
</span><span class="lines">@@ -4588,6 +4594,7 @@
</span><span class="cx">                                 0FEA0A241709606900BB722C /* FTLIntrinsicRepository.h in Headers */,
</span><span class="cx">                                 0FEA0A0E170513DB00BB722C /* FTLJITCode.h in Headers */,
</span><span class="cx">                                 A78A9781179738D5009DF744 /* FTLJITFinalizer.h in Headers */,
</span><ins>+                                0F5A6284188C98D40072C9DF /* FTLValueRange.h in Headers */,
</ins><span class="cx">                                 0F8F2B96172E04A3007DBDA5 /* FTLLink.h in Headers */,
</span><span class="cx">                                 0FCEFAE0180738C000472CE4 /* FTLLocation.h in Headers */,
</span><span class="cx">                                 0FEA0A10170513DB00BB722C /* FTLLowerDFGToLLVM.h in Headers */,
</span><span class="lines">@@ -5470,6 +5477,7 @@
</span><span class="cx">                                 1428082D107EC0570013E7B2 /* CallData.cpp in Sources */,
</span><span class="cx">                                 1429D8DD0ED2205B00B89619 /* CallFrame.cpp in Sources */,
</span><span class="cx">                                 0F0B83B014BCF71600885B4F /* CallLinkInfo.cpp in Sources */,
</span><ins>+                                0F5A6283188C98D40072C9DF /* FTLValueRange.cpp in Sources */,
</ins><span class="cx">                                 0F93329D14CA7DC30085F3C6 /* CallLinkStatus.cpp in Sources */,
</span><span class="cx">                                 0F73D7AE165A142D00ACAB71 /* ClosureCallStubRoutine.cpp in Sources */,
</span><span class="cx">                                 969A07960ED1D3AE00F1F681 /* CodeBlock.cpp in Sources */,
</span></span></pre></div>
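Review bot: The new "FTLValueRange.cpp in Sources" entry lands between CallLinkInfo.cpp and CallLinkStatus.cpp, and in the Headers hunk above it "FTLValueRange.h in Headers" sits between FTLJITFinalizer.h and FTLLink.h, so both build-phase lists lose the alphabetical order the surrounding context lines show. Moving each entry to its sorted position would keep later project-file merges smaller.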
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLCommonValuescpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ftl/FTLCommonValues.cpp (162298 => 162299)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLCommonValues.cpp        2014-01-20 01:18:13 UTC (rev 162298)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLCommonValues.cpp        2014-01-20 01:26:24 UTC (rev 162299)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -61,6 +61,8 @@
</span><span class="cx">     , intPtrEight(constInt(intPtr, 8, SignExtend))
</span><span class="cx">     , intPtrPtr(constInt(intPtr, sizeof(void*), SignExtend))
</span><span class="cx">     , doubleZero(constReal(doubleType, 0))
</span><ins>+    , rangeKind(mdKindID(context, &quot;range&quot;))
+    , nonNegativeInt32(constInt(int32, 0, SignExtend), constInt(int32, 1ll &lt;&lt; 31, SignExtend))
</ins><span class="cx">     , m_context(context)
</span><span class="cx">     , m_module(0)
</span><span class="cx"> {
</span></span></pre></div>
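Review bot: In the nonNegativeInt32 initializer, the end bound constInt(int32, 1ll &lt;&lt; 31, SignExtend) does not fit in a signed 32-bit integer and reads as INT32_MIN once narrowed to int32, so the pair only denotes 0 through INT32_MAX because LLVM range metadata is the half-open interval [begin, end). A short comment stating that the end is exclusive would keep a later reader from changing it to INT32_MAX, which would silently exclude the largest valid length.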
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLCommonValuesh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ftl/FTLCommonValues.h (162298 => 162299)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLCommonValues.h        2014-01-20 01:18:13 UTC (rev 162298)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLCommonValues.h        2014-01-20 01:26:24 UTC (rev 162299)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -31,6 +31,7 @@
</span><span class="cx"> #if ENABLE(FTL_JIT)
</span><span class="cx"> 
</span><span class="cx"> #include &quot;FTLAbbreviations.h&quot;
</span><ins>+#include &quot;FTLValueRange.h&quot;
</ins><span class="cx"> 
</span><span class="cx"> namespace JSC { namespace FTL {
</span><span class="cx"> 
</span><span class="lines">@@ -74,6 +75,10 @@
</span><span class="cx">     const LValue intPtrPtr;
</span><span class="cx">     const LValue doubleZero;
</span><span class="cx">     
</span><ins>+    const unsigned rangeKind;
+    
+    const ValueRange nonNegativeInt32;
+    
</ins><span class="cx">     LContext const m_context;
</span><span class="cx">     LModule m_module;
</span><span class="cx"> };
</span></span></pre></div>
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLLowerDFGToLLVMcpp"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp (162298 => 162299)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-01-20 01:18:13 UTC (rev 162298)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp        2014-01-20 01:26:24 UTC (rev 162299)
</span><span class="lines">@@ -1569,20 +1569,20 @@
</span><span class="cx">         case Array::Int32:
</span><span class="cx">         case Array::Double:
</span><span class="cx">         case Array::Contiguous: {
</span><del>-            setInt32(m_out.load32(lowStorage(m_node-&gt;child2()), m_heaps.Butterfly_publicLength));
</del><ins>+            setInt32(m_out.load32NonNegative(lowStorage(m_node-&gt;child2()), m_heaps.Butterfly_publicLength));
</ins><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">             
</span><span class="cx">         case Array::String: {
</span><span class="cx">             LValue string = lowCell(m_node-&gt;child1());
</span><del>-            setInt32(m_out.load32(string, m_heaps.JSString_length));
</del><ins>+            setInt32(m_out.load32NonNegative(string, m_heaps.JSString_length));
</ins><span class="cx">             return;
</span><span class="cx">         }
</span><span class="cx">             
</span><span class="cx">         default:
</span><span class="cx">             if (isTypedView(m_node-&gt;arrayMode().typedArrayType())) {
</span><span class="cx">                 setInt32(
</span><del>-                    m_out.load32(lowCell(m_node-&gt;child1()), m_heaps.JSArrayBufferView_length));
</del><ins>+                    m_out.load32NonNegative(lowCell(m_node-&gt;child1()), m_heaps.JSArrayBufferView_length));
</ins><span class="cx">                 return;
</span><span class="cx">             }
</span><span class="cx">             
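Review bot: All three length loads in this hunk (Butterfly_publicLength, JSString_length, JSArrayBufferView_length) now tell LLVM the loaded value is never negative, but the patch changes only the load side and gives no reason why each field upholds that. The same fields feed the aboveOrEqual bounds checks in the hunks that follow, so a field that ever held a value with the sign bit set would make the optimized check unreliable; a comment naming the invariant for each field, or a debug assertion where the lengths are written, would make the dependency explicit.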
</span><span class="lines">@@ -1624,7 +1624,7 @@
</span><span class="cx">             
</span><span class="cx">             m_out.branch(
</span><span class="cx">                 m_out.aboveOrEqual(
</span><del>-                    index, m_out.load32(storage, m_heaps.Butterfly_publicLength)),
</del><ins>+                    index, m_out.load32NonNegative(storage, m_heaps.Butterfly_publicLength)),
</ins><span class="cx">                 slowCase, fastCase);
</span><span class="cx">             
</span><span class="cx">             LBasicBlock lastNext = m_out.appendTo(fastCase, slowCase);
</span><span class="lines">@@ -1671,7 +1671,7 @@
</span><span class="cx">             
</span><span class="cx">             m_out.branch(
</span><span class="cx">                 m_out.aboveOrEqual(
</span><del>-                    index, m_out.load32(storage, m_heaps.Butterfly_publicLength)),
</del><ins>+                    index, m_out.load32NonNegative(storage, m_heaps.Butterfly_publicLength)),
</ins><span class="cx">                 slowCase, inBounds);
</span><span class="cx">             
</span><span class="cx">             LBasicBlock lastNext = m_out.appendTo(inBounds, boxPath);
</span><span class="lines">@@ -2243,7 +2243,7 @@
</span><span class="cx">             
</span><span class="cx">         m_out.branch(
</span><span class="cx">             m_out.aboveOrEqual(
</span><del>-                index, m_out.load32(base, m_heaps.JSString_length)),
</del><ins>+                index, m_out.load32NonNegative(base, m_heaps.JSString_length)),
</ins><span class="cx">             slowPath, fastPath);
</span><span class="cx">             
</span><span class="cx">         LBasicBlock lastNext = m_out.appendTo(fastPath, slowPath);
</span><span class="lines">@@ -2339,7 +2339,8 @@
</span><span class="cx">         
</span><span class="cx">         speculate(
</span><span class="cx">             Uncountable, noValue(), 0,
</span><del>-            m_out.aboveOrEqual(index, m_out.load32(base, m_heaps.JSString_length)));
</del><ins>+            m_out.aboveOrEqual(
+                index, m_out.load32NonNegative(base, m_heaps.JSString_length)));
</ins><span class="cx">         
</span><span class="cx">         LValue stringImpl = m_out.loadPtr(base, m_heaps.JSString_value);
</span><span class="cx">         
</span><span class="lines">@@ -2763,7 +2764,7 @@
</span><span class="cx">             
</span><span class="cx">             m_out.branch(
</span><span class="cx">                 m_out.notEqual(
</span><del>-                    m_out.load32(stringValue, m_heaps.JSString_length),
</del><ins>+                    m_out.load32NonNegative(stringValue, m_heaps.JSString_length),
</ins><span class="cx">                     m_out.int32One),
</span><span class="cx">                 lowBlock(data-&gt;fallThrough), lengthIs1);
</span><span class="cx">             
</span><span class="lines">@@ -3066,7 +3067,7 @@
</span><span class="cx">     {
</span><span class="cx">         if (JSArrayBufferView* view = m_graph.tryGetFoldableView(baseEdge.node(), arrayMode))
</span><span class="cx">             return m_out.constInt32(view-&gt;length());
</span><del>-        return m_out.load32(base, m_heaps.JSArrayBufferView_length);
</del><ins>+        return m_out.load32NonNegative(base, m_heaps.JSArrayBufferView_length);
</ins><span class="cx">     }
</span><span class="cx">     
</span><span class="cx">     LValue typedArrayLength(Edge baseEdge, ArrayMode arrayMode)
</span><span class="lines">@@ -3090,7 +3091,7 @@
</span><span class="cx">                     ManualOperandSpeculation));
</span><span class="cx">         case StringUse: {
</span><span class="cx">             LValue stringValue = lowString(m_node-&gt;child1());
</span><del>-            LValue length = m_out.load32(stringValue, m_heaps.JSString_length);
</del><ins>+            LValue length = m_out.load32NonNegative(stringValue, m_heaps.JSString_length);
</ins><span class="cx">             return m_out.notEqual(length, m_out.int32Zero);
</span><span class="cx">         }
</span><span class="cx">         case UntypedUse: {
</span><span class="lines">@@ -3224,7 +3225,7 @@
</span><span class="cx">         LBasicBlock continuation)
</span><span class="cx">     {
</span><span class="cx">         LValue isNotInBounds = m_out.aboveOrEqual(
</span><del>-            index, m_out.load32(storage, m_heaps.Butterfly_publicLength));
</del><ins>+            index, m_out.load32NonNegative(storage, m_heaps.Butterfly_publicLength));
</ins><span class="cx">         if (!m_node-&gt;arrayMode().isInBounds()) {
</span><span class="cx">             LBasicBlock notInBoundsCase =
</span><span class="cx">                 FTL_NEW_BLOCK(m_out, (&quot;PutByVal not in bounds&quot;));
</span><span class="lines">@@ -3236,7 +3237,7 @@
</span><span class="cx">             LBasicBlock lastNext = m_out.appendTo(notInBoundsCase, performStore);
</span><span class="cx">                 
</span><span class="cx">             LValue isOutOfBounds = m_out.aboveOrEqual(
</span><del>-                index, m_out.load32(storage, m_heaps.Butterfly_vectorLength));
</del><ins>+                index, m_out.load32NonNegative(storage, m_heaps.Butterfly_vectorLength));
</ins><span class="cx">                 
</span><span class="cx">             if (!m_node-&gt;arrayMode().isOutOfBounds())
</span><span class="cx">                 speculate(OutOfBounds, noValue(), 0, isOutOfBounds);
</span></span></pre></div>
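Review bot: The second load in contiguousPutByValOutOfBounds reads Butterfly_vectorLength, which is a capacity rather than one of the length fields the log message talks about, and it receives the same non-negative promise. Please confirm that vectorLength can never have the sign bit set and say so in the ChangeLog entry, since isOutOfBounds built from this load gates the OutOfBounds speculation.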
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLOutputh"></a>
<div class="modfile"><h4>Modified: branches/jsCStack/Source/JavaScriptCore/ftl/FTLOutput.h (162298 => 162299)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLOutput.h        2014-01-20 01:18:13 UTC (rev 162298)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLOutput.h        2014-01-20 01:26:24 UTC (rev 162299)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2013 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2013, 2014 Apple Inc. All rights reserved.
</ins><span class="cx">  *
</span><span class="cx">  * Redistribution and use in source and binary forms, with or without
</span><span class="cx">  * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -319,6 +319,20 @@
</span><span class="cx">     void storePtr(LValue value, LValue base, const AbstractField&amp; field) { storePtr(value, address(base, field)); }
</span><span class="cx">     void storeDouble(LValue value, LValue base, const AbstractField&amp; field) { storeDouble(value, address(base, field)); }
</span><span class="cx">     
</span><ins>+    void ascribeRange(LValue loadInstruction, const ValueRange&amp; range)
+    {
+        range.decorateInstruction(m_context, loadInstruction, rangeKind);
+    }
+    
+    LValue nonNegative32(LValue loadInstruction)
+    {
+        ascribeRange(loadInstruction, nonNegativeInt32);
+        return loadInstruction;
+    }
+    
+    LValue load32NonNegative(TypedPointer pointer) { return nonNegative32(load32(pointer)); }
+    LValue load32NonNegative(LValue base, const AbstractField&amp; field) { return nonNegative32(load32(base, field)); }
+    
</ins><span class="cx">     LValue icmp(LIntPredicate cond, LValue left, LValue right) { return buildICmp(m_builder, cond, left, right); }
</span><span class="cx">     LValue equal(LValue left, LValue right) { return icmp(LLVMIntEQ, left, right); }
</span><span class="cx">     LValue notEqual(LValue left, LValue right) { return icmp(LLVMIntNE, left, right); }
</span></span></pre></div>
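Review bot: ascribeRange() and nonNegative32() accept any LValue, but the parameter name and ValueRange::decorateInstruction() both assume a load instruction, and nothing in this hunk checks that. Because the attached range is a promise the optimizer may rely on rather than a runtime check, consider asserting that the value is a load, or restricting nonNegative32() so that only load32NonNegative() uses it, and add a one-line comment on load32NonNegative() saying the caller must guarantee the field never has the sign bit set.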
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLValueRangecpp"></a>
<div class="addfile"><h4>Added: branches/jsCStack/Source/JavaScriptCore/ftl/FTLValueRange.cpp (0 => 162299)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLValueRange.cpp                                (rev 0)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLValueRange.cpp        2014-01-20 01:26:24 UTC (rev 162299)
</span><span class="lines">@@ -0,0 +1,42 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include &quot;config.h&quot;
+#include &quot;FTLValueRange.h&quot;
+
+#include &quot;FTLAbbreviations.h&quot;
+
+namespace JSC { namespace FTL {
+
+void ValueRange::decorateInstruction(
+    LContext context, LValue loadInstruction, unsigned rangeKind) const
+{
+    if (!m_rangeMetadata)
+        m_rangeMetadata = mdNode(context, m_begin, m_end);
+    setMetadata(loadInstruction, rangeKind, m_rangeMetadata);
+}
+
+} } // namespace JSC::FTL
+
</ins></span></pre></div>
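Review bot: FTLValueRange.cpp has no #if ENABLE(FTL_JIT) guard around its body, while FTLValueRange.h declares ValueRange only inside #if ENABLE(FTL_JIT), so a build with the FTL disabled would see ValueRange::decorateInstruction defined for a class that was never declared. Wrap the namespace block in the same guard. Separately, decorateInstruction() passes m_begin and m_end to mdNode() unchecked, so a default-constructed ValueRange reaches mdNode() with null bounds; asserting that both are set before building the node would catch that.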
<a id="branchesjsCStackSourceJavaScriptCoreftlFTLValueRangeh"></a>
<div class="addfile"><h4>Added: branches/jsCStack/Source/JavaScriptCore/ftl/FTLValueRange.h (0 => 162299)</h4>
<pre class="diff"><span>
<span class="info">--- branches/jsCStack/Source/JavaScriptCore/ftl/FTLValueRange.h                                (rev 0)
+++ branches/jsCStack/Source/JavaScriptCore/ftl/FTLValueRange.h        2014-01-20 01:26:24 UTC (rev 162299)
</span><span class="lines">@@ -0,0 +1,67 @@
</span><ins>+/*
+ * Copyright (C) 2014 Apple Inc. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY APPLE INC. ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL APPLE INC. OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
+ * OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#ifndef FTLValueRange_h
+#define FTLValueRange_h
+
+#if ENABLE(FTL_JIT)
+
+#include &quot;FTLAbbreviatedTypes.h&quot;
+
+namespace JSC { namespace FTL {
+
+class ValueRange {
+public:
+    ValueRange()
+        : m_begin(0)
+        , m_end(0)
+        , m_rangeMetadata(0)
+    {
+    }
+    
+    ValueRange(LValue begin, LValue end)
+        : m_begin(begin)
+        , m_end(end)
+        , m_rangeMetadata(0)
+    {
+    }
+    
+    LValue begin() const { return m_begin; }
+    LValue end() const { return m_end; }
+    
+    void decorateInstruction(LContext, LValue loadInstruction, unsigned rangeKind) const;
+    
+private:
+    LValue m_begin;
+    LValue m_end;
+    mutable LValue m_rangeMetadata;
+};
+
+} } // namespace JSC::FTL
+
+#endif // ENABLE(FTL_JIT)
+
+#endif // FTLValueRange_h
+
</ins></span></pre>
</div>
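Review bot: The ValueRange class carries no comment saying whether end() is inclusive or exclusive, and m_rangeMetadata is a mutable cache filled from a const method without recording which LContext produced it. Document the interval as [begin, end) on the class, and either assert that decorateInstruction() is always called with the same context or note that a ValueRange belongs to exactly one context, since the cached node is reused for every later call.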
</div>

</body>
</html>