<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[167433] trunk/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/167433">167433</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2014-04-17 10:01:05 -0700 (Thu, 17 Apr 2014)</dd>
</dl>

<h3>Log Message</h3>
<pre>AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the &quot;exit if empty prediction&quot; thing since it's a vestige of a time long gone
https://bugs.webkit.org/show_bug.cgi?id=131764

Reviewed by Geoffrey Garen.
        
The attached test case can be made to not crash by deleting old code. It used to be
the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
long ago. At this point, these guards just make life difficult. So get rid of them.

* dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
* dfg/DFGSpeculativeJIT32_64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* dfg/DFGSpeculativeJIT64.cpp:
(JSC::DFG::SpeculativeJIT::compile):
* tests/stress/bug-131764.js: Added.
(test1):
(test2):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh">trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp">trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoretestsstressbug131764js">trunk/Source/JavaScriptCore/tests/stress/bug-131764.js</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (167432 => 167433)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2014-04-17 17:00:21 UTC (rev 167432)
+++ trunk/Source/JavaScriptCore/ChangeLog        2014-04-17 17:01:05 UTC (rev 167433)
</span><span class="lines">@@ -1,3 +1,24 @@
</span><ins>+2014-04-16  Filip Pizlo  &lt;fpizlo@apple.com&gt;
+
+        AI for GetLocal should match the DFG backend, and in this case, the best way to do that is to get rid of the &quot;exit if empty prediction&quot; thing since it's a vestige of a time long gone
+        https://bugs.webkit.org/show_bug.cgi?id=131764
+
+        Reviewed by Geoffrey Garen.
+        
+        The attached test case can be made to not crash by deleting old code. It used to be
+        the case that the DFG needed empty prediction guards, for shady reasons. We fixed that
+        long ago. At this point, these guards just make life difficult. So get rid of them.
+
+        * dfg/DFGAbstractInterpreterInlines.h:
+        (JSC::DFG::AbstractInterpreter&lt;AbstractStateType&gt;::executeEffects):
+        * dfg/DFGSpeculativeJIT32_64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * dfg/DFGSpeculativeJIT64.cpp:
+        (JSC::DFG::SpeculativeJIT::compile):
+        * tests/stress/bug-131764.js: Added.
+        (test1):
+        (test2):
+
</ins><span class="cx"> 2014-04-17  Darin Adler  &lt;darin@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         Add separate flag for IndexedDatabase in workers since the current implementation is not threadsafe
</span></span></pre></div>
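Review bot: The new ChangeLog entry says the empty prediction guards were needed "for shady reasons" and that "We fixed that long ago", but it names neither the reason nor the change that made them unnecessary. This entry is the only record of why deleting a bail-out is safe, so cite that earlier change or bug here and say which remaining check now covers a GetLocal with no prediction.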
<a id="trunkSourceJavaScriptCoredfgDFGAbstractInterpreterInlinesh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h (167432 => 167433)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2014-04-17 17:00:21 UTC (rev 167432)
+++ trunk/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h        2014-04-17 17:01:05 UTC (rev 167433)
</span><span class="lines">@@ -167,10 +167,6 @@
</span><span class="cx">             
</span><span class="cx">     case GetLocal: {
</span><span class="cx">         VariableAccessData* variableAccessData = node-&gt;variableAccessData();
</span><del>-        if (variableAccessData-&gt;prediction() == SpecNone) {
-            m_state.setIsValid(false);
-            break;
-        }
</del><span class="cx">         AbstractValue value = m_state.variables().operand(variableAccessData-&gt;local().offset());
</span><span class="cx">         if (!variableAccessData-&gt;isCaptured()) {
</span><span class="cx">             if (value.isClear())
</span></span></pre></div>
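Review bot: With the early m_state.setIsValid(false) gone from the GetLocal case, the only handling of an unassigned local still visible here is value.isClear(), and it sits inside if (!variableAccessData-&gt;isCaptured()). The deleted guard applied to captured and uncaptured locals alike, so please confirm that a captured local whose prediction is SpecNone is meant to flow through the abstract interpreter unchanged, and leave a one-line comment at this spot saying so.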
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT32_64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp (167432 => 167433)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-04-17 17:00:21 UTC (rev 167432)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT32_64.cpp        2014-04-17 17:01:05 UTC (rev 167433)
</span><span class="lines">@@ -1693,15 +1693,8 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     case GetLocal: {
</span><del>-        SpeculatedType prediction = node-&gt;variableAccessData()-&gt;prediction();
</del><span class="cx">         AbstractValue&amp; value = m_state.variables().operand(node-&gt;local());
</span><span class="cx"> 
</span><del>-        // If we have no prediction for this local, then don't attempt to compile.
-        if (prediction == SpecNone) {
-            terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
-            break;
-        }
-        
</del><span class="cx">         // If the CFA is tracking this variable and it found that the variable
</span><span class="cx">         // cannot have been assigned, then don't attempt to proceed.
</span><span class="cx">         if (value.isClear()) {
</span></span></pre></div>
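Review bot: After this deletion the only bail-out left at the top of GetLocal is the value.isClear() check, and the hunk stops before showing how that branch terminates. The removed path exited with InadequateCoverage; if the isClear() branch uses a different exit kind, a local with no prediction is now reported differently than before, so state in the ChangeLog which exit these cases take now. Also confirm that the isClear() condition here agrees with the GetLocal case in DFGAbstractInterpreterInlines.h, since the commit title's goal is for the two to match.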
<a id="trunkSourceJavaScriptCoredfgDFGSpeculativeJIT64cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp (167432 => 167433)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-04-17 17:00:21 UTC (rev 167432)
+++ trunk/Source/JavaScriptCore/dfg/DFGSpeculativeJIT64.cpp        2014-04-17 17:01:05 UTC (rev 167433)
</span><span class="lines">@@ -1802,15 +1802,8 @@
</span><span class="cx">     }
</span><span class="cx"> 
</span><span class="cx">     case GetLocal: {
</span><del>-        SpeculatedType prediction = node-&gt;variableAccessData()-&gt;prediction();
</del><span class="cx">         AbstractValue&amp; value = m_state.variables().operand(node-&gt;local());
</span><span class="cx"> 
</span><del>-        // If we have no prediction for this local, then don't attempt to compile.
-        if (prediction == SpecNone) {
-            terminateSpeculativeExecution(InadequateCoverage, JSValueRegs(), 0);
-            break;
-        }
-        
</del><span class="cx">         // If the CFA is tracking this variable and it found that the variable
</span><span class="cx">         // cannot have been assigned, then don't attempt to proceed.
</span><span class="cx">         if (value.isClear()) {
</span></span></pre></div>
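Review bot: The GetLocal prologue is duplicated between this file and DFGSpeculativeJIT32_64.cpp: the hunk is line for line identical to the one there, down to the comment text, so the guard had to be deleted twice. Consider moving the shared value.isClear() bail-out into a helper in the common SpeculativeJIT code so that a later change to it cannot land in one backend only.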
<a id="trunkSourceJavaScriptCoretestsstressbug131764js"></a>
<div class="addfile"><h4>Added: trunk/Source/JavaScriptCore/tests/stress/bug-131764.js (0 => 167433)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/tests/stress/bug-131764.js                                (rev 0)
+++ trunk/Source/JavaScriptCore/tests/stress/bug-131764.js        2014-04-17 17:01:05 UTC (rev 167433)
</span><span class="lines">@@ -0,0 +1,22 @@
</span><ins>+var result = 0;
+function test1(arr) {
+    return Array.of(...arr);
+}
+function test2() {
+    return Array(...arguments);
+}
+
+var result = 0;
+if (this.noInline) {
+    noInline(test1)
+    noInline(test2)
+}
+
+var array = [1,2,3,4,5];
+
+for (var i = 0; i &lt; 10000; i++) {
+     result ^= test2(1,2,3,4,5,6,7).length;
+}
+
+if (result != 0)
+    throw &quot;Error: bad result: &quot; + result;
</ins></span></pre>
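Review bot: The final check result != 0 cannot fail as long as every iteration returns the same length: result is XORed with test2(1,2,3,4,5,6,7).length 10000 times, an even count, so it always ends at 0 and the test only detects a crash. Compare each call's length against the expected 7 inside the loop instead. test1 is defined and passed to noInline but never called, and array is never used, so the Array.of(...arr) path is not exercised; call test1(array) in the loop and check its result too. var result = 0; is also declared twice, and the two noInline calls lack semicolons.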
</div>
</div>

</body>
</html>