<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[197666] releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/197666">197666</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-03-07 01:56:32 -0800 (Mon, 07 Mar 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/197370">r197370</a> - OverridesHasInstance constant folding is wrong
https://bugs.webkit.org/show_bug.cgi?id=154833

Reviewed by Filip Pizlo.

The current implementation of OverridesHasInstance constant folding
is incorrect. Since it relies on OSR exit information it has been
moved to the StrengthReductionPhase. Normally, such an optimization would be
put in FixupPhase, however, there are a number of cases where we don't
determine an edge of OverridesHasInstance is a constant until after fixup.
Performing the optimization during StrengthReductionPhase means we can defer
our decision until later.

In the future we should consider creating a version of this optimization
that does not depend on OSR exit information and move the optimization back
to ConstantFoldingPhase.

* dfg/DFGConstantFoldingPhase.cpp:
(JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
* dfg/DFGStrengthReductionPhase.cpp:
(JSC::DFG::StrengthReductionPhase::handleNode):</pre>

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoreChangeLog">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGConstantFoldingPhasecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp</a></li>
<li><a href="#releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGStrengthReductionPhasecpp">releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog (197665 => 197666)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog        2016-03-07 09:48:07 UTC (rev 197665)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/ChangeLog        2016-03-07 09:56:32 UTC (rev 197666)
</span><span class="lines">@@ -1,3 +1,27 @@
</span><ins>+2016-02-29  Keith Miller  &lt;keith_miller@apple.com&gt;
+
+        OverridesHasInstance constant folding is wrong
+        https://bugs.webkit.org/show_bug.cgi?id=154833
+
+        Reviewed by Filip Pizlo.
+
+        The current implementation of OverridesHasInstance constant folding
+        is incorrect. Since it relies on OSR exit information it has been
+        moved to the StrengthReductionPhase. Normally, such an optimazation would be
+        put in FixupPhase, however, there are a number of cases where we don't
+        determine an edge of OverridesHasInstance is a constant until after fixup.
+        Performing the optimization during StrengthReductionPhase means we can defer
+        our decision until later.
+
+        In the future we should consider creating a version of this optimization
+        that does not depend on OSR exit information and move the optimization back
+        to ConstantFoldingPhase.
+
+        * dfg/DFGConstantFoldingPhase.cpp:
+        (JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted.
+        * dfg/DFGStrengthReductionPhase.cpp:
+        (JSC::DFG::StrengthReductionPhase::handleNode):
+
</ins><span class="cx"> 2016-02-28  Filip Pizlo  &lt;fpizlo@apple.com&gt;
</span><span class="cx"> 
</span><span class="cx">         B3 should have global store elimination
</span></span></pre></div>
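Review bot: The entry says the OverridesHasInstance folding "is incorrect" but never states what goes wrong or which input triggers it, and the file list under it names only the two DFG sources, so no regression test lands with the fix. For a change to a speculative JIT optimization, describe the failing case in one sentence and add a test that exercises it. Two smaller points: "optimazation" is misspelled, and "(JSC::DFG::ConstantFoldingPhase::foldConstants): Deleted." reads as if the function were removed when only one case was dropped from it.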
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGConstantFoldingPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp (197665 => 197666)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp        2016-03-07 09:48:07 UTC (rev 197665)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGConstantFoldingPhase.cpp        2016-03-07 09:56:32 UTC (rev 197666)
</span><span class="lines">@@ -553,24 +553,6 @@
</span><span class="cx">                 break;
</span><span class="cx">             }
</span><span class="cx"> 
</span><del>-            case OverridesHasInstance: {
-                if (!node-&gt;child2().node()-&gt;isCellConstant())
-                    break;
-
-                if (node-&gt;child2().node()-&gt;asCell() != m_graph.globalObjectFor(node-&gt;origin.semantic)-&gt;functionProtoHasInstanceSymbolFunction()) {
-                    m_graph.convertToConstant(node, jsBoolean(true));
-                    changed = true;
-
-                } else if (!m_graph.hasExitSite(node-&gt;origin.semantic, BadTypeInfoFlags)) {
-                    // We optimistically assume that we will not see a function that has a custom instanceof operation as they should be rare.
-                    m_insertionSet.insertNode(indexInBlock, SpecNone, CheckTypeInfoFlags, node-&gt;origin, OpInfo(ImplementsDefaultHasInstance), Edge(node-&gt;child1().node(), CellUse));
-                    m_graph.convertToConstant(node, jsBoolean(false));
-                    changed = true;
-                }
-                
-                break;
-            }
-
</del><span class="cx">             case Check: {
</span><span class="cx">                 alreadyHandled = true;
</span><span class="cx">                 m_interpreter.execute(indexInBlock);
</span></span></pre></div>
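Review bot: The removed OverridesHasInstance case leaves nothing behind in this switch to say why the node is no longer folded here, and the log message already anticipates moving the optimization back later. Add a one-line comment at this spot pointing to DFGStrengthReductionPhase.cpp and to https://bugs.webkit.org/show_bug.cgi?id=154832, the bug the new FIXME cites, noting that the fold consults hasExitSite(..., BadTypeInfoFlags) and so depends on OSR exit information.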
<a id="releasesWebKitGTKwebkit212SourceJavaScriptCoredfgDFGStrengthReductionPhasecpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp (197665 => 197666)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp        2016-03-07 09:48:07 UTC (rev 197665)
+++ releases/WebKitGTK/webkit-2.12/Source/JavaScriptCore/dfg/DFGStrengthReductionPhase.cpp        2016-03-07 09:56:32 UTC (rev 197666)
</span><span class="lines">@@ -255,6 +255,26 @@
</span><span class="cx">             m_changed = true;
</span><span class="cx">             break;
</span><span class="cx">         }
</span><ins>+
+        // FIXME: we should probably do this in constant folding but this currently relies on an OSR exit rule.
+        // https://bugs.webkit.org/show_bug.cgi?id=154832
+        case OverridesHasInstance: {
+            if (!m_node-&gt;child2().node()-&gt;isCellConstant())
+                break;
+
+            if (m_node-&gt;child2().node()-&gt;asCell() != m_graph.globalObjectFor(m_node-&gt;origin.semantic)-&gt;functionProtoHasInstanceSymbolFunction()) {
+                m_graph.convertToConstant(m_node, jsBoolean(true));
+                m_changed = true;
+
+            } else if (!m_graph.hasExitSite(m_node-&gt;origin.semantic, BadTypeInfoFlags)) {
+                // We optimistically assume that we will not see a function that has a custom instanceof operation as they should be rare.
+                m_insertionSet.insertNode(m_nodeIndex, SpecNone, CheckTypeInfoFlags, m_node-&gt;origin, OpInfo(ImplementsDefaultHasInstance), Edge(m_node-&gt;child1().node(), CellUse));
+                m_graph.convertToConstant(m_node, jsBoolean(false));
+                m_changed = true;
+            }
+
+            break;
+        }
</ins><span class="cx">             
</span><span class="cx">         default:
</span><span class="cx">             break;
</span></span></pre>
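Review bot: In the else-if branch, folding to jsBoolean(false) is only sound because of the CheckTypeInfoFlags node inserted just before it, yet the comment there speaks only of custom instanceof being rare. Say in the comment that the inserted ImplementsDefaultHasInstance check guards the folded constant, and that the hasExitSite(..., BadTypeInfoFlags) test is what keeps the fold from being applied again, presumably once that check has already exited. It would also read better with m_node-&gt;child2().node() bound to a local, since it is evaluated in both conditions, and the FIXME should state why constant folding is the wrong place today rather than only linking the bug.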
</div>
</div>

</body>
</html>