<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[206739] trunk</title>
</head>
<body>
<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; }
#msg dl a { font-weight: bold}
#msg dl a:link { color:#fc3; }
#msg dl a:active { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/206739">206739</a></dd>
<dt>Author</dt> <dd>fpizlo@apple.com</dd>
<dt>Date</dt> <dd>2016-10-03 11:36:55 -0700 (Mon, 03 Oct 2016)</dd>
</dl>
<h3>Log Message</h3>
<pre>B3 trapping memory accesses should be documented
https://bugs.webkit.org/show_bug.cgi?id=162845
Reviewed by Geoffrey Garen.
Source/JavaScriptCore:
While writing some documentation, I found some small holes in the code.
* b3/B3Effects.cpp:
(JSC::B3::Effects::operator==): Need this to write tests.
(JSC::B3::Effects::operator!=): Need this to write tests.
* b3/B3Effects.h:
* b3/B3HeapRange.h:
* b3/B3MemoryValue.cpp:
(JSC::B3::MemoryValue::dumpMeta): Sometimes the heap range dump won't show you the memory value's actual range. This makes the dump show you the actual range in that case.
* b3/B3Value.cpp:
(JSC::B3::Value::effects): While documenting this, I remembered that trapping also has to imply reading top. I fixed this.
* b3/testb3.cpp:
(JSC::B3::testTrappingLoad): Added checks for the effects of trapping loads.
(JSC::B3::testTrappingStore): Added checks for the effects of trapping stores.
(JSC::B3::testMoveConstants): Made this not crash with validation.
Websites/webkit.org:
Added documentation for the Traps flag, and factored out the documentation of the Chill flag
to a new flags section.
* docs/b3/intermediate-representation.html:</pre>
<h3>Modified Paths</h3>
<ul>
<li><a href="#trunkSourceJavaScriptCoreChangeLog">trunk/Source/JavaScriptCore/ChangeLog</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3Effectscpp">trunk/Source/JavaScriptCore/b3/B3Effects.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3Effectsh">trunk/Source/JavaScriptCore/b3/B3Effects.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3HeapRangeh">trunk/Source/JavaScriptCore/b3/B3HeapRange.h</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3MemoryValuecpp">trunk/Source/JavaScriptCore/b3/B3MemoryValue.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3B3Valuecpp">trunk/Source/JavaScriptCore/b3/B3Value.cpp</a></li>
<li><a href="#trunkSourceJavaScriptCoreb3testb3cpp">trunk/Source/JavaScriptCore/b3/testb3.cpp</a></li>
<li><a href="#trunkWebsiteswebkitorgChangeLog">trunk/Websites/webkit.org/ChangeLog</a></li>
<li><a href="#trunkWebsiteswebkitorgdocsb3intermediaterepresentationhtml">trunk/Websites/webkit.org/docs/b3/intermediate-representation.html</a></li>
</ul>
</div>
<div id="patch">
<h3>Diff</h3>
<a id="trunkSourceJavaScriptCoreChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/ChangeLog (206738 => 206739)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/ChangeLog        2016-10-03 18:36:12 UTC (rev 206738)
+++ trunk/Source/JavaScriptCore/ChangeLog        2016-10-03 18:36:55 UTC (rev 206739)
</span><span class="lines">@@ -1,3 +1,26 @@
</span><ins>+2016-10-03 Filip Pizlo <fpizlo@apple.com>
+
+ B3 trapping memory accesses should be documented
+ https://bugs.webkit.org/show_bug.cgi?id=162845
+
+ Reviewed by Geoffrey Garen.
+
+ While writing some documentation, I found some small holes in the code.
+
+ * b3/B3Effects.cpp:
+ (JSC::B3::Effects::operator==): Need this to write tests.
+ (JSC::B3::Effects::operator!=): Need this to write tests.
+ * b3/B3Effects.h:
+ * b3/B3HeapRange.h:
+ * b3/B3MemoryValue.cpp:
+ (JSC::B3::MemoryValue::dumpMeta): Sometimes the heap range dump won't show you the memory value's actual range. This makes the dump show you the actual range in that case.
+ * b3/B3Value.cpp:
+ (JSC::B3::Value::effects): While documenting this, I remembered that trapping also has to imply reading top. I fixed this.
+ * b3/testb3.cpp:
+ (JSC::B3::testTrappingLoad): Added checks for the effects of trapping loads.
+ (JSC::B3::testTrappingStore): Added checks for the effects of trapping stores.
+ (JSC::B3::testMoveConstants): Made this not crash with validation.
+
</ins><span class="cx"> 2016-10-03 Yusuke Suzuki <utatane.tea@gmail.com>
</span><span class="cx">
</span><span class="cx"> [ES6] GeneratorFunction (a.k.a. GeneratorWrapperFunction)'s prototype object does not have constructor property
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreb3B3Effectscpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3Effects.cpp (206738 => 206739)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3Effects.cpp        2016-10-03 18:36:12 UTC (rev 206738)
+++ trunk/Source/JavaScriptCore/b3/B3Effects.cpp        2016-10-03 18:36:55 UTC (rev 206739)
</span><span class="lines">@@ -1,5 +1,5 @@
</span><span class="cx"> /*
</span><del>- * Copyright (C) 2015 Apple Inc. All rights reserved.
</del><ins>+ * Copyright (C) 2015-2016 Apple Inc. All rights reserved.
</ins><span class="cx"> *
</span><span class="cx"> * Redistribution and use in source and binary forms, with or without
</span><span class="cx"> * modification, are permitted provided that the following conditions
</span><span class="lines">@@ -76,6 +76,22 @@
</span><span class="cx"> || reads.overlaps(other.writes);
</span><span class="cx"> }
</span><span class="cx">
</span><ins>+bool Effects::operator==(const Effects& other) const
+{
+ return terminal == other.terminal
+ && exitsSideways == other.exitsSideways
+ && controlDependent == other.controlDependent
+ && writesLocalState == other.writesLocalState
+ && readsLocalState == other.readsLocalState
+ && writes == other.writes
+ && reads == other.reads;
+}
+
+bool Effects::operator!=(const Effects& other) const
+{
+ return !(*this == other);
+}
+
</ins><span class="cx"> void Effects::dump(PrintStream& out) const
</span><span class="cx"> {
</span><span class="cx"> CommaPrinter comma("|");
</span></span></pre></div>
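Review bot: operator== lists seven Effects fields by hand, so a field added to the struct later will be silently left out of the comparison and of every CHECK_EQ on effects() in testb3. Consider a comment next to the member declarations in B3Effects.h that points at operator==, so the two stay in sync.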
<a id="trunkSourceJavaScriptCoreb3B3Effectsh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3Effects.h (206738 => 206739)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3Effects.h        2016-10-03 18:36:12 UTC (rev 206738)
+++ trunk/Source/JavaScriptCore/b3/B3Effects.h        2016-10-03 18:36:55 UTC (rev 206739)
</span><span class="lines">@@ -86,8 +86,11 @@
</span><span class="cx"> // Returns true if reordering instructions with these respective effects would change program
</span><span class="cx"> // behavior in an observable way.
</span><span class="cx"> bool interferes(const Effects&) const;
</span><ins>+
+ JS_EXPORT_PRIVATE bool operator==(const Effects&) const;
+ JS_EXPORT_PRIVATE bool operator!=(const Effects&) const;
</ins><span class="cx">
</span><del>- void dump(PrintStream& out) const;
</del><ins>+ JS_EXPORT_PRIVATE void dump(PrintStream& out) const;
</ins><span class="cx"> };
</span><span class="cx">
</span><span class="cx"> } } // namespace JSC::B3
</span></span></pre></div>
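Review bot: JS_EXPORT_PRIVATE on dump() is a visibility change that the ChangeLog does not explain; its entries for B3Effects.h and B3HeapRange.h are bare file names. If the export exists only so testb3 can print Effects and HeapRange when a CHECK_EQ fails, say so in the ChangeLog so the reason for exporting the symbol is on record.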
<a id="trunkSourceJavaScriptCoreb3B3HeapRangeh"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3HeapRange.h (206738 => 206739)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3HeapRange.h        2016-10-03 18:36:12 UTC (rev 206738)
+++ trunk/Source/JavaScriptCore/b3/B3HeapRange.h        2016-10-03 18:36:55 UTC (rev 206739)
</span><span class="lines">@@ -98,7 +98,7 @@
</span><span class="cx"> return WTF::rangesOverlap(m_begin, m_end, other.m_begin, other.m_end);
</span><span class="cx"> }
</span><span class="cx">
</span><del>- void dump(PrintStream& out) const;
</del><ins>+ JS_EXPORT_PRIVATE void dump(PrintStream& out) const;
</ins><span class="cx">
</span><span class="cx"> private:
</span><span class="cx"> unsigned m_begin;
</span></span></pre></div>
<a id="trunkSourceJavaScriptCoreb3B3MemoryValuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3MemoryValue.cpp (206738 => 206739)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3MemoryValue.cpp        2016-10-03 18:36:12 UTC (rev 206738)
+++ trunk/Source/JavaScriptCore/b3/B3MemoryValue.cpp        2016-10-03 18:36:55 UTC (rev 206739)
</span><span class="lines">@@ -59,6 +59,9 @@
</span><span class="cx"> {
</span><span class="cx"> if (m_offset)
</span><span class="cx"> out.print(comma, "offset = ", m_offset);
</span><ins>+ if ((isLoad() && effects().reads != range())
+ || (isStore() && effects().writes != range()))
+ out.print(comma, "range = ", range());
</ins><span class="cx"> }
</span><span class="cx">
</span><span class="cx"> Value* MemoryValue::cloneImpl() const
</span></span></pre></div>
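Review bot: the new condition in dumpMeta gives no hint why range() would ever differ from effects().reads or effects().writes. A one-line comment naming the case would help; per the B3Value.cpp change in this patch, a trapping access reads top whatever its range. It is also worth confirming that a MemoryValue for which neither isLoad() nor isStore() holds is meant to never print its range.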
<a id="trunkSourceJavaScriptCoreb3B3Valuecpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/B3Value.cpp (206738 => 206739)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/B3Value.cpp        2016-10-03 18:36:12 UTC (rev 206738)
+++ trunk/Source/JavaScriptCore/b3/B3Value.cpp        2016-10-03 18:36:55 UTC (rev 206739)
</span><span class="lines">@@ -635,7 +635,10 @@
</span><span class="cx"> result.terminal = true;
</span><span class="cx"> break;
</span><span class="cx"> }
</span><del>- result.exitsSideways |= traps();
</del><ins>+ if (traps()) {
+ result.exitsSideways = true;
+ result.reads = HeapRange::top();
+ }
</ins><span class="cx"> return result;
</span><span class="cx"> }
</span><span class="cx">
</span></span></pre></div>
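Review bot: "result.reads = HeapRange::top();" in the traps() branch is what carries the ordering guarantee described in the docs of this patch (a trapping load is not hoisted past any effects because the trap is presumed to read top), yet the code has no comment saying so. Add a short comment here so the widening is not later mistaken for over-conservatism and narrowed back to the value's range, given the docs say this feature backs WebAssembly memory safety checks.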
<a id="trunkSourceJavaScriptCoreb3testb3cpp"></a>
<div class="modfile"><h4>Modified: trunk/Source/JavaScriptCore/b3/testb3.cpp (206738 => 206739)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Source/JavaScriptCore/b3/testb3.cpp        2016-10-03 18:36:12 UTC (rev 206738)
+++ trunk/Source/JavaScriptCore/b3/testb3.cpp        2016-10-03 18:36:55 UTC (rev 206739)
</span><span class="lines">@@ -13113,11 +13113,19 @@
</span><span class="cx"> Procedure proc;
</span><span class="cx"> BasicBlock* root = proc.addBlock();
</span><span class="cx"> int x = 42;
</span><del>- root->appendNew<Value>(
- proc, Return, Origin(),
- root->appendNew<MemoryValue>(
- proc, trapping(Load), Int32, Origin(),
- root->appendNew<ConstPtrValue>(proc, Origin(), &x)));
</del><ins>+ MemoryValue* value = root->appendNew<MemoryValue>(
+ proc, trapping(Load), Int32, Origin(),
+ root->appendNew<ConstPtrValue>(proc, Origin(), &x));
+ Effects expectedEffects;
+ expectedEffects.exitsSideways = true;
+ expectedEffects.controlDependent= true;
+ expectedEffects.reads = HeapRange::top();
+ CHECK_EQ(value->range(), HeapRange::top());
+ CHECK_EQ(value->effects(), expectedEffects);
+ value->setRange(HeapRange(0));
+ CHECK_EQ(value->range(), HeapRange(0));
+ CHECK_EQ(value->effects(), expectedEffects); // We still reads top!
+ root->appendNew<Value>(proc, Return, Origin(), value);
</ins><span class="cx"> CHECK_EQ(compileAndRun<int>(proc), 42);
</span><span class="cx"> unsigned trapsCount = 0;
</span><span class="cx"> for (Air::BasicBlock* block : proc.code()) {
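Review bot: the test expects controlDependent to be true, but the traps() branch changed in B3Value.cpp sets only exitsSideways and reads, so a brief comment on where controlDependent comes from for a trapping Load would help readers of this test. Style nits in the added lines: "expectedEffects.controlDependent= true;" is missing the space before "=", and the comment "We still reads top!" should be "We still read top!".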
</span><span class="lines">@@ -13134,10 +13142,21 @@
</span><span class="cx"> Procedure proc;
</span><span class="cx"> BasicBlock* root = proc.addBlock();
</span><span class="cx"> int x = 42;
</span><del>- root->appendNew<MemoryValue>(
</del><ins>+ MemoryValue* value = root->appendNew<MemoryValue>(
</ins><span class="cx"> proc, trapping(Store), Origin(),
</span><span class="cx"> root->appendNew<Const32Value>(proc, Origin(), 111),
</span><span class="cx"> root->appendNew<ConstPtrValue>(proc, Origin(), &x));
</span><ins>+ Effects expectedEffects;
+ expectedEffects.exitsSideways = true;
+ expectedEffects.controlDependent= true;
+ expectedEffects.reads = HeapRange::top();
+ expectedEffects.writes = HeapRange::top();
+ CHECK_EQ(value->range(), HeapRange::top());
+ CHECK_EQ(value->effects(), expectedEffects);
+ value->setRange(HeapRange(0));
+ CHECK_EQ(value->range(), HeapRange(0));
+ expectedEffects.writes = HeapRange(0);
+ CHECK_EQ(value->effects(), expectedEffects); // We still reads top!
</ins><span class="cx"> root->appendNew<Value>(proc, Return, Origin());
</span><span class="cx"> compileAndRun<int>(proc);
</span><span class="cx"> CHECK_EQ(x, 111);
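Review bot: after setRange(HeapRange(0)) the test narrows expectedEffects.writes to HeapRange(0) while reads stays at top, but the trailing comment only says "We still reads top!". Say in the comment that the narrowed writes range is the intended result for a trapping Store, and fix the same spacing nit on "controlDependent= true".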
</span><span class="lines">@@ -13258,10 +13277,10 @@
</span><span class="cx"> Procedure proc;
</span><span class="cx"> BasicBlock* root = proc.addBlock();
</span><span class="cx"> Value* a = root->appendNew<MemoryValue>(
</span><del>- proc, Load, Int32, Origin(),
</del><ins>+ proc, Load, pointerType(), Origin(),
</ins><span class="cx"> root->appendNew<ConstPtrValue>(proc, Origin(), 0x123412341234));
</span><span class="cx"> Value* b = root->appendNew<MemoryValue>(
</span><del>- proc, Load, Int32, Origin(),
</del><ins>+ proc, Load, pointerType(), Origin(),
</ins><span class="cx"> root->appendNew<ConstPtrValue>(proc, Origin(), 0x123412341334));
</span><span class="cx"> root->appendNew<CCallValue>(proc, Void, Origin(), a, b);
</span><span class="cx"> root->appendNew<Value>(proc, Return, Origin());
</span></span></pre></div>
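Review bot: the switch of both loads from Int32 to pointerType() is explained only as "Made this not crash with validation" in the ChangeLog; neither the test nor the log says which validation rule the Int32 loads violated. A one-line comment at the loads would keep this from being undone by a later type cleanup, and since the fix is unrelated to trapping it would be easier to track as its own change.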
<a id="trunkWebsiteswebkitorgChangeLog"></a>
<div class="modfile"><h4>Modified: trunk/Websites/webkit.org/ChangeLog (206738 => 206739)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Websites/webkit.org/ChangeLog        2016-10-03 18:36:12 UTC (rev 206738)
+++ trunk/Websites/webkit.org/ChangeLog        2016-10-03 18:36:55 UTC (rev 206739)
</span><span class="lines">@@ -1,3 +1,15 @@
</span><ins>+2016-10-03 Filip Pizlo <fpizlo@apple.com>
+
+ B3 trapping memory accesses should be documented
+ https://bugs.webkit.org/show_bug.cgi?id=162845
+
+ Reviewed by Geoffrey Garen.
+
+ Added documentation for the Traps flag, and factored out the documentation of the Chill flag
+ to a new flags section.
+
+ * docs/b3/intermediate-representation.html:
+
</ins><span class="cx"> 2016-09-30 Filip Pizlo <fpizlo@apple.com>
</span><span class="cx">
</span><span class="cx"> Air should have a way of expressing additional instruction flags
</span></span></pre></div>
<a id="trunkWebsiteswebkitorgdocsb3intermediaterepresentationhtml"></a>
<div class="modfile"><h4>Modified: trunk/Websites/webkit.org/docs/b3/intermediate-representation.html (206738 => 206739)</h4>
<pre class="diff"><span>
<span class="info">--- trunk/Websites/webkit.org/docs/b3/intermediate-representation.html        2016-10-03 18:36:12 UTC (rev 206738)
+++ trunk/Websites/webkit.org/docs/b3/intermediate-representation.html        2016-10-03 18:36:55 UTC (rev 206739)
</span><span class="lines">@@ -84,7 +84,8 @@
</span><span class="cx">
</span><span class="cx"> <p>The value kind is a combination of an opcode and optional flags. The flags allow a single
</span><span class="cx"> opcode to have many variants. For example, Div and Mod may have the Chill flag set to indicate
</span><del>- that they should not trap on corner cases.</p>
</del><ins>+ that they should not trap on corner cases. Alternatively, Load/Store opcodes may have the
+ Traps flag set to indicate that they should trap deterministically.</p>
</ins><span class="cx">
</span><span class="cx"> <p>Values also have a unique 32-bit index that is used as the name.</p>
</span><span class="cx">
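Review bot: "Alternatively" in the added sentence reads as if the Traps flag were a substitute for Chill, when it is a second example of a flag on a different set of opcodes; "Similarly" or "As another example" fits better. "trap deterministically" is also not defined at this point, so a link to the new Flags section would help.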
</span><span class="lines">@@ -162,6 +163,9 @@
</span><span class="cx"> T)". This means that the value must take two children of the same type and returns a
</span><span class="cx"> value of that type. We use the type IntPtr to mean either Int32, or Int64, depending on
</span><span class="cx"> the platform.</p>
</span><ins>+
+ <p>Some opcodes can have some flags set. A description of flags follows the description of
+ opcodes.</p>
</ins><span class="cx">
</span><span class="cx"> <h3>Opcode descriptions</h3>
</span><span class="cx">
</span><span class="lines">@@ -236,30 +240,16 @@
</span><span class="cx"> according to the IEEE 854 spec.</dd>
</span><span class="cx">
</span><span class="cx"> <dt>T Div(T, T)</dt>
</span><del>- <dd>
- <p>Works with any type except Void. For integer types, this represents signed
- division with round-to-zero. By default, its behavior is undefined for x/0 or
- -2<sup>31</sup>/-1. For floating point types, this represents division according
- to the IEEE 854 spec.</p>
- <p>Integer Div may have the Chill flag set. You can create a Chill Div by saying
- <code>chill(Div)</code> instead of <code>Div</code>; the former creates a Kind
- that has Div as the opcode and has the Chill bit set. An operation is said to be
- chill if it returns a sensible value whenever its non-chill form would have had
- undefined behavior. Chill Div turns x/0 into 0 and -2<sup>31</sup>/-1 into
- -2<sup>31</sup>. We recognize this in IR because it's exactly the semantics of
- division on ARM64, and it's also exactly the semantics that JavaScript wants for
- "(x/y)|0".</p>
- </dd>
</del><ins>+ <dd>Works with any type except Void. For integer types, this represents signed
+ division with round-to-zero. By default, its behavior is undefined for x/0 or
+ -2<sup>31</sup>/-1. For floating point types, this represents division according
+ to the IEEE 854 spec. Integer Div may have the Chill flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>T Mod(T, T)</dt>
</span><del>- <dd>
- <p>Works with any type except Void. For integer types, this represents signed
- modulo. By default, its behavior is undefined for x%0 or -2<sup>31</sup>%-1. For
- floating point types, this represents modulo according to "fmod()".</p>
- <p>Integer Mod may have the Chill flag set. You can create a Chill Mod by saying
- <code>chill(Mod)</code>. Chill Mod turns x%0 into 0 and -2<sup>31</sup>%-1 into
- 0.</p>
- </dd>
</del><ins>+ <dd>Works with any type except Void. For integer types, this represents signed
+ modulo. By default, its behavior is undefined for x%0 or -2<sup>31</sup>%-1. For
+ floating point types, this represents modulo according to "fmod()". Integer Mod may have the
+ Chill flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>T Neg(T)</dt>
</span><span class="cx"> <dd>Works with any type except Void. For integer types, this represents twos-complement
</span><span class="lines">@@ -394,43 +384,45 @@
</span><span class="cx"> <dt>Int32 Load8Z(IntPtr, offset)</dt>
</span><span class="cx"> <dd>Loads a byte from the address, which is computed by adding the compile-time 32-bit
</span><span class="cx"> signed integer offset to the child value. Zero extends the loaded byte, so the high 24
</span><del>- bits are all zero. Must use the MemoryValue class.</dd>
</del><ins>+ bits are all zero. Must use the MemoryValue class. May have the Traps flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>Int32 Load8S(IntPtr, offset)</dt>
</span><span class="cx"> <dd>Loads a byte from the address, which is computed by adding the compile-time 32-bit
</span><span class="cx"> signed integer offset to the child value. Sign extends the loaded byte. Must use the
</span><del>- MemoryValue class.</dd>
</del><ins>+ MemoryValue class. May have the Traps flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>Int32 Load16Z(IntPtr, offset)</dt>
</span><span class="cx"> <dd>Loads a 16-bit integer from the address, which is computed by adding the compile-time
</span><span class="cx"> 32-bit signed integer offset to the child value. Zero extends the loaded 16-bit
</span><span class="cx"> integer, so the high 16 bits are all zero. Misaligned loads are not penalized. Must
</span><del>- use the MemoryValue class.</dd>
</del><ins>+ use the MemoryValue class. May have the Traps flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>Int32 Load16S(IntPtr, offset)</dt>
</span><span class="cx"> <dd>Loads a 16-bit integer from the address, which is computed by adding the compile-time
</span><span class="cx"> 32-bit signed integer offset to the child value. Sign extends the loaded 16-bit
</span><del>- integer. Misaligned loads are not penalized. Must use the MemoryValue class.</dd>
</del><ins>+ integer. Misaligned loads are not penalized. Must use the MemoryValue class. May have the
+ Traps flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>T Load(IntPtr, offset)</dt>
</span><span class="cx"> <dd>Valid for any type except Void. Loads a value of that type from the address, which is
</span><span class="cx"> computed by adding the compile-time 32-bit signed integer offset to the child value.
</span><del>- Misaligned loads are not penalized. Must use the MemoryValue class.</dd>
</del><ins>+ Misaligned loads are not penalized. Must use the MemoryValue class. May have the Traps
+ flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>Void Store8(Int32, IntPtr, offset)</dt>
</span><span class="cx"> <dd>Stores a the low byte of the first child into the address computed by adding the
</span><span class="cx"> compile-time 32-bit signed integer offset to the second child. Must use the MemoryValue
</span><del>- class.</dd>
</del><ins>+ class. May have the Traps flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>Void Store16(Int32, IntPtr, offset)</dt>
</span><span class="cx"> <dd>Stores a the low 16 bits of the first child into the address computed by adding the
</span><span class="cx"> compile-time 32-bit signed integer offset to the second child. Misaligned stores are
</span><del>- not penalized. Must use the MemoryValue class.</dd>
</del><ins>+ not penalized. Must use the MemoryValue class. May have the Traps flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>Void Store(T, IntPtr, offset)</dt>
</span><span class="cx"> <dd>Stores the value in the first child into the address computed by adding the
</span><span class="cx"> compile-time 32-bit signed integer offset to the second child. Misaligned stores are
</span><del>- not penalized. Must use the MemoryValue class.</dd>
</del><ins>+ not penalized. Must use the MemoryValue class. May have the Traps flag set.</dd>
</ins><span class="cx">
</span><span class="cx"> <dt>Void Fence()</dt>
</span><span class="cx"> <dd>Abstracts standalone data fences on x86 and ARM. Must use the FenceValue class, which has
</span><span class="lines">@@ -634,7 +626,46 @@
</span><span class="cx"> at the end of the basic block. The block must have zero successors. Note that we also use
</span><span class="cx"> the Oops opcode to mean "no such opcode" in some B3 transformations.</dd>
</span><span class="cx"> </dl>
</span><del>-
</del><ins>+
+ <h2>Flags</h2>
+
+ <p>This section describes flags. These may be set in
+ <a href="http://trac.webkit.org/browser/trunk/Source/JavaScriptCore/b3/B3Kind.h"><code>Kind</code></a>.</p>
+
+ <dl>
+ <dt>Chill</dt>
+ <dd><i>Applies to: Div, Mod.</i> You can create a chill Div/Mod by saying
+ <code>chill(Div)</code>. This creates a Kind that has the Chill flag set. This can only be
+ used with interer types. An operation is said to be chill if it returns a sensible value
+ whenever its non-chill form would have had undefined behavior. Chill Div turns x/0 into 0
+ and -2<sup>31</sup>/-1 into -2<sup>31</sup>. We recognize this in IR because it's exactly
+ the semantics of division on ARM64, and it's also exactly the semantics that JavaScript
+ wants for "(x/y)|0". Chill Mod turns x%0 into 0 and -2<sup>31</sup>%-1 into 0. This matches
+ the semantics of JavaScript "(x%y)|0".</dd>
+
+ <dt>Traps</dt>
+ <dd><i>Applies to: Load8Z, Load8S, Load16Z, Load16S, Load, Store8, Store16, Store.</i> You can
+ create a trapping Kind from an opcode by saying <code>trapping(opcode)</code>. For example,
+ <code>trapping(Load)</code>. An operation is said to be trapping if it will cause a page
+ fault when used on an invalid pointer and this page fault will be observed. This means that
+ the compiler cannot fudge when the page fault happens. This is logically equivalent to what
+ B3 calls <code>Effects::exitsSideways</code>, but further implies that if any of the B3
+ values used to fuse an Air instruction were trapping, then the Air instruction must have its
+ <code>Air::Kind::traps</code> flag set. The compiler won't help you identify where you
+ trapped. Even if you use the compiler's origin facility to track down the trap location, you
+ may get the origin of any B3 value that was incorporated into the fused instruction that
+ caused the trap. For example, "Add(Load&lt;Traps&gt;(ptr), $1)" may claim to trap at the Add
+ rather than the Load on x86, because this pattern is a perfect candidate for add-load
+ fusion. Nevertheless, you are guaranteed to get the trap and the trap will be observed at
+ the point you intended. For example, the compiler will not hoist a trapping load past any
+ effects, even those outside of its read range, because the trap is presumed to read top. The
+ compiler will not attempt to DCE a trapping load. The compiler will not attempt to sink or
+ eliminate any trapping stores, even if they are dead because of a guaranteed subsequent
+ store to the same address, because we conservatively assume that the store was done for the
+ trap effect. This feature is meant to support high throughput memory safety checks in
+ WebAssembly.</dd>
+ </dl>
+
</ins><span class="cx"> </div>
</span><span class="cx"> </body>
</span><span class="cx"> </html>
</span></span></pre>
</div>
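Review bot: in the Traps entry, "logically equivalent to what B3 calls Effects::exitsSideways" understates what the code in this patch does, since Value::effects() also sets reads to top for trapping values and the entry only reaches "presumed to read top" many sentences later. State both effects up front and consider splitting the entry into paragraphs. Typo in the Chill entry: "interer types" should be "integer types".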
</div>
</body>
</html>