[Webkit-unassigned] [Bug 129051] GetMyArgumentsByLength in FTL doesn't work with inline code

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Feb 21 12:33:21 PST 2014


https://bugs.webkit.org/show_bug.cgi?id=129051


Filip Pizlo <fpizlo at apple.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #224890|review?, commit-queue?      |review-, commit-queue-
               Flag|                            |




--- Comment #8 from Filip Pizlo <fpizlo at apple.com>  2014-02-21 12:30:31 PST ---
(From update of attachment 224890)
View in context: https://bugs.webkit.org/attachment.cgi?id=224890&action=review

> Source/JavaScriptCore/ftl/FTLLowerDFGToLLVM.cpp:300
> +        case GetMyArgumentsLengthSafe:

I don't think you want to combine these two.  The purpose of GetMyArgumenstLengthSafe is to have a slow path, rather than a speculation, for the arguments-created case.  See what the DFG does, notice the slow path call:

    case GetMyArgumentsLengthSafe: {
        GPRTemporary result(this);
        GPRReg resultGPR = result.gpr();

        JITCompiler::Jump created = m_jit.branchTest64(
            JITCompiler::NonZero,
            JITCompiler::addressFor(
                m_jit.graph().machineArgumentsRegisterFor(node->origin.semantic)));

        if (node->origin.semantic.inlineCallFrame) {
            m_jit.move(
                Imm64(JSValue::encode(jsNumber(node->origin.semantic.inlineCallFrame->arguments.size() - 1))),
                resultGPR);
        } else {
            m_jit.load32(JITCompiler::payloadFor(JSStack::ArgumentCount), resultGPR);
            m_jit.sub32(TrustedImm32(1), resultGPR);
            m_jit.or64(GPRInfo::tagTypeNumberRegister, resultGPR);
        }

        // FIXME: the slow path generator should perform a forward speculation that the
        // result is an integer. For now we postpone the speculation by having this return
        // a JSValue.

        addSlowPathGenerator(
            slowPathCall(
                created, this, operationGetArgumentsLength, resultGPR,
                m_jit.graph().machineArgumentsRegisterFor(node->origin.semantic).offset()));

        jsValueResult(resultGPR, node);
        break;
    }

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.


More information about the webkit-unassigned mailing list