DFG is too aggressive eliding overflow checks for additions involving large constants

https://bugs.webkit.org/show_bug.cgi?id=105239 Reviewed by Gavin Barraclough. Source/JavaScriptCore: If we elide overflow checks on an addition (or subtraction) involving a larger-than-2^32 immediate, then make sure that the non-constant child of the addition knows that he's got to do an overflow check, by flowing the UsedAsNumber property at him. * dfg/DFGGraph.h: (JSC::DFG::Graph::addSpeculationMode): (Graph): (JSC::DFG::Graph::addShouldSpeculateInteger): (JSC::DFG::Graph::addImmediateShouldSpeculateInteger): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): LayoutTests: * fast/js/dfg-int-overflow-large-constants-in-a-line-expected.txt: Added. * fast/js/dfg-int-overflow-large-constants-in-a-line.html: Added. * fast/js/jsc-test-list: * fast/js/script-tests/dfg-int-overflow-large-constants-in-a-line.js: Added. (foo): Change-Id: If9f7c71050b6f07fc024e6e9f42083d7d3ca71f6 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137980 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte <jocelyn.turcotte@digia.com>
author: Filip Pizlo <fpizlo@apple.com> 2013-03-21 18:21:26 +0100
committer: The Qt Project <gerrit-noreply@qt-project.org> 2013-03-26 20:26:05 +0100
commit: 909c9942ce927c3dac5f850d9bc110a66a72d397 (patch)
tree: ad16cc153c10f1171fb1c931d7872a313ec67a89 /Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
parent: 728f3b433309b1737accae9092f7e5662216f285 (diff)
download: qtwebkit-909c9942ce927c3dac5f850d9bc110a66a72d397.tar.gz
1 files changed, 18 insertions, 3 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
index 67270101e..5b6c28ff7 100644
--- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
@@ -285,9 +285,11 @@ private:
             SpeculatedType left = m_graph[node.child1()].prediction();
             SpeculatedType right = m_graph[node.child2()].prediction();
             
+            AddSpeculationMode mode = DontSpeculateInteger;
+            
             if (left && right) {
                 if (isNumberSpeculationExpectingDefined(left) && isNumberSpeculationExpectingDefined(right)) {
-                    if (m_graph.addShouldSpeculateInteger(node))
+                    if ((mode = m_graph.addSpeculationMode(node)) != DontSpeculateInteger)
                         changed |= mergePrediction(SpecInt32);
                     else
                         changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
@@ -303,6 +305,9 @@ private:
             if (m_graph[node.child1()].hasNumberResult() || m_graph[node.child2()].hasNumberResult())
                 flags &= ~NodeUsedAsOther;
             
+            if (mode != SpeculateInteger)
+                flags |= NodeUsedAsNumber;
+            
             changed |= m_graph[node.child1()].mergeFlags(flags);
             changed |= m_graph[node.child2()].mergeFlags(flags);
             break;
@@ -312,8 +317,10 @@ private:
             SpeculatedType left = m_graph[node.child1()].prediction();
             SpeculatedType right = m_graph[node.child2()].prediction();
             
+            AddSpeculationMode mode = DontSpeculateInteger;
+            
             if (left && right) {
-                if (m_graph.addShouldSpeculateInteger(node))
+                if ((mode = m_graph.addSpeculationMode(node)) != DontSpeculateInteger)
                     changed |= mergePrediction(SpecInt32);
                 else
                     changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
@@ -323,6 +330,9 @@ private:
                 flags &= ~NodeNeedsNegZero;
             flags &= ~NodeUsedAsOther;
             
+            if (mode != SpeculateInteger)
+                flags |= NodeUsedAsNumber;
+            
             changed |= m_graph[node.child1()].mergeFlags(flags);
             changed |= m_graph[node.child2()].mergeFlags(flags);
             break;
@@ -332,8 +342,10 @@ private:
             SpeculatedType left = m_graph[node.child1()].prediction();
             SpeculatedType right = m_graph[node.child2()].prediction();
             
+            AddSpeculationMode mode = DontSpeculateInteger;
+            
             if (left && right) {
-                if (m_graph.addShouldSpeculateInteger(node))
+                if ((mode = m_graph.addSpeculationMode(node)) != DontSpeculateInteger)
                     changed |= mergePrediction(SpecInt32);
                 else
                     changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right));
@@ -343,6 +355,9 @@ private:
                 flags &= ~NodeNeedsNegZero;
             flags &= ~NodeUsedAsOther;
             
+            if (mode != SpeculateInteger)
+                flags |= NodeUsedAsNumber;
+            
             changed |= m_graph[node.child1()].mergeFlags(flags);
             changed |= m_graph[node.child2()].mergeFlags(flags);
             break;
author	Filip Pizlo <fpizlo@apple.com>	2013-03-21 18:21:26 +0100
committer	The Qt Project <gerrit-noreply@qt-project.org>	2013-03-26 20:26:05 +0100
commit	909c9942ce927c3dac5f850d9bc110a66a72d397 (patch)
tree	ad16cc153c10f1171fb1c931d7872a313ec67a89 /Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp
parent	728f3b433309b1737accae9092f7e5662216f285 (diff)
download	qtwebkit-909c9942ce927c3dac5f850d9bc110a66a72d397.tar.gz