Diffstat (limited to 'Source/JavaScriptCore/dfg')
-rw-r--r-- | Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp | 17 | ||||
-rw-r--r-- | Source/JavaScriptCore/dfg/DFGFixupPhase.cpp | 14 | ||||
-rw-r--r-- | Source/JavaScriptCore/dfg/DFGRepatch.cpp | 4 | ||||
-rw-r--r-- | Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp | 7 |
4 files changed, 25 insertions, 17 deletions
diff --git a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
index b02e0112c..35c553cf8 100644
--- a/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGArgumentsSimplificationPhase.cpp
@@ -621,26 +621,27 @@ public:
 continue;
 for (unsigned indexInBlock = 0; indexInBlock < block->size(); ++indexInBlock) {
 NodeIndex nodeIndex = block->at(indexInBlock);
- Node& node = m_graph[nodeIndex];
- if (node.op() != CreateArguments)
+ Node* nodePtr = &m_graph[nodeIndex];
+ if (nodePtr->op() != CreateArguments)
 continue;
 // If this is a CreateArguments for an InlineCallFrame* that does
 // not create arguments, then replace it with a PhantomArguments.
 // PhantomArguments is a non-executing node that just indicates
 // that the node should be reified as an arguments object on OSR
 // exit.
- if (m_createsArguments.contains(node.codeOrigin.inlineCallFrame))
+ if (m_createsArguments.contains(nodePtr->codeOrigin.inlineCallFrame))
 continue;
- if (node.shouldGenerate()) {
- Node phantom(Phantom, node.codeOrigin);
- phantom.children = node.children;
+ if (nodePtr->shouldGenerate()) {
+ Node phantom(Phantom, nodePtr->codeOrigin);
+ phantom.children = nodePtr->children;
 phantom.ref();
 NodeIndex phantomNodeIndex = m_graph.size();
 m_graph.append(phantom);
 insertionSet.append(indexInBlock, phantomNodeIndex);
+ nodePtr = &m_graph[nodeIndex];
 }
- node.setOpAndDefaultFlags(PhantomArguments);
- node.children.reset();
+ nodePtr->setOpAndDefaultFlags(PhantomArguments);
+ nodePtr->children.reset();
 changed = true;
 }
 insertionSet.execute(*block);
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 1ba40def3..b98d824f5 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
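Review bot: In DFGArgumentsSimplificationPhase.cpp the re-fetch `nodePtr = &m_graph[nodeIndex];` after `m_graph.append(phantom)` carries no comment, yet it is the one line that keeps the later `nodePtr->setOpAndDefaultFlags(PhantomArguments)` from writing through a stale pointer. The change implies that append can move node storage; I would record that beside the re-fetch, for example `// m_graph.append() may reallocate; nodePtr must be re-fetched before it is used again.`, so a later cleanup does not drop it. Indexing `m_graph[nodeIndex]` directly for the two writes after the `if` would remove the cached pointer from that stretch altogether. The enclosing loop and function start and end outside the hunk.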
@@ -317,8 +317,8 @@ private: && node.canSpeculateInteger()) { if (isX86()) break; - fixDoubleEdge(0); - fixDoubleEdge(1); + injectInt32ToDoubleNode(0); + injectInt32ToDoubleNode(1); Node& oldDivision = m_graph[m_compileIndex]; @@ -540,11 +540,19 @@ private: Node& source = m_graph[m_compileIndex]; Edge& edge = m_graph.child(source, childIndex); - if (!m_graph[edge].shouldSpeculateInteger()) { + if (m_graph[edge].prediction() & SpecDouble) { edge.setUseKind(DoubleUse); return; } + injectInt32ToDoubleNode(childIndex); + } + + void injectInt32ToDoubleNode(unsigned childIndex) + { + Node& source = m_graph[m_compileIndex]; + Edge& edge = m_graph.child(source, childIndex); + NodeIndex resultIndex = (NodeIndex)m_graph.size(); #if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE) diff --git a/Source/JavaScriptCore/dfg/DFGRepatch.cpp b/Source/JavaScriptCore/dfg/DFGRepatch.cpp index 9a7e7df70..bba3a5b43 100644 --- a/Source/JavaScriptCore/dfg/DFGRepatch.cpp +++ b/Source/JavaScriptCore/dfg/DFGRepatch.cpp @@ -1214,12 +1214,12 @@ void dfgLinkClosureCall(ExecState* exec, CallLinkInfo& callLinkInfo, CodeBlock* JITCompiler::Jump done = stubJit.jump(); slowPath.link(&stubJit); - stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2); - stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2); stubJit.move(calleeGPR, GPRInfo::nonArgGPR0); #if USE(JSVALUE32_64) stubJit.move(CCallHelpers::TrustedImm32(JSValue::CellTag), GPRInfo::nonArgGPR1); #endif + stubJit.move(CCallHelpers::TrustedImmPtr(callLinkInfo.callReturnLocation.executableAddress()), GPRInfo::nonArgGPR2); + stubJit.restoreReturnAddressBeforeReturn(GPRInfo::nonArgGPR2); JITCompiler::Jump slow = stubJit.jump(); LinkBuffer patchBuffer(*globalData, &stubJit, callerCodeBlock); diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp index d7f7b2fab..4f2889b8f 100644 --- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp 
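Review bot: In DFGFixupPhase.cpp the new `injectInt32ToDoubleNode(unsigned childIndex)` has no comment stating what callers must guarantee about the child. It is now reached two ways: from `fixDoubleEdge` whenever `prediction() & SpecDouble` is zero, and directly from the division case in the `-317` hunk with no prediction test of its own. The first path admits any child that is not predicted double, not only one predicted int32, so the inserted conversion has to cope with non-int32 inputs itself; that is presumably why `compileInt32ToDouble` in this commit tests `isInt32Constant` instead of asserting it. I would state the contract above the helper once it is confirmed against the backend, e.g. `// Inserts an Int32ToDouble conversion on this edge; the child is not required to be proven int32.`. The helper's body continues past the end of the hunk.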
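Review bot: In DFGRepatch.cpp the slow-path sequence in dfgLinkClosureCall now depends on statement order, and nothing in the code says why the return address is loaded into `GPRInfo::nonArgGPR2` last. The reorder suggests that `calleeGPR` can be the same register as `nonArgGPR2`, so the earlier order overwrote the callee before it was copied to `nonArgGPR0`; that is an inference from the change, not something the hunk shows. A comment above the two moved lines, such as `// Load the return address last: nonArgGPR2 must stay untouched until calleeGPR has been copied out.`, would keep the constraint from being undone. The function begins and ends outside the hunk.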
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp @@ -2250,8 +2250,7 @@ void SpeculativeJIT::compileInt32ToDouble(Node& node) // than a int->double conversion. On 32_64, unfortunately, we currently don't have // any such mechanism - though we could have it, if we just provisioned some memory // in CodeBlock for the double form of integer constants. - if (at(node.child1()).hasConstant()) { - ASSERT(isInt32Constant(node.child1().index())); + if (isInt32Constant(node.child1().index())) { FPRTemporary result(this); GPRTemporary temp(this); m_jit.move(MacroAssembler::Imm64(reinterpretDoubleToInt64(valueOfNumberConstant(node.child1().index()))), temp.gpr()); @@ -3097,11 +3096,11 @@ void SpeculativeJIT::compileIntegerArithDivForX86(Node& node) speculationCheck(Overflow, JSValueRegs(), NoNode, m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1))); } else { JITCompiler::Jump zero = m_jit.branchTest32(JITCompiler::Zero, op2GPR); - JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)); + JITCompiler::Jump isNeg2ToThe31 = m_jit.branch32(JITCompiler::Equal, op1GPR, TrustedImm32(-2147483647-1)); zero.link(&m_jit); m_jit.move(TrustedImm32(0), eax.gpr()); + isNeg2ToThe31.link(&m_jit); done = m_jit.jump(); - notNeg2ToThe31.link(&m_jit); } safeDenominator.link(&m_jit); |
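Review bot: In the `-3097` hunk of compileIntegerArithDivForX86, the not-taken path of both branches still falls straight into `zero.link(&m_jit)`, so a nonzero denominator with a numerator other than -2^31 gets `0` moved into `eax.gpr()` instead of being divided. The new `isNeg2ToThe31` path also reaches `done` with no visible write to `eax.gpr()`, so the result for -2^31 is whatever the register held. Both readings assume the block is entered only for denominators 0 and -1, which the `safeDenominator` label after it suggests but the hunk does not show. I would invert the second test so that only -2^31 stays in the block, write the numerator into the result register there, and let every other numerator continue to the division after the closing brace. The start of the function and the division itself are outside the hunk.

```cpp
JITCompiler::Jump zero = m_jit.branchTest32(JITCompiler::Zero, op2GPR);
JITCompiler::Jump notNeg2ToThe31 = m_jit.branch32(JITCompiler::NotEqual, op1GPR, TrustedImm32(-2147483647-1));
// Numerator is -2^31 and the denominator is nonzero: the int32 result wraps back to -2^31.
m_jit.move(op1GPR, eax.gpr());
JITCompiler::Jump haveResult = m_jit.jump();
// … unchanged: zero.link and the move of 0 into eax …
haveResult.link(&m_jit);
done = m_jit.jump();
// Any other numerator is safe to divide; continue to the division below.
notNeg2ToThe31.link(&m_jit);
```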