From 7b17fd4f1afe569e92757e2b41fbaf01a285cc7b Mon Sep 17 00:00:00 2001
From: Michael Saboff
Date: Thu, 4 Apr 2013 13:55:51 +0200
Subject: Fix up of ArithDiv nodes for non-x86 CPUs is broken https://bugs.webkit.org/show_bug.cgi?id=107309 Reviewed by Filip Pizlo. Changed the logic so that we insert an Int32ToDouble node when the existing edge is not SpecDouble. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixDoubleEdge):
Change-Id: I8e73ad242feb65c143857d3a4190e095aa5e9d06
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140201 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte
---
 Source/JavaScriptCore/dfg/DFGFixupPhase.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp')
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 1ba40def3..556904aca 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -540,7 +540,7 @@ private:
 Node& source = m_graph[m_compileIndex];
 Edge& edge = m_graph.child(source, childIndex);
- if (!m_graph[edge].shouldSpeculateInteger()) {
+ if (m_graph[edge].prediction() & SpecDouble) {
 edge.setUseKind(DoubleUse);
 return;
 }
-- 
cgit v1.2.1
From d549f4b4ab324e2d4871db8cbf83c27af4ba7866 Mon Sep 17 00:00:00 2001
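Review bot: The new test `m_graph[edge].prediction() & SpecDouble` in the first patch's `@@ -540,7 +540,7 @@` hunk is true whenever any double bit is set, so an edge whose prediction mixes integer and double bits takes the early `DoubleUse` return and never gets an Int32ToDouble node, while the commit message words the condition as "not SpecDouble". If `DoubleUse` is meant to cope with such mixed values that is fine, but nothing in this hunk shows it, so it is worth recording next to the test, e.g. `// Any double bit keeps a plain DoubleUse edge; only edges never predicted double are converted.` An edge with an empty prediction presumably also changes sides compared with the old `!shouldSpeculateInteger()` test and now receives the conversion node; please confirm that is intended. The enclosing function starts and ends outside the hunk.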
From: Michael Saboff
Date: Thu, 4 Apr 2013 13:57:06 +0200
Subject: Harden ArithDiv of integers fix-up by inserting Int32ToDouble node directly https://bugs.webkit.org/show_bug.cgi?id=107321 Reviewed by Filip Pizlo. Split out the Int32ToDouble node insertion from fixDoubleEdge() and used it directly when we're fixing up an ArithDiv node with integer inputs and output for platforms that don't have integer division. Since we are checking that our inputs should be ints, we can just insert the Int32ToDouble node without any further checks. * dfg/DFGFixupPhase.cpp: (JSC::DFG::FixupPhase::fixupNode): (JSC::DFG::FixupPhase::fixDoubleEdge): (FixupPhase): (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
Change-Id: Ic79f2823a7cfb9ce52bb935536972f48508579fd
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@140203 268f45cc-cd09-0410-ab3c-d52691b4dbfc
Reviewed-by: Jocelyn Turcotte
---
 Source/JavaScriptCore/dfg/DFGFixupPhase.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'Source/JavaScriptCore/dfg/DFGFixupPhase.cpp')
diff --git a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
index 556904aca..b98d824f5 100644
--- a/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
+++ b/Source/JavaScriptCore/dfg/DFGFixupPhase.cpp
@@ -317,8 +317,8 @@ private:
 && node.canSpeculateInteger()) {
 if (isX86()) break;
- fixDoubleEdge(0);
- fixDoubleEdge(1);
+ injectInt32ToDoubleNode(0);
+ injectInt32ToDoubleNode(1);
 Node& oldDivision = m_graph[m_compileIndex];
@@ -545,6 +545,14 @@ private:
 return;
 }
+ injectInt32ToDoubleNode(childIndex);
+ }
+
+ void injectInt32ToDoubleNode(unsigned childIndex)
+ {
+ Node& source = m_graph[m_compileIndex];
+ Edge& edge = m_graph.child(source, childIndex);
+
 NodeIndex resultIndex = (NodeIndex)m_graph.size();
 #if DFG_ENABLE(DEBUG_PROPAGATION_VERBOSE)
-- 
cgit v1.2.1
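Review bot: The two `injectInt32ToDoubleNode` calls in the `@@ -317,8 +317,8 @@` hunk convert both children with no per-edge check, so correctness now rests entirely on the guard whose last clause `&& node.canSpeculateInteger()) {` is visible here and whose earlier clauses start above the hunk. If that guard is ever relaxed, a child that already holds a double would presumably be wrapped in Int32ToDouble, and in a speculative JIT that kind of type mismatch is hard to notice later. A comment at the call site would pin the dependency down, e.g. `// Both children were checked to speculate integer in the condition above, so convert unconditionally.` The surrounding case body continues outside the hunk.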
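Review bot: The new helper `injectInt32ToDoubleNode` in the `@@ -545,6 +545,14 @@` hunk carries no statement of its precondition, although unlike `fixDoubleEdge` it looks at no prediction before inserting the node. A one-line comment above the signature would make the contract explicit for future callers: `// Caller guarantees the child is not already a double; no prediction check is done here.` As a point of style, the helper recomputes `Node& source` and `Edge& edge` which `fixDoubleEdge` has just looked up before calling it; the duplication is harmless but could be noted or avoided. The helper's body continues past the end of the hunk.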