From 909c9942ce927c3dac5f850d9bc110a66a72d397 Mon Sep 17 00:00:00 2001 From: Filip Pizlo Date: Thu, 21 Mar 2013 18:21:26 +0100 Subject: DFG is too aggressive eliding overflow checks for additions involving large constants https://bugs.webkit.org/show_bug.cgi?id=105239 Reviewed by Gavin Barraclough. Source/JavaScriptCore: If we elide overflow checks on an addition (or subtraction) involving a larger-than-2^32 immediate, then make sure that the non-constant child of the addition knows that he's got to do an overflow check, by flowing the UsedAsNumber property at him. * dfg/DFGGraph.h: (JSC::DFG::Graph::addSpeculationMode): (Graph): (JSC::DFG::Graph::addShouldSpeculateInteger): (JSC::DFG::Graph::addImmediateShouldSpeculateInteger): * dfg/DFGPredictionPropagationPhase.cpp: (JSC::DFG::PredictionPropagationPhase::propagate): LayoutTests: * fast/js/dfg-int-overflow-large-constants-in-a-line-expected.txt: Added. * fast/js/dfg-int-overflow-large-constants-in-a-line.html: Added. * fast/js/jsc-test-list: * fast/js/script-tests/dfg-int-overflow-large-constants-in-a-line.js: Added. (foo): Change-Id: If9f7c71050b6f07fc024e6e9f42083d7d3ca71f6 git-svn-id: http://svn.webkit.org/repository/webkit/trunk@137980 268f45cc-cd09-0410-ab3c-d52691b4dbfc Reviewed-by: Jocelyn Turcotte --- .../dfg/DFGPredictionPropagationPhase.cpp | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) (limited to 'Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp') diff --git a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp index 67270101e..5b6c28ff7 100644 --- a/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp +++ b/Source/JavaScriptCore/dfg/DFGPredictionPropagationPhase.cpp @@ -285,9 +285,11 @@ private: SpeculatedType left = m_graph[node.child1()].prediction(); SpeculatedType right = m_graph[node.child2()].prediction(); + AddSpeculationMode mode = DontSpeculateInteger; + if (left && right) { if (isNumberSpeculationExpectingDefined(left) && isNumberSpeculationExpectingDefined(right)) { - if (m_graph.addShouldSpeculateInteger(node)) + if ((mode = m_graph.addSpeculationMode(node)) != DontSpeculateInteger) changed |= mergePrediction(SpecInt32); else changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right)); @@ -303,6 +305,9 @@ private: if (m_graph[node.child1()].hasNumberResult() || m_graph[node.child2()].hasNumberResult()) flags &= ~NodeUsedAsOther; + if (mode != SpeculateInteger) + flags |= NodeUsedAsNumber; + changed |= m_graph[node.child1()].mergeFlags(flags); changed |= m_graph[node.child2()].mergeFlags(flags); break; @@ -312,8 +317,10 @@ private: SpeculatedType left = m_graph[node.child1()].prediction(); SpeculatedType right = m_graph[node.child2()].prediction(); + AddSpeculationMode mode = DontSpeculateInteger; + if (left && right) { - if (m_graph.addShouldSpeculateInteger(node)) + if ((mode = m_graph.addSpeculationMode(node)) != DontSpeculateInteger) changed |= mergePrediction(SpecInt32); else changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right)); @@ -323,6 +330,9 @@ private: flags &= ~NodeNeedsNegZero; flags &= ~NodeUsedAsOther; + if (mode != SpeculateInteger) + flags |= NodeUsedAsNumber; + changed |= m_graph[node.child1()].mergeFlags(flags); changed |= m_graph[node.child2()].mergeFlags(flags); break; @@ -332,8 +342,10 @@ private: SpeculatedType left = m_graph[node.child1()].prediction(); SpeculatedType right = m_graph[node.child2()].prediction(); + AddSpeculationMode mode = DontSpeculateInteger; + if (left && right) { - if (m_graph.addShouldSpeculateInteger(node)) + if ((mode = m_graph.addSpeculationMode(node)) != DontSpeculateInteger) changed |= mergePrediction(SpecInt32); else changed |= mergePrediction(speculatedDoubleTypeForPredictions(left, right)); @@ -343,6 +355,9 @@ private: flags &= ~NodeNeedsNegZero; flags &= ~NodeUsedAsOther; + if (mode != SpeculateInteger) + flags |= NodeUsedAsNumber; + changed |= m_graph[node.child1()].mergeFlags(flags); changed |= m_graph[node.child2()].mergeFlags(flags); break; -- cgit v1.2.1