Bug 126600

Summary: DFG fixup phase should be responsible for inserting ValueToInt32's as needed and it should use Phantom to keep the original values alive in case of OSR exit
Product: WebKit Reporter: Filip Pizlo <fpizlo>
Component: JavaScriptCoreAssignee: Filip Pizlo <fpizlo>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, ggaren, mark.lam, mhahnenberg, msaboff, nrotem, oliver, sam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
Bug Depends on:    
Bug Blocks: 126590    
Attachments:
Description Flags
the patch msaboff: review+

Filip Pizlo
Reported 2014-01-07 14:22:56 PST
Patch forthcoming.
Attachments
the patch (16.83 KB, patch)
2014-01-07 14:30 PST, Filip Pizlo 		msaboff: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Filip Pizlo
Comment 1 2014-01-07 14:30:39 PST
Created attachment 220550 [details] the patch
Michael Saboff
Comment 2 2014-01-07 14:47:09 PST
Comment on attachment 220550 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=220550&action=review r+ with comments. > Source/JavaScriptCore/ChangeLog:10 > + was the only exception to that rule, and that was one of the reasons why we had this bug. Provide a description of what you did. > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1558 > + Node* charCode = addToGraph(StringCharCodeAt, OpInfo(ArrayMode(Array::String).asWord()), get(VirtualRegister(thisOperand)), get(indexOperand)); Why the VirtualRegister(thisOperand)? Use thisOperand directly. > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1570 > + Node* charCode = addToGraph(StringCharAt, OpInfo(ArrayMode(Array::String).asWord()), get(VirtualRegister(thisOperand)), get(indexOperand)); Why the VirtualRegister(thisOperand)? Use thisOperand directly. > Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:1618 > + fixIntEdge(m_currentNode->child1()) | fixIntEdge(m_currentNode->child2()); You really want a binary OR (|) and not a logical OR (||)?
Filip Pizlo
Comment 3 2014-01-07 14:49:26 PST
(In reply to comment #2) > (From update of attachment 220550 [details]) > View in context: https://bugs.webkit.org/attachment.cgi?id=220550&action=review > > r+ with comments. > > > Source/JavaScriptCore/ChangeLog:10 > > + was the only exception to that rule, and that was one of the reasons why we had this bug. > > Provide a description of what you did. OK! > > > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1558 > > + Node* charCode = addToGraph(StringCharCodeAt, OpInfo(ArrayMode(Array::String).asWord()), get(VirtualRegister(thisOperand)), get(indexOperand)); > > Why the VirtualRegister(thisOperand)? Use thisOperand directly. Oops. > > > Source/JavaScriptCore/dfg/DFGByteCodeParser.cpp:1570 > > + Node* charCode = addToGraph(StringCharAt, OpInfo(ArrayMode(Array::String).asWord()), get(VirtualRegister(thisOperand)), get(indexOperand)); > > Why the VirtualRegister(thisOperand)? Use thisOperand directly. Oops. > > > Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:1618 > > + fixIntEdge(m_currentNode->child1()) | fixIntEdge(m_currentNode->child2()); > > You really want a binary OR (|) and not a logical OR (||)? Yes. I want to call fixIntEdge() on both edges. And then if either one of those calls returns true, I want to do the Phantom thing.
Michael Saboff
Comment 4 2014-01-07 14:53:11 PST
(In reply to comment #3) > (In reply to comment #2) > > (From update of attachment 220550 [details] [details]) > > View in context: https://bugs.webkit.org/attachment.cgi?id=220550&action=review > > > Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:1618 > > > + fixIntEdge(m_currentNode->child1()) | fixIntEdge(m_currentNode->child2()); > > > > You really want a binary OR (|) and not a logical OR (||)? > > Yes. I want to call fixIntEdge() on both edges. And then if either one of those calls returns true, I want to do the Phantom thing. Okay. Then it may make sense to put a comment so someone doesn't come along and ruin things by turning it into a "||". Something about making sure both calls are made instead of the compiler optimizing out the second call.
Filip Pizlo
Comment 5 2014-01-07 14:55:09 PST
(In reply to comment #4) > (In reply to comment #3) > > (In reply to comment #2) > > > (From update of attachment 220550 [details] [details] [details]) > > > View in context: https://bugs.webkit.org/attachment.cgi?id=220550&action=review > > > > > Source/JavaScriptCore/dfg/DFGFixupPhase.cpp:1618 > > > > + fixIntEdge(m_currentNode->child1()) | fixIntEdge(m_currentNode->child2()); > > > > > > You really want a binary OR (|) and not a logical OR (||)? > > > > Yes. I want to call fixIntEdge() on both edges. And then if either one of those calls returns true, I want to do the Phantom thing. > > Okay. Then it may make sense to put a comment so someone doesn't come along and ruin things by turning it into a "||". Something about making sure both calls are made instead of the compiler optimizing out the second call. Added.
Filip Pizlo
Comment 6 2014-01-07 16:23:36 PST
Landed in http://trac.webkit.org/changeset/161465
Note You need to log in before you can comment on or make changes to this bug.