RESOLVED FIXED 228146
speculateNeitherDoubleNorStringNorHeapBigInt should only have a single JSType branch 
https://bugs.webkit.org/show_bug.cgi?id=228146
Summary speculateNeitherDoubleNorStringNorHeapBigInt should only have a single JSType...
Keith Miller
Reported 2021-07-21 07:19:01 PDT
speculateNeitherDoubleNorStringNorHeapBigInt should only have a single JSType branch
Attachments
Patch (3.63 KB, patch)
2021-07-21 07:20 PDT, Keith Miller 		no flags
DetailsFormatted DiffDiff
Patch for landing (3.79 KB, patch)
2021-07-21 10:21 PDT, Keith Miller 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Keith Miller
Comment 1 2021-07-21 07:20:31 PDT
Created attachment 433934 [details] Patch
Keith Miller
Comment 2 2021-07-21 08:47:46 PDT
Comment on attachment 433934 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=433934&action=review > Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:11792 > + DFG_TYPE_CHECK(regs, edge, ~(SpecString | SpecHeapBigInt), m_jit.branchIfType(regs.payloadGPR(), JSTypeRange { StringType, HeapBigIntType })); It seems like this should be SpecAnyString but maybe I was missing something?
Keith Miller
Comment 3 2021-07-21 10:09:38 PDT
Comment on attachment 433934 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=433934&action=review >> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:11792 >> + DFG_TYPE_CHECK(regs, edge, ~(SpecString | SpecHeapBigInt), m_jit.branchIfType(regs.payloadGPR(), JSTypeRange { StringType, HeapBigIntType })); > > It seems like this should be SpecAnyString but maybe I was missing something? Nvm, I confused myself, I was thinking that SpecString independent from SpecStringIdent and SpecStringVar...
Robin Morisset
Comment 4 2021-07-21 10:14:01 PDT
Comment on attachment 433934 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=433934&action=review r=me > Source/JavaScriptCore/ChangeLog:7 > + Maybe add some small comment here explaining your trick for people scanning through the Changelog. >> Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:11792 >> + DFG_TYPE_CHECK(regs, edge, ~(SpecString | SpecHeapBigInt), m_jit.branchIfType(regs.payloadGPR(), JSTypeRange { StringType, HeapBigIntType })); > > It seems like this should be SpecAnyString but maybe I was missing something? SpecAnyString does not exist, SpecString = SpecStringIdent | SpecStringVar is the union type. > Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:-19012 > - return m_out.equal( I think I would have kept this version of isType intact, and called it from the JSTypeRange version when range.last == range.first, but I'm ok with your approach even if I find it less intuitive.
Keith Miller
Comment 5 2021-07-21 10:17:18 PDT
Comment on attachment 433934 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=433934&action=review >> Source/JavaScriptCore/ChangeLog:7 >> + > > Maybe add some small comment here explaining your trick for people scanning through the Changelog. Sure. >> Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:-19012 >> - return m_out.equal( > > I think I would have kept this version of isType intact, and called it from the JSTypeRange version when range.last == range.first, but I'm ok with your approach even if I find it less intuitive. I just followed how the AssemblyHelpers version did it for consistency. I don't have strong feelings either way though.
Keith Miller
Comment 6 2021-07-21 10:21:11 PDT
Created attachment 433942 [details] Patch for landing
EWS
Comment 7 2021-07-21 10:49:03 PDT
Committed r280149 (239846@main): <https://commits.webkit.org/239846@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 433942 [details].
Radar WebKit Bug Importer
Comment 8 2021-07-21 10:50:17 PDT
<rdar://problem/80906151>
Note You need to log in before you can comment on or make changes to this bug.