Commit 5dba3f1b authored by fpizlo@apple.com's avatar fpizlo@apple.com

FTL should support hole/OOB array accesses

https://bugs.webkit.org/show_bug.cgi?id=118077

Reviewed by Oliver Hunt and Mark Hahnenberg.

Source/JavaScriptCore: 

* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::baseIndex):

LayoutTests: 

* js/regress/double-get-by-val-out-of-bounds-expected.txt: Added.
* js/regress/double-get-by-val-out-of-bounds.html: Added.
* js/regress/get-by-val-out-of-bounds-expected.txt: Added.
* js/regress/get-by-val-out-of-bounds.html: Added.
* js/regress/script-tests/double-get-by-val-out-of-bounds.js: Added.
(foo):
* js/regress/script-tests/get-by-val-out-of-bounds.js: Added.
(foo):



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@160246 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 2da1741d
2013-12-06 Filip Pizlo <fpizlo@apple.com>
FTL should support hole/OOB array accesses
https://bugs.webkit.org/show_bug.cgi?id=118077
Reviewed by Oliver Hunt and Mark Hahnenberg.
* js/regress/double-get-by-val-out-of-bounds-expected.txt: Added.
* js/regress/double-get-by-val-out-of-bounds.html: Added.
* js/regress/get-by-val-out-of-bounds-expected.txt: Added.
* js/regress/get-by-val-out-of-bounds.html: Added.
* js/regress/script-tests/double-get-by-val-out-of-bounds.js: Added.
(foo):
* js/regress/script-tests/get-by-val-out-of-bounds.js: Added.
(foo):
2013-12-06 Rob Buis <rob.buis@samsung.com>
[CSS Shapes] ShapeOutsideInfo needs to use the parent's writing mode when calculating offsets
JSRegress/double-get-by-val-out-of-bounds
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS no exception thrown
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<script src="../../resources/js-test-pre.js"></script>
</head>
<body>
<script src="resources/regress-pre.js"></script>
<script src="script-tests/double-get-by-val-out-of-bounds.js"></script>
<script src="resources/regress-post.js"></script>
<script src="../../resources/js-test-post.js"></script>
</body>
</html>
JSRegress/get-by-val-out-of-bounds
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS no exception thrown
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<script src="../../resources/js-test-pre.js"></script>
</head>
<body>
<script src="resources/regress-pre.js"></script>
<script src="script-tests/get-by-val-out-of-bounds.js"></script>
<script src="resources/regress-post.js"></script>
<script src="../../resources/js-test-post.js"></script>
</body>
</html>
function foo(a) {
return a[1];
}
noInline(foo);
for (var i = 0; i < 100000; ++i) {
var result = foo([42.5]);
if (result !== void 0)
throw "Error: bad value: " + result;
}
function foo(a) {
return a[1];
}
noInline(foo);
for (var i = 0; i < 100000; ++i) {
var result = foo([42]);
if (result !== void 0)
throw "Error: bad value: " + result;
}
2013-12-06 Filip Pizlo <fpizlo@apple.com>
FTL should support hole/OOB array accesses
https://bugs.webkit.org/show_bug.cgi?id=118077
Reviewed by Oliver Hunt and Mark Hahnenberg.
* ftl/FTLCapabilities.cpp:
(JSC::FTL::canCompile):
* ftl/FTLIntrinsicRepository.h:
* ftl/FTLLowerDFGToLLVM.cpp:
(JSC::FTL::LowerDFGToLLVM::compileGetByVal):
(JSC::FTL::LowerDFGToLLVM::baseIndex):
2013-12-06 Michael Saboff <msaboff@apple.com>
Split sizing of VarArgs frames from loading arguments for the frame
......
......@@ -158,13 +158,6 @@ inline CapabilityLevel canCompile(Node* node)
return CanCompileAndOSREnter;
return CannotCompile;
}
switch (node->arrayMode().speculation()) {
case Array::SaneChain:
case Array::InBounds:
break;
default:
return CannotCompile;
}
break;
case PutByVal:
case PutByValAlias:
......
......@@ -54,6 +54,7 @@ namespace JSC { namespace FTL {
macro(C_JITOperation_ESt, functionType(intPtr, intPtr, intPtr)) \
macro(I_JITOperation_EJss, functionType(intPtr, intPtr, intPtr)) \
macro(J_JITOperation_E, functionType(int64, intPtr)) \
macro(J_JITOperation_EAZ, functionType(int64, intPtr, intPtr, int32)) \
macro(J_JITOperation_EJssZ, functionType(int64, intPtr, intPtr, int32)) \
macro(J_JITOperation_ESsiJI, functionType(int64, intPtr, intPtr, int64, intPtr)) \
macro(Jss_JITOperation_EZ, functionType(intPtr, intPtr, int32)) \
......
......@@ -1482,25 +1482,45 @@ private:
LValue index = lowInt32(m_node->child2());
LValue storage = lowStorage(m_node->child3());
IndexedAbstractHeap& heap = m_node->arrayMode().type() == Array::Int32 ?
m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties;
if (m_node->arrayMode().isInBounds()) {
speculate(
OutOfBounds, noValue(), 0,
m_out.aboveOrEqual(
index, m_out.load32(storage, m_heaps.Butterfly_publicLength)));
LValue result = m_out.load64(m_out.baseIndex(
m_node->arrayMode().type() == Array::Int32 ?
m_heaps.indexedInt32Properties : m_heaps.indexedContiguousProperties,
storage, m_out.zeroExt(index, m_out.intPtr),
m_state.forNode(m_node->child2()).m_value));
LValue result = m_out.load64(baseIndex(heap, storage, index, m_node->child2()));
speculate(LoadFromHole, noValue(), 0, m_out.isZero64(result));
setJSValue(result);
return;
}
// FIXME: Implement hole/OOB loads in the FTL.
// https://bugs.webkit.org/show_bug.cgi?id=118077
RELEASE_ASSERT_NOT_REACHED();
LValue base = lowCell(m_node->child1());
LBasicBlock fastCase = FTL_NEW_BLOCK(m_out, ("GetByVal int/contiguous fast case"));
LBasicBlock slowCase = FTL_NEW_BLOCK(m_out, ("GetByVal int/contiguous slow case"));
LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("GetByVal int/contiguous continuation"));
m_out.branch(
m_out.aboveOrEqual(
index, m_out.load32(storage, m_heaps.Butterfly_publicLength)),
slowCase, fastCase);
LBasicBlock lastNext = m_out.appendTo(fastCase, slowCase);
ValueFromBlock fastResult = m_out.anchor(
m_out.load64(baseIndex(heap, storage, index, m_node->child2())));
m_out.branch(m_out.isZero64(fastResult.value()), slowCase, continuation);
m_out.appendTo(slowCase, continuation);
ValueFromBlock slowResult = m_out.anchor(
vmCall(m_out.operation(operationGetByValArrayInt), m_callFrame, base, index));
m_out.jump(continuation);
m_out.appendTo(continuation, lastNext);
setJSValue(m_out.phi(m_out.int64, fastResult, slowResult));
return;
}
......@@ -1508,16 +1528,16 @@ private:
LValue index = lowInt32(m_node->child2());
LValue storage = lowStorage(m_node->child3());
IndexedAbstractHeap& heap = m_heaps.indexedDoubleProperties;
if (m_node->arrayMode().isInBounds()) {
speculate(
OutOfBounds, noValue(), 0,
m_out.aboveOrEqual(
index, m_out.load32(storage, m_heaps.Butterfly_publicLength)));
LValue result = m_out.loadDouble(m_out.baseIndex(
m_heaps.indexedDoubleProperties,
storage, m_out.zeroExt(index, m_out.intPtr),
m_state.forNode(m_node->child2()).m_value));
LValue result = m_out.loadDouble(
baseIndex(heap, storage, index, m_node->child2()));
if (!m_node->arrayMode().isSaneChain()) {
speculate(
......@@ -1528,9 +1548,35 @@ private:
break;
}
// FIXME: Implement hole/OOB loads in the FTL.
// https://bugs.webkit.org/show_bug.cgi?id=118077
RELEASE_ASSERT_NOT_REACHED();
LValue base = lowCell(m_node->child1());
LBasicBlock inBounds = FTL_NEW_BLOCK(m_out, ("GetByVal double in bounds"));
LBasicBlock boxPath = FTL_NEW_BLOCK(m_out, ("GetByVal double boxing"));
LBasicBlock slowCase = FTL_NEW_BLOCK(m_out, ("GetByVal double slow case"));
LBasicBlock continuation = FTL_NEW_BLOCK(m_out, ("GetByVal double continuation"));
m_out.branch(
m_out.aboveOrEqual(
index, m_out.load32(storage, m_heaps.Butterfly_publicLength)),
slowCase, inBounds);
LBasicBlock lastNext = m_out.appendTo(inBounds, boxPath);
LValue doubleValue = m_out.loadDouble(
baseIndex(heap, storage, index, m_node->child2()));
m_out.branch(
m_out.doubleNotEqualOrUnordered(doubleValue, doubleValue), slowCase, boxPath);
m_out.appendTo(boxPath, slowCase);
ValueFromBlock fastResult = m_out.anchor(boxDouble(doubleValue));
m_out.jump(continuation);
m_out.appendTo(slowCase, continuation);
ValueFromBlock slowResult = m_out.anchor(
vmCall(m_out.operation(operationGetByValArrayInt), m_callFrame, base, index));
m_out.jump(continuation);
m_out.appendTo(continuation, lastNext);
setJSValue(m_out.phi(m_out.int64, fastResult, slowResult));
return;
}
......@@ -2715,6 +2761,13 @@ private:
info.m_isInvalidationPoint = true;
}
TypedPointer baseIndex(IndexedAbstractHeap& heap, LValue storage, LValue index, Edge edge)
{
return m_out.baseIndex(
heap, storage, m_out.zeroExt(index, m_out.intPtr),
m_state.forNode(edge).m_value);
}
LValue allocateCell(LValue allocator, LValue structure, LBasicBlock slowPath)
{
LBasicBlock success = FTL_NEW_BLOCK(m_out, ("object allocation success"));
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment