Commit fc502ee5 authored by oliver@apple.com's avatar oliver@apple.com

2010-05-19 Oliver Hunt <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        emitJumpIfNotJSCell should special case constant immediate values
        https://bugs.webkit.org/show_bug.cgi?id=39392
        <rdar://problem/8001324>

        Make emitJumpSlowCaseIfNotJSCell special case constant immediate
        values, in addition to the immediate JSCell optimisation.

        Also add assertions to make sure no one else produces code that
        attempts to load constants from the register file.

        * jit/JITInlineMethods.h:
        (JSC::JIT::emitJumpSlowCaseIfNotJSCell):
        * jit/JSInterfaceJIT.h:
        (JSC::JSInterfaceJIT::emitJumpIfNotJSCell):
        (JSC::JSInterfaceJIT::emitLoadInt32):
        (JSC::JSInterfaceJIT::tagFor):
        (JSC::JSInterfaceJIT::payloadFor):
        (JSC::JSInterfaceJIT::emitLoadDouble):
        (JSC::JSInterfaceJIT::addressFor):
        * jit/ThunkGenerators.cpp:
2010-05-19  Oliver Hunt  <oliver@apple.com>

        Reviewed by Geoffrey Garen.

        emitJumpIfNotJSCell should special case constant immediate values
        https://bugs.webkit.org/show_bug.cgi?id=39392

        Add tests for immediate constants being used where cells are expected.

        * fast/js/immediate-constant-instead-of-cell-expected.txt: Added.
        * fast/js/immediate-constant-instead-of-cell.html: Added.
        * fast/js/script-tests/immediate-constant-instead-of-cell.js: Added.
        ():

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@59798 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent b9a7ac12
2010-05-19 Oliver Hunt <oliver@apple.com>
Reviewed by Geoffrey Garen.
emitJumpIfNotJSCell should special case constant immediate values
https://bugs.webkit.org/show_bug.cgi?id=39392
<rdar://problem/8001324>
Make emitJumpSlowCaseIfNotJSCell special case constant immediate
values, in addition to the immediate JSCell optimisation.
Also add assertions to make sure no one else produces code that
attempts to load constants from the register file.
* jit/JITInlineMethods.h:
(JSC::JIT::emitJumpSlowCaseIfNotJSCell):
* jit/JSInterfaceJIT.h:
(JSC::JSInterfaceJIT::emitJumpIfNotJSCell):
(JSC::JSInterfaceJIT::emitLoadInt32):
(JSC::JSInterfaceJIT::tagFor):
(JSC::JSInterfaceJIT::payloadFor):
(JSC::JSInterfaceJIT::emitLoadDouble):
(JSC::JSInterfaceJIT::addressFor):
* jit/ThunkGenerators.cpp:
2010-05-19 Geoffrey Garen <ggaren@apple.com>
Reviewed by Sam Weinig.
......
......@@ -559,14 +559,22 @@ inline bool JIT::getMappedTag(unsigned virtualRegisterIndex, RegisterID& tag)
inline void JIT::emitJumpSlowCaseIfNotJSCell(unsigned virtualRegisterIndex)
{
if (!m_codeBlock->isKnownNotImmediate(virtualRegisterIndex))
addSlowCase(emitJumpIfNotJSCell(virtualRegisterIndex));
if (!m_codeBlock->isKnownNotImmediate(virtualRegisterIndex)) {
if (m_codeBlock->isConstantRegisterIndex(virtualRegisterIndex))
addSlowCase(jump());
else
addSlowCase(emitJumpIfNotJSCell(virtualRegisterIndex));
}
}
inline void JIT::emitJumpSlowCaseIfNotJSCell(unsigned virtualRegisterIndex, RegisterID tag)
{
if (!m_codeBlock->isKnownNotImmediate(virtualRegisterIndex))
addSlowCase(branch32(NotEqual, tag, Imm32(JSValue::CellTag)));
if (!m_codeBlock->isKnownNotImmediate(virtualRegisterIndex)) {
if (m_codeBlock->isConstantRegisterIndex(virtualRegisterIndex))
addSlowCase(jump());
else
addSlowCase(branch32(NotEqual, tag, Imm32(JSValue::CellTag)));
}
}
inline void JIT::linkSlowCaseIfNotJSCell(Vector<SlowCaseEntry>::iterator& iter, unsigned virtualRegisterIndex)
......
......@@ -191,27 +191,32 @@ namespace JSC {
inline JSInterfaceJIT::Jump JSInterfaceJIT::emitJumpIfNotJSCell(unsigned virtualRegisterIndex)
{
ASSERT(static_cast<int>(virtualRegisterIndex) < FirstConstantRegisterIndex);
return branch32(NotEqual, tagFor(virtualRegisterIndex), Imm32(JSValue::CellTag));
}
inline JSInterfaceJIT::Jump JSInterfaceJIT::emitLoadInt32(unsigned virtualRegisterIndex, RegisterID dst)
{
ASSERT(static_cast<int>(virtualRegisterIndex) < FirstConstantRegisterIndex);
loadPtr(payloadFor(virtualRegisterIndex), dst);
return branch32(NotEqual, tagFor(virtualRegisterIndex), Imm32(JSValue::Int32Tag));
}
inline JSInterfaceJIT::Address JSInterfaceJIT::tagFor(unsigned index, RegisterID base)
inline JSInterfaceJIT::Address JSInterfaceJIT::tagFor(unsigned virtualRegisterIndex, RegisterID base)
{
return Address(base, (index * sizeof(Register)) + OBJECT_OFFSETOF(JSValue, u.asBits.tag));
ASSERT(static_cast<int>(virtualRegisterIndex) < FirstConstantRegisterIndex);
return Address(base, (virtualRegisterIndex * sizeof(Register)) + OBJECT_OFFSETOF(JSValue, u.asBits.tag));
}
inline JSInterfaceJIT::Address JSInterfaceJIT::payloadFor(unsigned index, RegisterID base)
inline JSInterfaceJIT::Address JSInterfaceJIT::payloadFor(unsigned virtualRegisterIndex, RegisterID base)
{
return Address(base, (index * sizeof(Register)) + OBJECT_OFFSETOF(JSValue, u.asBits.payload));
ASSERT(static_cast<int>(virtualRegisterIndex) < FirstConstantRegisterIndex);
return Address(base, (virtualRegisterIndex * sizeof(Register)) + OBJECT_OFFSETOF(JSValue, u.asBits.payload));
}
inline JSInterfaceJIT::Jump JSInterfaceJIT::emitLoadDouble(unsigned virtualRegisterIndex, FPRegisterID dst, RegisterID scratch)
{
ASSERT(static_cast<int>(virtualRegisterIndex) < FirstConstantRegisterIndex);
loadPtr(tagFor(virtualRegisterIndex), scratch);
Jump isDouble = branch32(Below, scratch, Imm32(JSValue::LowestTag));
Jump notInt = branch32(NotEqual, scratch, Imm32(JSValue::Int32Tag));
......@@ -297,15 +302,17 @@ namespace JSC {
#endif
#if !USE(JSVALUE32_64)
inline JSInterfaceJIT::Address JSInterfaceJIT::payloadFor(unsigned index, RegisterID base)
inline JSInterfaceJIT::Address JSInterfaceJIT::payloadFor(unsigned virtualRegisterIndex, RegisterID base)
{
return addressFor(index, base);
ASSERT(static_cast<int>(virtualRegisterIndex) < FirstConstantRegisterIndex);
return addressFor(virtualRegisterIndex, base);
}
#endif
inline JSInterfaceJIT::Address JSInterfaceJIT::addressFor(unsigned index, RegisterID base)
inline JSInterfaceJIT::Address JSInterfaceJIT::addressFor(unsigned virtualRegisterIndex, RegisterID base)
{
return Address(base, (index * sizeof(Register)));
ASSERT(static_cast<int>(virtualRegisterIndex) < FirstConstantRegisterIndex);
return Address(base, (virtualRegisterIndex * sizeof(Register)));
}
}
......
......@@ -25,8 +25,9 @@
#include "config.h"
#include "ThunkGenerators.h"
#include <wtf/text/StringImpl.h>
#include "CodeBlock.h"
#include <wtf/text/StringImpl.h>
#include "SpecializedThunkJIT.h"
#if ENABLE(JIT)
......
2010-05-19 Oliver Hunt <oliver@apple.com>
Reviewed by Geoffrey Garen.
emitJumpIfNotJSCell should special case constant immediate values
https://bugs.webkit.org/show_bug.cgi?id=39392
Add tests for immediate constants being used where cells are expected.
* fast/js/immediate-constant-instead-of-cell-expected.txt: Added.
* fast/js/immediate-constant-instead-of-cell.html: Added.
* fast/js/script-tests/immediate-constant-instead-of-cell.js: Added.
():
2010-05-19 Jian Li <jianli@chromium.org>
Reviewed by Alexey Proskuryakov.
Test immediate constants where objects are expects. Should not crash.
On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
PASS successfullyParsed is true
TEST COMPLETE
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<link rel="stylesheet" href="resources/js-test-style.css">
<script src="resources/js-test-pre.js"></script>
</head>
<body>
<p id="description"></p>
<div id="console"></div>
<script src="script-tests/immediate-constant-instead-of-cell.js"></script>
<script src="resources/js-test-post.js"></script>
</body>
</html>
description("Test immediate constants where objects are expects. Should not crash.");
tests = [];
function createTest(expr) {
tests.push(new Function(expr.replace("%value%", "true")));
tests.push(new Function(expr.replace("%value%", "(-0)")));
tests.push(new Function(expr.replace("%value%", "(0)")));
tests.push(new Function(expr.replace("%value%", "(1)")));
tests.push(new Function(expr.replace("%value%", "null")));
tests.push(new Function(expr.replace("%value%", "undefined")));
}
num=1;
createTest("%value% instanceof Object");
createTest("Object instanceof %value%");
createTest("%value%.toString");
createTest("'toString' in %value%");
createTest("%value% in Object");
createTest("num << %value%");
createTest("%value% << num");
createTest("num >> %value%");
createTest("%value% >> num");
createTest("num >>> %value%");
createTest("%value% >>> num");
createTest("num ^ %value%");
createTest("%value% ^ num");
createTest("num | %value%");
createTest("%value% | num");
createTest("num & %value%");
createTest("%value% & num");
createTest("num + %value%");
createTest("%value% + num");
createTest("num - %value%");
createTest("%value% - num");
createTest("num * %value%");
createTest("%value% * num");
createTest("num / %value%");
createTest("%value% / num");
createTest("num % %value%");
createTest("%value% % num");
createTest("num || %value%");
createTest("%value% || num");
createTest("num && %value%");
createTest("%value% && num");
createTest("%value%()");
createTest("%value%.toString()");
createTest("Object[%value%]()");
createTest("for(var i in %value%) { }");
createTest("var o = {a:1, b:2, c:3}; for(var i in o) { o = %value%; o[i]; }");
for (var i = 0; i < tests.length; i++) {
try { tests[i](); } catch(e) {}
}
var successfullyParsed = true;
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment