1 2013-07-25 Ryuan Choi <ryuan.choi@samsung.com>
3 Unreviewed, build fix on the EFL port.
6 Added SourceCode.cpp and removed BlackBerry file.
8 (JSC::JITCode::nextTierJIT):
9 Fixed to build break because of -Werror=return-type
10 * parser/Lexer.cpp: Includes JSFunctionInlines.h
13 Fixed to build break because of -Werror=return-type
15 2013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu>
17 Unreviewed build fixing after FTL upstream.
19 * runtime/Executable.cpp:
20 (JSC::FunctionExecutable::produceCodeBlockFor):
22 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
24 Add missing implementation of bxxxnz in sh4 LLINT.
25 https://bugs.webkit.org/show_bug.cgi?id=119079
27 Reviewed by Allan Sandfeld Jensen.
31 2013-07-25 Gabor Rapcsanyi <rgabor@webkit.org>
33 Unreviewed, build fix on the Qt port.
35 * Target.pri: Add additional build files for the FTL.
37 2013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu>
39 Unreviewed buildfix after FTL upstream..
41 * interpreter/StackIterator.cpp:
42 (JSC::StackIterator::Frame::codeType):
43 (JSC::StackIterator::Frame::functionName):
44 (JSC::StackIterator::Frame::sourceURL):
45 (JSC::StackIterator::Frame::logicalFrame):
47 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
51 * heap/CopyVisitor.cpp: Include CopiedSpaceInlines header so the CopiedSpace::recycleEvacuatedBlock
52 method is not left undefined, causing build failures on (at least) the GTK port.
54 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
56 Unreviewed, further build fixing on the GTK port.
58 * GNUmakefile.list.am: Add CompilationResult source files to the build.
60 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
62 Unreviewed GTK build fixing.
64 * GNUmakefile.am: Make the shared libjsc library depend on any changes to the build target list.
65 * GNUmakefile.list.am: Add additional build targets for files that were introduced by the FTL branch merge.
67 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
69 Buildfix after this error:
70 error: 'pathName' may be used uninitialized in this function [-Werror=uninitialized]
73 (JSC::DFG::Plan::compileInThread):
75 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
77 One more buildfix after FTL upstream.
79 Return a dummy value after RELEASE_ASSERT_NOT_REACHED() to make GCC happy.
81 * dfg/DFGLazyJSValue.cpp:
82 (JSC::DFG::LazyJSValue::getValue):
83 (JSC::DFG::LazyJSValue::strictEqual):
85 2013-07-25 Julien Brianceau <jbrianceau@nds.com>
87 Fix "Unhandled opcode localAnnotation" build error in sh4 and mips LLINT.
88 https://bugs.webkit.org/show_bug.cgi?id=119076
90 Reviewed by Allan Sandfeld Jensen.
95 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
97 Unreviewed GTK build fix.
99 * GNUmakefile.list.am: Adding JSCTestRunnerUtils files to the build.
101 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
103 Unreviewed. Further build fixing for the GTK port. Adding the forwarding header
104 for JSCTestRunnerUtils.h as required by the DumpRenderTree compilation.
106 * ForwardingHeaders/JavaScriptCore/JSCTestRunnerUtils.h: Added.
108 2013-07-25 Zan Dobersek <zdobersek@igalia.com>
110 Unreviewed. Fixing the GTK build after the FTL merging by updating the build targets list.
113 * GNUmakefile.list.am:
115 2013-07-25 Ádám Kallai <kadam@inf.u-szeged.hu>
117 Unreviewed buildfix after FTL upstream.
120 (JSC::needsVarInjectionChecks):
122 2013-07-25 Csaba Osztrogonác <ossy@webkit.org>
124 One more fix after FTL upstream.
127 * bytecode/CodeBlock.h:
128 * bytecode/GetByIdStatus.h:
129 (JSC::GetByIdStatus::GetByIdStatus):
131 2013-07-24 Csaba Osztrogonác <ossy@webkit.org>
133 Unreviewed buildfix after FTL upstream.
135 Add ftl directory as include path.
138 * JavaScriptCore.pri:
140 2013-07-24 Csaba Osztrogonác <ossy@webkit.org>
142 Unreviewed buildfix after FTL upstream for non C++11 builds.
144 * interpreter/CallFrame.h:
145 * interpreter/StackIteratorPrivate.h:
146 (JSC::StackIterator::end):
148 2013-07-24 Oliver Hunt <oliver@apple.com>
150 Endeavour to fix CMakelist builds
154 2013-07-24 Filip Pizlo <fpizlo@apple.com>
156 fourthTier: DFG IR dumps should be easier to read
157 https://bugs.webkit.org/show_bug.cgi?id=119050
159 Reviewed by Mark Hahnenberg.
161 Added a DumpContext that includes support for printing an endnote
162 that describes all structures in full, while the main flow of the
163 dump just uses made-up names for the structures. This is helpful
164 since Structure::dump() may print a lot. The stuff it prints is
165 useful, but if it's all inline with the surrounding thing you're
166 dumping (often, a node in the DFG), then you get a ridiculously
167 long print-out. All classes that dump structures (including
168 Structure itself) now have dumpInContext() methods that use
169 inContext() for dumping anything that might transitively print a
170 structure. If Structure::dumpInContext() is called with a NULL
171 context, it just uses dump() like before. Hence you don't have to
172 know anything about DumpContext unless you want to.
174 inContext(*structure, context) dumps something like %B4:Array,
175 and the endnote will have something like:
177 %B4:Array = 0x10e91a180:[Array, {Edge:100, Normal:101, Line:102, NumPx:103, LastPx:104}, ArrayWithContiguous, Proto:0x10e99ffe0]
179 where B4 is the inferred name that StringHashDumpContext came up
182 Also shortened a bunch of other dumps, removing information that
185 * JavaScriptCore.xcodeproj/project.pbxproj:
186 * bytecode/ArrayProfile.cpp:
187 (JSC::dumpArrayModes):
188 * bytecode/CodeBlockHash.cpp:
190 (JSC::CodeBlockHash::CodeBlockHash):
191 (JSC::CodeBlockHash::dump):
192 * bytecode/CodeOrigin.cpp:
193 (JSC::CodeOrigin::dumpInContext):
195 (JSC::InlineCallFrame::dumpInContext):
196 (JSC::InlineCallFrame::dump):
197 * bytecode/CodeOrigin.h:
200 * bytecode/Operands.h:
201 (JSC::OperandValueTraits::isEmptyForDump):
203 (JSC::Operands::dump):
205 * bytecode/OperandsInlines.h: Added.
207 (JSC::::dumpInContext):
208 * bytecode/StructureSet.h:
209 (JSC::StructureSet::dumpInContext):
210 (JSC::StructureSet::dump):
212 * dfg/DFGAbstractValue.cpp:
213 (JSC::DFG::AbstractValue::dump):
215 (JSC::DFG::AbstractValue::dumpInContext):
216 * dfg/DFGAbstractValue.h:
217 (JSC::DFG::AbstractValue::operator!):
219 * dfg/DFGCFAPhase.cpp:
220 (JSC::DFG::CFAPhase::performBlockCFA):
223 (JSC::DFG::NodePointerTraits::isEmptyForDump):
224 * dfg/DFGDisassembler.cpp:
225 (JSC::DFG::Disassembler::createDumpList):
226 * dfg/DFGDisassembler.h:
228 * dfg/DFGFlushFormat.h:
231 * dfg/DFGFlushLivenessAnalysisPhase.cpp:
233 (JSC::DFG::Graph::dumpCodeOrigin):
234 (JSC::DFG::Graph::dump):
235 (JSC::DFG::Graph::dumpBlockHeader):
238 * dfg/DFGLazyJSValue.cpp:
239 (JSC::DFG::LazyJSValue::dumpInContext):
240 (JSC::DFG::LazyJSValue::dump):
242 * dfg/DFGLazyJSValue.h:
245 (JSC::DFG::nodeMapDump):
248 * dfg/DFGOSRExitCompiler32_64.cpp:
249 (JSC::DFG::OSRExitCompiler::compileExit):
250 * dfg/DFGOSRExitCompiler64.cpp:
251 (JSC::DFG::OSRExitCompiler::compileExit):
252 * dfg/DFGStructureAbstractValue.h:
253 (JSC::DFG::StructureAbstractValue::dumpInContext):
254 (JSC::DFG::StructureAbstractValue::dump):
255 (StructureAbstractValue):
256 * ftl/FTLExitValue.cpp:
257 (JSC::FTL::ExitValue::dumpInContext):
258 (JSC::FTL::ExitValue::dump):
260 * ftl/FTLExitValue.h:
262 * ftl/FTLLowerDFGToLLVM.cpp:
263 * ftl/FTLValueSource.cpp:
264 (JSC::FTL::ValueSource::dumpInContext):
266 * ftl/FTLValueSource.h:
268 * runtime/DumpContext.cpp: Added.
270 (JSC::DumpContext::DumpContext):
271 (JSC::DumpContext::~DumpContext):
272 (JSC::DumpContext::isEmpty):
273 (JSC::DumpContext::dump):
274 * runtime/DumpContext.h: Added.
277 * runtime/JSCJSValue.cpp:
278 (JSC::JSValue::dump):
280 (JSC::JSValue::dumpInContext):
281 * runtime/JSCJSValue.h:
284 * runtime/Structure.cpp:
285 (JSC::Structure::dumpInContext):
287 (JSC::Structure::dumpBrief):
288 (JSC::Structure::dumpContextHeader):
289 * runtime/Structure.h:
293 2013-07-22 Filip Pizlo <fpizlo@apple.com>
295 fourthTier: DFG should do a high-level LICM before going to FTL
296 https://bugs.webkit.org/show_bug.cgi?id=118749
298 Reviewed by Oliver Hunt.
300 Implements LICM hoisting for nodes that never write anything and never read
301 things that are clobbered by the loop. There are some other preconditions for
302 hoisting, see DFGLICMPhase.cpp.
304 Also did a few fixes:
306 - ClobberSet::add was failing to switch Super entries to Direct entries in
309 - DFGClobberize.cpp needed to #include "Operations.h".
311 - DCEPhase needs to process the graph in reverse DFS order, when we're in SSA.
313 - AbstractInterpreter can now execute a Node without knowing its indexInBlock.
314 Knowing the indexInBlock is an optional optimization that all other clients
315 of AI still opt into, but LICM doesn't.
317 This makes the FTL a 2.19x speed-up on imaging-gaussian-blur.
319 * JavaScriptCore.xcodeproj/project.pbxproj:
320 * dfg/DFGAbstractInterpreter.h:
321 (AbstractInterpreter):
322 * dfg/DFGAbstractInterpreterInlines.h:
323 (JSC::DFG::::executeEffects):
324 (JSC::DFG::::execute):
326 (JSC::DFG::::clobberWorld):
327 (JSC::DFG::::clobberStructures):
328 * dfg/DFGAtTailAbstractState.cpp: Added.
330 (JSC::DFG::AtTailAbstractState::AtTailAbstractState):
331 (JSC::DFG::AtTailAbstractState::~AtTailAbstractState):
332 (JSC::DFG::AtTailAbstractState::createValueForNode):
333 (JSC::DFG::AtTailAbstractState::forNode):
334 * dfg/DFGAtTailAbstractState.h: Added.
336 (AtTailAbstractState):
337 (JSC::DFG::AtTailAbstractState::initializeTo):
338 (JSC::DFG::AtTailAbstractState::forNode):
339 (JSC::DFG::AtTailAbstractState::variables):
340 (JSC::DFG::AtTailAbstractState::block):
341 (JSC::DFG::AtTailAbstractState::isValid):
342 (JSC::DFG::AtTailAbstractState::setDidClobber):
343 (JSC::DFG::AtTailAbstractState::setIsValid):
344 (JSC::DFG::AtTailAbstractState::setBranchDirection):
345 (JSC::DFG::AtTailAbstractState::setFoundConstants):
346 (JSC::DFG::AtTailAbstractState::haveStructures):
347 (JSC::DFG::AtTailAbstractState::setHaveStructures):
348 * dfg/DFGBasicBlock.h:
349 (JSC::DFG::BasicBlock::insertBeforeLast):
350 * dfg/DFGBasicBlockInlines.h:
352 * dfg/DFGClobberSet.cpp:
353 (JSC::DFG::ClobberSet::add):
354 (JSC::DFG::ClobberSet::addAll):
355 * dfg/DFGClobberize.cpp:
356 (JSC::DFG::doesWrites):
357 * dfg/DFGClobberize.h:
359 * dfg/DFGDCEPhase.cpp:
360 (JSC::DFG::DCEPhase::DCEPhase):
361 (JSC::DFG::DCEPhase::run):
362 (JSC::DFG::DCEPhase::fixupBlock):
364 * dfg/DFGEdgeDominates.h: Added.
367 (JSC::DFG::EdgeDominates::EdgeDominates):
368 (JSC::DFG::EdgeDominates::operator()):
369 (JSC::DFG::EdgeDominates::result):
370 (JSC::DFG::edgesDominate):
371 * dfg/DFGFixupPhase.cpp:
372 (JSC::DFG::FixupPhase::fixupNode):
373 (JSC::DFG::FixupPhase::checkArray):
374 * dfg/DFGLICMPhase.cpp: Added.
376 (JSC::DFG::LICMPhase::LICMPhase):
377 (JSC::DFG::LICMPhase::run):
378 (JSC::DFG::LICMPhase::attemptHoist):
380 (JSC::DFG::performLICM):
381 * dfg/DFGLICMPhase.h: Added.
384 (JSC::DFG::Plan::compileInThreadImpl):
386 2013-07-21 Filip Pizlo <fpizlo@apple.com>
388 fourthTier: DFG Nodes should be able to abstractly tell you what they read and what they write
389 https://bugs.webkit.org/show_bug.cgi?id=118910
391 Reviewed by Sam Weinig.
393 Add the notion of AbstractHeap to the DFG. This is analogous to the AbstractHeap in
394 the FTL, except that the FTL's AbstractHeaps are used during LLVM lowering and are
395 engineered to obey LLVM TBAA logic. The FTL's AbstractHeaps are also engineered to
396 be inexpensive to use (they just give you a TBAA node) but expensive to create (you
397 create them all up front). FTL AbstractHeaps also don't actually give you the
398 ability to reason about aliasing; they are *just* a mechanism for lowering to TBAA.
399 The DFG's AbstractHeaps are engineered to be both cheap to create and cheap to use.
400 They also give you aliasing machinery. The DFG AbstractHeaps are represented
401 internally by a int64_t. Many comparisons between them are just integer comaprisons.
402 AbstractHeaps form a three-level hierarchy (World is the supertype of everything,
403 Kind with a TOP payload is a direct subtype of World, and Kind with a non-TOP
404 payload is the direct subtype of its corresponding TOP Kind).
406 Add the notion of a ClobberSet. This is the set of AbstractHeaps that you had
407 clobbered. It represents the set that results from unifying a bunch of
408 AbstractHeaps, and is intended to quickly answer overlap questions: does the given
409 AbstractHeap overlap any AbstractHeap in the ClobberSet? To this end, if you add an
410 AbstractHeap to a set, it "directly" adds the heap itself, and "super" adds all of
411 its ancestors. An AbstractHeap is said to overlap a set if any direct or super
412 member is equal to it, or if any of its ancestors are equal to a direct member.
416 - I add Variables(5). I.e. Variables is the Kind and 5 is the payload. This
417 is a subtype of Variables, which is a subtype of World.
418 - You query Variables. I.e. Variables with a TOP payload, which is the
419 supertype of Variables(X) for any X, and a subtype of World.
421 The set will have Variables(5) as a direct member, and Variables and World as
422 super members. The Variables query will immediately return true, because
423 Variables is indeed a super member.
428 - You query NamedProperties
430 NamedProperties is not a member at all (neither direct or super). We next
431 query World. World is a member, but it's a super member, so we return false.
436 - You query Variables(5)
438 The set will have Variables as a direct member, and World as a super member.
439 The Variables(5) query will not find Variables(5) in the set, but then it
440 will query Variables. Variables is a direct member, so we return true.
445 - You query NamedProperties(5)
447 Neither NamedProperties nor NamedProperties(5) are members. We next query
448 World. World is a member, but it's a super member, so we return false.
450 Overlap queries require that either the heap being queried is in the set (either
451 direct or super), or that one of its ancestors is a direct member. Another way to
452 think about how this works is that two heaps A and B are said to overlap if
453 A.isSubtypeOf(B) or B.isSubtypeOf(A). This is sound since heaps form a
454 single-inheritance heirarchy. Consider that we wanted to implement a set that holds
455 heaps and answers the question, "is any member in the set an ancestor (i.e.
456 supertype) of some other heap". We would have the set contain the heaps themselves,
457 and we would satisfy the query "A.isSubtypeOfAny(set)" by walking the ancestor
458 chain of A, and repeatedly querying its membership in the set. This is what the
459 "direct" members of our set do. Now consider the other part, where we want to ask if
460 any member of the set is a descendent of a heap, or "A.isSupertypeOfAny(set)". We
461 would implement this by implementing set.add(B) as adding not just B but also all of
462 B's ancestors; then we would answer A.isSupertypeOfAny(set) by just checking if A is
463 in the set. With two such sets - one that answers isSubtypeOfAny() and another that
464 answers isSupertypeOfAny() - we could answer the "do any of my heaps overlap your
465 heap" question. ClobberSet does this, but combines the two sets into a single
466 HashMap. The HashMap's value, "direct", means that the key is a member of both the
467 supertype set and the subtype set; if it's false then it's only a member of one of
470 Finally, this adds a functorized clobberize() method that adds the read and write
471 clobbers of a DFG::Node to read and write functors. Common functors for adding to
472 ClobberSets, querying overlap, and doing nothing are provided. Convenient wrappers
473 are also provided. This allows you to say things like:
476 addWrites(graph, node1, set);
477 if (readsOverlap(graph, node2, set))
478 // We know that node1 may write to something that node2 may read from.
480 Currently this facility is only used to improve graph dumping, but it will be
481 instrumental in both LICM and GVN. In the future, I want to completely kill the
482 NodeClobbersWorld and NodeMightClobber flags, and eradicate CSEPhase's hackish way
483 of accomplishing almost exactly what AbstractHeap gives you.
485 * JavaScriptCore.xcodeproj/project.pbxproj:
486 * dfg/DFGAbstractHeap.cpp: Added.
488 (JSC::DFG::AbstractHeap::Payload::dump):
489 (JSC::DFG::AbstractHeap::dump):
491 (WTF::printInternal):
492 * dfg/DFGAbstractHeap.h: Added.
496 (JSC::DFG::AbstractHeap::Payload::Payload):
497 (JSC::DFG::AbstractHeap::Payload::top):
498 (JSC::DFG::AbstractHeap::Payload::isTop):
499 (JSC::DFG::AbstractHeap::Payload::value):
500 (JSC::DFG::AbstractHeap::Payload::valueImpl):
501 (JSC::DFG::AbstractHeap::Payload::operator==):
502 (JSC::DFG::AbstractHeap::Payload::operator!=):
503 (JSC::DFG::AbstractHeap::Payload::operator<):
504 (JSC::DFG::AbstractHeap::Payload::isDisjoint):
505 (JSC::DFG::AbstractHeap::Payload::overlaps):
506 (JSC::DFG::AbstractHeap::AbstractHeap):
507 (JSC::DFG::AbstractHeap::operator!):
508 (JSC::DFG::AbstractHeap::kind):
509 (JSC::DFG::AbstractHeap::payload):
510 (JSC::DFG::AbstractHeap::isDisjoint):
511 (JSC::DFG::AbstractHeap::overlaps):
512 (JSC::DFG::AbstractHeap::supertype):
513 (JSC::DFG::AbstractHeap::hash):
514 (JSC::DFG::AbstractHeap::operator==):
515 (JSC::DFG::AbstractHeap::operator!=):
516 (JSC::DFG::AbstractHeap::operator<):
517 (JSC::DFG::AbstractHeap::isHashTableDeletedValue):
518 (JSC::DFG::AbstractHeap::payloadImpl):
519 (JSC::DFG::AbstractHeap::encode):
520 (JSC::DFG::AbstractHeapHash::hash):
521 (JSC::DFG::AbstractHeapHash::equal):
524 * dfg/DFGClobberSet.cpp: Added.
526 (JSC::DFG::ClobberSet::ClobberSet):
527 (JSC::DFG::ClobberSet::~ClobberSet):
528 (JSC::DFG::ClobberSet::add):
529 (JSC::DFG::ClobberSet::addAll):
530 (JSC::DFG::ClobberSet::contains):
531 (JSC::DFG::ClobberSet::overlaps):
532 (JSC::DFG::ClobberSet::clear):
533 (JSC::DFG::ClobberSet::direct):
534 (JSC::DFG::ClobberSet::super):
535 (JSC::DFG::ClobberSet::dump):
536 (JSC::DFG::ClobberSet::setOf):
537 (JSC::DFG::addReads):
538 (JSC::DFG::addWrites):
539 (JSC::DFG::addReadsAndWrites):
540 (JSC::DFG::readsOverlap):
541 (JSC::DFG::writesOverlap):
542 * dfg/DFGClobberSet.h: Added.
545 (JSC::DFG::ClobberSet::isEmpty):
547 (JSC::DFG::ClobberSetAdd::ClobberSetAdd):
548 (JSC::DFG::ClobberSetAdd::operator()):
549 (ClobberSetOverlaps):
550 (JSC::DFG::ClobberSetOverlaps::ClobberSetOverlaps):
551 (JSC::DFG::ClobberSetOverlaps::operator()):
552 (JSC::DFG::ClobberSetOverlaps::result):
553 * dfg/DFGClobberize.cpp: Added.
555 (JSC::DFG::didWrites):
556 * dfg/DFGClobberize.h: Added.
558 (JSC::DFG::clobberize):
560 (JSC::DFG::NoOpClobberize::NoOpClobberize):
561 (JSC::DFG::NoOpClobberize::operator()):
563 (JSC::DFG::CheckClobberize::CheckClobberize):
564 (JSC::DFG::CheckClobberize::operator()):
565 (JSC::DFG::CheckClobberize::result):
567 (JSC::DFG::Graph::dump):
569 2013-07-21 Filip Pizlo <fpizlo@apple.com>
571 fourthTier: It should be easy to figure out which blocks nodes belong to
572 https://bugs.webkit.org/show_bug.cgi?id=118957
574 Reviewed by Sam Weinig.
578 (JSC::DFG::Graph::initializeNodeOwners):
583 2013-07-21 Filip Pizlo <fpizlo@apple.com>
585 fourthTier: NodeExitsForward shouldn't be duplicated in NodeType
586 https://bugs.webkit.org/show_bug.cgi?id=118956
588 Reviewed by Sam Weinig.
590 We had two way of expressing that something exits forward: the NodeExitsForward
591 flag and the word 'Forward' in the NodeType. That's kind of dumb. This patch
592 makes it just be a flag.
594 * dfg/DFGAbstractInterpreterInlines.h:
595 (JSC::DFG::::executeEffects):
596 * dfg/DFGArgumentsSimplificationPhase.cpp:
597 (JSC::DFG::ArgumentsSimplificationPhase::run):
598 * dfg/DFGCSEPhase.cpp:
599 (JSC::DFG::CSEPhase::int32ToDoubleCSE):
600 (JSC::DFG::CSEPhase::checkStructureElimination):
601 (JSC::DFG::CSEPhase::structureTransitionWatchpointElimination):
602 (JSC::DFG::CSEPhase::putStructureStoreElimination):
603 (JSC::DFG::CSEPhase::checkArrayElimination):
604 (JSC::DFG::CSEPhase::performNodeCSE):
605 * dfg/DFGConstantFoldingPhase.cpp:
606 (JSC::DFG::ConstantFoldingPhase::foldConstants):
607 * dfg/DFGFixupPhase.cpp:
608 (JSC::DFG::FixupPhase::fixupNode):
609 (JSC::DFG::FixupPhase::injectInt32ToDoubleNode):
610 * dfg/DFGMinifiedNode.h:
611 (JSC::DFG::belongsInMinifiedGraph):
612 (JSC::DFG::MinifiedNode::hasChild):
614 (JSC::DFG::Node::convertToStructureTransitionWatchpoint):
615 (JSC::DFG::Node::hasStructureSet):
616 (JSC::DFG::Node::hasStructure):
617 (JSC::DFG::Node::hasArrayMode):
618 (JSC::DFG::Node::willHaveCodeGenOrOSR):
621 (JSC::DFG::needsOSRForwardRewiring):
622 * dfg/DFGPredictionPropagationPhase.cpp:
623 (JSC::DFG::PredictionPropagationPhase::propagate):
624 * dfg/DFGSafeToExecute.h:
625 (JSC::DFG::safeToExecute):
626 * dfg/DFGSpeculativeJIT.cpp:
627 (JSC::DFG::SpeculativeJIT::compileInt32ToDouble):
628 * dfg/DFGSpeculativeJIT32_64.cpp:
629 (JSC::DFG::SpeculativeJIT::compile):
630 * dfg/DFGSpeculativeJIT64.cpp:
631 (JSC::DFG::SpeculativeJIT::compile):
632 * dfg/DFGTypeCheckHoistingPhase.cpp:
633 (JSC::DFG::TypeCheckHoistingPhase::run):
634 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
635 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
636 * dfg/DFGVariableEventStream.cpp:
637 (JSC::DFG::VariableEventStream::reconstruct):
638 * ftl/FTLCapabilities.cpp:
639 (JSC::FTL::canCompile):
640 * ftl/FTLLowerDFGToLLVM.cpp:
641 (JSC::FTL::LowerDFGToLLVM::compileNode):
642 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
644 2013-07-21 Filip Pizlo <fpizlo@apple.com>
646 fourthTier: It should be possible for a DFG::Node to claim to exit to one CodeOrigin, but then claim that it belongs to a different CodeOrigin for all other purposes
647 https://bugs.webkit.org/show_bug.cgi?id=118946
649 Reviewed by Geoffrey Garen.
651 We want to decouple the exit target code origin of a node from the code origin
652 for all other purposes. The purposes of code origins are:
654 - Where the node will exit, if it exits. The exit target should be consistent with
655 the surrounding nodes, in that if you just looked at the code origins of nodes in
656 the graph, they would be consistent with the code origins in bytecode. This is
657 necessary for live-at-bytecode analyses to work, and to preserve the original
658 bytecode semantics when exiting.
660 - What kind of code the node came from, for semantics thingies. For example, we
661 might use the code origin to find the node's global object for doing an original
662 array check. Or we might use it to determine if the code is in strict mode. Or
663 other similar things. When we use the code origin in this way, we're basically
664 using it as a way of describing the node's meta-data without putting it into the
665 node directly, to save space. In the absurd extreme you could imagine nodes not
666 even having NodeTypes or NodeFlags, and just using the CodeOrigin to determine
667 what bytecode the node originated from. We won't do that, but you can think of
668 this use of code origins as just a way of compressing meta-data.
670 - What code origin we should supply profiling to, if we exit. This is closely
671 related to the semantics thingies, in that the exit profiling is a persistent
672 kind of semantic meta-data that survives between recompiles, and the only way to
673 do that is to ascribe it to the original bytecode via the code origin.
675 If we hoist a node, we need to change the exit target code origin, but we must not
676 change the code origin for other purposes. The best way to do this is to decouple
677 the two kinds of code origin.
679 OSR exit data structures already do this, because they may edit the exit target
680 code origin while keeping the code origin for profiling intact. This happens for
681 forward exits. So, we just need to thread separation all the way back to DFG::Node.
682 That's what this patch does.
685 (JSC::DFG::Node::Node):
687 * dfg/DFGOSRExit.cpp:
688 (JSC::DFG::OSRExit::OSRExit):
689 * dfg/DFGOSRExitBase.h:
690 (JSC::DFG::OSRExitBase::OSRExitBase):
691 * dfg/DFGSpeculativeJIT.cpp:
692 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
693 (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
694 * dfg/DFGSpeculativeJIT.h:
696 * ftl/FTLLowerDFGToLLVM.cpp:
697 (JSC::FTL::LowerDFGToLLVM::compileNode):
698 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
700 * ftl/FTLOSRExit.cpp:
701 (JSC::FTL::OSRExit::OSRExit):
705 2013-07-20 Filip Pizlo <fpizlo@apple.com>
707 fourthTier: each DFG node that relies on other nodes to do their type checks should be able to tell you if those type checks happened
708 https://bugs.webkit.org/show_bug.cgi?id=118866
710 Reviewed by Sam Weinig.
712 Adds a safeToExecute() method that takes a node and an abstract state and tells you
713 if the node will run without crashing under that state.
715 * JavaScriptCore.xcodeproj/project.pbxproj:
716 * bytecode/CodeBlock.cpp:
717 (JSC::CodeBlock::CodeBlock):
718 * dfg/DFGCFAPhase.cpp:
720 (JSC::DFG::CFAPhase::CFAPhase):
721 (JSC::DFG::CFAPhase::run):
722 (JSC::DFG::CFAPhase::performBlockCFA):
723 (JSC::DFG::CFAPhase::performForwardCFA):
724 * dfg/DFGSafeToExecute.h: Added.
727 (JSC::DFG::SafeToExecuteEdge::SafeToExecuteEdge):
728 (JSC::DFG::SafeToExecuteEdge::operator()):
729 (JSC::DFG::SafeToExecuteEdge::result):
730 (JSC::DFG::safeToExecute):
731 * dfg/DFGStructureAbstractValue.h:
732 (JSC::DFG::StructureAbstractValue::isValidOffset):
733 (StructureAbstractValue):
737 2013-07-20 Filip Pizlo <fpizlo@apple.com>
739 fourthTier: FTL should be able to generate LLVM IR that uses an intrinsic for OSR exit
740 https://bugs.webkit.org/show_bug.cgi?id=118948
742 Reviewed by Sam Weinig.
744 - Add the ability to generate LLVM IR but then not use it, via --llvmAlwaysFails=true.
745 This allows doing "what if" experiments with IR generation, even if the generated IR
748 - Add an OSR exit path that just calls an intrinsic that combines the branch and the
751 * JavaScriptCore.xcodeproj/project.pbxproj:
753 (JSC::DFG::Plan::compileInThreadImpl):
754 * ftl/FTLFail.cpp: Added.
757 * ftl/FTLFail.h: Added.
759 * ftl/FTLIntrinsicRepository.h:
761 * ftl/FTLLowerDFGToLLVM.cpp:
762 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
763 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
767 2013-07-19 Filip Pizlo <fpizlo@apple.com>
769 fourthTier: StringObjectUse uses structures, and CSE should know that
770 https://bugs.webkit.org/show_bug.cgi?id=118940
772 Reviewed by Geoffrey Garen.
774 This is asymptomatic right now, but we should fix it.
776 * JavaScriptCore.xcodeproj/project.pbxproj:
777 * dfg/DFGCSEPhase.cpp:
778 (JSC::DFG::CSEPhase::putStructureStoreElimination):
779 * dfg/DFGEdgeUsesStructure.h: Added.
782 (JSC::DFG::EdgeUsesStructure::EdgeUsesStructure):
783 (JSC::DFG::EdgeUsesStructure::operator()):
784 (JSC::DFG::EdgeUsesStructure::result):
785 (JSC::DFG::edgesUseStructure):
788 (JSC::DFG::usesStructure):
790 2013-07-19 Filip Pizlo <fpizlo@apple.com>
792 fourthTier: String GetByVal out-of-bounds handling is so wrong
793 https://bugs.webkit.org/show_bug.cgi?id=118935
795 Reviewed by Geoffrey Garen.
797 Bunch of String GetByVal out-of-bounds fixes:
799 - Even if the string proto chain is sane, we need to watch out for negative
800 indices. They may get values or call getters in the prototypes, since proto
801 sanity doesn't check for negative indexed properties, as they are not
802 technically indexed properties.
804 - GetByVal String out-of-bounds does in fact clobberWorld(). CSE should be
805 given this information.
807 - GetByVal String out-of-bounds does in fact clobberWorld(). CFA should be
808 given this information.
810 Also fixed some other things:
812 - If the DFG is disabled, the testRunner should pretend that we've done a
813 bunch of DFG compiles. That's necessary to prevent the tests from timing
816 - Disassembler shouldn't try to dump source code since it's not safe in the
819 * API/JSCTestRunnerUtils.cpp:
820 (JSC::numberOfDFGCompiles):
821 * JavaScriptCore.xcodeproj/project.pbxproj:
822 * dfg/DFGAbstractInterpreterInlines.h:
823 (JSC::DFG::::executeEffects):
824 * dfg/DFGDisassembler.cpp:
825 (JSC::DFG::Disassembler::dumpHeader):
827 (JSC::DFG::Graph::byValIsPure):
828 * dfg/DFGSaneStringGetByValSlowPathGenerator.h: Added.
830 (SaneStringGetByValSlowPathGenerator):
831 (JSC::DFG::SaneStringGetByValSlowPathGenerator::SaneStringGetByValSlowPathGenerator):
832 (JSC::DFG::SaneStringGetByValSlowPathGenerator::generateInternal):
833 * dfg/DFGSpeculativeJIT.cpp:
834 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
836 2013-07-19 Filip Pizlo <fpizlo@apple.com>
838 fourthTier: Structure::isValidOffset() should be able to tell you if you're loading a valid JSValue, and not just not crashing
839 https://bugs.webkit.org/show_bug.cgi?id=118911
841 Reviewed by Geoffrey Garen.
843 We could also have a separate method like "willNotCrash(offset)", but that's not
844 what isValidOffset() is intended to mean.
846 * runtime/Structure.h:
847 (JSC::Structure::isValidOffset):
849 2013-07-19 Filip Pizlo <fpizlo@apple.com>
851 fourthTier: Structure should be able to tell you if it's valid to load at a given offset from any object with that structure
852 https://bugs.webkit.org/show_bug.cgi?id=118878
854 Reviewed by Oliver Hunt.
856 - Change Structure::isValidOffset() to actually answer the question "If I attempted
857 to load from an object of this structure, at this offset, would I commit suicide
858 or would I get back some kind of value?"
860 - Change StorageAccessData::offset to use a PropertyOffset. It should have been that
863 - Fix PutStructure so that it sets haveStructures in all of the cases that it should.
865 - Make GetByOffset also reference the base object in addition to the butterfly.
867 The future use of this power will be to answer questions like "If I hoisted this
868 GetByOffset or PutByOffset to this point, would it cause crashes, or would it be
871 I don't currently plan to use this power to perform validation, since the CSE has
872 the power to eliminate CheckStructure's that the CFA wouldn't be smart enough to
873 remove - both in the case of StructureSets where size >= 2 and in the case of
874 CheckStructures that match across PutStructures. At first I tried to write a
875 validator that was aware of this, but the validation code got way too complicated
876 and I started having nightmares of spurious assertion bugs being filed against me.
878 This also changes some of the code for how we hash FunctionExecutable's for debug
879 dumps, since that code still had some thread-safety issues. Basically, the
880 concurrent JIT needs to use the CodeBlock's precomputed hash and never call anything
881 that could transitively try to compute the hash from the source code. The source
882 code is a string that may be lazily computed, and that involves all manner of thread
885 * bytecode/CodeOrigin.cpp:
886 (JSC::InlineCallFrame::hash):
887 * dfg/DFGAbstractInterpreterInlines.h:
888 (JSC::DFG::::executeEffects):
889 * dfg/DFGByteCodeParser.cpp:
890 (JSC::DFG::ByteCodeParser::handleGetByOffset):
891 (JSC::DFG::ByteCodeParser::handlePutByOffset):
892 (JSC::DFG::ByteCodeParser::parseBlock):
893 * dfg/DFGCFAPhase.cpp:
894 (JSC::DFG::CFAPhase::performBlockCFA):
895 * dfg/DFGConstantFoldingPhase.cpp:
896 (JSC::DFG::ConstantFoldingPhase::foldConstants):
897 * dfg/DFGFixupPhase.cpp:
898 (JSC::DFG::FixupPhase::fixupNode):
902 (JSC::DFG::Node::convertToGetByOffset):
903 * dfg/DFGSpeculativeJIT64.cpp:
904 (JSC::DFG::SpeculativeJIT::compile):
905 * ftl/FTLLowerDFGToLLVM.cpp:
906 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
907 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
908 * runtime/FunctionExecutableDump.cpp:
909 (JSC::FunctionExecutableDump::dump):
910 * runtime/Structure.h:
912 (JSC::Structure::isValidOffset):
914 2013-07-18 Filip Pizlo <fpizlo@apple.com>
916 fourthTier: AbstractInterpreter should explicitly ask AbstractState to create new AbstractValues for newly born nodes
917 https://bugs.webkit.org/show_bug.cgi?id=118880
919 Reviewed by Sam Weinig.
921 It should be possible to have an AbstractState that is backed by a HashMap. But to
922 do this, the AbstractInterpreter should explicitly ask for new nodes to be added to
923 the map, since otherwise the idiom of getting a reference to the AbstractValue
924 returned by forNode() would cause really subtle memory corruption bugs.
926 * dfg/DFGAbstractInterpreterInlines.h:
927 (JSC::DFG::::executeEffects):
928 * dfg/DFGInPlaceAbstractState.h:
929 (JSC::DFG::InPlaceAbstractState::createValueForNode):
930 (InPlaceAbstractState):
932 2013-07-18 Filip Pizlo <fpizlo@apple.com>
934 fourthTier: Decouple the way that CFA stores its state from the way it does abstract interpretation
935 https://bugs.webkit.org/show_bug.cgi?id=118835
937 Reviewed by Oliver Hunt.
939 This separates AbstractState into two things:
941 - InPlaceAbstractState, which can tell you the abstract state of anything you
942 might care about, and uses the old AbstractState's algorithms and data
943 structures for doing so.
945 - AbstractInterpreter<AbstractStateType>, which can execute a DFG::Node* with
946 respect to an AbstractStateType. Currently we always use
947 AbstractStateType = InPlaceAbstractState. But we could drop in an other
948 class that supports basic primitives like forNode() and variables().
950 This is important because:
952 - We want to hoist things out of loops.
954 - We don't know what things rely on what type checks.
956 - We only want to hoist type checks out of loops if they aren't clobbered.
958 - We may want to still hoist things that depended on those type checks, if it's
959 safe to do those things based on the CFA state at the tail of the loop
962 - We don't want things to rely on their type checks by way of a token, because
965 So, we want to be able to have a special form of the CFA that can
966 incrementally update a basic block's state-at-tail, and we want to be able to
967 do this for multiple blocks simultaneously. This requires *not* storing the
968 per-node state in the nodes themselves, but instead using the at-tail HashMap
971 Hence we need to have a way of making the abstract interpreter (i.e.
972 AbstractState::execute) polymorphic with respect to state representation. Put
973 another way, we need to separate the way that abstract state is represented
974 from the way DFG IR is abstractly interpreted.
976 * JavaScriptCore.xcodeproj/project.pbxproj:
977 * dfg/DFGAbstractInterpreter.h: Added.
979 (AbstractInterpreter):
980 (JSC::DFG::AbstractInterpreter::forNode):
981 (JSC::DFG::AbstractInterpreter::variables):
982 (JSC::DFG::AbstractInterpreter::needsTypeCheck):
983 (JSC::DFG::AbstractInterpreter::filterEdgeByUse):
984 (JSC::DFG::AbstractInterpreter::filter):
985 (JSC::DFG::AbstractInterpreter::filterArrayModes):
986 (JSC::DFG::AbstractInterpreter::filterByValue):
987 (JSC::DFG::AbstractInterpreter::trySetConstant):
988 (JSC::DFG::AbstractInterpreter::filterByType):
989 * dfg/DFGAbstractInterpreterInlines.h: Added.
991 (JSC::DFG::::AbstractInterpreter):
992 (JSC::DFG::::~AbstractInterpreter):
993 (JSC::DFG::::booleanResult):
994 (JSC::DFG::::startExecuting):
995 (JSC::DFG::::executeEdges):
996 (JSC::DFG::::verifyEdge):
997 (JSC::DFG::::verifyEdges):
998 (JSC::DFG::::executeEffects):
999 (JSC::DFG::::execute):
1000 (JSC::DFG::::clobberWorld):
1001 (JSC::DFG::::clobberCapturedVars):
1002 (JSC::DFG::::clobberStructures):
1004 (JSC::DFG::::filter):
1005 (JSC::DFG::::filterArrayModes):
1006 (JSC::DFG::::filterByValue):
1007 * dfg/DFGAbstractState.cpp: Removed.
1008 * dfg/DFGAbstractState.h: Removed.
1009 * dfg/DFGArgumentsSimplificationPhase.cpp:
1010 * dfg/DFGCFAPhase.cpp:
1011 (JSC::DFG::CFAPhase::CFAPhase):
1012 (JSC::DFG::CFAPhase::performBlockCFA):
1014 * dfg/DFGCFGSimplificationPhase.cpp:
1015 * dfg/DFGConstantFoldingPhase.cpp:
1016 (JSC::DFG::ConstantFoldingPhase::ConstantFoldingPhase):
1017 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1018 (ConstantFoldingPhase):
1019 * dfg/DFGInPlaceAbstractState.cpp: Added.
1021 (JSC::DFG::InPlaceAbstractState::InPlaceAbstractState):
1022 (JSC::DFG::InPlaceAbstractState::~InPlaceAbstractState):
1023 (JSC::DFG::InPlaceAbstractState::beginBasicBlock):
1024 (JSC::DFG::setLiveValues):
1025 (JSC::DFG::InPlaceAbstractState::initialize):
1026 (JSC::DFG::InPlaceAbstractState::endBasicBlock):
1027 (JSC::DFG::InPlaceAbstractState::reset):
1028 (JSC::DFG::InPlaceAbstractState::mergeStateAtTail):
1029 (JSC::DFG::InPlaceAbstractState::merge):
1030 (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1031 (JSC::DFG::InPlaceAbstractState::mergeVariableBetweenBlocks):
1032 * dfg/DFGInPlaceAbstractState.h: Added.
1034 (InPlaceAbstractState):
1035 (JSC::DFG::InPlaceAbstractState::forNode):
1036 (JSC::DFG::InPlaceAbstractState::variables):
1037 (JSC::DFG::InPlaceAbstractState::block):
1038 (JSC::DFG::InPlaceAbstractState::didClobber):
1039 (JSC::DFG::InPlaceAbstractState::isValid):
1040 (JSC::DFG::InPlaceAbstractState::setDidClobber):
1041 (JSC::DFG::InPlaceAbstractState::setIsValid):
1042 (JSC::DFG::InPlaceAbstractState::setBranchDirection):
1043 (JSC::DFG::InPlaceAbstractState::setFoundConstants):
1044 (JSC::DFG::InPlaceAbstractState::haveStructures):
1045 (JSC::DFG::InPlaceAbstractState::setHaveStructures):
1046 * dfg/DFGMergeMode.h: Added.
1048 * dfg/DFGSpeculativeJIT.cpp:
1049 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
1050 (JSC::DFG::SpeculativeJIT::backwardTypeCheck):
1051 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1052 (JSC::DFG::SpeculativeJIT::compileToStringOnCell):
1053 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
1054 (JSC::DFG::SpeculativeJIT::speculateStringObject):
1055 (JSC::DFG::SpeculativeJIT::speculateStringOrStringObject):
1056 * dfg/DFGSpeculativeJIT.h:
1057 (JSC::DFG::SpeculativeJIT::needsTypeCheck):
1059 * dfg/DFGSpeculativeJIT32_64.cpp:
1060 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1061 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1062 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1063 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1064 * dfg/DFGSpeculativeJIT64.cpp:
1065 (JSC::DFG::SpeculativeJIT::fillSpeculateIntInternal):
1066 (JSC::DFG::SpeculativeJIT::fillSpeculateDouble):
1067 (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
1068 (JSC::DFG::SpeculativeJIT::fillSpeculateBoolean):
1069 * ftl/FTLLowerDFGToLLVM.cpp:
1071 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1072 (JSC::FTL::LowerDFGToLLVM::compileNode):
1073 (JSC::FTL::LowerDFGToLLVM::appendTypeCheck):
1074 (JSC::FTL::LowerDFGToLLVM::speculate):
1075 (JSC::FTL::LowerDFGToLLVM::speculateNumber):
1076 (JSC::FTL::LowerDFGToLLVM::speculateRealNumber):
1079 2013-07-18 Filip Pizlo <fpizlo@apple.com>
1081 fourthTier: DFG shouldn't create CheckStructures for array accesses except if the ArrayMode implies an original array access
1082 https://bugs.webkit.org/show_bug.cgi?id=118867
1084 Reviewed by Mark Hahnenberg.
1086 This allows us to kill off a bunch of code in the parser, in fixup, and to simplify
1089 It also makes it easier to ask any array-using node how to create its type check.
1091 Doing this required fixing a bug in LowLevelInterpreter64, where it was storing into
1092 an array profile, thinking that it was storing into a value profile. Reshuffling the
1093 fields in ArrayProfile revealed this.
1095 * bytecode/ArrayProfile.cpp:
1096 (JSC::ArrayProfile::computeUpdatedPrediction):
1097 (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
1098 * bytecode/ArrayProfile.h:
1099 (JSC::ArrayProfile::ArrayProfile):
1101 * bytecode/CodeBlock.cpp:
1102 (JSC::CodeBlock::updateAllArrayPredictions):
1103 (JSC::CodeBlock::updateAllPredictions):
1104 * bytecode/CodeBlock.h:
1106 (JSC::CodeBlock::updateAllArrayPredictions):
1107 * dfg/DFGArrayMode.h:
1109 * dfg/DFGByteCodeParser.cpp:
1110 (JSC::DFG::ByteCodeParser::getArrayModeConsideringSlowPath):
1111 (JSC::DFG::ByteCodeParser::parseBlock):
1112 * dfg/DFGFixupPhase.cpp:
1113 (JSC::DFG::FixupPhase::fixupNode):
1115 (JSC::DFG::FixupPhase::checkArray):
1116 (JSC::DFG::FixupPhase::blessArrayOperation):
1117 * llint/LowLevelInterpreter64.asm:
1119 2013-07-18 Filip Pizlo <fpizlo@apple.com>
1121 fourthTier: CFA should consider live-at-head for clobbering and dumping
1122 https://bugs.webkit.org/show_bug.cgi?id=118857
1124 Reviewed by Mark Hahnenberg.
1126 - clobberStructures() was not considering nodes live-at-head when in SSA
1127 form. This means it would fail to clobber some structures.
1129 - dump() was not considering nodes live-at-head when in SSA form. This
1130 means it wouldn't dump everything that you might be interested in.
1132 - AbstractState::m_currentNode is a useless variable and we should get
1135 * dfg/DFGAbstractState.cpp:
1136 (JSC::DFG::AbstractState::AbstractState):
1137 (JSC::DFG::AbstractState::beginBasicBlock):
1138 (JSC::DFG::AbstractState::reset):
1139 (JSC::DFG::AbstractState::startExecuting):
1140 (JSC::DFG::AbstractState::clobberStructures):
1141 (JSC::DFG::AbstractState::dump):
1142 * dfg/DFGAbstractState.h:
1145 2013-07-16 Filip Pizlo <fpizlo@apple.com>
1147 fourthTier: Add a phase to create loop pre-headers
1148 https://bugs.webkit.org/show_bug.cgi?id=118778
1150 Reviewed by Oliver Hunt.
1152 Add a loop pre-header creation phase. Any loop that doesn't already have
1153 just one predecessor that isn't part of the loop has a pre-header
1154 prepended. All non-loop predecessors then jump to that pre-header.
1156 Also fix a handful of bugs:
1158 - DFG::Analysis should set m_valid before running the analysis, since that
1159 makes it easier to use ASSERT(m_valid) in the analysis' methods, which
1160 may be called by the analysis before the analysis completes. NaturalLoops
1161 does this with loopsOf().
1163 - NaturalLoops::headerOf() was missing a check for innerMostLoopOf()
1164 returning 0, since that'll happen if the block isn't in any loop.
1166 - Change BlockInsertionSet to dethread the graph, since anyone using it
1169 - Change dethreading to ignore SSA form graphs.
1171 This also adds NaturalLoops::belongsTo(), which I always used in the
1172 pre-header creation phase. I didn't end up using it but I'll probably use
1173 it in the near future.
1175 * JavaScriptCore.xcodeproj/project.pbxproj:
1176 * dfg/DFGAnalysis.h:
1177 (JSC::DFG::Analysis::computeIfNecessary):
1178 * dfg/DFGBlockInsertionSet.cpp:
1179 (JSC::DFG::BlockInsertionSet::execute):
1180 * dfg/DFGCriticalEdgeBreakingPhase.cpp:
1181 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
1183 (JSC::DFG::Graph::dethread):
1184 * dfg/DFGLoopPreHeaderCreationPhase.cpp: Added.
1186 (LoopPreHeaderCreationPhase):
1187 (JSC::DFG::LoopPreHeaderCreationPhase::LoopPreHeaderCreationPhase):
1188 (JSC::DFG::LoopPreHeaderCreationPhase::run):
1189 (JSC::DFG::performLoopPreHeaderCreation):
1190 * dfg/DFGLoopPreHeaderCreationPhase.h: Added.
1192 * dfg/DFGNaturalLoops.h:
1194 (JSC::DFG::NaturalLoops::headerOf):
1195 (JSC::DFG::NaturalLoops::innerMostLoopOf):
1196 (JSC::DFG::NaturalLoops::innerMostOuterLoop):
1197 (JSC::DFG::NaturalLoops::belongsTo):
1200 (JSC::DFG::Plan::compileInThreadImpl):
1202 2013-07-16 Filip Pizlo <fpizlo@apple.com>
1204 fourthTier: Rationalize Node::replacement
1205 https://bugs.webkit.org/show_bug.cgi?id=118774
1207 Reviewed by Oliver Hunt.
1209 - Clearing of replacements is now done in Graph::clearReplacements().
1211 - New nodes now have replacement set to 0.
1213 - Node::replacement is now part of a 'misc' union. I'll be putting at least
1214 one other field into that union as part of LICM work (see
1215 https://bugs.webkit.org/show_bug.cgi?id=118749).
1217 * dfg/DFGCPSRethreadingPhase.cpp:
1218 (JSC::DFG::CPSRethreadingPhase::run):
1219 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1220 (JSC::DFG::CPSRethreadingPhase::canonicalizeGetLocalFor):
1221 * dfg/DFGCSEPhase.cpp:
1222 (JSC::DFG::CSEPhase::run):
1223 (JSC::DFG::CSEPhase::setReplacement):
1224 (JSC::DFG::CSEPhase::performBlockCSE):
1227 (JSC::DFG::Graph::clearReplacements):
1229 (JSC::DFG::Graph::performSubstitutionForEdge):
1232 (JSC::DFG::Node::Node):
1233 * dfg/DFGSSAConversionPhase.cpp:
1234 (JSC::DFG::SSAConversionPhase::run):
1236 2013-07-16 Filip Pizlo <fpizlo@apple.com>
1238 fourthTier: NaturalLoops should be able to quickly answer questions like "what loops own this basic block"
1239 https://bugs.webkit.org/show_bug.cgi?id=118750
1241 Reviewed by Mark Hahnenberg.
1243 * dfg/DFGBasicBlock.h:
1245 * dfg/DFGNaturalLoops.cpp:
1246 (JSC::DFG::NaturalLoops::compute):
1247 (JSC::DFG::NaturalLoops::loopsOf):
1248 * dfg/DFGNaturalLoops.h:
1250 (JSC::DFG::NaturalLoop::NaturalLoop):
1252 (JSC::DFG::NaturalLoop::index):
1253 (JSC::DFG::NaturalLoop::isOuterMostLoop):
1254 (JSC::DFG::NaturalLoop::addBlock):
1255 (JSC::DFG::NaturalLoops::headerOf):
1256 (JSC::DFG::NaturalLoops::innerMostLoopOf):
1258 (JSC::DFG::NaturalLoops::innerMostOuterLoop):
1260 (JSC::DFG::Plan::compileInThreadImpl):
1262 2013-07-16 Filip Pizlo <fpizlo@apple.com>
1264 fourthTier: don't GC when shutting down the VM
1265 https://bugs.webkit.org/show_bug.cgi?id=118751
1267 Reviewed by Mark Hahnenberg.
1274 2013-07-12 Filip Pizlo <fpizlo@apple.com>
1276 fourthTier: DFG should have an SSA form for use by FTL
1277 https://bugs.webkit.org/show_bug.cgi?id=118338
1279 Reviewed by Mark Hahnenberg.
1281 Adds an SSA form to the DFG. We can convert ThreadedCPS form into SSA form
1282 after breaking critical edges. The conversion algorithm follows Aycock and
1283 Horspool, and the SSA form itself follows something I've done before, where
1284 instead of having Phi functions specify input nodes corresponding to block
1285 predecessors, we instead have Upsilon functions in the predecessors that
1286 specify which value in that block goes into which subsequent Phi. Upsilons
1287 don't have to dominate Phis (usually they don't) and they correspond to a
1288 non-SSA "mov" into the Phi's "variable". This gives all of the good
1289 properties of SSA, while ensuring that a bunch of CFG transformations don't
1290 have to be SSA-aware.
1292 So far the only DFG phases that are SSA-aware are DCE and CFA. CFG
1293 simplification is probably SSA-aware by default, though I haven't tried it.
1294 Constant folding probably needs a few tweaks, but is likely ready. Ditto
1295 for CSE, though it's not clear that we'd want to use block-local CSE when
1296 we could be doing GVN.
1298 Currently only the FTL can generate code from the SSA form, and there is no
1299 way to convert from SSA to ThreadedCPS or LoadStore. There probably will
1300 never be such a capability.
1302 In order to handle OSR exit state in the SSA, we place MovHints at Phi
1303 points. Other than that, you can reconstruct state-at-exit by forward
1304 propagating MovHints. Note that MovHint is the new SetLocal in SSA.
1305 SetLocal and GetLocal only survive into SSA if they are on captured
1306 variables, or in the case of flushes. A "live SetLocal" will be
1307 NodeMustGenerate and will always correspond to a flush. Computing the
1308 state-at-exit requires running SSA liveness analysis, OSR availability
1309 analysis, and flush liveness analysis. The FTL runs all of these prior to
1310 generating code. While OSR exit continues to be tricky, much of the logic
1311 is now factored into separate phases and the backend has to do less work
1312 to reason about what happened outside of the basic block that is being
1315 Conversion from DFG SSA to LLVM SSA is done by ensuring that we generate
1316 code in depth-first order, thus guaranteeing that a node will always be
1317 lowered (and hence have a LValue) before any of the blocks dominated by
1318 that node's block have code generated. For Upsilon/Phi, we just use
1319 alloca's. We could do something more clever there, but it's probably not
1320 worth it, at least not now.
1322 Finally, while the SSA form is currently only being converted to LLVM IR,
1323 there is nothing that prevents us from considering other backends in the
1324 future - with the caveat that this form is designed to be first lowered to
1325 a lower-level SSA before actual machine code generation commences. So we
1326 ought to either use LLVM (the intended path) or we will have to write our
1327 own SSA low-level backend.
1329 This runs all of the code that the FTL was known to run previously. No
1330 change in performance for now. But it does open some exciting
1333 * JavaScriptCore.xcodeproj/project.pbxproj:
1334 * bytecode/Operands.h:
1335 (JSC::OperandValueTraits::dump):
1336 (JSC::Operands::fill):
1338 (JSC::Operands::clear):
1339 (JSC::Operands::operator==):
1340 * dfg/DFGAbstractState.cpp:
1341 (JSC::DFG::AbstractState::beginBasicBlock):
1342 (JSC::DFG::setLiveValues):
1344 (JSC::DFG::AbstractState::initialize):
1345 (JSC::DFG::AbstractState::endBasicBlock):
1346 (JSC::DFG::AbstractState::executeEffects):
1347 (JSC::DFG::AbstractState::mergeStateAtTail):
1348 (JSC::DFG::AbstractState::merge):
1349 * dfg/DFGAbstractState.h:
1351 * dfg/DFGAdjacencyList.h:
1352 (JSC::DFG::AdjacencyList::justOneChild):
1354 * dfg/DFGBasicBlock.cpp: Added.
1356 (JSC::DFG::BasicBlock::BasicBlock):
1357 (JSC::DFG::BasicBlock::~BasicBlock):
1358 (JSC::DFG::BasicBlock::ensureLocals):
1359 (JSC::DFG::BasicBlock::isInPhis):
1360 (JSC::DFG::BasicBlock::isInBlock):
1361 (JSC::DFG::BasicBlock::removePredecessor):
1362 (JSC::DFG::BasicBlock::replacePredecessor):
1363 (JSC::DFG::BasicBlock::dump):
1364 (JSC::DFG::BasicBlock::SSAData::SSAData):
1365 (JSC::DFG::BasicBlock::SSAData::~SSAData):
1366 * dfg/DFGBasicBlock.h:
1368 (JSC::DFG::BasicBlock::operator[]):
1369 (JSC::DFG::BasicBlock::successor):
1370 (JSC::DFG::BasicBlock::successorForCondition):
1372 * dfg/DFGBasicBlockInlines.h:
1374 * dfg/DFGBlockInsertionSet.cpp: Added.
1376 (JSC::DFG::BlockInsertionSet::BlockInsertionSet):
1377 (JSC::DFG::BlockInsertionSet::~BlockInsertionSet):
1378 (JSC::DFG::BlockInsertionSet::insert):
1379 (JSC::DFG::BlockInsertionSet::insertBefore):
1380 (JSC::DFG::BlockInsertionSet::execute):
1381 * dfg/DFGBlockInsertionSet.h: Added.
1383 (BlockInsertionSet):
1384 * dfg/DFGCFAPhase.cpp:
1385 (JSC::DFG::CFAPhase::run):
1386 * dfg/DFGCFGSimplificationPhase.cpp:
1387 * dfg/DFGCPSRethreadingPhase.cpp:
1388 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlock):
1389 * dfg/DFGCommon.cpp:
1390 (WTF::printInternal):
1392 (JSC::DFG::doesKill):
1394 (JSC::DFG::killStatusForDoesKill):
1395 * dfg/DFGConstantFoldingPhase.cpp:
1396 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1397 (JSC::DFG::ConstantFoldingPhase::isCapturedAtOrAfter):
1398 * dfg/DFGCriticalEdgeBreakingPhase.cpp: Added.
1400 (CriticalEdgeBreakingPhase):
1401 (JSC::DFG::CriticalEdgeBreakingPhase::CriticalEdgeBreakingPhase):
1402 (JSC::DFG::CriticalEdgeBreakingPhase::run):
1403 (JSC::DFG::CriticalEdgeBreakingPhase::breakCriticalEdge):
1404 (JSC::DFG::performCriticalEdgeBreaking):
1405 * dfg/DFGCriticalEdgeBreakingPhase.h: Added.
1407 * dfg/DFGDCEPhase.cpp:
1408 (JSC::DFG::DCEPhase::run):
1409 (JSC::DFG::DCEPhase::findTypeCheckRoot):
1410 (JSC::DFG::DCEPhase::countNode):
1412 (JSC::DFG::DCEPhase::countEdge):
1413 (JSC::DFG::DCEPhase::eliminateIrrelevantPhantomChildren):
1414 * dfg/DFGDriver.cpp:
1415 (JSC::DFG::compile):
1417 (JSC::DFG::Edge::dump):
1419 (JSC::DFG::Edge::Edge):
1420 (JSC::DFG::Edge::setNode):
1421 (JSC::DFG::Edge::useKindUnchecked):
1422 (JSC::DFG::Edge::setUseKind):
1423 (JSC::DFG::Edge::setProofStatus):
1424 (JSC::DFG::Edge::willNotHaveCheck):
1425 (JSC::DFG::Edge::willHaveCheck):
1427 (JSC::DFG::Edge::killStatusUnchecked):
1428 (JSC::DFG::Edge::killStatus):
1429 (JSC::DFG::Edge::setKillStatus):
1430 (JSC::DFG::Edge::doesKill):
1431 (JSC::DFG::Edge::doesNotKill):
1432 (JSC::DFG::Edge::shift):
1433 (JSC::DFG::Edge::makeWord):
1434 * dfg/DFGFixupPhase.cpp:
1435 (JSC::DFG::FixupPhase::fixupNode):
1436 * dfg/DFGFlushFormat.cpp: Added.
1438 (WTF::printInternal):
1439 * dfg/DFGFlushFormat.h: Added.
1441 (JSC::DFG::resultFor):
1442 (JSC::DFG::useKindFor):
1444 * dfg/DFGFlushLivenessAnalysisPhase.cpp: Added.
1446 (FlushLivenessAnalysisPhase):
1447 (JSC::DFG::FlushLivenessAnalysisPhase::FlushLivenessAnalysisPhase):
1448 (JSC::DFG::FlushLivenessAnalysisPhase::run):
1449 (JSC::DFG::FlushLivenessAnalysisPhase::process):
1450 (JSC::DFG::FlushLivenessAnalysisPhase::setForNode):
1451 (JSC::DFG::FlushLivenessAnalysisPhase::flushFormat):
1452 (JSC::DFG::performFlushLivenessAnalysis):
1453 * dfg/DFGFlushLivenessAnalysisPhase.h: Added.
1456 (JSC::DFG::Graph::dump):
1457 (JSC::DFG::Graph::dumpBlockHeader):
1459 (JSC::DFG::Graph::addForDepthFirstSort):
1460 (JSC::DFG::Graph::getBlocksInDepthFirstOrder):
1462 (JSC::DFG::Graph::convertToConstant):
1463 (JSC::DFG::Graph::valueProfileFor):
1465 * dfg/DFGInsertionSet.h:
1467 (JSC::DFG::InsertionSet::execute):
1468 * dfg/DFGLivenessAnalysisPhase.cpp: Added.
1470 (LivenessAnalysisPhase):
1471 (JSC::DFG::LivenessAnalysisPhase::LivenessAnalysisPhase):
1472 (JSC::DFG::LivenessAnalysisPhase::run):
1473 (JSC::DFG::LivenessAnalysisPhase::process):
1474 (JSC::DFG::LivenessAnalysisPhase::addChildUse):
1475 (JSC::DFG::performLivenessAnalysis):
1476 * dfg/DFGLivenessAnalysisPhase.h: Added.
1479 (JSC::DFG::Node::hasVariableAccessData):
1484 (JSC::DFG::Node::hasLocal):
1485 (JSC::DFG::Node::variableAccessData):
1486 (JSC::DFG::Node::hasPhi):
1487 (JSC::DFG::Node::phi):
1488 (JSC::DFG::Node::takenBlock):
1489 (JSC::DFG::Node::notTakenBlock):
1490 (JSC::DFG::Node::successor):
1491 (JSC::DFG::Node::successorForCondition):
1492 (JSC::DFG::nodeComparator):
1493 (JSC::DFG::nodeListDump):
1494 (JSC::DFG::nodeMapDump):
1495 * dfg/DFGNodeFlags.cpp:
1496 (JSC::DFG::dumpNodeFlags):
1497 * dfg/DFGNodeType.h:
1499 * dfg/DFGOSRAvailabilityAnalysisPhase.cpp: Added.
1501 (OSRAvailabilityAnalysisPhase):
1502 (JSC::DFG::OSRAvailabilityAnalysisPhase::OSRAvailabilityAnalysisPhase):
1503 (JSC::DFG::OSRAvailabilityAnalysisPhase::run):
1504 (JSC::DFG::performOSRAvailabilityAnalysis):
1505 * dfg/DFGOSRAvailabilityAnalysisPhase.h: Added.
1508 (JSC::DFG::Plan::compileInThreadImpl):
1509 * dfg/DFGPredictionInjectionPhase.cpp:
1510 (JSC::DFG::PredictionInjectionPhase::run):
1511 * dfg/DFGPredictionPropagationPhase.cpp:
1512 (JSC::DFG::PredictionPropagationPhase::propagate):
1513 * dfg/DFGSSAConversionPhase.cpp: Added.
1515 (SSAConversionPhase):
1516 (JSC::DFG::SSAConversionPhase::SSAConversionPhase):
1517 (JSC::DFG::SSAConversionPhase::run):
1518 (JSC::DFG::SSAConversionPhase::forwardPhiChildren):
1519 (JSC::DFG::SSAConversionPhase::forwardPhi):
1520 (JSC::DFG::SSAConversionPhase::forwardPhiEdge):
1521 (JSC::DFG::SSAConversionPhase::deduplicateChildren):
1522 (JSC::DFG::SSAConversionPhase::addFlushedLocalOp):
1523 (JSC::DFG::SSAConversionPhase::addFlushedLocalEdge):
1524 (JSC::DFG::performSSAConversion):
1525 * dfg/DFGSSAConversionPhase.h: Added.
1527 * dfg/DFGSpeculativeJIT32_64.cpp:
1528 (JSC::DFG::SpeculativeJIT::compile):
1529 * dfg/DFGSpeculativeJIT64.cpp:
1530 (JSC::DFG::SpeculativeJIT::compile):
1531 * dfg/DFGValidate.cpp:
1532 (JSC::DFG::Validate::validate):
1534 (JSC::DFG::Validate::validateCPS):
1535 * dfg/DFGVariableAccessData.h:
1536 (JSC::DFG::VariableAccessData::flushFormat):
1537 (VariableAccessData):
1538 * ftl/FTLCapabilities.cpp:
1539 (JSC::FTL::canCompile):
1540 * ftl/FTLLowerDFGToLLVM.cpp:
1541 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1542 (JSC::FTL::LowerDFGToLLVM::lower):
1543 (JSC::FTL::LowerDFGToLLVM::createPhiVariables):
1544 (JSC::FTL::LowerDFGToLLVM::compileBlock):
1545 (JSC::FTL::LowerDFGToLLVM::compileNode):
1546 (JSC::FTL::LowerDFGToLLVM::compileUpsilon):
1548 (JSC::FTL::LowerDFGToLLVM::compilePhi):
1549 (JSC::FTL::LowerDFGToLLVM::compileJSConstant):
1550 (JSC::FTL::LowerDFGToLLVM::compileWeakJSConstant):
1551 (JSC::FTL::LowerDFGToLLVM::compileGetArgument):
1552 (JSC::FTL::LowerDFGToLLVM::compileGetLocal):
1553 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
1554 (JSC::FTL::LowerDFGToLLVM::compileAdd):
1555 (JSC::FTL::LowerDFGToLLVM::compileArithSub):
1556 (JSC::FTL::LowerDFGToLLVM::compileArithMul):
1557 (JSC::FTL::LowerDFGToLLVM::compileArithDiv):
1558 (JSC::FTL::LowerDFGToLLVM::compileArithMod):
1559 (JSC::FTL::LowerDFGToLLVM::compileArithMinOrMax):
1560 (JSC::FTL::LowerDFGToLLVM::compileArithAbs):
1561 (JSC::FTL::LowerDFGToLLVM::compileArithNegate):
1562 (JSC::FTL::LowerDFGToLLVM::compileBitAnd):
1563 (JSC::FTL::LowerDFGToLLVM::compileBitOr):
1564 (JSC::FTL::LowerDFGToLLVM::compileBitXor):
1565 (JSC::FTL::LowerDFGToLLVM::compileBitRShift):
1566 (JSC::FTL::LowerDFGToLLVM::compileBitLShift):
1567 (JSC::FTL::LowerDFGToLLVM::compileBitURShift):
1568 (JSC::FTL::LowerDFGToLLVM::compileUInt32ToNumber):
1569 (JSC::FTL::LowerDFGToLLVM::compileInt32ToDouble):
1570 (JSC::FTL::LowerDFGToLLVM::compileGetButterfly):
1571 (JSC::FTL::LowerDFGToLLVM::compileGetArrayLength):
1572 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
1573 (JSC::FTL::LowerDFGToLLVM::compileGetByOffset):
1574 (JSC::FTL::LowerDFGToLLVM::compileGetGlobalVar):
1575 (JSC::FTL::LowerDFGToLLVM::compileCompareEqConstant):
1576 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEq):
1577 (JSC::FTL::LowerDFGToLLVM::compileCompareStrictEqConstant):
1578 (JSC::FTL::LowerDFGToLLVM::compileCompareLess):
1579 (JSC::FTL::LowerDFGToLLVM::compileCompareLessEq):
1580 (JSC::FTL::LowerDFGToLLVM::compileCompareGreater):
1581 (JSC::FTL::LowerDFGToLLVM::compileCompareGreaterEq):
1582 (JSC::FTL::LowerDFGToLLVM::compileLogicalNot):
1583 (JSC::FTL::LowerDFGToLLVM::speculateBackward):
1584 (JSC::FTL::LowerDFGToLLVM::lowInt32):
1585 (JSC::FTL::LowerDFGToLLVM::lowCell):
1586 (JSC::FTL::LowerDFGToLLVM::lowBoolean):
1587 (JSC::FTL::LowerDFGToLLVM::lowDouble):
1588 (JSC::FTL::LowerDFGToLLVM::lowJSValue):
1589 (JSC::FTL::LowerDFGToLLVM::lowStorage):
1590 (JSC::FTL::LowerDFGToLLVM::speculate):
1591 (JSC::FTL::LowerDFGToLLVM::speculateBoolean):
1592 (JSC::FTL::LowerDFGToLLVM::isLive):
1593 (JSC::FTL::LowerDFGToLLVM::use):
1594 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
1595 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1596 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1597 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
1598 (JSC::FTL::LowerDFGToLLVM::linkOSRExitsAndCompleteInitializationBlocks):
1599 (JSC::FTL::LowerDFGToLLVM::setInt32):
1600 (JSC::FTL::LowerDFGToLLVM::setJSValue):
1601 (JSC::FTL::LowerDFGToLLVM::setBoolean):
1602 (JSC::FTL::LowerDFGToLLVM::setStorage):
1603 (JSC::FTL::LowerDFGToLLVM::setDouble):
1604 (JSC::FTL::LowerDFGToLLVM::isValid):
1605 * ftl/FTLLoweredNodeValue.h: Added.
1608 (JSC::FTL::LoweredNodeValue::LoweredNodeValue):
1609 (JSC::FTL::LoweredNodeValue::isSet):
1610 (JSC::FTL::LoweredNodeValue::operator!):
1611 (JSC::FTL::LoweredNodeValue::value):
1612 (JSC::FTL::LoweredNodeValue::block):
1613 * ftl/FTLValueFromBlock.h:
1614 (JSC::FTL::ValueFromBlock::ValueFromBlock):
1616 * ftl/FTLValueSource.cpp:
1617 (JSC::FTL::ValueSource::dump):
1618 * ftl/FTLValueSource.h:
1620 2013-07-11 Mark Lam <mark.lam@apple.com>
1622 Resurrect the CLoop LLINT on the FTL branch.
1623 https://bugs.webkit.org/show_bug.cgi?id=118144.
1625 Reviewed by Mark Hahnenberg.
1627 * bytecode/CodeBlock.h:
1628 (JSC::CodeBlock::jitType):
1629 - Fix the CodeBlock jitType to be InterpreterThunk when !ENABLE_JIT.
1630 * bytecode/JumpTable.h:
1631 (JSC::SimpleJumpTable::clear):
1632 * interpreter/StackIterator.cpp:
1633 (JSC::StackIterator::Frame::bytecodeOffset):
1634 (JSC::StackIterator::Frame::print):
1637 * jit/JITExceptions.cpp:
1638 (JSC::getExceptionLocation):
1639 * llint/LowLevelInterpreter.cpp:
1640 * offlineasm/cloop.rb:
1641 * runtime/Structure.cpp:
1643 2013-07-08 Filip Pizlo <fpizlo@apple.com>
1645 NaturalLoops + Profiler = Crash
1646 https://bugs.webkit.org/show_bug.cgi?id=118486
1648 Reviewed by Geoffrey Garen.
1650 I borked dominators in:
1651 http://trac.webkit.org/changeset/152431/branches/dfgFourthTier/Source/JavaScriptCore/dfg/DFGDominators.h
1653 This patch also adds some debug support, and fixes the loop that adds a block to
1654 an already-existing natural loop. Note that we currently don't take that path in
1655 most programs, but it will arise, for example if you use 'continue' - though you'd
1656 have to use it rather cleverly since the bytecode will not jump to the loop header
1657 in most uses of 'continue'.
1659 * dfg/DFGDominators.cpp:
1660 (JSC::DFG::Dominators::dump):
1662 * dfg/DFGDominators.h:
1663 (JSC::DFG::Dominators::dominates):
1665 * dfg/DFGNaturalLoops.cpp:
1666 (JSC::DFG::NaturalLoops::compute):
1668 2013-07-08 Filip Pizlo <fpizlo@apple.com>
1670 fourthTier: DFG::AbstractState::beginBasicBlock() should set m_haveStructures if any of the valuesAtHead have either a current known structure or a non-top/non-bottom array modes
1671 https://bugs.webkit.org/show_bug.cgi?id=118489
1673 Reviewed by Mark Hahnenberg.
1675 * bytecode/ArrayProfile.h:
1676 (JSC::arrayModesAreClearOrTop):
1678 * dfg/DFGAbstractState.cpp:
1679 (JSC::DFG::AbstractState::beginBasicBlock):
1680 * dfg/DFGAbstractValue.h:
1681 (JSC::DFG::AbstractValue::hasClobberableState):
1684 2013-07-08 Mark Hahnenberg <mhahnenberg@apple.com>
1686 CheckArray should call the right version of filterArrayModes
1687 https://bugs.webkit.org/show_bug.cgi?id=118488
1689 Reviewed by Filip Pizlo.
1691 Currently in the CFA CheckArray doesn't call the right filterArrayMode which can cause
1692 the CFA to ignore when it sees a contradiction.
1694 * dfg/DFGAbstractState.cpp:
1695 (JSC::DFG::AbstractState::executeEffects):
1697 2013-07-07 Filip Pizlo <fpizlo@apple.com>
1699 fourthTier: Graph::clearAndDerefChild() makes no sense anymore, and neither does Nop
1700 https://bugs.webkit.org/show_bug.cgi?id=118452
1702 Reviewed by Sam Weinig.
1704 Noticed that ArgumentsSimplificationPhase was converting something to a Nop and then
1705 resetting its children using clearAndDerefChild(). Using Nop instead of Phantom is a
1706 holdover from back when we needed a no-MustGenerate no-op. We don't anymore. Using
1707 clearAndDerefChild() was necessary back when we did eager reference counting. We
1708 don't need to do that anymore, and in fact clearAndDerefChild() appeared to not do
1709 any reference counting, so it was badly named to begin with.
1711 * dfg/DFGAbstractState.cpp:
1712 (JSC::DFG::AbstractState::executeEffects):
1713 * dfg/DFGArgumentsSimplificationPhase.cpp:
1714 (JSC::DFG::ArgumentsSimplificationPhase::run):
1715 * dfg/DFGCPSRethreadingPhase.cpp:
1716 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1717 * dfg/DFGCSEPhase.cpp:
1718 (JSC::DFG::CSEPhase::performNodeCSE):
1719 * dfg/DFGFixupPhase.cpp:
1720 (JSC::DFG::FixupPhase::fixupNode):
1724 (JSC::DFG::Node::willHaveCodeGenOrOSR):
1725 * dfg/DFGNodeType.h:
1727 * dfg/DFGPredictionPropagationPhase.cpp:
1728 (JSC::DFG::PredictionPropagationPhase::propagate):
1729 * dfg/DFGSpeculativeJIT32_64.cpp:
1730 (JSC::DFG::SpeculativeJIT::compile):
1731 * dfg/DFGSpeculativeJIT64.cpp:
1732 (JSC::DFG::SpeculativeJIT::compile):
1734 2013-07-04 Filip Pizlo <fpizlo@apple.com>
1736 fourthTier: FTL should better report its compile-times and it should be able to run in a mode where it doesn't spend time generating OSR exits
1737 https://bugs.webkit.org/show_bug.cgi?id=118401
1739 Reviewed by Sam Weinig.
1741 Add two new OSR exit modes, which are useful only for playing with compile times:
1743 - All OSR exits are llvm.trap().
1745 - OSR exits don't take arguments and have no exit value marshaling.
1748 (JSC::DFG::Plan::compileInThread):
1749 (JSC::DFG::Plan::compileInThreadImpl):
1752 * ftl/FTLIntrinsicRepository.h:
1754 * ftl/FTLLowerDFGToLLVM.cpp:
1755 (JSC::FTL::LowerDFGToLLVM::appendOSRExit):
1757 (JSC::FTL::LowerDFGToLLVM::emitOSRExitCall):
1759 (JSC::FTL::Output::trap):
1760 * runtime/Options.h:
1763 2013-07-04 Filip Pizlo <fpizlo@apple.com>
1765 fourthTier: DFG should refer to BasicBlocks by BasicBlock* and not BlockIndex
1766 https://bugs.webkit.org/show_bug.cgi?id=118339
1768 Reviewed by Michael Saboff.
1770 This accomplishes two goals:
1772 1) Simplifies a bunch of code. You can now much more directly get to a successor
1773 or predecessor, since you just get the pointer directly. The backend(s) always
1774 hold onto a pointer to the block they're on, so you don't have to do work to
1775 get the block from the index.
1777 2) It allows for the possibility of inserting blocks into the program.
1778 Previously, if you did that, you'd have to edit all references to blocks since
1779 those references would have outdated indexing after an insertion. Now, if you
1780 change the indexing, you just have to invalidate some analyses and make sure
1781 that you change each block's BasicBlock::index accordingly.
1783 * dfg/DFGAbstractState.cpp:
1784 (JSC::DFG::AbstractState::initialize):
1785 (JSC::DFG::AbstractState::endBasicBlock):
1786 (JSC::DFG::AbstractState::mergeToSuccessors):
1787 * dfg/DFGAbstractState.h:
1789 * dfg/DFGArgumentsSimplificationPhase.cpp:
1790 (JSC::DFG::ArgumentsSimplificationPhase::run):
1791 * dfg/DFGBackwardsPropagationPhase.cpp:
1792 (JSC::DFG::BackwardsPropagationPhase::run):
1793 * dfg/DFGBasicBlock.h:
1795 (JSC::DFG::BasicBlock::BasicBlock):
1796 (JSC::DFG::BasicBlock::size):
1797 (JSC::DFG::BasicBlock::isEmpty):
1798 (JSC::DFG::BasicBlock::at):
1799 (JSC::DFG::BasicBlock::operator[]):
1800 (JSC::DFG::BasicBlock::last):
1801 (JSC::DFG::BasicBlock::resize):
1802 (JSC::DFG::BasicBlock::grow):
1804 (JSC::DFG::BasicBlock::append):
1805 (JSC::DFG::BasicBlock::numSuccessors):
1806 (JSC::DFG::BasicBlock::successor):
1807 (JSC::DFG::BasicBlock::successorForCondition):
1808 (JSC::DFG::BasicBlock::dump):
1810 (JSC::DFG::UnlinkedBlock::UnlinkedBlock):
1811 (JSC::DFG::getBytecodeBeginForBlock):
1812 (JSC::DFG::blockForBytecodeOffset):
1813 * dfg/DFGByteCodeParser.cpp:
1816 (JSC::DFG::ByteCodeParser::handleInlining):
1817 (JSC::DFG::ByteCodeParser::parseBlock):
1818 (JSC::DFG::ByteCodeParser::linkBlock):
1819 (JSC::DFG::ByteCodeParser::linkBlocks):
1820 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
1821 (JSC::DFG::ByteCodeParser::parseCodeBlock):
1822 (JSC::DFG::ByteCodeParser::parse):
1823 * dfg/DFGCFAPhase.cpp:
1824 (JSC::DFG::CFAPhase::performBlockCFA):
1825 (JSC::DFG::CFAPhase::performForwardCFA):
1826 * dfg/DFGCFGSimplificationPhase.cpp:
1827 (JSC::DFG::CFGSimplificationPhase::run):
1828 (JSC::DFG::CFGSimplificationPhase::convertToJump):
1829 * dfg/DFGCPSRethreadingPhase.cpp:
1830 (JSC::DFG::CPSRethreadingPhase::freeUnnecessaryNodes):
1831 (JSC::DFG::CPSRethreadingPhase::canonicalizeLocalsInBlocks):
1832 (JSC::DFG::CPSRethreadingPhase::propagatePhis):
1833 (CPSRethreadingPhase):
1834 * dfg/DFGCSEPhase.cpp:
1835 (JSC::DFG::CSEPhase::run):
1836 * dfg/DFGConstantFoldingPhase.cpp:
1837 (JSC::DFG::ConstantFoldingPhase::run):
1838 (JSC::DFG::ConstantFoldingPhase::foldConstants):
1839 * dfg/DFGDCEPhase.cpp:
1840 (JSC::DFG::DCEPhase::run):
1841 * dfg/DFGDisassembler.cpp:
1842 (JSC::DFG::Disassembler::Disassembler):
1843 (JSC::DFG::Disassembler::createDumpList):
1844 * dfg/DFGDisassembler.h:
1845 (JSC::DFG::Disassembler::setForBlockIndex):
1846 * dfg/DFGDominators.cpp:
1847 (JSC::DFG::Dominators::compute):
1848 (JSC::DFG::Dominators::iterateForBlock):
1849 * dfg/DFGDominators.h:
1850 (JSC::DFG::Dominators::dominates):
1851 * dfg/DFGFixupPhase.cpp:
1852 (JSC::DFG::FixupPhase::run):
1853 (JSC::DFG::FixupPhase::fixupNode):
1855 (JSC::DFG::Graph::dump):
1856 (JSC::DFG::Graph::dumpBlockHeader):
1857 (JSC::DFG::Graph::handleSuccessor):
1858 (JSC::DFG::Graph::determineReachability):
1859 (JSC::DFG::Graph::resetReachability):
1861 (JSC::DFG::Graph::numBlocks):
1862 (JSC::DFG::Graph::block):
1863 (JSC::DFG::Graph::lastBlock):
1865 (JSC::DFG::Graph::appendBlock):
1866 (JSC::DFG::Graph::killBlock):
1868 * dfg/DFGJITCompiler.cpp:
1869 (JSC::DFG::JITCompiler::JITCompiler):
1870 (JSC::DFG::JITCompiler::link):
1871 * dfg/DFGJITCompiler.h:
1872 (JSC::DFG::JITCompiler::setForBlockIndex):
1873 * dfg/DFGNaturalLoops.cpp:
1874 (JSC::DFG::NaturalLoop::dump):
1875 (JSC::DFG::NaturalLoops::compute):
1876 (JSC::DFG::NaturalLoops::loopsOf):
1877 * dfg/DFGNaturalLoops.h:
1878 (JSC::DFG::NaturalLoop::NaturalLoop):
1879 (JSC::DFG::NaturalLoop::addBlock):
1880 (JSC::DFG::NaturalLoop::header):
1881 (JSC::DFG::NaturalLoop::at):
1882 (JSC::DFG::NaturalLoop::operator[]):
1883 (JSC::DFG::NaturalLoop::contains):
1885 (JSC::DFG::NaturalLoops::headerOf):
1889 (JSC::DFG::SwitchCase::SwitchCase):
1890 (JSC::DFG::SwitchCase::withBytecodeIndex):
1892 (JSC::DFG::SwitchCase::targetBytecodeIndex):
1893 (JSC::DFG::SwitchData::SwitchData):
1894 (JSC::DFG::SwitchData::setFallThroughBytecodeIndex):
1895 (JSC::DFG::SwitchData::fallThroughBytecodeIndex):
1897 (JSC::DFG::Node::setTakenBlock):
1898 (JSC::DFG::Node::setNotTakenBlock):
1899 (JSC::DFG::Node::takenBlock):
1900 (JSC::DFG::Node::notTakenBlock):
1901 (JSC::DFG::Node::successor):
1902 (JSC::DFG::Node::successorForCondition):
1903 * dfg/DFGPredictionInjectionPhase.cpp:
1904 (JSC::DFG::PredictionInjectionPhase::run):
1905 * dfg/DFGPredictionPropagationPhase.cpp:
1906 (JSC::DFG::PredictionPropagationPhase::propagateForward):
1907 (JSC::DFG::PredictionPropagationPhase::propagateBackward):
1908 (JSC::DFG::PredictionPropagationPhase::doRoundOfDoubleVoting):
1909 * dfg/DFGSpeculativeJIT.cpp:
1910 (JSC::DFG::SpeculativeJIT::convertLastOSRExitToForward):
1911 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompare):
1912 (JSC::DFG::SpeculativeJIT::nonSpeculativeStrictEq):
1913 (JSC::DFG::SpeculativeJIT::compilePeepHoleDoubleBranch):
1914 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectEquality):
1915 (JSC::DFG::SpeculativeJIT::compilePeepHoleIntegerBranch):
1916 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
1917 (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1918 (JSC::DFG::SpeculativeJIT::compile):
1919 (JSC::DFG::SpeculativeJIT::createOSREntries):
1920 (JSC::DFG::SpeculativeJIT::linkOSREntries):
1921 (JSC::DFG::SpeculativeJIT::compileStrictEqForConstant):
1922 (JSC::DFG::SpeculativeJIT::compileStrictEq):
1923 (JSC::DFG::SpeculativeJIT::compileRegExpExec):
1924 (JSC::DFG::SpeculativeJIT::addBranch):
1925 (JSC::DFG::SpeculativeJIT::linkBranches):
1926 * dfg/DFGSpeculativeJIT.h:
1927 (JSC::DFG::SpeculativeJIT::nextBlock):
1929 (JSC::DFG::SpeculativeJIT::detectPeepHoleBranch):
1930 (JSC::DFG::SpeculativeJIT::branchDouble):
1931 (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
1932 (JSC::DFG::SpeculativeJIT::branch32):
1933 (JSC::DFG::SpeculativeJIT::branchTest32):
1934 (JSC::DFG::SpeculativeJIT::branch64):
1935 (JSC::DFG::SpeculativeJIT::branch8):
1936 (JSC::DFG::SpeculativeJIT::branchPtr):
1937 (JSC::DFG::SpeculativeJIT::branchTestPtr):
1938 (JSC::DFG::SpeculativeJIT::branchTest8):
1939 (JSC::DFG::SpeculativeJIT::jump):
1940 (JSC::DFG::SpeculativeJIT::addBranch):
1941 (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
1943 (JSC::DFG::SpeculativeJIT::BranchRecord::BranchRecord):
1945 * dfg/DFGSpeculativeJIT32_64.cpp:
1946 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1947 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1948 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1949 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1950 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1951 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1952 (JSC::DFG::SpeculativeJIT::emitBranch):
1953 (JSC::DFG::SpeculativeJIT::compile):
1954 * dfg/DFGSpeculativeJIT64.cpp:
1955 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNull):
1956 (JSC::DFG::SpeculativeJIT::nonSpeculativeCompareNull):
1957 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
1958 (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
1959 (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
1960 (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
1961 (JSC::DFG::SpeculativeJIT::emitBranch):
1962 (JSC::DFG::SpeculativeJIT::compile):
1963 * dfg/DFGTypeCheckHoistingPhase.cpp:
1964 (JSC::DFG::TypeCheckHoistingPhase::run):
1965 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1966 (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1967 (JSC::DFG::TypeCheckHoistingPhase::disableHoistingAcrossOSREntries):
1968 * dfg/DFGUnificationPhase.cpp:
1969 (JSC::DFG::UnificationPhase::run):
1970 * dfg/DFGValidate.cpp:
1971 (JSC::DFG::Validate::validate):
1972 (JSC::DFG::Validate::checkOperand):
1973 (JSC::DFG::Validate::reportValidationContext):
1974 * dfg/DFGVirtualRegisterAllocationPhase.cpp:
1975 (JSC::DFG::VirtualRegisterAllocationPhase::run):
1976 * ftl/FTLCapabilities.cpp:
1977 (JSC::FTL::canCompile):
1978 * ftl/FTLLowerDFGToLLVM.cpp:
1979 (JSC::FTL::LowerDFGToLLVM::LowerDFGToLLVM):
1980 (JSC::FTL::LowerDFGToLLVM::lower):
1981 (JSC::FTL::LowerDFGToLLVM::compileBlock):
1982 (JSC::FTL::LowerDFGToLLVM::compileJump):
1983 (JSC::FTL::LowerDFGToLLVM::compileBranch):
1984 (JSC::FTL::LowerDFGToLLVM::lowBlock):
1986 2013-07-04 Filip Pizlo <fpizlo@apple.com>
1988 Unreviewed, add a helpful comment for why DCE is needed in the FTL.
1990 I believe I've now twice down the experiment of disabling DCE in the FTL,
1991 only to realize that this can't work, and that DCE is needed. I'd kind of
1992 like to not make that mistake again.
1995 (JSC::DFG::Plan::compileInThreadImpl):
1997 2013-07-02 Filip Pizlo <fpizlo@apple.com>
1999 fourthTier: DFG::Node::m_opInfo2 should also be a uintptr_t
2000 https://bugs.webkit.org/show_bug.cgi?id=118340
2002 Reviewed by Sam Weinig.
2005 (JSC::DFG::Node::Node):
2007 2013-07-02 Filip Pizlo <fpizlo@apple.com>
2009 Unreviewed, fix 32-bit build.
2011 * assembler/MacroAssembler.h:
2012 (JSC::MacroAssembler::comparePtr):
2014 * dfg/DFGBinarySwitch.cpp:
2015 (JSC::DFG::BinarySwitch::advance):
2016 * dfg/DFGBinarySwitch.h:
2017 (JSC::DFG::BinarySwitch::caseValue):
2019 2013-07-02 Filip Pizlo <fpizlo@apple.com>
2021 fourthTier: Have fewer Arrayify's
2022 https://bugs.webkit.org/show_bug.cgi?id=118335
2024 Reviewed by Mark Hahnenberg.
2026 A lot of Arrayify's arise because some program saw Int32 arrays early on in
2027 execution, but then they all got converted to Double arrays and the program
2028 will never see Int32 arrays ever again. Prior to this change you would always
2029 have an Arrayify in this case. But with this change, the first time that an
2030 ArrayProfile is about to go polymorphic in computeUpdatedPrediction(), it
2031 instead forcibly monomorphises itself to the latest-seen structure.
2032 Thereafter it will never again perform this monomorphisation. This is
2033 controlled by ArrayProfile::m_didPerformFirstRunPruning. This is a 5%
2034 speed-up on Kraken/imaging-gaussian-blur with the FTL enabled, and it
2035 unblocks a bunch of stuff we want to do in the future because it makes a
2036 bunch of loops effect-free.
2038 We will still want to implement Arrayify hoisting in the future, but this is
2039 great anyway because it's better to not have Arrayifications than it is to
2040 have hoisted Arrayifications.
2042 * bytecode/ArrayProfile.cpp:
2043 (JSC::ArrayProfile::computeUpdatedPrediction):
2044 (JSC::ArrayProfile::briefDescription):
2046 (JSC::ArrayProfile::briefDescriptionWithoutUpdating):
2047 * bytecode/ArrayProfile.h:
2048 (JSC::ArrayProfile::ArrayProfile):
2051 2013-07-02 Filip Pizlo <fpizlo@apple.com>
2053 fourthTier: add option to disable OSR entry in loops
2054 https://bugs.webkit.org/show_bug.cgi?id=118329
2056 Reviewed by Mark Hahnenberg.
2058 This adds that option, and also makes the OSR exit reoptimization trigger rely less on
2059 OSR entry failing. Now even if we never attempt OSR entry but our execution counter gets
2060 high after a small number of OSR exits, we will recompile.
2062 * dfg/DFGOSRExitCompilerCommon.cpp:
2063 (JSC::DFG::handleExitCounts):
2064 * dfg/DFGOperations.cpp:
2065 * jit/JITOpcodes.cpp:
2066 (JSC::JIT::emit_op_loop_hint):
2067 (JSC::JIT::emitSlow_op_loop_hint):
2068 * runtime/Options.h:
2071 2013-07-02 Filip Pizlo <fpizlo@apple.com>
2073 fourthTier: since the FTL disassembly hacks cannot distinguish between code and data, the LLVM disassembler symbol table callback should be able to deal gracefully with arbitrary garbage
2074 https://bugs.webkit.org/show_bug.cgi?id=118313
2076 Reviewed by Mark Hahnenberg.
2078 Give it a mode where we can still crash on unrecognized reference types, so that we might
2079 implement them in the future, but by default just print some stuff and keep going.
2081 * disassembler/LLVMDisassembler.cpp:
2083 (JSC::symbolLookupCallback):
2085 2013-07-02 Filip Pizlo <fpizlo@apple.com>
2087 fourthTier: FTL should use the equivalent of llvm opt -O2 by default
2088 https://bugs.webkit.org/show_bug.cgi?id=118311
2090 Reviewed by Mark Hahnenberg.
2092 Use a PassManagerBuilder instead of rolling our own.
2094 This boosts our speed-up by another 5% or so.
2096 * ftl/FTLCompile.cpp:
2097 (JSC::FTL::compile):
2098 * runtime/Options.h:
2101 2013-07-01 Filip Pizlo <fpizlo@apple.com>
2103 fourthTier: FTL should run LICM after AA setup
2104 https://bugs.webkit.org/show_bug.cgi?id=118277
2106 Reviewed by Maciej Stachowiak.
2108 LICM queries alias analysis. Hence, just like GVN, it should run after
2109 we have set up the alias analysis.
2111 * ftl/FTLCompile.cpp:
2112 (JSC::FTL::compile):
2114 2013-07-01 Filip Pizlo <fpizlo@apple.com>
2116 fourthTier: FTL should run AA passes before GVN
2117 https://bugs.webkit.org/show_bug.cgi?id=118276
2119 Rubber stamped by Geoffrey Garen.
2121 These enable load elimination in GVN.
2123 Immediately gives us a speed-up on a bunch of benchmarks I hacked to run
2124 properly in the FTL. One example is 20% on imaging-gaussian-blur. (Fair
2125 warning: the stock version of that benchmark won't see speed-ups -
2126 probably slow-downs instead - because the FTL can't do OSR entry yet.)
2127 Another example is the findGraphNode function, which now sees a 7%
2128 speed-up, and that's without even doing LICM or other good things.
2130 * ftl/FTLCompile.cpp:
2131 (JSC::FTL::compile):
2133 2013-06-27 Filip Pizlo <fpizlo@apple.com>
2135 Make Graph::substituteGetLocal() out-of-line
2137 Rubber stamped by Geoffrey Garen.
2140 (JSC::DFG::Graph::substituteGetLocal):
2145 2013-06-27 Filip Pizlo <fpizlo@apple.com>
2147 fourthTier: DFG should know how to find natural loops
2148 https://bugs.webkit.org/show_bug.cgi?id=118152
2150 Reviewed by Mark Hahnenberg.
2152 There are a bunch of things we can do when we know where the loops are.
2153 Previously we didn't. With this patch, we do.
2155 This patch adds the classic dominator based natural loop finder.
2157 The only client of this right now is the DFG::Disassembler. It prints out
2158 a summary of the analysis for each block.
2160 This will become more important when I do
2161 https://bugs.webkit.org/show_bug.cgi?id=118151, which definitely requires
2162 this kind of analysis, at least if we want to do the optimization over
2163 DFG IR (and I'm pretty sure we do).
2165 * JavaScriptCore.xcodeproj/project.pbxproj:
2166 * dfg/DFGAnalysis.h: Added.
2169 (JSC::DFG::Analysis::Analysis):
2170 (JSC::DFG::Analysis::invalidate):
2171 (JSC::DFG::Analysis::computeIfNecessary):
2172 (JSC::DFG::Analysis::isValid):
2173 * dfg/DFGCFGSimplificationPhase.cpp:
2174 (JSC::DFG::CFGSimplificationPhase::run):
2175 * dfg/DFGDisassembler.cpp:
2176 (JSC::DFG::Disassembler::createDumpList):
2177 * dfg/DFGDominators.cpp:
2178 (JSC::DFG::Dominators::Dominators):
2179 (JSC::DFG::Dominators::compute):
2180 * dfg/DFGDominators.h:
2183 (JSC::DFG::Graph::dumpBlockHeader):
2184 (JSC::DFG::Graph::invalidateCFG):
2188 * dfg/DFGNaturalLoops.cpp: Added.
2190 (JSC::DFG::NaturalLoop::dump):
2191 (JSC::DFG::NaturalLoops::NaturalLoops):
2192 (JSC::DFG::NaturalLoops::~NaturalLoops):
2193 (JSC::DFG::NaturalLoops::compute):
2194 (JSC::DFG::NaturalLoops::loopsOf):
2195 (JSC::DFG::NaturalLoops::dump):
2196 * dfg/DFGNaturalLoops.h: Added.
2199 (JSC::DFG::NaturalLoop::NaturalLoop):
2200 (JSC::DFG::NaturalLoop::addBlock):
2201 (JSC::DFG::NaturalLoop::header):
2202 (JSC::DFG::NaturalLoop::size):
2203 (JSC::DFG::NaturalLoop::at):
2204 (JSC::DFG::NaturalLoop::operator[]):
2205 (JSC::DFG::NaturalLoop::contains):
2207 (JSC::DFG::NaturalLoops::numLoops):
2208 (JSC::DFG::NaturalLoops::loop):
2209 (JSC::DFG::NaturalLoops::headerOf):
2211 2013-06-27 Filip Pizlo <fpizlo@apple.com>
2213 fourthTier: JSC's disassembly infrastructure should be able to disassemble the code that LLVM generates
2214 https://bugs.webkit.org/show_bug.cgi?id=118148
2216 Reviewed by Anders Carlsson.
2218 Oh boy. UDis86 cannot disassemble the AVX (or whatever it's called) stuff
2219 that LLVM generates for floating point. So the right decision is to
2220 switch to the LLVM disassembler, right? Wrong!! LLVM's disassembler
2221 cannot disassemble the load-from-absolute-address-into-%rax instructions
2222 that our JIT generates quite a lot of.
2224 So, this keeps the UDis86 disassembler, but adds the LLVM disassembler,
2225 and requires the caller of disassemble() to hint which one is likely to
2226 be less wrong for the given code.
2228 Maybe in the future LLVM will catch up to UDis86, but it's definitely not
2231 This now allows us to disassemble all of the code that LLVM generates.
2233 * JavaScriptCore.xcodeproj/project.pbxproj:
2234 * disassembler/Disassembler.cpp:
2236 * disassembler/Disassembler.h:
2237 (JSC::tryToDisassemble):
2239 * disassembler/LLVMDisassembler.cpp: Added.
2241 (JSC::symbolLookupCallback):
2242 (JSC::tryToDisassembleWithLLVM):
2243 * disassembler/LLVMDisassembler.h: Added.
2245 (JSC::tryToDisassembleWithLLVM):
2246 * disassembler/UDis86Disassembler.cpp:
2247 (JSC::tryToDisassembleWithUDis86):
2248 * disassembler/UDis86Disassembler.h: Added.
2250 (JSC::tryToDisassembleWithUDis86):
2251 * disassembler/X86Disassembler.cpp: Added.
2253 (JSC::tryToDisassemble):
2254 * ftl/FTLAbbreviatedTypes.h:
2255 * ftl/FTLCompile.cpp:
2256 (JSC::FTL::compile):
2258 * ftl/FTLJITFinalizer.h:
2259 * ftl/FTLLLVMHeaders.h: Removed.
2261 * runtime/InitializeThreading.cpp:
2262 (JSC::initializeThreadingOnce):
2263 * runtime/Options.h:
2266 2013-06-27 Filip Pizlo <fpizlo@apple.com>
2268 fourthTier: FTL should be able to dump disassembly
2269 https://bugs.webkit.org/show_bug.cgi?id=118141
2271 Reviewed by Geoffrey Garen.
2273 * ftl/FTLCompile.cpp:
2274 (JSC::FTL::compile):
2276 2013-06-27 Filip Pizlo <fpizlo@apple.com>
2278 Unreviewed, fix build for LLVM ToT.
2280 This doesn't affect those using the binary drops, but if you're building from
2281 LLVM ToT you'll get link errors. These arise because we expect there to be a
2282 libLLVMArchive, but that is no longer built by LLVM ToT. This casues the linker
2283 to fall back on the system's libLLVMArchive, which is incompatible with the
2284 other LLVM libs we pull in.
2286 Also, we didn't need that library anyway and shouldn't have been linking
2289 * Configurations/JavaScriptCore.xcconfig:
2291 2013-06-26 Filip Pizlo <fpizlo@apple.com>
2293 fourthTier: FTL should support hole/OOB PutByVal's
2294 https://bugs.webkit.org/show_bug.cgi?id=118112
2296 Reviewed by Geoffrey Garen.
2298 Added a common code generator for the out-of-bounds case that is reused by
2299 all contiguous-like arrays (Int32, Double, Contiguous).
2301 This is relatively straight-forward, except that it's the first time that
2302 the FTL has to call DFG operations that take more than two arguments.
2304 * ftl/FTLAbbreviations.h:
2305 (JSC::FTL::functionType):
2306 (JSC::FTL::buildCall):
2307 * ftl/FTLAbstractHeapRepository.h:
2309 * ftl/FTLCapabilities.cpp:
2310 (JSC::FTL::canCompile):
2311 * ftl/FTLIntrinsicRepository.h:
2313 * ftl/FTLLowerDFGToLLVM.cpp:
2314 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2316 (JSC::FTL::LowerDFGToLLVM::contiguousPutByValOutOfBounds):
2317 (JSC::FTL::LowerDFGToLLVM::vmCall):
2319 (JSC::FTL::Output::call):
2321 2013-06-26 Filip Pizlo <fpizlo@apple.com>
2323 fourthTier: FTL::canCompile(Graph&) should not consider nodes that won't be compiled
2324 https://bugs.webkit.org/show_bug.cgi?id=118097
2326 Reviewed by Mark Hahnenberg.
2328 This increases coverage to include programs that have unprofiled paths. Those paths will
2329 often have nodes that appear to do untyped speculations, and the FTL sometimes doesn't
2330 support those; except that it doesn't matter since the reason why they were untyped is
2331 that they were unprofiled and anyway we won't run them because we'll exit before them.
2333 * ftl/FTLCapabilities.cpp:
2334 (JSC::FTL::canCompile):
2336 2013-06-26 Filip Pizlo <fpizlo@apple.com>
2338 fourthTier: FTL should support ArrayifyToStructure
2339 https://bugs.webkit.org/show_bug.cgi?id=118095
2341 Reviewed by Mark Hahnenberg.
2343 * ftl/FTLCapabilities.cpp:
2344 (JSC::FTL::canCompile):
2345 * ftl/FTLIntrinsicRepository.h:
2347 * ftl/FTLLowerDFGToLLVM.cpp:
2348 (JSC::FTL::LowerDFGToLLVM::compileNode):
2349 (JSC::FTL::LowerDFGToLLVM::compileArrayifyToStructure):
2352 2013-06-26 Filip Pizlo <fpizlo@apple.com>
2354 fourthTier: FTL should support ForwardCheckStructure/ForwardStructureTransitionWatchpoint and doing so shouldn't break V8/crypto
2355 https://bugs.webkit.org/show_bug.cgi?id=118091
2357 Reviewed by Mark Hahnenberg.
2359 I was going to just add ForwardCheckStructure/ForwardStructureTransitionWatchpoint support,
2360 which is trivial. But doing so increases coverage a lot, and revealed long-standing bugs in
2361 the FTL. I then fixed those bugs, also:
2363 - The FTL should not attempt to compile a block that is not reachable according to the CFA.
2364 This is analogous to terminating basic block compilation if the CFA becomes !isValid().
2365 Attempting to compile such a block means that you're running on broken CFA state, and the
2366 CFA will become inconsistent with the code you're generating, leading to some
2367 strangeness. For example, the FTL relies on the CFA to tell it that we gave up compiling
2368 a node and hence don't have LValue's for that node (by virtue of us giving up due to
2369 !isValid()). But the CFA's isValid() bit will not be set correctly for blocks that
2370 weren't visited by the CFA at all, and the CFA expects you to know this because it
2371 expects that you already checked BasicBlock::cfaHasVisited.
2373 - SetLocal needs to change the ValueSource of the operand to indicate that its value has
2374 been stashed in the local (i.e. the "reference" corresponding to the operand in FTL
2375 speak). This is because although OSR exit already knows that the value of the operand is
2376 stored in the Node, and it already knows what LValue corresponds to the node, OSR exit
2377 will also assume that if the Node dies then the value-at-exit for that operand should be
2378 Dead (i.e. jsUndefined). But the Node dying, and the local dying, are two distinct
2379 things; in particular the local always outlives the Node in the case of a SetLocal. So,
2380 we just need to have SetLocal have the ValueSource be BlahInLocal rather than HaveNode,
2381 to ensure that OSR exit knows that the darn thing is really live until the end of the
2382 basic block, as opposed to until whenever the Node dies (which could be at any time).
2384 - PutByOffset was erroneously storing to an offset from the base object, rather than an
2385 offset from the storage. Note that the storage will be the base object (exactly - i.e.
2386 same node, same value) for inline stores, but will be a distinct thing for out-of-line
2389 - At-head set-up of OSR exit state was using ValueInLocals for variables forced double,
2390 when it should have been using DoubleInLocals.
2392 * ftl/FTLCapabilities.cpp:
2393 (JSC::FTL::canCompile):
2394 * ftl/FTLLowerDFGToLLVM.cpp:
2395 (JSC::FTL::LowerDFGToLLVM::compileBlock):
2396 (JSC::FTL::LowerDFGToLLVM::compileNode):
2397 (JSC::FTL::LowerDFGToLLVM::compileSetLocal):
2398 (JSC::FTL::LowerDFGToLLVM::compilePutByOffset):
2399 (JSC::FTL::LowerDFGToLLVM::initializeOSRExitStateForBlock):
2400 (JSC::FTL::LowerDFGToLLVM::addExitArgumentForNode):
2402 2013-06-26 Filip Pizlo <fpizlo@apple.com>
2404 fourthTier: FTL should support PutByVal
2405 https://bugs.webkit.org/show_bug.cgi?id=118075
2407 Reviewed by Mark Hahnenberg.
2409 * ftl/FTLCapabilities.cpp:
2410 (JSC::FTL::canCompile):
2411 * ftl/FTLLowerDFGToLLVM.cpp:
2412 (JSC::FTL::LowerDFGToLLVM::lower):
2413 (JSC::FTL::LowerDFGToLLVM::compileNode):
2414 (JSC::FTL::LowerDFGToLLVM::compileGetByVal):
2416 (JSC::FTL::LowerDFGToLLVM::compilePutByVal):
2418 2013-06-25 Filip Pizlo <fpizlo@apple.com>
2420 fourthTier: Convert versus AsIs should have no bearing on whether we can do the SaneChain optimization for double array GetByVals
2421 https://bugs.webkit.org/show_bug.cgi?id=118028
2423 Reviewed by Sam Weinig.
2425 The SaneChain optimization allows us to get rid of the NaN check on loading from
2426 a double array, if the result is used in an arithmetic op that wouldn't
2427 distinguish between NaN and undefined. Normally the NaN check would be needed
2428 because NaN is the hole marker.
2430 The SaneChain optimization definitely requires that you're an Original array,
2431 since we need to watchpoint the array prototype chain. And so it also needs to
2432 be a JSArray, and not an object that has indexed double properties. We also
2433 require an in-bounds access, since the backend is only capable of the
2434 optimization in the in-bounds case (though we could extend it to OOB in the
2435 future). But whether the array is being converted or is as-is isn't relevant.
2436 Either way, if it's a double original array in-bounds access by the time that
2437 the array check (or conversion!) completes, we can do the optimization.
2439 Ever-so-slight speed-up on Kraken/imaging-gaussian-blur.
2441 * dfg/DFGFixupPhase.cpp:
2442 (JSC::DFG::FixupPhase::fixupNode):
2444 2013-06-25 Filip Pizlo <fpizlo@apple.com>
2446 fourthTier: DFG should support switch_string
2447 https://bugs.webkit.org/show_bug.cgi?id=117967
2449 Reviewed by Sam Weinig.
2451 Add a reusable binary switch creator.
2453 Implement switch on string using three modes:
2455 - Binary switch on StringImpl* in the case of identifiers.
2457 - Trie of binary switches on characters in the case of a not-too-big
2458 switch over not-too-big 8-bit strings.
2460 - Hash lookup if all else fails.
2462 Anywhere from a 2x to 3x speed-up on microbenchmarks that stress
2463 string switches. 25-35% speed-up on HashMap tests. 4% speed-up on
2466 * JavaScriptCore.xcodeproj/project.pbxproj:
2467 * bytecode/JumpTable.h:
2469 (JSC::StringJumpTable::clear):
2470 * dfg/DFGBackwardsPropagationPhase.cpp:
2471 (JSC::DFG::BackwardsPropagationPhase::propagate):
2472 * dfg/DFGBinarySwitch.cpp: Added.
2474 (JSC::DFG::BinarySwitch::BinarySwitch):
2475 (JSC::DFG::BinarySwitch::advance):
2476 (JSC::DFG::BinarySwitch::build):
2477 * dfg/DFGBinarySwitch.h: Added.
2480 (JSC::DFG::BinarySwitch::caseIndex):
2481 (JSC::DFG::BinarySwitch::caseValue):
2482 (JSC::DFG::BinarySwitch::fallThrough):
2483 (JSC::DFG::BinarySwitch::Case::Case):
2485 (JSC::DFG::BinarySwitch::Case::operator<):
2486 (JSC::DFG::BinarySwitch::BranchCode::BranchCode):
2488 * dfg/DFGByteCodeParser.cpp:
2489 (JSC::DFG::ByteCodeParser::parseBlock):
2490 * dfg/DFGCapabilities.cpp:
2491 (JSC::DFG::capabilityLevel):
2492 * dfg/DFGFixupPhase.cpp:
2493 (JSC::DFG::FixupPhase::fixupNode):
2494 * dfg/DFGJITCompiler.cpp:
2495 (JSC::DFG::JITCompiler::link):
2496 * dfg/DFGLazyJSValue.cpp:
2497 (JSC::DFG::LazyJSValue::getValue):
2498 (JSC::DFG::equalToStringImpl):
2500 (JSC::DFG::LazyJSValue::strictEqual):
2501 (JSC::DFG::LazyJSValue::dump):
2502 * dfg/DFGLazyJSValue.h:
2503 (JSC::DFG::LazyJSValue::knownStringImpl):
2505 (JSC::DFG::LazyJSValue::stringImpl):
2506 (JSC::DFG::LazyJSValue::switchLookupValue):
2508 (WTF::printInternal):
2510 * dfg/DFGOperations.cpp:
2511 * dfg/DFGOperations.h:
2512 * dfg/DFGSpeculativeJIT.cpp:
2513 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2514 (JSC::DFG::SpeculativeJIT::StringSwitchCase::operator<):
2516 (JSC::DFG::SpeculativeJIT::emitBinarySwitchStringRecurse):
2517 (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
2518 (JSC::DFG::SpeculativeJIT::emitSwitchString):
2519 (JSC::DFG::SpeculativeJIT::emitSwitch):
2520 (JSC::DFG::SpeculativeJIT::addBranch):
2521 * dfg/DFGSpeculativeJIT.h:
2522 (JSC::DFG::SpeculativeJIT::callOperation):
2523 (JSC::DFG::SpeculativeJIT::branch8):
2525 (JSC::DFG::SpeculativeJIT::StringSwitchCase::StringSwitchCase):
2527 * ftl/FTLLowerDFGToLLVM.cpp:
2528 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2529 * runtime/Options.h:
2532 2013-06-24 Filip Pizlo <fpizlo@apple.com>
2534 fourthTier: Count external memory usage towards heap footprint
2535 https://bugs.webkit.org/show_bug.cgi?id=117948
2537 Reviewed by Geoffrey Garen.
2539 Currently just count strings. Strings get counted in such a way that we won't re-count strings
2540 that are aliased, by dividing by the reference count. This then ups the GC footprint and allows
2541 the collector to appropriately amortize itself.
2546 (JSC::Heap::collect):
2549 * heap/SlotVisitor.h:
2550 * heap/SlotVisitorInlines.h:
2551 (JSC::SlotVisitor::reportExtraMemoryUsage):
2553 * runtime/JSString.cpp:
2554 (JSC::JSString::visitChildren):
2556 2013-06-23 Filip Pizlo <fpizlo@apple.com>
2558 fourthTier: DFG should optimize identifier string equality
2559 https://bugs.webkit.org/show_bug.cgi?id=117920
2561 Reviewed by Sam Weinig.
2563 This is a 20% speed-up for string equality comparisons when both strings are
2566 This is important for two reasons:
2568 1) Using strings as enumerations is an idiom. A great example is typeof. It
2569 would be great if this performed better.
2571 2) When I implement switch_string in the DFG, it would be great to optimize
2572 the case where the switched-on value is an identifier. That would involve
2573 a simple binary switch rather than a more complicated trie-switch over
2576 * bytecode/SpeculatedType.cpp:
2577 (JSC::dumpSpeculation):
2578 (JSC::speculationToAbbreviatedString):
2579 (JSC::speculationFromCell):
2580 * bytecode/SpeculatedType.h:
2582 (JSC::isStringIdentSpeculation):
2583 (JSC::isStringSpeculation):
2584 * dfg/DFGAbstractState.cpp:
2585 (JSC::DFG::AbstractState::executeEffects):
2586 * dfg/DFGFixupPhase.cpp:
2587 (JSC::DFG::FixupPhase::fixupNode):
2589 (JSC::DFG::Node::shouldSpeculateStringIdent):
2591 * dfg/DFGSpeculativeJIT.cpp:
2592 (JSC::DFG::SpeculativeJIT::compilePeepHoleBranch):
2593 (JSC::DFG::SpeculativeJIT::compare):
2594 (JSC::DFG::SpeculativeJIT::compileStrictEq):
2595 (JSC::DFG::SpeculativeJIT::compileStringEquality):
2596 (JSC::DFG::SpeculativeJIT::compileStringIdentEquality):
2598 (JSC::DFG::SpeculativeJIT::speculateString):
2599 (JSC::DFG::SpeculativeJIT::speculateStringIdentAndLoadStorage):
2600 (JSC::DFG::SpeculativeJIT::speculateStringIdent):
2601 (JSC::DFG::SpeculativeJIT::speculate):
2602 * dfg/DFGSpeculativeJIT.h:
2604 * dfg/DFGUseKind.cpp:
2605 (WTF::printInternal):
2607 (JSC::DFG::typeFilterFor):
2610 2013-06-22 Filip Pizlo <fpizlo@apple.com>
2612 fourthTier: DFG shouldn't exit just because a String GetByVal went out-of-bounds
2613 https://bugs.webkit.org/show_bug.cgi?id=117906
2615 Reviewed by Mark Hahnenberg.
2617 This does the obvious thing, but also makes sure that out-of-bounds accesses
2618 don't fall off into a C call, but try to do the fast thing if the prototype
2619 chain is sane. We ought to probably do this for other array accesses in the
2620 future, as well, since it's so darn easy.
2622 * dfg/DFGAbstractState.cpp:
2623 (JSC::DFG::AbstractState::executeEffects):
2624 * dfg/DFGFixupPhase.cpp:
2625 (JSC::DFG::FixupPhase::fixupNode):
2626 * dfg/DFGOperations.cpp:
2627 * dfg/DFGOperations.h:
2628 * dfg/DFGSpeculativeJIT.cpp:
2629 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2630 * dfg/DFGSpeculativeJIT.h:
2631 (JSC::DFG::SpeculativeJIT::callOperation):
2632 * runtime/JSGlobalObject.cpp:
2633 (JSC::JSGlobalObject::objectPrototypeIsSane):
2635 (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2636 (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2637 * runtime/JSGlobalObject.h:
2640 2013-06-22 Filip Pizlo <fpizlo@apple.com>
2642 fourthTier: GC's put_by_id transition fixpoint should converge more quickly
2643 https://bugs.webkit.org/show_bug.cgi?id=117912
2645 Reviewed by Mark Hahnenberg.
2647 This was a rookie mistake. The GC does a classic forward data flow fixpoint. These work well so long as you
2648 iterate the program in program order, or at least something close to program order. Because I enjoy reverse
2649 loops ("while (n--) blah"), I ended up iterating in *reverse* of program order which ensured worst-case
2650 pathologies every single time. And unsurprisingly, this slowed down a program, namely pdfjs.
2652 Flipping the loops to iterate forward fixes a 90% regression in Octane/pdfjs and is otherwise neutral.
2654 * bytecode/CodeBlock.cpp:
2655 (JSC::CodeBlock::propagateTransitions):
2657 2013-06-21 Filip Pizlo <fpizlo@apple.com>
2659 fourthTier: DFG should CSE MakeRope
2660 https://bugs.webkit.org/show_bug.cgi?id=117905
2662 Reviewed by Geoffrey Garen.
2664 Adds MakeRope to the CSE phase and removes the comment that says that
2665 we could do it but aren't doing it.
2667 Also fixed SpeculatedType dumping so that if you have a Cell type then
2668 it just prints "Cell" and if you just have Object then it just prints
2669 "Object", instead of printing the long list of types.
2671 * bytecode/SpeculatedType.cpp:
2672 (JSC::dumpSpeculation):
2673 * dfg/DFGCSEPhase.cpp:
2674 (JSC::DFG::CSEPhase::performNodeCSE):
2676 2013-06-21 Filip Pizlo <fpizlo@apple.com>
2678 fourthTier: DFG should't exit just because it GetByVal'd a big character
2679 https://bugs.webkit.org/show_bug.cgi?id=117899
2681 Reviewed by Mark Hahnenberg.
2683 Add a slow path. Also clarify handling of GetByVal in PutStructure elimination.
2684 Previously it would fail due to canExit() but now we can also fail because
2685 GetByVal(String) can allocate. Just make it so GetByVal is totally poisoned, in
2686 a very explicit way.
2688 * dfg/DFGCSEPhase.cpp:
2689 (JSC::DFG::CSEPhase::putStructureStoreElimination):
2690 * dfg/DFGOperations.cpp:
2691 * dfg/DFGOperations.h:
2692 * dfg/DFGSpeculativeJIT.cpp:
2693 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2694 * dfg/DFGSpeculativeJIT.h:
2695 (JSC::DFG::SpeculativeJIT::callOperation):
2698 2013-06-21 Filip Pizlo <fpizlo@apple.com>
2700 fourthTier: Small strings shouldn't get GC'd
2701 https://bugs.webkit.org/show_bug.cgi?id=117897
2703 Reviewed by Mark Hahnenberg.
2705 Kill off the code needed to allocate them lazily and finalize them.
2707 * dfg/DFGSpeculativeJIT.cpp:
2708 (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
2710 (JSC::Heap::collect):
2711 * runtime/JSString.h:
2712 (JSC::jsSingleCharacterString):
2713 (JSC::jsSingleCharacterSubstring):
2715 (JSC::jsSubstring8):
2717 (JSC::jsOwnedString):
2718 * runtime/NumberPrototype.cpp:
2719 (JSC::integerValueToString):
2720 * runtime/SmallStrings.cpp:
2722 (JSC::SmallStrings::initializeCommonStrings):
2723 (JSC::SmallStrings::visitStrongReferences):
2724 * runtime/SmallStrings.h:
2725 (JSC::SmallStrings::singleCharacterString):
2728 2013-06-20 Filip Pizlo <fpizlo@apple.com>
2730 fourthTier: Structure should have a dump()
2731 https://bugs.webkit.org/show_bug.cgi?id=117859
2733 Reviewed by Geoffrey Garen.
2735 This is pretty cool. Anywhere we previously printed Structure pointers in dumps,
2736 we now print a bunch of other info as well. For example, for an object literal
2737 like "{f:42, g:64, h:24}", when we print the structure we'll now get:
2739 0x107a0af80:[Object, {f:0, g:1, h:2}, NonArray, Proto:0x107a8fff0]
2741 This also changes a bunch of places to use the dump method.
2743 * bytecode/StructureSet.h:
2744 (JSC::StructureSet::dump):
2746 (JSC::DFG::Graph::dump):
2747 * dfg/DFGStructureAbstractValue.h:
2748 (JSC::DFG::StructureAbstractValue::dump):
2749 * runtime/JSCJSValue.cpp:
2750 (JSC::JSValue::dump):
2751 * runtime/Structure.cpp:
2752 (JSC::Structure::dump):
2754 * runtime/Structure.h:
2757 2013-06-20 Filip Pizlo <fpizlo@apple.com>
2759 fourthTier: There should only be one table of SimpleJumpTables
2760 https://bugs.webkit.org/show_bug.cgi?id=117856
2762 Reviewed by Geoffrey Garen.
2764 Having multiple tables of SimpleJumpTables just means we have to duplicate a
2765 ton of code. This patch deduplicates all of it.
2767 * bytecode/CodeBlock.cpp:
2768 (JSC::CodeBlock::dumpBytecode):
2770 (JSC::CodeBlock::CodeBlock):
2771 (JSC::CodeBlock::shrinkToFit):
2772 * bytecode/CodeBlock.h:
2773 (JSC::CodeBlock::numberOfSwitchJumpTables):
2774 (JSC::CodeBlock::addSwitchJumpTable):
2775 (JSC::CodeBlock::switchJumpTable):
2776 (JSC::CodeBlock::clearSwitchJumpTables):
2778 * bytecode/PreciseJumpTargets.cpp:
2780 (JSC::computePreciseJumpTargets):
2781 * bytecode/UnlinkedCodeBlock.h:
2782 (JSC::UnlinkedCodeBlock::shrinkToFit):
2783 (JSC::UnlinkedCodeBlock::numberOfSwitchJumpTables):
2784 (JSC::UnlinkedCodeBlock::addSwitchJumpTable):
2785 (JSC::UnlinkedCodeBlock::switchJumpTable):
2787 * bytecompiler/BytecodeGenerator.cpp:
2789 (JSC::prepareJumpTableForSwitch):
2790 (JSC::BytecodeGenerator::endSwitch):
2791 * dfg/DFGByteCodeParser.cpp:
2793 (JSC::DFG::ByteCodeParser::parseBlock):
2794 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2795 * dfg/DFGJITCompiler.cpp:
2796 (JSC::DFG::JITCompiler::link):
2797 * dfg/DFGJITCompiler.h:
2799 * dfg/DFGOperations.cpp:
2800 * dfg/DFGSpeculativeJIT.cpp:
2801 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2803 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2804 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2805 * dfg/DFGSpeculativeJIT.h:
2809 * jit/JITOpcodes.cpp:
2810 (JSC::JIT::emit_op_switch_imm):
2811 (JSC::JIT::emit_op_switch_char):
2812 * jit/JITOpcodes32_64.cpp:
2813 (JSC::JIT::emit_op_switch_imm):
2814 (JSC::JIT::emit_op_switch_char):
2816 (JSC::DEFINE_STUB_FUNCTION):
2817 * llint/LLIntSlowPaths.cpp:
2818 (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2819 * llint/LowLevelInterpreter32_64.asm:
2820 * llint/LowLevelInterpreter64.asm:
2822 2013-06-20 Filip Pizlo <fpizlo@apple.com>
2824 fourthTier: FTL should clear character switch jump tables
2825 https://bugs.webkit.org/show_bug.cgi?id=117852
2827 Reviewed by Sam Weinig.
2829 The FTL just uses LLVM's switch, which results in LLVM allocating its own switch
2830 jump tables as needed.
2832 * bytecode/CodeBlock.h:
2833 (JSC::CodeBlock::clearCharacterSwitchJumpTables):
2837 2013-06-20 Filip Pizlo <fpizlo@apple.com>
2839 fourthTier: FTL should support SwitchChar
2840 https://bugs.webkit.org/show_bug.cgi?id=117849
2842 Reviewed by Geoffrey Garen.
2844 This adds Switch(SwitchChar) to the FTL and also implicitly does some other things.
2845 SwitchChar requires calling a slow path to resolve ropes. Previously the FTL had no
2846 support for calling slow paths, and we avoided adding coverage that would require
2847 that. Well, this patch adds the ability to call slow paths and just uses that for
2848 resolving ropes for SwitchChar. Also SwitchChar required adding awareness of strings,
2851 * bytecode/CodeBlock.h:
2853 (JSC::CodeBlock::addCodeOrigin):
2854 * dfg/DFGBackwardsPropagationPhase.cpp:
2855 (JSC::DFG::BackwardsPropagationPhase::propagate):
2857 (JSC::DFG::Graph::dump):
2860 (WTF::printInternal):
2863 * dfg/DFGOperations.h:
2864 * dfg/DFGSpeculativeJIT.h:
2865 (JSC::DFG::SpeculativeJIT::callOperation):
2866 * ftl/FTLAbbreviations.h:
2867 (JSC::FTL::int16Type):
2868 (JSC::FTL::constInt):
2869 * ftl/FTLAbstractHeapRepository.h:
2871 * ftl/FTLCapabilities.cpp:
2872 (JSC::FTL::canCompile):
2873 * ftl/FTLCommonValues.cpp:
2874 (JSC::FTL::CommonValues::CommonValues):
2875 * ftl/FTLCommonValues.h:
2877 * ftl/FTLIntrinsicRepository.cpp:
2878 (JSC::FTL::IntrinsicRepository::IntrinsicRepository):
2880 * ftl/FTLIntrinsicRepository.h:
2882 (IntrinsicRepository):
2883 * ftl/FTLLowerDFGToLLVM.cpp:
2884 (JSC::FTL::LowerDFGToLLVM::lower):
2885 (JSC::FTL::LowerDFGToLLVM::transferAndCheckArguments):
2886 (JSC::FTL::LowerDFGToLLVM::compileJump):
2887 (JSC::FTL::LowerDFGToLLVM::compileBranch):
2888 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
2889 (JSC::FTL::LowerDFGToLLVM::buildSwitch):
2891 (JSC::FTL::LowerDFGToLLVM::lowString):
2892 (JSC::FTL::LowerDFGToLLVM::speculate):
2893 (JSC::FTL::LowerDFGToLLVM::isObject):
2894 (JSC::FTL::LowerDFGToLLVM::isNotString):
2895 (JSC::FTL::LowerDFGToLLVM::isString):
2896 (JSC::FTL::LowerDFGToLLVM::isNotObject):
2897 (JSC::FTL::LowerDFGToLLVM::speculateObject):
2898 (JSC::FTL::LowerDFGToLLVM::speculateString):
2899 (JSC::FTL::LowerDFGToLLVM::speculateNonNullObject):
2900 (JSC::FTL::LowerDFGToLLVM::vmCall):
2901 (JSC::FTL::LowerDFGToLLVM::callPreflight):
2902 (JSC::FTL::LowerDFGToLLVM::callCheck):
2903 (JSC::FTL::LowerDFGToLLVM::lowBlock):
2905 (JSC::FTL::Output::constBool):
2906 (JSC::FTL::Output::constInt8):
2907 (JSC::FTL::Output::constInt32):
2908 (JSC::FTL::Output::constIntPtr):
2909 (JSC::FTL::Output::constInt64):
2910 (JSC::FTL::Output::load16):
2911 (JSC::FTL::Output::isNull):
2912 (JSC::FTL::Output::notNull):
2913 (JSC::FTL::Output::testIsZero32):
2914 (JSC::FTL::Output::testNonZero32):
2916 (JSC::FTL::Output::operation):
2917 (JSC::FTL::Output::crash):
2919 2013-06-18 Filip Pizlo <fpizlo@apple.com>
2921 fourthTier: DFG should have switch_char
2922 https://bugs.webkit.org/show_bug.cgi?id=117710
2924 Reviewed by Michael Saboff.
2926 Add op_switch_char. Most of this is fairly simple, except for the whole
2929 It's long been the case that anytime you wanted the DFG to speak of a string
2930 that didn't appear in the constant pool, you would have a hard time since
2931 the DFG isn't allowed to allocate in the GC heap. For example, if you know
2932 that you want to speak of a single character string, you might find that
2933 the one you wanted to speak of had been GC'd. Another example is if you
2934 wanted to add constant folding for string concatenation - something we don't
2935 have yet but will want eventually.
2937 I solve this by finally adding the notion of LazyJSValue. In the future I
2938 anticipate using this for a variety of string-related things. The idea here
2939 is that the DFG can either say that it already knows what the value is, or
2940 it can describe the value. For example, in this patch I needed to be able to
2941 describe single-character strings.
2943 * JavaScriptCore.xcodeproj/project.pbxproj:
2944 * bytecode/CodeBlock.cpp:
2945 (JSC::CodeBlock::dumpBytecode):
2946 (JSC::CodeBlock::CodeBlock):
2947 * bytecode/JumpTable.h:
2948 * dfg/DFGBackwardsPropagationPhase.cpp:
2949 (JSC::DFG::BackwardsPropagationPhase::propagate):
2950 * dfg/DFGByteCodeParser.cpp:
2952 (JSC::DFG::ByteCodeParser::parseBlock):
2953 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2954 * dfg/DFGCFGSimplificationPhase.cpp:
2955 (JSC::DFG::CFGSimplificationPhase::run):
2956 * dfg/DFGCapabilities.cpp:
2957 (JSC::DFG::capabilityLevel):
2958 * dfg/DFGDriver.cpp:
2959 (JSC::DFG::compile):
2960 * dfg/DFGFixupPhase.cpp:
2961 (JSC::DFG::FixupPhase::fixupNode):
2963 (JSC::DFG::JSValueRegs::payloadGPR):
2964 * dfg/DFGJITCompiler.cpp:
2965 (JSC::DFG::JITCompiler::jumpTable):
2967 (JSC::DFG::JITCompiler::numberOfJumpTables):
2968 (JSC::DFG::JITCompiler::linkSwitches):
2969 (JSC::DFG::JITCompiler::link):
2970 * dfg/DFGJITCompiler.h:
2972 * dfg/DFGLazyJSValue.cpp: Added.
2974 (JSC::DFG::LazyJSValue::getValue):
2975 (JSC::DFG::equalToSingleCharacter):
2976 (JSC::DFG::LazyJSValue::strictEqual):
2977 (JSC::DFG::LazyJSValue::dump):
2978 * dfg/DFGLazyJSValue.h: Added.
2981 (JSC::DFG::LazyJSValue::LazyJSValue):
2982 (JSC::DFG::LazyJSValue::singleCharacterString):
2983 (JSC::DFG::LazyJSValue::tryGetValue):
2984 (JSC::DFG::LazyJSValue::value):
2985 (JSC::DFG::LazyJSValue::character):
2986 (JSC::DFG::LazyJSValue::switchLookupValue):
2988 (JSC::DFG::SwitchCase::SwitchCase):
2990 * dfg/DFGSpeculativeJIT.cpp:
2991 (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2992 (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
2994 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2995 (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2996 (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2997 (JSC::DFG::SpeculativeJIT::emitSwitch):
2998 * dfg/DFGSpeculativeJIT.h:
3001 2013-06-19 Mark Hahnenberg <mhahnenberg@apple.com>
3003 Refactor ObjCCallbackFunction to inherit directly from InternalFunction
3004 https://bugs.webkit.org/show_bug.cgi?id=117595
3006 Reviewed by Geoffrey Garen.
3008 * API/APICallbackFunction.h: Added. New struct that allows JSCallbackFunction and
3009 ObjCCallbackFunction to share their host call() implementation through the magic of
3011 (JSC::APICallbackFunction::call):
3012 * API/JSCallbackFunction.cpp:
3013 (JSC::JSCallbackFunction::getCallData): Changed to get the template-ized version of
3015 * API/JSCallbackFunction.h:
3016 * API/ObjCCallbackFunction.h: Now inherits directly from InternalFunction.
3017 * API/ObjCCallbackFunction.mm:
3018 (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3019 (JSC::ObjCCallbackFunction::getCallData): Ditto.
3020 * GNUmakefile.list.am: Build files!
3021 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj:
3022 * JavaScriptCore.vcxproj/JavaScriptCore.vcxproj.filters:
3023 * JavaScriptCore.xcodeproj/project.pbxproj:
3025 2013-06-19 Michael Saboff <msaboff@apple.com>
3027 fourthTier: Arity fixup should be done while on same stack
3028 https://bugs.webkit.org/show_bug.cgi?id=117102
3030 Reviewed by Oliver Hunt.
3032 Removed the fixup part of op_call_arityCheck() and op_construct_arityCheck() and moved it to
3033 a thunk for the JITs and as assembly for the llint. This patch provides the plumbing needed to
3034 move to the C stack for JS execution. The fixup thunk and llint code would need to be change to
3035 work with a stack that grows down when we do move to the C stack.
3037 Due to an issue with the offline assembler, I moved the const at the top of LowLevelInterpreter64.asm
3038 and LowLevelInterpreter32_64.asm to LowLevelInterpreter.asm. The problem is that a const defined in
3039 one file that are used in a macro doesn't resolve the const if the macro is used in another file. This
3040 seemed like the quickest path.
3042 * dfg/DFGJITCompiler.cpp:
3043 (JSC::DFG::JITCompiler::compileFunction):
3044 (JSC::DFG::JITCompiler::linkFunction):
3045 * dfg/DFGJITCompiler.h:
3050 (JSC::JIT::privateCompile):
3052 (JSC::DEFINE_STUB_FUNCTION):
3054 * jit/ThunkGenerators.cpp:
3056 * jit/ThunkGenerators.h:
3057 * llint/LowLevelInterpreter.asm:
3058 * llint/LowLevelInterpreter32_64.asm:
3059 * llint/LowLevelInterpreter64.asm:
3060 * runtime/CommonSlowPaths.cpp:
3061 (JSC::SLOW_PATH_DECL):
3062 * runtime/CommonSlowPaths.h:
3063 (JSC::CommonSlowPaths::arityCheckFor):
3065 2013-06-19 Michael Saboff <msaboff@apple.com>
3067 FTL: arm build is broken in ToT
3068 https://bugs.webkit.org/show_bug.cgi?id=117800
3070 Unreviewed build fixes.
3072 * assembler/ARMv7Assembler.h:
3073 (ARMv7Assembler): Merge of r147941
3074 * jit/JITArithmetic32_64.cpp:
3075 (JSC::JIT::emit_op_mod): Moved variable declaration back inside #ifdef where used.
3077 2013-06-17 Michael Saboff <msaboff@apple.com>
3079 FTL: Add another temp register regT4 to JSInterfaceJIT
3080 https://bugs.webkit.org/show_bug.cgi?id=117719
3082 Reviewed by Geoffrey Garen.
3084 Made the dedicated bucketCounterRegister to be regT4 and then used regT4 wherever
3085 bucketCounterRegister had been used. Since it is masked whenever it is used and
3086 we are looking for some randomness in the register anyway, we can use it without
3090 (JSC::JIT::privateCompile):
3092 (JSC::JIT::emitValueProfilingSite):
3094 (JSC::JIT::emitPutCallResult):
3095 * jit/JITCall32_64.cpp:
3096 (JSC::JIT::emitPutCallResult):
3098 (JSC::JIT::emitValueProfilingSite):
3099 * jit/JITOpcodes.cpp:
3100 (JSC::JIT::emit_op_to_this):
3101 (JSC::JIT::emit_op_get_callee):
3102 (JSC::JIT::emit_op_get_argument_by_val):
3103 * jit/JITOpcodes32_64.cpp:
3104 (JSC::JIT::emit_op_get_callee):
3105 (JSC::JIT::emit_op_to_this):
3106 (JSC::JIT::emit_op_get_argument_by_val):
3107 * jit/JITPropertyAccess.cpp:
3108 (JSC::JIT::emit_op_get_by_val):
3109 (JSC::JIT::emitSlow_op_get_by_val):
3110 (JSC::JIT::emit_op_get_by_id):
3111 (JSC::JIT::emitSlow_op_get_by_id):
3112 (JSC::JIT::emit_op_get_from_scope):
3113 (JSC::JIT::emitSlow_op_get_from_scope):
3114 * jit/JITPropertyAccess32_64.cpp:
3115 (JSC::JIT::emit_op_get_by_val):
3116 (JSC::JIT::emitSlow_op_get_by_val):
3117 (JSC::JIT::emit_op_get_by_id):
3118 (JSC::JIT::emitSlow_op_get_by_id):
3119 (JSC::JIT::emit_op_get_from_scope):
3120 (JSC::JIT::emitSlow_op_get_from_scope):
3121 * jit/JITStubCall.h:
3122 (JSC::JITStubCall::callWithValueProfiling):
3123 * jit/JSInterfaceJIT.h:
3126 2013-06-17 Filip Pizlo <fpizlo@apple.com>
3128 fourthTier: FTL should support Switch
3129 https://bugs.webkit.org/show_bug.cgi?id=117704
3131 Reviewed by Oliver Hunt.
3133 * bytecode/CodeBlock.h:
3134 (JSC::CodeBlock::clearImmediateSwitchJumpTables):
3135 * ftl/FTLAbbreviations.h:
3136 (JSC::FTL::buildFPToSI):
3137 (JSC::FTL::buildSwitch):
3138 (JSC::FTL::addCase):
3140 * ftl/FTLCapabilities.cpp:
3141 (JSC::FTL::canCompile):
3144 * ftl/FTLLowerDFGToLLVM.cpp:
3145 (JSC::FTL::LowerDFGToLLVM::compileNode):
3146 (JSC::FTL::LowerDFGToLLVM::compileSwitch):
3149 (JSC::FTL::Output::fpToInt):
3150 (JSC::FTL::Output::fpToInt32):
3152 (JSC::FTL::Output::switchInstruction):
3153 * ftl/FTLSwitchCase.h: Added.
3156 (JSC::FTL::SwitchCase::SwitchCase):
3157 (JSC::FTL::SwitchCase::value):
3158 (JSC::FTL::SwitchCase::target):
3160 2013-06-15 Filip Pizlo <fpizlo@apple.com>
3162 fourthTier: Add CFG simplification for Switch
3163 https://bugs.webkit.org/show_bug.cgi?id=117677
3165 Reviewed by Mark Hahnenberg.
3167 This is for completeness. It only speeds up a microbenchmark at this point.
3168 Broadly, we want all control constructs to be known to the CFG simplifier.
3170 * dfg/DFGCFGSimplificationPhase.cpp:
3171 (JSC::DFG::CFGSimplificationPhase::run):
3172 (JSC::DFG::CFGSimplificationPhase::convertToJump):
3173 (CFGSimplificationPhase):
3174 (JSC::DFG::CFGSimplificationPhase::noBlocks):
3175 (JSC::DFG::CFGSimplificationPhase::oneBlock):
3176 (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
3177 * runtime/JSCJSValue.h:
3179 * runtime/JSCJSValueInlines.h:
3180 (JSC::JSValue::pureStrictEqual):
3183 2013-06-13 Filip Pizlo <fpizlo@apple.com>
3185 fourthTier: DFG should support op_switch_imm
3186 https://bugs.webkit.org/show_bug.cgi?id=117559
3188 Reviewed by Oliver Hunt.
3190 Implement integer (i.e. immediate) switches in the DFG. Reduce the minimum
3191 threshold for using op_switch.
3193 Also get rid of edge code support, since we haven't used it in the year since
3194 I introduced it. It was supposed to allow us to break critical edges late in
3195 the backend, thus enabling global register allocation from an SSA-form graph.
3196 But we aren't doing that so I figure we should just kill the code for now. It
3197 would have made implementing switch harder.
3199 * assembler/AbstractMacroAssembler.h:
3200 (JSC::AbstractMacroAssembler::timesPtr):
3201 * assembler/MacroAssemblerCodeRef.h:
3202 (JSC::MacroAssemblerCodePtr::dumpWithName):
3203 (MacroAssemblerCodePtr):
3204 (JSC::MacroAssemblerCodePtr::dump):
3205 (MacroAssemblerCodeRef):
3206 (JSC::MacroAssemblerCodeRef::dump):
3207 * bytecode/CodeBlock.cpp:
3208 (JSC::CodeBlock::shrinkToFit):
3209 * bytecode/JumpTable.h:
3211 (JSC::SimpleJumpTable::clear):
3212 * dfg/DFGAbstractState.cpp:
3213 (JSC::DFG::AbstractState::executeEffects):
3214 (JSC::DFG::AbstractState::mergeToSuccessors):
3215 * dfg/DFGBackwardsPropagationPhase.cpp:
3216 (JSC::DFG::BackwardsPropagationPhase::propagate):
3217 * dfg/DFGByteCodeParser.cpp:
3219 (JSC::DFG::ByteCodeParser::parseBlock):
3220 (JSC::DFG::ByteCodeParser::linkBlock):
3221 (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
3222 * dfg/DFGCapabilities.cpp:
3223 (JSC::DFG::capabilityLevel):
3225 * dfg/DFGFixupPhase.cpp:
3226 (JSC::DFG::FixupPhase::fixupNode):
3228 (JSC::DFG::Graph::dump):
3229 (JSC::DFG::Graph::determineReachability):
3232 * dfg/DFGJITCompiler.cpp:
3233 (JSC::DFG::JITCompiler::JITCompiler):
3234 (JSC::DFG::JITCompiler::link):
3235 * dfg/DFGJITCompiler.h:
3237 (JSC::DFG::JITCompiler::blockHeads):
3240 (JSC::DFG::SwitchCase::SwitchCase):
3243 (JSC::DFG::SwitchData::SwitchData):
3245 (JSC::DFG::Node::isSwitch):
3246 (JSC::DFG::Node::isTerminal):
3247 (JSC::DFG::Node::switchData):
3248 (JSC::DFG::Node::numSuccessors):
3249 (JSC::DFG::Node::successor):
3250 * dfg/DFGNodeType.h:
3252 * dfg/DFGOperations.cpp:
3253 * dfg/DFGOperations.h:
3254 * dfg/DFGPredictionPropagationPhase.cpp:
3255 (JSC::DFG::PredictionPropagationPhase::propagate):
3256 * dfg/DFGSpeculativeJIT.cpp:
3257 (JSC::DFG::SpeculativeJIT::SpeculativeJIT):
3258 (JSC::DFG::SpeculativeJIT::compile):
3259 (JSC::DFG::SpeculativeJIT::createOSREntries):
3260 (JSC::DFG::SpeculativeJIT::emitSwitchImmIntJump):
3262 (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3263 (JSC::DFG::SpeculativeJIT::emitSwitch):
3264 (JSC::DFG::SpeculativeJIT::linkBranches):
3265 * dfg/DFGSpeculativeJIT.h:
3266 (JSC::DFG::SpeculativeJIT::callOperation):
3268 (JSC::DFG::SpeculativeJIT::branchDouble):
3269 (JSC::DFG::SpeculativeJIT::branchDoubleNonZero):
3270 (JSC::DFG::SpeculativeJIT::branch32):
3271 (JSC::DFG::SpeculativeJIT::branchTest32):
3272 (JSC::DFG::SpeculativeJIT::branch64):
3273 (JSC::DFG::SpeculativeJIT::branchPtr):
3274 (JSC::DFG::SpeculativeJIT::branchTestPtr):
3275 (JSC::DFG::SpeculativeJIT::branchTest8):
3276 (JSC::DFG::SpeculativeJIT::jump):
3277 * dfg/DFGSpeculativeJIT32_64.cpp:
3278 (JSC::DFG::SpeculativeJIT::compile):
3279 * dfg/DFGSpeculativeJIT64.cpp:
3280 (JSC::DFG::SpeculativeJIT::compile):
3282 (JSC::DEFINE_STUB_FUNCTION):
3286 2013-06-15 Filip Pizlo <fpizlo@apple.com>
3288 Concurrent JIT shouldn't try to recompute the CodeBlockHash as part of debug dumps, since doing so may fail if dealing with a CachedScript that doesn't have its script string handy
3289 https://bugs.webkit.org/show_bug.cgi?id=117676
3291 Reviewed by Sam Weinig.
3293 CodeBlock now caches m_hash, and the DFG Driver will force its computation if we're doing debug dumps of any kind.
3295 Also made sure that CodeBlock::CodeBlock initializes all of its fields; it was previously missing the
3296 initialization of m_capabilityLevelState.
3298 * bytecode/CodeBlock.cpp:
3299 (JSC::CodeBlock::hash):
3300 (JSC::CodeBlock::CodeBlock):
3301 * bytecode/CodeBlock.h:
3303 * bytecode/CodeBlockHash.cpp:
3304 (JSC::CodeBlockHash::CodeBlockHash):
3305 * bytecode/CodeBlockHash.h:
3307 (JSC::CodeBlockHash::isSet):
3308 (JSC::CodeBlockHash::operator!):
3309 * dfg/DFGDriver.cpp:
3310 (JSC::DFG::compile):
3312 2013-06-11 Filip Pizlo <fpizlo@apple.com>
3314 fourthTier: DFG should support op_in and it should use patching to make it fast
3315 https://bugs.webkit.org/show_bug.cgi?id=117385
3317 Reviewed by Geoffrey Garen.
3319 Implement op_in in the DFG and give it patching. The code we generate is just
3320 a jump on the hot path, and the slow paths generate stubs and link the jump to
3321 them. I didn't want to bother with patching structures and load offsets and
3322 the like, although I probably could have.
3324 This is a ginormous speed-up on microbenchmarks for "in", obviously.
3326 * bytecode/CodeBlock.cpp:
3327 (JSC::CodeBlock::dumpAssumingJITType):
3328 (JSC::CodeBlock::resetStubInternal):
3329 (JSC::structureStubInfoLessThan):
3331 (JSC::CodeBlock::sortStructureStubInfos):
3332 * bytecode/CodeBlock.h:
3334 * bytecode/StructureStubInfo.cpp:
3335 (JSC::StructureStubInfo::deref):
3336 (JSC::StructureStubInfo::visitWeakReferences):
3337 * bytecode/StructureStubInfo.h:
3340 (StructureStubInfo):
3341 (JSC::StructureStubInfo::initInList):
3342 * dfg/DFGAbstractState.cpp:
3343 (JSC::DFG::AbstractState::executeEffects):
3344 * dfg/DFGByteCodeParser.cpp:
3345 (JSC::DFG::ByteCodeParser::parseBlock):
3346 * dfg/DFGCCallHelpers.h:
3347 (JSC::DFG::CCallHelpers::setupResults):
3348 * dfg/DFGCapabilities.cpp:
3349 (JSC::DFG::capabilityLevel):
3350 * dfg/DFGFixupPhase.cpp:
3351 (JSC::DFG::FixupPhase::fixupNode):
3353 (JSC::DFG::JSValueRegs::payloadOnly):
3355 (JSC::DFG::JSValueRegs::JSValueRegs):
3356 (JSC::DFG::JSValueRegs::operator!):
3357 (JSC::DFG::JSValueSource::operator!):
3358 * dfg/DFGJITCompiler.cpp:
3359 (JSC::DFG::JITCompiler::link):
3360 * dfg/DFGJITCompiler.h:
3361 (JSC::DFG::InRecord::InRecord):
git://git.webkit.org / WebKit-https.git / blob